Not all data breaches are created equal. The data elements compromised don't always destroy civilization as we know it. Further, understanding the root cause of a breach is a better use of time and resources than chasing elusive causes, causes that arise because someone was quick to point a finger at security ignorance as the reason things fell apart.
In a recent article at CSOonline.com, Joan Goodchild described a breach of student dates of birth and grades stored on a Princeton Web site. The data were available for some time, allegedly due to a change of site hosting services. The reaction to the breach was predictable, with people expressing fear and concern over the loss of dates of birth. Claims were made that loss of this information exposes students to increased risk of identity theft. This was accompanied by comments about Princeton and site hosting staff not understanding the importance of Web site security. I submit that both assertions are wrong.
It's been some time since I believed using a date of birth, mother's maiden name, or father's middle name was a good way to verify identity. This information is freely available via public records, both on and off the Internet. Take a look at a sample individual report, available for $34.95. About a year ago I actually paid the fee to see what I could find out about myself. The result caused me to quickly check the secret questions I use for banking and other secure online transactions. While exposing grades might be life-changing for students more concerned with the social benefits of college life, losing dates of birth is not going to increase student identity exposure very much.
Organizations and security pundits need to get this right. Proper data classification is important if an organization wants to apply limited resources to the right vulnerabilities.
As for claims that the cause of this breach might be that both Princeton and the site provider don't understand the importance of security, I believe the root cause lies elsewhere. What are the chances Princeton IT staff don't understand the need to properly protect information? The problem is probably located in change processes rather than in a mythical security vacuum.
Change management is a critical process many organizations either ignore or loosely follow. A good change process requires cross-functional review, including security. It also mandates quality assurance testing of all requirements. And no system requirements definition is complete without security requirements resulting from a thorough risk assessment. There's a good chance that a root cause analysis of the Princeton breach will find a flaw in how changes are managed rather than IT negligence.
Resolving security issues is often about asking the right questions instead of quickly looking for someone to blame. And protecting personal information starts with understanding which identity components are already available to anyone with a small credit card balance.
This is just one more example of why each of us must take responsibility for protecting ourselves from identity thieves. No system is invulnerable to attack, making it likely that every one of us will eventually have his or her identity exposed to possible theft. The U.S. Federal Trade Commission provides numerous personal protection guidelines. It takes effort from both the public and those who store their information to apply the layers of defense necessary to stop identity thieves.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.