By Bob William Nkonjela (ICT Consultant – KPMG).
The views expressed in this article are his own and not necessarily those of KPMG.
Introduction
As an information systems auditor, I have had the privilege of working with multiple organisations, both domiciled within the country and some offshore. I have inspected multiple systems, ranging from simple service desk applications to complex loan calculation systems run by multinational companies with the most secure controls, but one thing always baffles me: why is the weakest point of entry almost always the database?!
To put everything in context, systems usually have three layers: the operating system, the application and the database layer.
- The application layer is what the regular user of the system usually interacts with, and organisations make sure that all security measures are considered and implemented there.
- The operating system layer more or less gives you access to the computer itself. Given that the regular user also interacts with this directly, organisations always make sure that its security controls are up to par.
- The database layer, as the name suggests, is where the system stores all the data that is generated and used by the application. This means that this layer may hold a record of every transaction the organisation has made since its inception and can give a picture of the organisation's state in the present day.
Given the obscure nature of the database, in that you would not know it is a separate layer of the system unless you have some basic IT knowledge, it is easy to see why organisations may overlook the security requirements of this layer.
In layman's terms, a lot of organisational systems are equivalent to a house in which the owner buys the most expensive locks to secure the front door but keeps the back door open. Most burglars only know about the front door, so some attacks will not succeed, but there are a few individuals who may know about the back door, and this is where the risk of having an under-protected database comes in.
Popular Data Leaks
Meta
Meta, formerly known as Facebook, is a billion-dollar multinational technology company that operates a social networking platform allowing individuals to connect online. The organisation makes most of its revenue by selling advertising space on its platforms. This means that, in addition to the personal data that we add to our Facebook accounts, there are millions of user bank account details as well. Of course, a company of such magnitude, handling all sorts of personal and sensitive data, would be expected to have the most secure controls to avoid any data leakage, which it does. However, in 2019 multiple Facebook databases were found to be unprotected by passwords or encryption, meaning anyone searching the internet could gain access to the data. This affected millions of user records. The organisation has since encrypted and password-protected all affected databases but was fined an estimated $5 billion.
Amazon
Amazon.com, Inc. is an American multinational technology company that focuses on e-commerce, cloud computing, digital streaming, and artificial intelligence. The organisation reports revenue of about $232.9 billion per year and has an average of about 197 million monthly website visitors. This means the organisation has access to millions of users' sensitive data and, as such, has made use of the most up-to-date security controls on its systems. However, as was the case with Facebook, the organisation recorded a data breach in May 2021. The breach was caused by a database with no encryption or password protection. Compromised data included email addresses, Telegram and WhatsApp phone numbers, PayPal account details and usernames (many containing names and surnames).
It is amazing to think that organisations of such magnitude would have databases without any security controls. One can only wonder how many other trusted organisations have similar problems, not to mention the small to medium-sized organisations that hold our sensitive data.
What are the Consequences of Data Leaks?
Repercussions of a data breach are more severe for the company's customers or users. The breach might mean that unknown individuals have access to their finances and other such data. With the right set of data, malicious individuals can assume your identity for their own benefit. Imagine paying back a loan that you don't remember taking. Perhaps your details may be used to commit a crime, and you would not know how to defend yourself.
To an organisation, the loss of data will greatly damage its reputation, lead to a loss of business and make it less attractive to prospective employees. Furthermore, depending on the nature of the breach, regulatory and legal penalties will be enforced.
The General Data Protection Regulation (GDPR) provides a set of data protection laws that span all member countries of the European Union (EU) and extends to anyone providing or receiving services from the EU. The GDPR has fined companies such as Yahoo and Equifax amounts as significant as $85 million and $575 million respectively due to data breaches that affected millions of users in their databases. Different bodies govern data protection in different parts of the world. Locally, the Zambian parliament has enacted the Data Protection Act, 2021. The Act provides guidelines to organisations regarding the safeguarding of all personal and sensitive data. It also stipulates various penalties for not following the documented guidelines, including fines, imprisonment or, in some cases, both.
Conclusion
It is not all doom and gloom in the field of data. As the heading suggests, data is an asset, and with correct usage it can be the backbone on which an organisation thrives in its operations. The data science field is still in its infancy, but organisations are already able to use it to optimise processes and make more informed decisions.
Only if organisations adhere to the data protection laws in their environments, and ensure that their compliance is independently certified, will they be able to get value from their data and ensure its integrity.