Another data breach carried out by the “hacktivist” group known as “Anonymous” provides an opportunity for businesses to become reacquainted with several important data security concepts. First let’s briefly review the background of the incident.
This time Anonymous hacked the Bay Area Rapid Transit system, commonly known as BART. BART is the second largest public transportation system in Northern California and carries about 40,000 riders a day. Anonymous was able to access and steal personal information on about 2400 BART customers who utilize the myBART website to manage their accounts. The information taken was reported by Anonymous to include system user names and passwords, individual last names, addresses, and telephone numbers.
The breach was apparently the result of Anonymous’ displeasure with a decision by BART authorities last Thursday to turn off cell phone service at four of its stations. BART decided to do so as part of an effort to control a planned demonstration that day at the train station where a homeless man was fatally shot by a BART police officer after he confronted them with a knife.
Much of the media coverage of this incident has focused (as no doubt intended by Anonymous) on First Amendment and political questions related to the decision to suspend phone service as a means of controlling protest. Some have likened BART’s actions to those of some Middle Eastern governments’ efforts to control protests against them this past spring and summer. These and related issues are better discussed on other blogs. I will focus on some of the security and privacy issues implicated by this incident. There are three significant issues of interest to businesses: information governance, risk assessment, and breach notification.
Information Governance – Know Your Business And Related Privacy Responsibilities
Today almost all businesses possess significant amounts of sensitive information which is likely to be subject to various laws, regulations, and guidelines related to data security and privacy. However, many executives, especially, but not exclusively, those in small or medium-sized organizations (who may not have the benefit of in-house IT or legal support), are often unaware of how information security and privacy laws apply to the information they possess, in the context of their particular business operations. For example, few people naturally think of a public transportation agency like BART as being a repository of sensitive personal information. However, with the movement toward electronic fares and payment systems, this is more and more becoming the case.
Lack of knowledge about a company’s privacy and security responsibilities regarding information in its possession is often exacerbated by the fact that businesses are collecting, and more importantly, indefinitely storing, increasing amounts of information about their customers, employees, and partners. Some of this information is necessary to the business’s core functioning; much of it is not. This kind of information overload is often the root cause of many information security and privacy missteps.
This highlights the principle that changes in a business’s method or means of operation may necessitate changes in its information security and privacy responsibilities and practices. It is often the case that the first time a connection is made between the information in a business’s possession and the security and privacy obligations affecting that information is in the middle of a breach incident.
To address these issues, every business needs to have a sound business and legal answer to each of four basic information governance questions: (1) what sensitive personal information do we collect; (2) where and how is it stored; (3) how long does it need to be kept; and, most importantly, (4) how will we protect it while it is in our possession. Answering these questions is critical to the development of cost-effective, technologically sound, and legally defensible information security and privacy policies and practices.
We will discuss information governance in depth in future posts on this blog.
Risk Assessment – Making The Right Choices
It is not enough to merely identify sensitive information and system vulnerabilities. Effective and legally defensible security requires sound risk assessment: that is, the analysis and weighing of likely attacks and their resultant consequences.
Anonymous has stated that it breached the myBART website using an SQL injection exploit. If true, this is a common and very well known form of attack. For several years there have been a number of programming methods which have been shown to effectively eliminate or seriously minimize this kind of threat. BART is not alone in falling victim to this relatively unsophisticated attack. For example, a number of the successful attacks by Anonymous on the Sony gaming systems earlier this year used this method. The continued availability of these unsophisticated attack vectors, even after they have been publicly disclosed and extensively analyzed and documented, indicates that far too many businesses are either not taking information security seriously enough, or, more likely, not making sound decisions about what information to protect and how to do so.
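The programming methods the paragraph alludes to include the parameterized query. The following is an added example, not code from the original post or from BART’s myBART site: it runs the same customer lookup in the vulnerable string-built form and in the parameterized form against a constructed in-memory table, showing that only the parameterized form keeps user input from changing the structure of the query (and that it also handles a legitimate name containing an apostrophe, which the string-built form cannot).

```python
import sqlite3

# Constructed sample rows standing in for a customer-account table such as the
# one behind a site like myBART; these are not real BART records.
SAMPLE_CUSTOMERS = [
    ("alice", "415-555-0100"),
    ("o'neil", "510-555-0199"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory table holding the constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, phone TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the SQL text is assembled from user input, so a quote
    character in the input is parsed by the database as part of the query."""
    sql = "SELECT username, phone FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: a parameterized query. The SQL text is fixed and the
    input is bound as a value, so it is never parsed as part of the query."""
    sql = "SELECT username, phone FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both forms on a normal name, a name containing an apostrophe, and
    the textbook tautology string; return the row count (or the error text)."""
    conn = build_db()
    results = {}
    for label, name in [("normal", "alice"), ("apostrophe", "o'neil"),
                        ("tautology", "' OR '1'='1")]:
        try:
            results[("unsafe", label)] = len(lookup_unsafe(conn, name))
        except sqlite3.OperationalError as exc:  # broken SQL: input became syntax
            results[("unsafe", label)] = "error: " + str(exc)
        results[("safe", label)] = len(lookup_safe(conn, name))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the string-built query the tautology input returns every row in the table and the apostrophe in a real name produces a syntax error; the parameterized query returns exactly the matching row in both cases and nothing for the tautology.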
While it is true that there is no such thing as perfect or foolproof security, there should nonetheless be far fewer examples of data breaches carried out through the use of common, well-understood and well-documented vulnerabilities and exploits. This is attainable through application of a basic risk assessment guideline: the most sensitive information must at least be protected from the most common methods of attack. This is true not only because of the potential legal risks (negligence, breach of duty, foreseeable risk, etc.) attendant to a failure to do so, but because of the business risks as well. Put simply, if a business is perceived as being unable to secure its information from a relatively simple and well known attack, its present and potential customers and business partners may lose confidence in its ability to secure their information from the far more sophisticated attacks emerging today (e.g. “spear phishing” and Advanced Persistent Threat (APT) attacks). They may also lose interest in engaging in prospective relationships with such a business.
Breach Disclosure – Strong But Useful Medicine
Most state breach notification laws now require not only notification of the affected individuals, but also notification of the state Attorney General. Most Attorneys General then disclose the notification and related information to the public. While often stressful and costly to the businesses involved, public disclosure is a valuable contributor to the goal of improving overall information security and privacy protection.
Notification allows affected individuals to make informed choices about the actions that they may wish to take to mitigate any potential harm that has been or may be caused as a result of the breach. Public disclosure also allows the affected individuals, as well as others not presently affected, to make choices about whether or not they wish to entrust their sensitive information with a particular business in the future.
While not an ideal model for advancing security awareness and readiness, public disclosure has also proven to be an effective incentive for spurring businesses to improve security. This results not only from fear of public shaming, but also because public disclosure forces busy business leaders to think about security issues when they otherwise may not have the time, desire, or interest to do so. Public disclosure provides a safe and convenient way to review and compare the relative state of their own security with that of their peers or competitors. Many substantive discussions with clients, and the first steps toward a significantly improved information security structure, have come on the heels, and as a result, of a publicly disclosed breach involving another entity. Most of the various federal breach notification bills now pending before Congress seem to recognize and preserve these concepts.
Because of the nature of the information which reportedly was accessed and taken in the BART breach, it is possible that BART may not have had a legal obligation, under the California breach notification statute, to disclose the breach to affected customers or the public in general. In point of fact, many companies now feel that they have an ethical duty to notify their affected customers and employees of such breaches. They do so regardless of the existence of a precise legal requirement.
Any speculation about what action BART would or should have taken to disclose the breach of its system was rendered moot as a result of Anonymous’ own disclosures. For the reasons previously discussed, measured notification and/or public disclosure of data breaches has many salutary effects. Thus once again, and in some ways paradoxically, informing the public and educating businesses about security matters has proven to be a silver lining in an otherwise Anonymous cloud.