Norm Coleman's campaign donor database was hacked and then posted on the Internet. Powerline offers one perspective on the matter; the ever-cogent commenters over at MDE offer another. Feel the love.
There's a lot of blame to go around here. First and foremost, the people who committed the theft need to be caught and prosecuted. Stealing a car even though it was unlocked with the keys in the ignition is still theft.
Whoever is in charge of Coleman's data processing should be immediately dismissed. Common sense data access and handling practices should have made such a theft very difficult if not impossible to pull off, especially for amateurs. That being said, Coleman, as the head of the operation, has the ultimate responsibility to make sure his people know what they are doing and, if necessary, farm out his data processing operations to private sector professionals.
The database should not have been stored on any machine with direct access to the internet without the proper security access infrastructure. There are free and low cost scanning utilities (as well as some expensive ones) that will test the vulnerability of a web site from the outside world. The data also should have been encrypted so it would be worthless if it fell into the wrong hands regardless of how it got there.
We in the private sector who are open to serious legal prosecution if we let our client's (which include some units of governemt) sensitive data fall into the wrong hands take the aforementioned and other steps to minimize the risks and there is very seldom an incident. In rare cases where something like happened to Coleman occurs it is almost always traceable to someone who shortcut or ignored the proper practices or left unencrypted copies of the data in a non-secured location.
1 comment:
There's a lot of blame to go around here. First and foremost, the people who committed the theft need to be caught and prosecuted. Stealing a car even though it was unlocked with the keys in the ignition is still theft.
Whoever is in charge of Coleman's data processing should be immediately dismissed. Common sense data access and handling practices should have made such a theft very difficult if not impossible to pull off, especially for amateurs. That being said, Coleman, as the head of the operation, has the ultimate responsibility to make sure his people know what they are doing and, if necessary, farm out his data processing operations to private sector professionals.
The database should not have been stored on any machine with direct access to the internet without the proper security access infrastructure. There are free and low cost scanning utilities (as well as some expensive ones) that will test the vulnerability of a web site from the outside world. The data also should have been encrypted so it would be worthless if it fell into the wrong hands regardless of how it got there.
We in the private sector who are open to serious legal prosecution if we let our client's (which include some units of governemt) sensitive data fall into the wrong hands take the aforementioned and other steps to minimize the risks and there is very seldom an incident. In rare cases where something like happened to Coleman occurs it is almost always traceable to someone who shortcut or ignored the proper practices or left unencrypted copies of the data in a non-secured location.
Post a Comment