Over recent months the Internet has been awash with reports of corporate data loss. Test data (especially if it is based on a cut from production) is just as valuable to potential thieves or wrongdoers as production data. In this article we describe how data obfuscation can remove the risk of sensitive data falling into the wrong hands.
Target - data theft
Last autumn (or “Fall” for our American readers), Target suffered a significant data breach. It appears that hackers used a password stealing bot to get access to Target’s internal user credentials and passwords. Once they had administrative credentials, they were able to access servers from outside the organization. The hackers are thought to have stolen credit card information for over 100,000,000 customers. Target could now be facing steep fines for non-compliance with the PCI (Payment Cards Industry), as allowing access from the outside without demanding two factor authentication is a breach of their standards.
The bad new for the American retailer doesn't stop there. According to the 'Hollywood Reporter", Sony have bought the rights to turn the whole sorry saga into a film. The story could well run and run.
Barclays Bank – Stolen data sold
At a smaller, but no less embarrassing, scale two major UK organisations have recently suffered data loss. As previously discussed, Barclays bank recently found that 27,000 customer records had been stolen and sold to rogue city traders. The data was believed to date from 2008 and was thought to be originated in Barclays Financial Planning division. Despite its age, much of it remained valid.
WM Morrison – Data theft / potential fraud
Only last week, we heard that WM Morrison’s staff payroll had been published online. The data, which included bank account information for 100,000 employees, appears to have been stolen by a member of staff. The staff member has been arrested on suspicion of “making or supplying an article for use in fraud". Whatever his motives or intentions, he has caused significant damage to the reputation of his (presumably former) employer.
NHS data – Sent offshore
This recent Guardian article describes patient’s discomfort at the knowledge that the NHS health data was being exported to Google servers. Using large data sets for scientific study is a great idea and many “Big Data” initiatives rely on this type of data migration. Unfortunately exporting data to remote locations can reduce control and security. Once data is offsite it is easily “forgotten”. This meaning, it may not be monitored effectively or deleted as soon as it is no longer required. The main concern for patient groups is whether suitable safeguards are in place to protect data.
Moving data offshore raises concerns for many organisations. Whether this stems from the Patriot Act (which may allow the US government access to your sensitive data), or the lack of robust data protection legislation in the country hosting the data; you need to give careful consideration to the type and quantity of data which you choose to move off-site. Data used for testing systems (commonly used as a 'cut' or sub-set of the live system - yes your real information) is obviously just as valuable to potential thieves or wrongdoers as production data, and may be being sent off to offshore test service providers.
Yet again, Dilbert illustrates this nicely...
In my earlier blog post, I mentioned the ease with which testers can usually get access to sensitive data. Although test data is only (currently) linked to a small number of data breaches, it remains a relatively simple source of sensitive data for people with malicious intent.
(A recent study around 2% of breaches were thought to be related to test data).
Getting the right type and quantity of test data is difficult enough without insisting that test data is obfuscated. But these recent breaches are likely to increase the demands that test data is held more securely and made useless in the event of theft. We have used data masking tools such as those provided by DataVantage to sanitise and secure test data. The data masking process is illustrated below. Tools such as DataVantage allow simple “on the fly” extracts of production data. This makes it suitable for use in test environments and removes the risk that sensitive data can fall into the wrong hands.