Blog Feed Post

Caution: Web-searchable servers and databases

August 2011:  Yale University announced that 43,000 social security numbers posted to an insecure FTP server have been available to Google search engine users for the past 10-months.

May 2011:  Southern California Medical-Legal Consultants (SCMLC) disclosed that the medical records of 300,000 injured workers were available online to the public through Google search.

For Yale, it seems that the file containing the names and social security numbers was stored in a FTP server which was used for open source work – That means that ANYONE could access the information without even being asked for a username/password.  Although IT Director Len Peters said “there is no indication that the information has been exploited”, that sounds to me an awful lot like “nobody has told us that their information was breached but we don’t have the visibility or audit trail to know for sure.”

For SCMLC, an internal server exposed documents containing health information (including names and social security numbers) of California residents who applied for workers’ compensation benefits.  The files were neither encrypted nor password-protected. According to Joel Hecht, President of SCMLC, “We take data security and privacy very seriously, unfortunately, our internal security policies and procedures were not followed.”  In theory he’s saying the right things and his company may (or may not) have the proper tools and systems in place, but the key here is they lacked the proper management and enforcement of access controls and security policies.  Now there are a gazillion reasons wanting to keep health information confidential, and in this case that list would include workers compensation information being read by possible future employers and impacting hiring decisions.

Ipswitch’s Frank Kenney sums things up nicely in a recent article on the increasing security risks of web-searchable databases:

“In many cases organizations don’t know that they’re wide open.  The databases that exist today have ultimately been designed to allow the easiest access from a multitude of devices and places. In many people’s minds they think that there is a measure of safety for the data sitting underneath the application because the application is secure. But your database is sitting out there and it came configured out of the box to be connected to the Internet.” 

So take this opportunity to identify what Web-facing databases you have and really dig into the information they contain.  If you are exposing any sensitive or confidential information, take measures to properly manage that data, control access to it, set up security policies and of course ensure visibility into all files being uploaded or downloaded from the server.

Related posts:

  1. Misuse, but not malicious
  2. Are data breaches inevitable?
  3. Takeaways from Verizon’s 2011 Data Breach Investigations Report

Read the original blog entry...

More Stories By Frank Kenney

Frank Kenney is Vice President, Global Strategy and Product Management at Ipswitch, responsible for defining the company's vision and strategy and integrating his global perspective into the products, services and messaging. Frank brings an unmatched depth of experience and knowledge in the managed file transfer space to the team.

Most recently, Frank was a Research Director at Gartner, Inc., responsible for analyzing topics including managed file transfer, application integration, SOA, and business process management. He initiated and drove the Magic Quadrants on managed file transfer and SOA governance technologies. Before joining Gartner, Frank was Director of Creative Services and Content Distribution at the Executive Business Group.

Frank holds a degree in Music Technology from the Center for the Media Arts and has studied English and Computer Science at University of Tampa.

When not working, Frank can be found living the life of a frustrated musician and producer in his home studio in Tampa.