Why Trusting Any Organization With Your Data is Dicey at Best
The government would like us to believe that if they have unfettered access to all the data that they want, it will be secure. The evidence does not support that.
This past week, a terrorism database called World-Check was leaked accidentally (at least I think it was an accident). It contains information on about 2 million plus people for whom there are “heightened” security concerns. This could mean that they were in the news or that they were seen in Syria at an ISIS training camp. My point is that there is a huge range of reasons why someone might be on this list, and letting it leak could get someone fired or much worse.
The database includes people’s date and place of birth, among other fields. No one has provided the complete list of fields.
Thomson Reuters bought World-Check in 2011 for about $500 million, it is believed.
According to their web site, the data is collected from 500+ government and regulatory lists, local and government records, media searches, relevant industry sources and other sources.
On World-Check’s web site they claim that they identified 180 people or organizations before they appeared on the Treasury Department’s official OFAC list (Office of Foreign Assets Control, the official list that banks have to check). What they don’t say is how many people were added to the list who did nothing wrong.
Since the list is secret, you have no idea if you or a family member is on it until one of Thomson Reuters’ customers decides not to do business with you.
This week, CNN reported, an Arab businessman was arrested in a hotel lobby at gunpoint. His crime? He was in the U.S. getting medical care, and his landlord wanted to rent out the apartment for a lot of money during the Republican convention, so the landlord asked him to stay in a hotel that week. So his crime was that he was an Arab with a cell phone, looking for a hotel to stay at.
The hotel clerk saw a man in Arab dress and freaked. The police and the Mayor in this town had to come and apologize. The man had a stroke over the event and was hospitalized. Given that his health wasn’t good to start with, this could get expensive for the town of Avon, Ohio.
But the point is not about this person. I have no idea if he was on this list and I am pretty certain the hotel clerk didn’t know if he was either, but the clerk panicked and under those circumstances, people can die. Luckily, the man was smart enough to cooperate with the police and let them pay the bill for their error afterwards.
For scale, of the 2.2 million people on the list, 181,000 are on it for financial crimes, 928,000 are listed as ‘individual’ and 450,000 are listed as ‘political individual’.
Since you can’t see your own entry if it is there, you have no way to get incorrect or misleading information deleted or repaired.
In fact, some people are listed as deceased. Hopefully they actually are. Otherwise, that could cause problems.
In this case, the data was loaded into a database that was accessible from the Internet and was not even protected by the weakest level of security – it didn’t even have a password on it.
Thomson Reuters, in their defense, quickly found out which of their clients had posted the offending database and got them to remove it from the Internet.
Of course, we have no clue who else saw that database before Chris Vickery (the researcher who reported it to Thomson Reuters) found it.
Thomson Reuters said that the database was two years old. You can look at that several different ways. The first way is that it had been sitting on the Internet, unprotected, for two years. Another way is that the list is likely larger now, so those people who were added recently did not get their data compromised. None of the ways that you could reasonably look at it are positive.
The UK Information Commissioner said that the Data Protection Act requires this data to be protected, so they will be making ‘enquiries’.
The problem is that when you have large quantities of data and you share it with other people, whether inside the government (think of the Office of Personnel Management) or outside the government (think Anthem or this leak), it is quite hard to protect it.
Which means that we should probably be careful about what data we allow organizations to collect. Which is a serious challenge.
In this case, it wasn’t even a government entity; this is a private, commercial, for-profit company (in 2015 their EBITDA was about $3 billion).
They may be fined as a result of this leak, but probably not since it was a customer who leaked it, not them. And this was not the work of hackers. My guess – this is pure human error.
Still, large databases of information can cause large problems.
Whether this one will cause a large problem or not is mostly based on who was able to download it before it got pulled. This data might be useful to a range of people from blackmailers to terrorists. Only time will tell.
Information for this post came from Risk Based Security and BBC.