Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Oracle's October pre-cpu advisory is released"] [Next entry: "October 2009 Critical Patch Update is out; Paul has a paper on escalation to OSDBA"]

Health Data Theft



I watched the Tonight program last night on ITV (This is a UK TV channel for all the non-UK readers of this blog) because I saw an ad for it at the weekend and it sounded really interesting.

The program is available on the ITV website on their ITV Player feature but the program is time restricted in that it will only be there for the next 29 days. I am also not sure if its also region restricted (i.e. can you only watch it is you are in the UK), I cannot check this but i am guessing possibly not. The Tonight program was about the black-market sale of UK health records in India. The bottom line is actually appalling. The reporter Chris Rogers was able to locate someone calling himself JAY.S who said he could provide British health records that include names, address, health registration details, doctors name, address and even hand-written doctors transcripts. He made contact with Jay S and went to India to meet him in person and to view sample records and make a possible deal to buy. Then amazingly someone higher up the food chain calling himself John intervened and offered a better price and better/more data. The best bit (in scale of appalling not that i think it was good) was when he said (paraphrased) "you name the disease and we will give you as many records as you want for people with that disease", amazing. So you could say you wanted 15,000 cancer patients records for instance. The reporters cover story was that he wanted the leads to market products and get customers/leads. The "Tonight show: Health records for sale" even tracked down a few of the people whose records they had been given in India.

I was appalled by the story; especially because I work in a data security business. The focus was on the off-shoring of work/data to India; but this has nothing to do with India specifically or off-shoring in general in my opinion; the real issue is that the original holder of this sensitive data asked one company to help electronicise (is that a real word? i must get a spell checker added to Greymatter blog software) their data, this company asked a second company to help, which in turn off-shored some of the work. It doesn't matter how many steps were involved or that the sales of this data were occuring in India, the issue for me is that the holder of the data lost control of his data once the data was managed by an outsider who then passed it out again. This is typical of data flow. Once data gets out, it multiplies. In my expericence most companies do not know where their data is; they think they do but in reallity they don't. In other words they often have a naive view of their data; they think that the credit card details are only in the table CREDIT_CARD for instance when in reallity its in a lot lot more places - some obvious, some not so.

Often data is replicated within the database itself through copying to other tables or because Oracle tends to copy data transiently and also permanently in some cases. Also data is often stored outside of the database in things like export files, old databases, output files from system / application features, reports, logs and many more; its also often copied to multiple databases thereby multiplying the problems.

For me the issue is really fundamental; if you store and manage critical data you must know where that data is. If you dont know where it is then it is impossible to secure that data. If you do know where your data is then you must know where every copy of your data is; this TV program illustrates why. It would be very difficult for thousands of health records to go missing from the source storage (i.e. a thief would need to infiltrate the original health practice in this case and then attempt to steal thousands of records - this would not go un-noticed) but it was clearly easier for the data to go missing from a copy of that data. This is the case in my experience in Oracle databases. You may have fantastic security features in you application, the database may be hardened to the nth degree, the privileges locked down on the CREDIT CARD table (say!) but if the data sits outside of the security cordon (database and application) because maybe it's in an unathorised list file created by a DBA or its copied to a development database with no security then the value of the original security doesnt matter. The thief will always take the data from the easiest option.

You must know where your data is, you must know how it flows, you must know who can see or modify the data; otherwise you cannot secure that data. period.

There has been 4 Comments posted on this article


October 20th, 2009 at 01:12 pm

Marcel-Jan Krijgsman says:

I don't remember where I got this, but I've found a report by Verizon Business with an analysis of 500 breaches: http://www.verizonbusiness.com/resources/security/databreachreport.pdf

It tells that in 66% of the cases the victim did not know that the stolen data was at the particular location where it was stolen.



October 20th, 2009 at 06:55 pm

Pete says:

Thanks for the link marcel-Jan, this bears out my own experience. Most sites I visit do not *really* know where their data really is.

I think data security and Oracle security in particular has improved immensely in the last 8 or so years that I have done only Oracle security full time but i still think there is a liong way to go before data can be really thought of as secure and that importantly we can trust others to look after our personal data.

Cheers

Pete



October 25th, 2009 at 03:20 pm

Frank Siepmann, 1SSA says:

Pete,

This is quite alarming. Seing such articles in a time when the US is going to enforce electronic medical records should be an eye opener. I have talked with many doctors and nurses about privacy and security of EMR data but security is not even #3 or #4 on their list of problems they are worrying about.

Regards,

Frank



October 26th, 2009 at 09:00 am

Pete says:

Hi Frank,

Thanks for your comment; you are right its a worrying time when records such as these are made electronic. As I said in the post the big issue for me is that organisations are not truly controlling their own data; they lose control once someone else is involved and having a legal contract to protect them is not enough; once my data is lost to someone its lost (and most likely replicated) you cannot un-lose it; a contract saying it is illegal is pointless. Data must be identified at source, you MUST know where it is and then you must prevent its access and replication.

Thanks Frank,

cheers

Pete