Full disclosure: The breach I'm going to discuss could end up affecting me personally. But I think the overall message is too important not to share.
Yesterday, Penn State University announced that, for the third time in six months, a cyber attack resulted in a breach exposing thousands of Social Security numbers. According to an article in the Pittsburgh Tribune Review:
Sometime before Wednesday, Penn State officials discovered that a computer in the Outreach Market Research and Data office was communicating with malicious software that enables attackers to control the target computer. The breach exposed 15,806 Social Security numbers, according to a statement released by school officials.
That nearly 16,000 is in addition to 9,000 Social Security numbers reported breached in May and another 30,000 reported in December 2009.
When I was a student at Penn State, and during much of my time as an employee there, everyone was identified by his or her Social Security number. It was on your ID card; it was written on every single piece of work turned in. If a professor posted computer-generated grades outside his office, students found their grade by the last four digits of their number. If there were two identical sets of digits, the middle two numbers were included. However, about 10 years ago, the university realized the risks involved with making Social Security numbers visible to everyone and switched to a different numeric identification system. For students, this switch happened in 2005; for employees the change had begun earlier.
Hence, these aren't new records, but old, archived data. The stories of breaches of 5-year-old (or older) information at universities (because Penn State is part of a growing problem across the country) should be a warning sign to enterprises: How secure is your archived data?
If the data must be kept on hand, Ed Ginty, in an article at Information Systems Security, wrote:
A key to remember is that data does not necessarily lose value with age. If five year old data is required for trial or audit purposes, that data is just as important as today's data. The bottom line remains that data needs to be well protected and highly accessible wherever and whenever properly authorized people require it. Technology is available to provide this and it's reasonably priced. There are few valid excuses left for executives facing courts and or auditors for why they cannot produce required data.
If there is no reason to keep the information on file, Kevin Mock provided some advice on destruction of data at SearchSecurity.com:
To begin creating a data destruction policy and awareness program for your company, first, identify the types of data your company has and where it resides. Your data retention policy should help you with this endeavor by indicating where both physical and electronic data is stored and for how long. The data destruction policy needs to address how to get rid of the data once it has met the expiration criteria in the data retention policy. You may want to investigate the legal aspects of the data as well by engaging your legal team, and this might also be a good time to discuss with them the processes of reporting a breach of data.