A recently released survey finds 83% of financial firms use production data for testing. What this means (for the non-developers) is that your customer data is used unmasked and in its full form to test systems that, by the very fact that they should be TEST systems, have an unknown level of security and integrity.
Even though the study was commissioned by a company that works specifically with data protection in test environments (important to call out bias!), I believe the numbers on this one – especially when I go back and research the number of financial institution data breaches that have occurred because “live” customer data sets were in the hands of a third party contractor, or other employee off-site.
I have done development work on health data and I understand full well the challenges of creating meaningful data sets (as well as the enormous expense) for testing purposes. The bottom line comes to this: There is no excuse that justifies exposing personal data in this manner. Period.
In performing penetration tests a common tactic that we use during the “recon” phase is to look for servers that are obviously development systems. We do this because patch levels and security are typically at a minimum on these systems and they are usually the “low hanging fruit”.
So it makes me wonder – just what justification can possibly make these guys think this is OK?
Here are some more stats from the study that should give you pause:
- identity compliance procedures (used by only 56 percent of companies surveyed);
- intrusion detection systems (used by only 47 percent of companies surveyed);
- data loss prevention (DLP) technology (used by only 41 percent of companies surveyed); and
- Social Security number usage (88 percent of those surveyed still use this as a primary identifier)
Remember these findings the next time you read a news release regarding a financial institution data breach and some chuckle-head says that they are quite certain no sensitive data was taken or misused. The very next question to ask is: How would you even know?