Security Sense: You Cannot Lose What You Do Not Have, So Stop Having It!

I was sent over a link to a data breach the other day by someone who thought it would be a good addition to Have I been pwned? which is my free service to help people understand where their personal info may have been exposed. This time it was an ISP in Moldova that was hacked and as is often the way these days, the attackers proceeded to dump the spoils publicly for all to see, assumedly as a sign of their hacking prowess. (Actually, that link also includes a video of them being arrested in rather dramatic style so it may not have worked out so well for them in the end)

Anyway, in looking at the personal data attributes that were leaked, I’m seeing things like birthdate, gender and even passport number. What on earth were these guys thinking?! I cannot for one moment fathom how knowing a person’s passport number of gender helps an ISP deliver a better service to their customers. Even birthdate has little value, perhaps just verifying that someone is over a certain age or sending them an annual card, both of which could be achieved without requiring the entire birthdate (and frankly the latter is of questionable value anyway).

When I look back through the publicly dumped breaches of recent years, I see this trend over and over again. Sony Pictures back in 2011 had birthdates as did Boxee last year. The Bell telco in Canada stored gender as did even the Pokemon Creed RPG website. Why?! What possible advantage did these organisations gain from holding data which they were clearly unable to protect?

So now, as with data breaches of passwords, everyone needs to go and change their birthdate, gender and passport. Except only one of those is readily feasible, another is not going to appeal to most people and the remaining one is an unchangeable historical record. This is the thing with many of these classes of data – once they’re public, they’re public forever.

It’s the same with things like mother’s maiden name, childhood pet and your first school. Yes, I understand the temptation to use these as verification questions or password hints but once they’re out there in the wild in plain text (I’m looking at you, Adobe) that’s it – they’re irretrievable and forever compromised.

And this brings me to the crux of the matter – you do not want this data. Seriously, the responsibility involved in holding it is just not worth the risk unless you really, really need it. If you’re running a service specifically designed to remind people exactly how old they are then you’ll need their birthdate. If you’re running a visa a processing service then you’ll need passport info. As for gender, well, frankly I struggled on valid use cases where it’s actually needed for the success of the service beyond perhaps a dating site.

Certainly the legitimate uses for these data classes are few and far between and frankly, it’s just not worth taking risks with immutable data attributes like these. If you do not have it, you cannot lose it!

Troy Hunt
http://troyhunt.com
@troyhunt
Microsoft MVP - Developer Security