Monday, February 5, 2007

VA déjà vu

It happens again and again. People's identity data is compromised by the loss of a computer, hard drive or some system gets hacked. In fact for the VA this is tragically the second time in only months. See Computerworld {Link}. It's just unbelievable to me that these employees need to work with thousands of records on a local drive for any reason. First of all the article isn't clear how many records were compromised. Is it 48,000 or 20,000? I wish these articles would explain why these records were on an external hard drive in the first place. What project could this person been working on where he/she could not access the records as needed from a secured database or something? Why aren't the records on a server in a locked data center? Going back to May 2006 why was an employee carrying around 26 million records on a lap top? Now that would be helpful information in the article.

When I hear about these breaches it makes me stop and think about the project I've been involved in for the last 2 years and the projects coming up where I'll be dealing with employee identity data. When developing a TDI assembly line to pull user attributes from one system to another it's very common to test it with simple CSV or flat files for the source or destination of that data. I remember developing an assembly line to read thousands of users from one system and write the records to an LDAP. To test this I would first output the data to a file. This testing might occur many times over and over. These files may end up on various directories of my computer (lap top) which undoubtedly would go home with me at night. Maybe I'll stop at the Gym on the way home or the grocery store. Next thing you know my car gets broken into and I'm the next cause of a security breach at my company.

Well luckily I don't keep these files on my lap top really. Also lucky for me I don't happen to be dealing with personal information. But these security breaches have to make you stop and think if you are like me and happen to deal identity data from time to time. I guess the simple lesson is don't keep information like this on your machine. Make up a pile of bogus users if you have to test your assembly lines. If you need to test with real users do it on a secured machine that won't be sitting on the back seat of your car after 5:00pm.

No comments: