Data leak during backup?

  • Hi - I'd like to start off by saying that I am not a database expert, so please excuse my ignorance!

    I am running MS SQL 2000 on Windows 2003 with about 30 or so databases for various websites. I set up a Database Maintenance Plan to back up all the databases every day at 2am, deleting any backups older than 7 days. All seems to be working great.

    Recently, a client asked for a database backup, so I sent it to them. They opened the backup using MS Excel (they couldn't open it with any other software). Most of it was unreadable, but in some readable parts, they noticed content that was not theirs.

    After opening the file with Excel, I noticed content from another database in the file. I tried restoring the file into SQL, but the content was not there.

    When I tried opening the original backup of the database (that I created before uploading the database to our production server), the content was not there.

    I also opened backups from other sites that were created via the maintenance plan, and found the leaked data in some of them as well. Finally, I manually backed up the database (Database - complete), opened it with Excel, and noticed the data from a different database in the file.

    I am not sure why the database backup contains data from a different database. I scoured the database tables to make sure the data I am seeing in the backup is not in the current database, and I can assure you that it's not there. The table that the data is coming from does not even exist in this database.

    Has anyone noticed this type of behaviour or know why it's happening? My client now thinks that there's a security risk here.

    Any help would be appreciated!

    F.

  • I haven't seen a data leak like that, but the backup files themselves aren't encrypted in SQL Server 2000. The password may stop someone from restoring the file, but there are even techniques around that. So yes, if the data is sensitive and there are stringent requirements on keeping the data safe, there may be a need to encrypt the backup files.

    However, the data leak across databases is concerning, but there may be a reasonable explanation. In the backups created with a maintenance plan, is each database being backed up to a file only containing backups for that particular database? It's entirely possible to use a single backup device (file) for backups of multiple databases. The maintenance plan may be set up to do this.

    K. Brian Kelley
    @kbriankelley

  • In the maintenance plan, each database gets backed up into its own file.

    However, even when I manually backed up this particular database, I could still see the data from another database when I opened the file in Excel. When I restore it, the leaked data is nowhere to be found.

  • Hrm. I've not seen that. I'll have to play around and see if I can recreate the issue.

    K. Brian Kelley
    @kbriankelley
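
One way to check the point K. Brian Kelley raises above (whether any backup file holds backup sets from more than one database), as an added example that is not part of the original thread. It assumes the msdb backup history on the server has not been purged; the file path is a placeholder.

```sql
-- Added example. The backup file path below is a placeholder.

-- 1) From the msdb backup history, list every backup file (device) that has
--    received backup sets from more than one database. An empty result means
--    the history shows no file shared between databases.
SELECT  bmf.physical_device_name,
        COUNT(DISTINCT bs.database_name) AS database_count,
        COUNT(*)                         AS backup_set_count,
        MIN(bs.backup_start_date)        AS first_backup,
        MAX(bs.backup_start_date)        AS last_backup
FROM    msdb.dbo.backupset AS bs
JOIN    msdb.dbo.backupmediafamily AS bmf
        ON bmf.media_set_id = bs.media_set_id
GROUP BY bmf.physical_device_name
HAVING  COUNT(DISTINCT bs.database_name) > 1
ORDER BY last_backup DESC;

-- 2) For the file that was sent out, read the header of every backup set it
--    contains. More than one row, or an unexpected DatabaseName, means the
--    file holds more than the single backup that was intended.
RESTORE HEADERONLY
FROM DISK = N'<path-to-backup-file>.BAK';

-- 3) List the data and log files recorded in the first backup set of that
--    file, to confirm they belong to the expected database.
RESTORE FILELISTONLY
FROM DISK = N'<path-to-backup-file>.BAK'
WITH FILE = 1;
```

The history query only covers backups taken on this server, so a file copied in from elsewhere has to be checked with the RESTORE HEADERONLY step.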
