First, there was the story of the data breach at Hannaford, an East Coast-based supermarket chain. Over 4 million credit card numbers were exposed as part of the data breach, which resulted in 1,800 cases of fraud (was that all?). Last week we heard about a similar breach at the restaurant chain Dave & Busters, where hackers used a simple packet sniffer to capture patron credit and debit card payment information. In both cases, sensitive information was transmitted across a network in an unencrypted format.
Now, I don't want to come down too hard on the principals involved in these two incidents. I'm willing to bet that the lack of network encryption in both cases was due to a combination of possible factors:
- A lack of network encryption support when the systems were initially brought online
- Overconfidence in the data protection offered by use of an external firewall or other security measures
- Simple oversight
There may be other factors that I am not listing here, but I believe that the reality of what gave rise to these two situations is covered by one or more of those items.
The question I have is, how many news items like this will those who work in corporate IT organizations have to read before they start to take network encryption seriously? The repercussions of data breaches are serious enough that I would think IT organizations of all shapes and sizes would implement a regular security audit process. Ideally it would encompass determining the sensitivity of data moving through or contained within the corporate network and reviewing whether adequate end-to-end security measures are in place to protect that data. Perhaps it would include review of other factors and considerations as well. What I'm mentioning is really the minimum of what folks should be doing.
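One concrete check such an audit could include, added here as an example and not code from the original post: scan payload bytes captured on the organization's own network for card numbers that pass the Luhn check, which is exactly the cleartext data a packet sniffer would have harvested in the two incidents above. The payloads below are constructed sample data built from well-known test PANs; a real audit would read them from a capture file instead.

```python
import re

# Constructed sample payloads, standing in for packets captured on the
# organization's own POS network. The card numbers are public test PANs.
SAMPLE_PAYLOADS = [
    b"POST /auth HTTP/1.0\r\n\r\npan=4111111111111111&exp=1209&amt=42.17",
    b"track2=;5500000000000004=12091010000000000?",
    b"order=12345&sku=4111-1111-1111-1112&qty=1",      # fails Luhn: not a PAN
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",  # TLS record: encrypted channel
]

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded
# in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used by card networks."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(payload):
    """Return masked card numbers found in cleartext in one payload."""
    text = payload.decode("ascii", errors="replace")  # ciphertext yields no digit runs
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            # Keep only BIN and last four so the audit log itself holds no full PAN.
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


def audit(payloads):
    """Return (payload index, masked PANs) for every payload carrying cleartext card data."""
    findings = []
    for idx, payload in enumerate(payloads):
        pans = find_cleartext_pans(payload)
        if pans:
            findings.append((idx, pans))
    return findings


if __name__ == "__main__":
    for idx, pans in audit(SAMPLE_PAYLOADS):
        print(f"payload {idx}: cleartext card data {pans}")
```

Any finding means cardholder data crossed the wire unencrypted and that segment needs transport encryption, not just a firewall in front of it.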
So the takeaway of all of this is (for those who still haven't gotten it), if the data is something you or your customers wouldn't want someone else seeing / accessing / using without your permission, for the sake of Pete - encrypt it before you send it across the network. If you don't, I will list you as an additional offending party here (and I can't promise I will be as charitable in my criticism the next time around).
I'd be interested in anyone's thoughts on what other steps organizations can take to avoid data breaches like these. Perhaps you have some feedback on other incidents as well. I welcome all comments on this subject.