"A staff member at PA Consulting Group has been suspended after the contractor lost details on all prisoners in England and Wales, along with those of tens of thousands of offenders.
The data was being held, unencrypted, on a memory stick for processing purposes, the Home Office said in a Friday statement, saying that precisely how that stick was lost is now the subject of an internal investigation. A Home Office spokesperson told ZDNet.co.uk that PA Consulting had been "appointed by the Home Office in June 2007 to provide application support for tracking prolific and other priority offenders through the criminal justice system"."
Whilst this is the latest in a line of data losses in the UK, it seems to be part of a worldwide trend in data loss. Is data loss a new issue? Or is it simply that data loss reporting is a new trend? Or is it even worse than this, and data loss recognition is in fact the new trend? I mean, in years gone by (even recent years), did people even know or care that data loss had occurred?
It is a current certainty that data losses are occurring and that people and governments are now standing up and paying attention. Unfortunately we are in the "we know it's happening" phase and not the "we have stopped it happening" phase. But it is (perversely) a step in the right direction that the public do know that this is going on.
In each of these major cases involving the UK government (in the sense that it's the data they hold) there is an enquiry into what went wrong and supposedly fixes to stop it happening, but it seems to carry on happening. In each case the details of how it happened are different, but the end result is that data gets lost. Why is data being taken out of the systems designed to protect that data? Why is it ending up on CDs and memory sticks or on laptops left on trains?
To me this reflects what I see day to day in my work for customers protecting data held in Oracle databases. I teach classes on how to perform an Oracle Database Security Audit and I also conduct Oracle Database Security Audits, and whilst these government data losses are not indicated to be from Oracle databases, the lessons I teach and the evidence I find point to the same endemic issue.
One of the key things I want to understand is who accesses data, at what level, from where and how. That is, I want to understand how data "flows" into and out of the database. Leading from this, I also want to understand "where" the data actually is. In all companies that I audit there are always more routes to the data than the customer thinks, and also more people accessing it, in more ways, than the customer's management thinks. Coupled with this is the problem that customers naively think that data is in one place and held in one table. This is not the case; in my experience data is held in many places and used for many purposes. The idea that the employee data is on SCOTT.EMP is very naive. The data is often in other tables, such as interface tables, summary tables, reports layers... Worse, the data is often outside of the database in report files, CSV files on desktops, export files, backup files...
This is one of the key issues for me: most companies do not appreciate or understand exactly where their data is or how it's accessed and by whom. They often think that they know....
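As a starting point for the "where is the data and who can reach it" question above, the following added example (not part of the original post) uses the Oracle data dictionary to look for likely copies of SCOTT.EMP and the grants on them. The match on shared column names and the threshold of three are assumptions for illustration; the queries need read access to the DBA_ views.

```sql
-- 1. Candidate copies of SCOTT.EMP: any other table or view that shares
--    at least three column names with it (heuristic, threshold assumed),
--    together with every grantee that holds a privilege on that object.
WITH src AS (
  SELECT column_name
  FROM   dba_tab_columns
  WHERE  owner = 'SCOTT'
  AND    table_name = 'EMP'
),
candidates AS (
  SELECT c.owner, c.table_name, COUNT(*) AS shared_cols
  FROM   dba_tab_columns c
  JOIN   src s ON s.column_name = c.column_name
  WHERE  NOT (c.owner = 'SCOTT' AND c.table_name = 'EMP')
  GROUP  BY c.owner, c.table_name
  HAVING COUNT(*) >= 3
)
SELECT cand.owner,
       cand.table_name,
       cand.shared_cols,
       p.grantee,      -- NULL when no object grant exists
       p.privilege
FROM   candidates cand
LEFT   JOIN dba_tab_privs p
       ON  p.owner = cand.owner
       AND p.table_name = cand.table_name
ORDER  BY cand.shared_cols DESC, cand.owner, cand.table_name, p.grantee;

-- 2. Routes to the data that do not copy it: views, materialized views
--    and stored code that reference SCOTT.EMP directly.
SELECT d.owner, d.name, d.type
FROM   dba_dependencies d
WHERE  d.referenced_owner = 'SCOTT'
AND    d.referenced_name  = 'EMP'
AND    d.referenced_type  = 'TABLE'
ORDER  BY d.type, d.owner, d.name;
```

Renamed columns and the copies held outside the database (report files, CSV files, exports, backups) will not show up here, so the result is a lower bound on where the data lives.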