Last month wasn’t a good one for data security news. First, the California Public Employees’ Retirement System (Calpers) exposed the Social Security numbers of 445,000 retirees. Then the US Federal Trade Commission revealed trade secrets from an antitrust lawsuit. And later in the month, security experts said Monster.com had leaked the personal data of hundreds of thousands of job seekers.
As it happens, the first two incidents were almost prevented, thanks to the kindness of strangers.
Well, okay, not strangers, but business partners.
In the Calpers case, an employee sent a disk containing Social Security numbers along with names and addresses to the company responsible for printing and mailing 445,000 brochures. Fortunately, the printer had software designed to detect SSNs and keep them from being printed. That would have saved the day.
Unfortunately, many of the Calpers SSNs had leading zeroes, which fooled the software. As a result, full or partial SSNs were printed on many of the address labels.
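To make the leading-zero failure concrete, here is an added example that is not the printer’s software (the column does not describe its internals): a hypothetical naive SSN check that only accepts a non-zero first digit, beside a hardened check that accepts leading zeros and unformatted digits and rejects only area numbers the Social Security Administration never issues. The label lines are constructed sample input.

```python
import re

# Constructed sample: address-label text as a mail vendor might receive it.
SAMPLE_LABELS = [
    "JANE DOE 123-45-6789 12 MAIN ST",
    "JOHN ROE 012-34-5678 34 OAK AVE",   # area number with a leading zero
    "A. SMITH 001234567 56 ELM RD",      # unformatted, two leading zeros
    "ACCT 987654321 P.O. BOX 1",         # nine digits, but a 9xx area is never issued
]

# Naive check (hypothetical, modelled on the failure described, not the vendor's
# real code): [1-9] as the first digit means any SSN in the 0xx area range slips past.
NAIVE_SSN = re.compile(r"\b[1-9]\d{2}-\d{2}-\d{4}\b")

def naive_contains_ssn(text):
    return NAIVE_SSN.search(text) is not None

# Hardened check: match three/two/four digit groups with optional separators,
# then validate the parts instead of relying on the first digit being non-zero.
CANDIDATE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

def is_plausible_ssn(area, group, serial):
    # SSA never issues area 000, 666 or 900-999, nor group 00 or serial 0000.
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0

def find_ssns(text):
    """Return every plausible SSN in text, normalised to NNN-NN-NNNN."""
    found = []
    for m in CANDIDATE.finditer(text):
        area, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            found.append(f"{area}-{group}-{serial}")
    return found

def labels_to_block(labels):
    """Return the label lines a print job should refuse to print."""
    return [line for line in labels if find_ssns(line)]
```

Run against the sample, the naive check flags only the first label, while the hardened check blocks the first three and correctly passes the fourth.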
At the FTC, the problem was with a legal document that was part of the commission’s lawsuit to block the buyout of an organic grocery by a competitor, Whole Foods. The document was posted on a federal court’s online database, and the FTC was supposed to present it for public viewing — with confidential information blacked out, including tactics the would-be purchaser uses with suppliers to keep from being undercut by Wal-Mart.
But the “blacked out” information was easy to retrieve with a simple cut and paste. Fortunately, court employees spotted the problem and pulled down the filing — but unfortunately not before it was downloaded by the Associated Press and the trade secrets were distributed to newspapers.
Those partners weren’t able to save Calpers and the FTC from breaching confidentiality. But they tried, and that’s good. Defence in depth shouldn’t stop at an organisation’s borders. The more business partners can help guard against improper disclosures, the better off every organisation — and its customers — will be.
Of course, that’s no replacement for basic data security inside the organisation. That’s why the FTC is investigating how an employee failed to properly black things out, and why Calpers says it is now looking at ways to eliminate its use of Social Security numbers.
Then there’s Monster. This time, the partners — recruiters and HR people who use Monster to look for employees — were the ones whose PCs were penetrated first. Using their stolen Monster log-ins, attackers collected job seekers’ résumés to harvest names, addresses, phone numbers and email addresses. All in all, 1.6 million records about several hundred thousand people were stolen, according to Symantec security analyst Amado Hidalgo.
Then that data was used to trick job seekers into downloading malware.
Monster says it does its best to watch out for improper activity. But that’s hard to do when your partners are the ones who open the door for attackers.
And anyhow, we can’t rely on the kindness of strangers for our security.
But we don’t have to. We can talk with our business partners. We can find out how they’re backstopping our security efforts and encourage them to do more. We can include them in our postmortems of breaches, disclosures and near misses.
By including those partners in our security efforts, we add just a little more depth to our defence. It won’t always save us, as Calpers and the FTC learned. But it could help.
And when it comes to staying out of the data security headlines, we need all the help we can get.