GCN published an article on June 3, 2013 regarding the possible data breach of Customs and Border Protection (CBP) systems operated by third-parties for clearances. The information used to obtain clearances is not only personal identifiable information (PII), but also re-tells the past ten or more years of history of an individual. So the potential compromise of this information is a serious issue.
Now add the recent scandals regarding surveillance by the NSA and other government agencies adds to the concern. This is more than a privacy issue, but one of the capability to maintain data secure. DHS is meant to provide the “cybersecurity” component of the government in conjunction with the DoD, but if DHS and the DoD have issues with maintaining the security of their respective systems, what will the potential breach be with the new surveillance information. While granted, the information of the phone calls from the various telecoms is currently not maintaining the call content itself, the associated metadata could expose even greater risk to individuals than is being expressed. Most phones maintain GPS and cell tower information with a call. Add the additional cell phone number and owner information, it is now possible to track the patterns of the individual in addition to the various calls.
While the potential privacy issues around surveillance has its place, the ability for the government to protect the data is also equally important.
In an article in Dark reading, South Carolina officials announced that more than three-quarters of the states social security numbers were exposed in a recent hack. The data included debit and credit card information for the states residents as well. The most concerning issue was that the database that was compromised was not encrypted. As a state agency, it should have been an example to follow rather than one to avoid. The state’s Department of Revenue should have been held to not only federal regulatory requirements, but also PCI. This type of failure is not acceptable.
While not everything has been released as to the cause other than the database was breached and not encrypted, the article states the following:
Although state officials referred to the hack as a “database” breach, they didn’t specify just what flaw was exposed. Security experts say it was most likely a SQL injection or other vulnerability in the Web-based application that ultimately led to the data breach.
Chris Eng, vice president of research for Veracode, says it sounds like a SQL injection attack against a Web application. “That’s the simplest way in,” he says.
It is easy to make conjecture about how the breach occurred, but it would seem that the necessary due diligence was not followed. Security should be more than a check-box. States and Federal governments should be setting the examples for the rest of business…Another instance where measure twice and cut once should have been put in place…