[BreachExchange] Deleting Data Vs. Destroying Data: The Difference Can Be Damning

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 23 11:08:29 EST 2016


http://www.information-management.com/news/security/deleting-data-vs-destroying-data-the-difference-can-be-damning-10028296-1.html

Since last August, dating site Ashley Madison has become notorious for more
than just infidelity; it’s become the poster child for the data breach
debate – and for the confusion between ‘deleting’ and ‘erasing’ data for good.

Amidst all the media backlash and shaming of the site’s users, one thing is
certain. Ashley Madison broke the cardinal rule by overpromising and
under-delivering – they charged users a $20 fee for the ‘Full Delete’
service purporting to remove their data, but the data was not completely
erased and was still intact.

The site wasn’t the first to be hacked and it won’t be the last; but what
is unique about this specific case is that the tech and IT staff inside the
site’s organization haven’t learned what they really should from the
mistake.

Attempting to repent for its ‘sins’ – so to speak – and make good with
distraught customers – Ashley Madison rolled out a new “discreet photo”
security tool that lets users hide their identity on their profile page by
choosing from two different masks (black or brown), a black bar that covers
their eyes or four different degrees of blurring.

While this new feature is somewhat interesting, it’s not really what I
would deem to be the best corrective action to take after they failed so
miserably to remove customer data. Rather than address the big issue – the
failure to remove user data completely and permanently – they’re just
putting a very ineffective and flimsy Band-aid over the injury.

Rather than let users put a mask over their profile photos, I’d caution the
dating site to take stock of the cause of the breach (not the breach
itself) and focus on changing things seriously so that cause doesn’t – and
can’t – ever happen again. Here’s what I would advise them.

Collect data, but do it responsibly.

Protecting data at the end of life starts before you even allow it into the
enterprise. Before data is collected and processed, set clear definitions
for all types and levels of profiling implemented by your organization.
Communicate your plan with data subjects so that they are aware of the
intended purpose behind collecting certain data.

A concern was raised following the Ashley Madison hack that bogus accounts
were being created in order to blackmail individuals. It was found that the
only verification needed to create an account was an email address. Part of
collecting data responsibly and protecting individuals’ data is also making
sure that there is an identity verification process in place that dissuades
this type of activity.

Do your due diligence and review everything you have - and don’t have.

It may seem like an obvious point, but the number of businesses that don’t
keep up-to-date documentation of where all of their data is stored is a
serious cause for concern.

Data is stored onsite on network servers, hard drives, solid state drives,
computers, smartphones and tablets, but it’s also maintained offsite with
third-party data centers and cloud storage providers. It’s everywhere, and
there are multiple people involved in the process at different stages.

So what should businesses like Ashley Madison do? They should create a
detailed account that can be communicated with internal departments and
stakeholders of all of the physical, virtual and logical places that data
is stored.

Once all data has been located, it’s necessary to determine which data
should be kept in a secure environment and which data is no longer needed
and therefore, must be completely erased so as to never resurface again.
This needs to be documented, communicated and shared with your internal
staff (across all departments) as well as to your customers.

So if your privacy policy – or a service like ‘Full Delete’ – tells
customers that once they remove their account, all of their personally
identifiable information is irrevocably erased, your company better honor
that.

Get rid of it – for good.

There’s so much myth and confusion around the ‘deletion’ of data. Is it an
effective method? Does it remove data completely and permanently so there’s
no possibility of it ever being retrieved, or worse, hacked? Is there proof
that the method used to ‘delete’ data actually got rid of the data for
good? And as the Ashley Madison mistake proved, it’s not just everyday
users who make this mistake. Even those who work in IT and technology don’t
necessarily understand the difference.

Here are the facts. ‘Deleting’ data only removes the pointers (directory
entries) that reference the data – creating the illusion that the data has
been removed, when the underlying bytes remain on the medium and can still
be accessed and retrieved.

Instead of pushing the promotion of their new ‘hidden masks’ feature on the
site, Ashley Madison should be telling customers and the media that it’s
either in the process of, close to finalizing or has finalized the purchase
of a technology solution that achieves all of the following:

Randomly overwrites data with 0s and 1s, in accordance with legal
requirements (remember, other methods such as reformatting hard drives are
not adequate and a factory reset does not work on Android devices)

Has been tested, certified and approved by leading governing bodies such as
NATO, NIST, CESG, etc.

Provides physical proof of the ‘erased’ data
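The pointer-versus-overwrite distinction described above, together with the overwrite-and-verify requirement in the list, as an added illustration that is not part of the article: a toy block device in Python with a constructed sample record, where ‘delete’ drops only the directory entry (so a raw scan still finds the data) and ‘destroy’ overwrites the blocks with random bytes, re-reads them to verify, and returns a per-block report. The block size, file name and record are constructed for the example.

```python
import secrets

BLOCK_SIZE = 16  # constructed toy geometry; not a real file-system layout


class ToyDisk:
    """Toy block device plus a directory table standing in for a file system.

    delete() drops the directory pointer only, like unlink() on a real system.
    destroy() overwrites the blocks, verifies the overwrite, then drops the pointer.
    """

    def __init__(self, n_blocks=8):
        self.blocks = bytearray(n_blocks * BLOCK_SIZE)
        self.free = list(range(n_blocks))
        self.directory = {}  # file name -> list of block numbers

    def _span(self, b):
        return slice(b * BLOCK_SIZE, (b + 1) * BLOCK_SIZE)

    def write(self, name, data):
        used = []
        for off in range(0, len(data), BLOCK_SIZE):
            b = self.free.pop(0)
            self.blocks[self._span(b)] = data[off:off + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            used.append(b)
        self.directory[name] = used

    def delete(self, name):
        # Pointer removal only: the bytes stay on the medium untouched.
        self.free.extend(self.directory.pop(name))

    def destroy(self, name):
        # Overwrite each block with random bytes, re-read to verify, and return a
        # per-block (block, verified) report usable as an erasure record.
        # Caveat: flash/SSD wear-levelling can keep stale copies the OS cannot
        # reach, so this in-place model is optimistic for such media.
        report = []
        for b in self.directory[name]:
            before = bytes(self.blocks[self._span(b)])
            self.blocks[self._span(b)] = secrets.token_bytes(BLOCK_SIZE)
            report.append((b, bytes(self.blocks[self._span(b)]) != before))
        self.free.extend(self.directory.pop(name))
        return report

    def raw_contains(self, needle):
        # Forensic-style scan of the raw image that ignores the directory.
        return needle in bytes(self.blocks)


RECORD = b"user@example.com,SECRET-PROFILE-DATA"  # constructed sample record


def delete_leaves_data():
    disk = ToyDisk()
    disk.write("profile.txt", RECORD)
    disk.delete("profile.txt")
    return disk.raw_contains(b"SECRET-PROFILE-DATA")  # True: still recoverable


def destroy_removes_data():
    disk = ToyDisk()
    disk.write("profile.txt", RECORD)
    report = disk.destroy("profile.txt")
    return disk.raw_contains(b"SECRET-PROFILE-DATA"), report  # (False, ...)
```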