News Database Security
Six Messy Database Breaches So Far In 2010
From a National Guardsman's external hard drive faux pas to a financial services firm's slack practice of password-sharing, this year has already had its share of shocking database exposures
4. Virginia Beach Department of Social Services
Breach Details: In April The Department of Social Services in Virginia Beach, Va., announced it had fired or disciplined at least eight employees and supervisors in the past year for abusing their database privileges to access restricted information about former employees, family members, and clients. In one egregious example, a supervisor made her employees access a Virginia database to find information about her husband's child.
More Security Insights
- A Smarter Approach: Inside IBM Business Analytics Solutions for Mid-Size Businesses
- Collective intelligence: Capitalizing on the crowd
- Informed CIO: SDN and Server Virtualization on a Collision Course
- Strategy: Building and Maintaining Database Access Control Permissions
- Mobile DevOps: Achieving continuous delivery with multiple front ends and complex backends in Banking, Financial Services, and Insurance
- How Cloud Facilitates an Agile Contact Center
Lessons Learned: Insider threats to database information are very real, as this example clearly illustrates. While all of the employees involved in these incidents had legitimate access to departmental databases, their use of credentials was for purposes way outside the bounds of their job duties. Robust database activity monitoring tools are the only reliable way for organizations to ferret out account abuse cases on this plane.
5. Florida International University
Breach Details: Though details are sketchy about the exact nature of this breach, what is clear is that Florida International University found the "existence of a database containing sensitive information that did not reside in a secure computing environment" during a risk assessment following an unrelated security incident, according to notification letters sent to nearly 20,000 students and faculty. The unsecure database contained personal data, such as student data related to state mastery standards, grade tracking, assignments, and Social Security numbers of both students and faculty.
Lessons Learned: Not only do databases themselves need to be secured, but so, too, do the systems on which they run and the networks that they're attached to. This means practicing diligent patch and configuration management on database servers, segregating critical databases onto the most secure network segments, and employing the rule of least privilege for these critical database environments.
6. Lincoln National Corp.
Breach Details: In January this financial services firm revealed that lax password management practices and frequent credential-sharing for access to the company's client portfolio database potentially exposed the records of 1.2 million customers. Some shared passwords were used for as long as seven years. The security lapse was not uncovered until an anonymous whistleblower sent Financial Industry Regulatory Authority (FINRA) a user name and password combo that gave access to the portfolio.
Lessons Learned: Password-sharing is one of the most common and potentially damaging behaviors to affect enterprise database security postures. Not only do organizations need to develop and enforce password management policies, they also need a way to look for account use patterns that indicate illegitimate sharing.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.