Six Messy Database Breaches So Far In 2010

Whether it be insecure Web applications, poor password management, or a lack of database policies and monitoring, the average database today is at risk of exposure through a host of different threat vectors that many organizations are not even aware of -- let alone are addressing. Already in 2010, the number of database breaches as a result of such mistakes is mounting.

The list of disturbing database breaches so far this year mostly could have been avoided. The affected organizations had to learn the hard way, through public embarrassment and expensive incident response procedures. But the missteps that led to them provide a cautionary tale for other organizations.

"Security needs to be addressed by appropriate policies and systems, but perhaps more importantly a cultural commitment and buy-in by employees to achieving security," Daniel Mayo and Graham Titterington, principal analysts for Ovum, wrote recently about database security.

Garnering that cultural commitment starts with awareness. Here are six of the more eye-popping database-related breaches so far this year -- and some lessons learned from each:

1. Arkansas Army National Guard

Breach Details: An Arkansas soldier caused the Arkansas Army National Guard a lot of embarrassment earlier this year when he brought home an external hard drive containing a copy of the Guard's entire personnel database with the personal information of more than 32,000 current and former Guardsmen. For about two months the Guard couldn't track the hard drive down and had to notify personnel of the loss as a result of the potential breach. The drive was eventually recovered and the information destroyed, but the entire event left the organization with egg on its face.

Lessons Learned: Strike one in this case was that the data was completely unencrypted. But strike two and three was the fact that the soldier in question was able to copy the database in the first place and take it off-site.

Database security experts repeatedly warn organizations to take measures to prevent wholesale copying of database files, whether by innocent but negligent insiders or by malicious insiders looking to steal data. Database activity monitoring tools can help monitor for and prevent such activities.

2. University of Louisville

Breach Details: A staff doctor who set up a Web application that tapped into a University of Louisville database of dialysis patients put hundreds of patient records at risk by failing to use password protection to prevent unauthorized access to the application. The records were openly available online for close to a year-and-a-half until someone outside of the organization sent an e-mail cluing the university in on the privacy breach.

Lessons Learned: Web applications are the Achilles' heel of database security, and organizations have to work hard to bring DBAs, developers, and business stakeholders together to develop Web app security policies, particularly around access management issues that can cause breaches such as this.

3. WellPoint

Breach Details: A business logic flaw in a Web application that was tied to a database of individual insurance customers of health giant WellPoint allowed unauthorized users to potentially access any of 470,000 customer records. The vulnerability was discovered by a WellPoint customer who found that a simple URL manipulation could give her access to other customers' personal data. Turns out an outsourced vendor tasked with updating the application introduced the flaw last fall.

Lessons Learned: Insecure Web app code is frequently the submerged iceberg just waiting to sink an organization's database security. Before rolling out new or updated applications to live environments, organizations should run application testing that not only scans for common code vulnerabilities, but also business logic flaws such as this one.