Earlier this summer, online invitations company Evite admitted that hackers had accessed "an inactive data storage file" associated with its user accounts.
Evite, which currently has more than 100 million users, did not say how many accounts were affected, but that they all dated from no later than 2013. This April, however, hackers put data from 10 million Evite accounts up for sale on the dark web.
It didn’t get a lot of public attention, but the Evite breach stands out because it involved the kind of data many companies forget about -- old data, sitting around in old, often obsolete systems.
Active data has obvious business value to a company and gets the highest level of defense. The old data may not hold a lot of immediate value to the business but it may contain a lot of sensitive information, such as birth dates and social security numbers, which hackers can easily convert to bitcoin on the dark web.
The first step in protecting it is getting a handle on where the data is located, but many companies don't know where all their data is, and don't have good processes for tracking it.
This keeps a lot of security professionals up at night, said Dominic Sartorio, senior VP of products and development at Protegrity, a Stamford, Connecticut-based cloud and data security company.
"Often the breach is not in the environments that you're already protecting, but a system or application where you didn't even know there was sensitive data there," he said.
Data, Data Everywhere
"When you ask people, you generally hear, 'Yes, we have a general idea of what data we have,'" said Avinash Ramineni, CTO at Kogni, an Arizona-based security vendor. "Every place where we went and scanned, people were surprised to see what kind of data they had that they did not have an understanding of."
For example, every company knows about the big customer databases they have in their data center or their ERP database.
"But when you have freeform text, such as when a customer rep is making notes about a conversation, that's an area where a lot of sensitive data is stored," he said. "And it's almost impossible to keep track of."
Sensitive data can also end up in log files, due to a programming mistake or just a lack of proper attention, he said.
According to a study released this spring by Integris, 77 percent of companies use manual processes like surveys or spreadsheets to track sensitive data.
"But the surveys are based on people's best guesses of what's in a repository," said Kristina Bergman, founder and CEO at Integris Software. "And the data is constantly changing. There's no way in this day and age that any human being can possibly have their arms around what data is sitting in their data center or how long it's been sitting there. It's just not a realistic expectation."
Since manual processes are so time consuming, they're often infrequent. According to the Integris survey, 45 percent of companies do a data inventory no more than once a year, or in response to an audit.
Manual processes also have a hard time discovering data in places where the data shouldn't be, such as in unapproved online file shares or in email attachments -- or in log and temp files.
A better approach, she said, is to use automated tools, especially ones built around machine learning or artificial intelligence, to automatically scour a company's infrastructure to identify sensitive data. Plus, these tools can collect other information, such as whether the data is encrypted and who has access to it.
But the situation is beginning to change for the better. According to the Integris survey, 52 percent of companies are already using some form of automated data discovery technology, and another 39 percent are planning to use it.
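As an added illustration of the automated discovery described above (this is example code, not a tool from Kogni, Integris or any other vendor named here), the Python snippet below scans constructed log lines for SSN-like values and labelled birth dates, filters out numbers the SSA never issues, and reports each hit redacted so the scan itself does not become another copy of the data. The sample log lines and the regular expressions are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not real data): a support-rep note and an
# application log that wrote request fields it should never have recorded.
SAMPLE_LOG = """\
2019-03-04 10:12:01 INFO  support-notes user=4471 note="customer confirmed SSN 219-09-9999 and DOB 1984-07-16 over phone"
2019-03-04 10:12:05 DEBUG checkout order=8813 total=42.10 status=ok
2019-03-04 10:13:44 ERROR kyc-service request body: {"name":"J. Doe","ssn":"000-12-3456","dob":"1990-02-13"}
2019-03-04 10:14:02 INFO  signup user=4472 birthdate=1975-11-02 plan=basic
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
DATE = r"(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])"
# A date counts as a birth date only when a label precedes it closely,
# so the timestamp at the start of every log line is not flagged.
DOB_RE = re.compile(
    r"\b(?:dob|birth\s*date|date of birth|born)\b\W{0,8}(" + DATE + r")\b", re.I
)

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject formats the SSA never issues, to reduce false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

def redact(value: str) -> str:
    """Keep only the last four characters so findings can be shared safely."""
    return "*" * (len(value) - 4) + value[-4:]

@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str

def scan_text(text: str) -> list:
    """Return one Finding per sensitive value, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                findings.append(Finding(line_no, "ssn", redact(m.group(0))))
        for m in DOB_RE.finditer(line):
            findings.append(Finding(line_no, "dob", redact(m.group(1))))
    return findings

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
```

Pointing the same function at a directory of log and temp files, rather than the embedded sample, is the practical next step.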
The High Cost of Technical Debt
Old systems, especially ones that are forgotten about and are no longer maintained, can be a significant security risk.
But taking care of cleaning up old technology is a thankless task that many companies keep putting off.
"If you're running a large environment, your need to innovate is so strong that you never go back and solve the technical debt," said Brian Johnson, CEO and co-founder at DivvyCloud, an Arlington, Virginia-based security vendor. "You just don't have time, because you have other things you have to do."
It's an even harder problem to address when the data center's current security team had nothing to do with creating the old systems.
When business units move from one platform to another, they often leave the old one running in parallel for a while, just in case something goes wrong. Turning off the old system and deleting the old data might not feel like a high priority.
"But when it comes to protecting data about your customers, technical debt is simply not acceptable," said Johnson. "You need to always be focused on protecting customer data, whether it means rearchitecting systems or pulling everything down."
With cloud-based options proliferating, business users are more and more likely to adopt technologies on their own, without input from security managers. Then, when one platform doesn't work out, they can just as easily switch to another one, and forget about the old accounts and the old data that they've already uploaded.
"Security teams need to figure out how to be more aligned with the engineering and business needs of the organization," said Johnson. "They need to realize that today's vision of security is different from yesterday's vision of security."
Getting a handle on records you've shared with third parties is difficult. When you no longer have a relationship with those third parties, the difficulty level goes up dramatically.
One example was the leak this spring of 22,000 Facebook users’ plain-text passwords from the third-party app At the Pool. Not only was At the Pool no longer a Facebook partner when the breach was discovered, but it had been out of business since 2014.
According to security company UpGuard, which discovered the leak, the information was stored in yet another unsecured Amazon S3 bucket.
There isn't much a security team can do about data it never knew existed, shared with business partners who may no longer be around.
However, a company can use security research services to look for instances of private data showing up in publicly accessible locations, be they unsecured online storage buckets or Dark Web marketplaces, take immediate steps to get those data sets taken offline, and then find the source of the leak and plug it before the problem gets even worse.