Yesterday Silicon Republic ran a story about 6700 email addresses and passwords, some of which were from Government Departments and large Irish corporates, that were discovered posted in a “prominent hacker forum”. The original article contained speculation about where this data could have been obtained from, with an implication of a potentially serious security breach somewhere in the information chain from browser to internet. The whiff of internet intrigue and black hat operations hung heavy in the air.

But reality is never as sexy as a Mission Impossible trailer. While the attack vectors that were hinted at in the original article were all possible, the actual root cause appears to have been much more mundane and much more common place. In an update to the story posted later in the day, Silicon Republic reported that:

The 6,700 leaked email addresses and passwords containing details of workers at organisations like HSE, AIB, and Enterprise Ireland, as well as many users’ Gmail and Hotmail addresses and passwords, came from a shopping website that went out of business but hadn’t been shut down properly.

The developers and the former website owners were not aware that the data had been compromised and had been posted on a hacker forum until they were told about it yesterday. A test server had been left running, with data on it and the site was still live, which they were also unaware of.

And this is where the confluence of Information Security, Data Protection, and Information Governance becomes significant.

Applying Information Governance Principles

As an Information Quality guy and Data Protection nut, I am obsessive about the notion of Information as an Asset. It is an Asset. It is valuable, it helps your organisation deliver services and drive net cashflow. It is worth money (just ask Facebook, Apple, and Google). It just doesn’t appear on your balance sheet (unlike paper clips and office furniture and goodwill).

Because it is an asset it has a life cycle. This life cycle needs to be managed, and the information needs to be stewarded and curated through this life cycle. Bad things can happen when the life cycle is ignored. This life cycle is a fundamental life cycle for the management of any asset and is described by the acronym: POSMAD

P: for PLAN

Every asset should have a plan for how it is going to be put to use. That way you can identify what information you will need and assess whether you have it or not, and if not whether or not you can get it. Investing time and effort in the planning stage means you can avoid expensive mistakes later on. The analogy I use with clients and people I am training is buying shoes. When you are buying shoes you have a plan about the type of shoes you will need. A pair of Gucci high heels will be no use if you are planning on going hillwalking or running a marathon. Information is the same.

O: for Obtain

Organisations need to think about how they are going to obtain the information they need to execute their plan and meet their strategic goals. This means having to think about the processes for gathering data, the legal and other regulations that might apply to the gathering of that data, and the resourcing of getting that data. While you may be able to buy data, is that data coming from a trusted source and how will you ensure quality and fitness for purpose of that data?

Going back to the shoes.. it’s the decision you make between buying on-line and hoping for a good fit or going to a shop to get a good fit, or buying your shoes when they’re on special in Aldi or Lidl.

S: for Store and Share

Where will you store the data? How will you store it? How will you share it, and with whom, and why? This drives out a lot of questions and issues around your Information Securty and Information Governance policies. It also drives out a lot of questions around your approach to Data Protection Compliance. Oh, yeah.. and there is probably going to be some technical architecture questions and answers in here too.

For shoes: where will you put them away when not in use (wardrobe, shoe rack, thrown under your bed?) and will you share them with people (and if so on what basis and what hygiene protocols will you put in place to avoid getting trenchfoot from your brother).

M: for Maintain

Maintenance of data and information relates to the processes and procedures you will put in place to keep it ‘fit for purpose’ and able to be used to meet the objectives you set out in your Plan (remember that…).

For shoes… well, will you polish and clean them, get them resoled, or waterproof them or whatever… but you will have a plan to keep them ship shape and wearable.

A: for Apply

Information at rest doesn’t make you money. It is only when you are using information to run your business, deliver your services, or generate revenues that it is actually of any use to you. Everything else is just cost. It costs you money to store it, to secure it, to gather it.

An analogy I use for students is the call centre. If you hire 200 people and give them 200 desks, 200 phones, and 200 computers but data with no phone numbers, what is the net profit you can generate per week from that call centre?

And as for your shoes? Well, you do actually intend to wear them don’t you?

D: is for Dispose/Destroy/Delete

This is the doozy. It’s the one people forget. But it is the one that is catered for in the Data Protection Acts under the “retain for no longer than is necessary for purpose for which it was obtained” principle.

When you can no longer apply the data there is no point maintaining it and there is no need to keep it. So you need to have a PLAN (remember that?) for how you will dispose of and destroy the data. It needs to be done securely. It needs to be done with care. But most importantly: IT NEEDS TO BE DONE!!

(as for your shoes… do you still have the shoes you wore as a 2 year old? As a 12 year old? Why not? Same principles apply here. With your new shoes, the time will come to get rid of them. Are they going to go in the bin having been worn to destruction or will you give them to a charity who might be able to extend their life in a good cause?)

Back to the 6700 emails…

No plan was in place to manage the asset. Live data appears to have been used in a test system, which was left up and running. Using live data for testing is never a good practice and as such the risks of doing so should have been planned for. Obtaining live production data is a quick and easy way to get data for testing but it is, in my experience, never a good idea unless your test environment is disconnected from the world. Apart from anything else, it introduces the risk of real customers getting test messages and emails unless your test system has stubbed certain functionality.

Of course, test systems you are STORING the data on need to be MAINTAINED while they are still running, even if the project has died. Patching, passwords, brute force attacks, SQL injection threats, all of these overheads still have to be considered, addressed, and acted on if there is any data on the test system. Which begs the question:

If you aren’t using it and you are having to maintain it, really you should think about DISPOSING of it. In this case, it may have been a question of simply droppping all the user login information that was being used from the database but leaving everything else there. That would have eliminated the risk. The site code and other data would have remained in place but would not have been a timebomb likely to attract attention. There’s less hacker kudos in posting obsolete product data compared to emails and passwords.

Of course, this is not an isolated problem, and it is not just a case of test systems. In my career I’ve seen data migration teams declare “Mission Accomplished” and walk away from the project leaving the original source systems up and running and accessible and requiring support and maintenance that won’t be available because the ‘official’ enterprise systems architecture doesn’t have them on it any more… because they were migrated into “System X”.

When I put my feet into new shoes, I get rid of my old ones. That is the circle of the Asset Life Cycle. It’s time that organisations get it.

Daragh O Brien

Daragh O Brien

Daragh is the founder and Managing Director of Castlebridge. He brings over twenty years of experience in data strategy and regulatory operations to the table for clients. He lectures in the School of Law in UCD and in the Law Society of Ireland on Data Protection and Data Governance. He is a Fellow of the Irish Computer Society and holds CIPP/E and CIPM certifications from the IAPP and other data management qualifications.