Pete Finnigan's Oracle Security Weblog

I watched the Tonight program last night on ITV (This is a UK TV channel for all the non-UK readers of this blog) because I saw an ad for it at the weekend and it sounded really interesting.

The program is available on the ITV website on their ITV Player feature but the program is time restricted in that it will only be there for the next 29 days. I am also not sure if its also region restricted (i.e. can you only watch it is you are in the UK), I cannot check this but i am guessing possibly not. The Tonight program was about the black-market sale of UK health records in India. The bottom line is actually appalling. The reporter Chris Rogers was able to locate someone calling himself JAY.S who said he could provide British health records that include names, address, health registration details, doctors name, address and even hand-written doctors transcripts. He made contact with Jay S and went to India to meet him in person and to view sample records and make a possible deal to buy. Then amazingly someone higher up the food chain calling himself John intervened and offered a better price and better/more data. The best bit (in scale of appalling not that i think it was good) was when he said (paraphrased) "you name the disease and we will give you as many records as you want for people with that disease", amazing. So you could say you wanted 15,000 cancer patients records for instance. The reporters cover story was that he wanted the leads to market products and get customers/leads. The "Tonight show: Health records for sale" even tracked down a few of the people whose records they had been given in India.

I was appalled by the story; especially because I work in a data security business. The focus was on the off-shoring of work/data to India; but this has nothing to do with India specifically or off-shoring in general in my opinion; the real issue is that the original holder of this sensitive data asked one company to help electronicise (is that a real word? i must get a spell checker added to Greymatter blog software) their data, this company asked a second company to help, which in turn off-shored some of the work. It doesn't matter how many steps were involved or that the sales of this data were occuring in India, the issue for me is that the holder of the data lost control of his data once the data was managed by an outsider who then passed it out again. This is typical of data flow. Once data gets out, it multiplies. In my expericence most companies do not know where their data is; they think they do but in reallity they don't. In other words they often have a naive view of their data; they think that the credit card details are only in the table CREDIT_CARD for instance when in reallity its in a lot lot more places - some obvious, some not so.

Often data is replicated within the database itself through copying to other tables or because Oracle tends to copy data transiently and also permanently in some cases. Also data is often stored outside of the database in things like export files, old databases, output files from system / application features, reports, logs and many more; its also often copied to multiple databases thereby multiplying the problems.

For me the issue is really fundamental; if you store and manage critical data you must know where that data is. If you dont know where it is then it is impossible to secure that data. If you do know where your data is then you must know where every copy of your data is; this TV program illustrates why. It would be very difficult for thousands of health records to go missing from the source storage (i.e. a thief would need to infiltrate the original health practice in this case and then attempt to steal thousands of records - this would not go un-noticed) but it was clearly easier for the data to go missing from a copy of that data. This is the case in my experience in Oracle databases. You may have fantastic security features in you application, the database may be hardened to the nth degree, the privileges locked down on the CREDIT CARD table (say!) but if the data sits outside of the security cordon (database and application) because maybe it's in an unathorised list file created by a DBA or its copied to a development database with no security then the value of the original security doesnt matter. The thief will always take the data from the easiest option.

You must know where your data is, you must know how it flows, you must know who can see or modify the data; otherwise you cannot secure that data. period.