August 2011: Yale University announced that 43,000 social security numbers posted to an insecure FTP server had been available to Google search engine users for the past 10 months.
May 2011: Southern California Medical-Legal Consultants (SCMLC) disclosed that the medical records of 300,000 injured workers were available online to the public through Google search.
For Yale, it seems that the file containing the names and social security numbers was stored on an FTP server used for open source work. That means that ANYONE could access the information without even being asked for a username/password. Although IT Director Len Peters said “there is no indication that the information has been exploited”, that sounds to me an awful lot like “nobody has told us that their information was breached, but we don’t have the visibility or audit trail to know for sure.”
For SCMLC, an internal server exposed documents containing health information (including names and social security numbers) of California residents who applied for workers’ compensation benefits. The files were neither encrypted nor password-protected. According to Joel Hecht, President of SCMLC, “We take data security and privacy very seriously; unfortunately, our internal security policies and procedures were not followed.” In theory he’s saying the right things, and his company may (or may not) have the proper tools and systems in place, but the key here is that they lacked the proper management and enforcement of access controls and security policies. Now there are a gazillion reasons for wanting to keep health information confidential, and in this case that list would include workers’ compensation information being read by possible future employers and impacting hiring decisions.
Ipswitch’s Frank Kenney sums things up nicely in a recent article on the increasing security risks of web-searchable databases:
“In many cases organizations don’t know that they’re wide open. The databases that exist today have ultimately been designed to allow the easiest access from a multitude of devices and places. In many people’s minds they think that there is a measure of safety for the data sitting underneath the application because the application is secure. But your database is sitting out there and it came configured out of the box to be connected to the Internet.”
So take this opportunity to identify what Web-facing databases and file servers you have and really dig into the information they contain. If you are exposing any sensitive or confidential information, take measures to properly manage that data, control access to it, set up security policies and, of course, ensure visibility into all files being uploaded to or downloaded from the server.
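As an added example of that last point (visibility into what leaves the server), not part of the original post or any Ipswitch product: a small Python audit of the classic xferlog transfer log that wu-ftpd, proftpd and vsftpd can write, flagging every transfer made under anonymous access and every completed download of a file whose name hints at confidential content. The sample records and the file-name keyword list are constructed for the example.

```python
import re

# Classic xferlog layout (wu-ftpd, proftpd TransferLog, vsftpd with
# xferlog_std_format=YES): 5 timestamp tokens, transfer seconds, remote host,
# byte count, the file name (may contain spaces), then 9 fixed fields.
TAIL_FIELDS = ("transfer_type", "special_action", "direction", "access_mode",
               "username", "service", "auth_method", "auth_uid", "completion")
DIRECTION = {"o": "download", "i": "upload", "d": "delete"}
# Constructed file-name keywords (an assumption; adapt to local naming rules).
SENSITIVE_NAME = re.compile(r"ssn|social|medical|claim|payroll", re.IGNORECASE)

def parse_xferlog_line(line):
    """Fields of one xferlog record (None if malformed); name joined from both ends."""
    tokens = line.split()
    if len(tokens) < 8 + 1 + len(TAIL_FIELDS):
        return None
    rec = {"timestamp": " ".join(tokens[:5]), "transfer_seconds": tokens[5],
           "remote_host": tokens[6], "size": tokens[7],
           "filename": " ".join(tokens[8:-len(TAIL_FIELDS)])}
    rec.update(zip(TAIL_FIELDS, tokens[-len(TAIL_FIELDS):]))
    return rec

def audit_xferlog(lines):
    """Flag any transfer under anonymous access (access_mode 'a') and any completed
    download ('o', 'c') of a file whose name suggests confidential content."""
    findings = []
    for line in lines:
        rec = parse_xferlog_line(line)
        if rec is None:
            findings.append({"reason": "unparseable", "line": line})
            continue
        reasons = []
        if rec["access_mode"] == "a":
            reasons.append("anonymous " + DIRECTION.get(rec["direction"], "transfer"))
        if (rec["direction"] == "o" and rec["completion"] == "c"
                and SENSITIVE_NAME.search(rec["filename"])):
            reasons.append("sensitive-looking file downloaded")
        for reason in reasons:
            findings.append({"reason": reason, "host": rec["remote_host"],
                             "user": rec["username"], "file": rec["filename"]})
    return findings

# Constructed sample records; hosts are RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "Mon Aug  1 10:12:05 2011 3 203.0.113.5 52341 /pub/open-source/ssn_roster.xls b _ o a anon@example.com ftp 0 * c",
    "Mon Aug  1 10:13:40 2011 1 198.51.100.7 1024 /incoming/readme.txt a _ i a anon@example.com ftp 0 * c",
    "Mon Aug  1 11:02:00 2011 12 192.0.2.9 8192 /home/alice/notes with spaces.txt b _ o r alice ftp 1 alice c",
    "garbage line",
]
```

Run `audit_xferlog` over the real log (for vsftpd, `/var/log/xferlog` when `xferlog_std_format=YES`) and feed the findings to whatever alerting you already have; a server that has only ever produced anonymous downloads of a "roster" file is the Yale scenario caught while it is still fixable.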