
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Another Major UK Data Loss

A few days ago another major data leak occurred in the UK, this time involving a UK consultancy called PA Consulting and the British Home Office. An article, "Worker suspended over loss of prisoner data", reports:

"A staff member at PA Consulting Group has been suspended after the contractor lost details on all prisoners in England and Wales, along with those of tens of thousands of offenders.

The data was being held, unencrypted, on a memory stick for processing purposes, the Home Office said in a Friday statement, saying that precisely how that stick was lost is now the subject of an internal investigation. A Home Office spokesperson told that PA Consulting had been "appointed by the Home Office in June 2007 to provide application support for tracking prolific and other priority offenders through the criminal justice system"."

Whilst this is the latest in a line of data losses in the UK, it seems to be part of a worldwide trend in data loss. Is data loss a new issue? Or is it simply that data loss reporting is a new trend? Or is it even worse than this, and data loss recognition is in fact the new trend? I mean that in years gone by (even recent years) did people even know or care that data loss had occurred?

It is a current certainty that data losses are occurring and that people and governments are now standing up and paying attention. Unfortunately we are in the "we know it's happening" phase and not the "we have stopped it happening" phase. But it is (perversely) a step in the right direction that the public do know that this is going on.

In each of these major cases involving the UK government (in the sense that it is their data) there is an enquiry into what went wrong and supposedly fixes to stop it happening, but it seems to carry on happening. In each case the details differ in terms of how it happened, but the end result is that data gets lost. Why is data being taken out of the systems designed to protect it? Why is it ending up on CDs and memory sticks, or on laptops left on trains?

To me this mirrors the evidence I see day to day in my work for customers protecting data held in Oracle databases. I teach classes on how to perform an Oracle Database Security Audit and I also conduct Oracle Database Security Audits, and whilst these government data losses are not reported to be from Oracle databases, the lessons I teach and the evidence I find point to the same endemic issue.

One of the key things I want to understand is who accesses data, at what level, from where and how. That is, I want to understand how data "flows" into and out of the database. Leading from this I also want to understand "where" the data actually is. In all companies that I audit there are always more routes to the data than the customer thinks, and also more people accessing it, in more ways, than the customer's management thinks. Coupled with this is the problem that customers naively think that data is in one place and held in one table. This is not the case; in my experience data is held in many places and used for many purposes. The idea that the employee data is only in SCOTT.EMP is very naive. The data is often in other tables, such as interface tables, summary tables and report layers... Worse, the data is often outside of the database in report files, CSV files on desktops, export files, backup files...
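The data dictionary is where an audit of "where is the data and who can reach it" starts. The queries below are an added example, not from the post, and assume the SCOTT.EMP case used above (owner, table and column names must be adapted to the system being audited); they are run as a DBA.

```sql
-- Added example: Oracle data-dictionary queries for mapping copies of, and
-- routes to, the employee data that is assumed to live in SCOTT.EMP.

-- 1. Where else does the data live? Columns that mirror EMP's sensitive
--    columns in any other schema (interface, summary and reporting tables).
SELECT owner, table_name, column_name
FROM   dba_tab_columns
WHERE  column_name IN ('ENAME', 'SAL', 'COMM')   -- extend with local naming
AND    NOT (owner = 'SCOTT' AND table_name = 'EMP')
AND    owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY owner, table_name;

-- 2. Which views, procedures and packages read SCOTT.EMP directly?
--    Report layers and summary-table loaders usually surface here.
SELECT owner, name, type
FROM   dba_dependencies
WHERE  referenced_owner = 'SCOTT'
AND    referenced_name  = 'EMP'
ORDER  BY owner, name;

-- 3. Who can read it? Direct object grants first ...
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SCOTT' AND table_name = 'EMP';

-- ... then every real user reached through nested roles that carry a grant.
SELECT DISTINCT grantee AS user_via_role
FROM   dba_role_privs
WHERE  grantee IN (SELECT username FROM dba_users)
START WITH granted_role IN (SELECT grantee FROM dba_tab_privs
                            WHERE owner = 'SCOTT' AND table_name = 'EMP')
CONNECT BY PRIOR grantee = granted_role;

-- 4. Routes that bypass object grants altogether.
SELECT grantee, privilege AS route
FROM   dba_sys_privs
WHERE  privilege = 'SELECT ANY TABLE'
UNION ALL
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  granted_role IN ('DBA', 'EXP_FULL_DATABASE');

-- 5. Routes out of the database to the file system: directory objects and
--    who may read or write them (UTL_FILE and Data Pump write there).
SELECT d.directory_name, d.directory_path, p.grantee, p.privilege
FROM   dba_directories d
JOIN   dba_tab_privs   p ON p.owner = d.owner AND p.table_name = d.directory_name
ORDER  BY d.directory_name, p.grantee;
```

Every row these return is a place or a person the customer's own picture of "the employee data is in SCOTT.EMP" did not include; PUBLIC appearing as a grantee in step 3 or 5 is the usual surprise.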

This is one of the key issues for me: most companies do not appreciate or understand exactly where their data is, how it is accessed, or by whom. They often think that they know...

There have been 3 comments posted on this article

August 25th, 2008 at 12:10 pm

Pete Finnigan says:

Rather than "data loss reporting a new trend", I think it is more of "data loss a new issue". In early computing environments, data was really in one place. Now, it is on Thumbdrives, CDs, Notebooks and what not.

August 25th, 2008 at 04:07 pm

Pete Finnigan says:

Hi Hemant,

Thanks for your comment. I agree with your view about the plethora of places people are now storing data and multiple copies of that data in general.

What I was talking about is, is the problem new, or is it that people have started to realise that data is going missing? Certainly ten years ago I can remember data strewn all over the place on various customers' machines / sites. I remember data being written to tapes and sent through the post; I also remember data being copied to test systems in copious quantities.

I think data leakage, distribution or whatever is not new, my view is that people are starting to take notice of it or perhaps the consequences of it going missing. Probably people always knew it was being copied and maybe even knew it went missing.

August 28th, 2008 at 06:56 am

Pete Finnigan says:

Interesting questions you ask... I think the issue of data loss has become critical when companies and governments especially started to gather all kinds of personal information about customers or citizens respectively. And I think they're not aware or don't care enough about the sensitivity of the data.