Friday, December 18, 2009

The 2009 Data Breach Hall of Shame

CIO Article on 2009 Data Breaches

If there was anything even vaguely comforting about the data breaches that were announced this year, it was that many of them stemmed from familiar and downright mundane security failures.

What does this say, or speak loudly of? Is it about competence or incompetence? I don't really think so. Overall, it is about a lack of "dogged, stick-to-it-iveness". What does that mean? I am certain that all the named organizations on this list have highly competent practitioners in their IT space. Certainly there may be exceptions.

I have found through many, many years of hands-on experience that it isn't always about the level of technical competence. Most of the time, it is about the burning desire to ALWAYS get it right. Is this type of discipline possible or warranted for every aspect of Technology Management? Well, in an ideal environment called "Nirvana", maybe. In real life, it just isn't practical. Even so, some Technology disciplines such as Security, Data Privacy, etc. absolutely require that kind of commitment and effort.

For example, if I were to build a submarine and I had the best engineers / practitioners in the world, but the Project Manager decided to put in a screen door, that is, overall, a small detail, but it completely defeats the concept of a secured and air-tight perimeter. You can use the same example for corporate network access. If you secure 99% and one rogue sales office adds a DSL modem without proper security, you will get the same effect as the screen door in the submarine.

Heartland makes the list simply by virtue of the spectacular size and scope of the data breach it disclosed in January.

The compromise stemmed from SQL injection errors that allowed hackers to break into the payment processor's networks and steal data on approximately 130 million credit and debit cards over several months.

It gave Heartland the dubious distinction of having announced the largest ever data breach in history.

TAKEAWAY: 130 million credit card records were in the open. Was it one of yours? Technical competency must be augmented with strict levels of effort and commitment in order to be effective.

Caesar si viveret, ad remum dareris
(If Caesar were alive, you'd be chained to an oar)

B