How to Turn 4 Million Into 18 Million


June 23, 2015

By Joel Rosenblatt

The story about the Office of Personnel Management getting hacked this week was, unfortunately, not a big surprise to anyone in the security world. How it got hacked, by phishing, was something that anyone who has been in the security field for any length of time could have predicted.

What comes as a surprise to me (and, it really shouldn’t have) was the news this morning that in addition to anyone who works for the government, and people who used to work for the government, the hackers also were able to collect the information on people who merely applied to work for the government.

This last group, in my opinion, represents the real problem with how we treat data collection today. My rule on data is you can’t lose what you don’t have. Never save data that you do not have a good business reason to save. This rule was clearly violated in the OPM case.

What possible reason could they have for retaining the information on 14 million Americans who, in good faith, just applied for a job? It appears to me that once the rejection letter went out, the proper thing to do would be to purge the record.

I guess in some way, I could blame the storage manufacturers, since they keep coming out with cheaper and cheaper storage. I have cases of 1 TB drives (for the storage of email in Data Discovery cases) – each drive will very comfortably fit in your pocket and is available in a 2 TB package for the serious packrat.

I’ve been around this business long enough that my first storage device was a punch card – 80 bytes of permanent memory (provided you didn’t fold, spindle or mutilate). In those days, storing the data on 14 million people that you didn’t really need would have been unheard of.

I jest of course, but we are living in a world where deleting information has become unnecessary. It is not unusual for storage devices to be measured in petabytes, soon to become exabytes (for the curious, after exabytes come zettabytes and then yottabytes).

The problem, as I see it, is not that hackers are breaking in and stealing data. People have been breaking into things forever and stealing stuff. It’s that we are collecting information in such massive quantities that WHEN they break in (notice, I did not say IF) they find 18 million records to take instead of the 4 million that should have been there.
