The Flip Side of a Breach: Data Integrity
The media tends to focus on the high-profile data breaches: OPM, Target, TJX, Home Depot, Equifax, the SEC (EDGAR), with the narrative typically centered on identity theft and/or credit card fraud. However, as we delve further into these, we cannot, and should not ignore the other side of the data breach coin — namely, data integrity.
We have numerous vendors, from A to Z offering information security services, intrusion detection, network anomalies, data exfiltration detection, user training, etc., etc. While these services are arguably important (and as the recent breaches show us, are rarely if ever fully implemented), we should be equally as interested in the integrity of our data as we are in the overall security of information. If we focus on a breach in the context of data exfiltration and identity theft, then we are only looking at a small piece of the pie. While criminal organizations are typically motivated by revenue, that comes in many forms.
Consider, the SEC hack, for instance, if that were focused on data manipulation then the effects could be far-reaching and significant. The prospect of modifying filings within SEC could make stock price manipulation possible and tremendously profitable. While there are controls in place and tracing transactions related to that are more likely to proceed in an investigation than a typical identify theft/card fraud hack, the fact remains that trying to implement data security while foregoing data integrity is exceedingly unwise.
When I was in software engineering we used source code control systems to ensure the integrity of our trunk and branches and to be able to “see” modifications to the code. This was a critical component of the software development process and it would be unimaginable for a large software project to forego such a system. The data that entities collect, and retain is often expensive to procure, to store, to retrieve, and to analyze. Thus, if the integrity cannot be guaranteed then all of those expenses may be for naught. Suffice it to say that, data is the foundation of the world we live in. Data that is missing or stolen causes a certain set of issues, however data that is tampered with is even more vexing since our current information security implementations may not even detect these.
Imagine a consumer that attempts to purchase a home only to find that they have multiple accounts that were flagged 90-days late. The herculean efforts that would have to be undertaken to rectify erroneous items on a credit report would be extremely onerous for an individual consumer. Now multiply that, and consider a scenario where a larger segment of the population is impacted. What would the economic effect be if those persons most likely to enter into new credit agreements were unable to do so for 60-90-120 days? What would the ramifications be if data from the credit agencies was deemed to be unreliable?
If we continue to take a point approach and look at each hack/breach as a discrete and distinct operation, we may fail to correlate joint activities, miss the bigger picture and altogether overlook the data integrity issues that we may already have been beset with.