Friday, December 7, 2007

Data Security

As more of our personal data goes online and is collected by an ever-expanding number of public and private organizations, data loss and identity theft become more of a risk.
Two recent and embarrassing events brought this into the news yet again: the UK child benefit data scandal and the Passport Canada privacy breach. This is great news for identity thieves - the BBC reports the child benefit data is worth £1.5bn to criminals.
From a technical perspective, protecting personal data is relatively straightforward. Best practices like data encryption and using salted hashes to protect passwords are easy to adopt. Ways of preventing URL guessing and SQL injection in a website are common knowledge and are at the most fundamental level of web security. Frankly, they have been for years.
In most data loss cases, the problem clearly isn't a lack of easy ways to secure data; it's that the organizations don't have enough incentive to protect your data. Privacy laws simply don't go far enough to make organizations lose as much as the people who have their data compromised.


On a related note, this is a great example of why one should never trust user input [The Daily WTF]


  1. Some girl I work with lost a USB key with an Excel file with cold-call leads on it. Not in the same league, but it was a reminder that we have to be prudent.