missing backups with interesting data

  • This brings up a couple of issues:

    1) how/why store credit card numbers and/or social security numbers

    2) how to protect backups or when to destroy them..

    .. see below..

    In the news today:

    "The timeshare unit of Marriott International Inc. is notifying more than 200,000 people that their personal data are missing after backup computer tapes went missing from a Florida office.

    "The data relates to 206,000 employees, timeshare owners and timeshare customers of Marriott Vacation Club International, the company said in a statement Tuesday. The computer tapes were stored in Orlando, where the unit is based.

    "The company did not say when the tapes disappeared. They contained Social Security numbers, bank and credit card numbers, according to letters the company began sending customers on Saturday."

    The article is here:

    http://news.yahoo.com/s/ap/marriott_missing_data

    Greg

  • This is MY take on these sorts of issues.

    If you need to store credit card numbers or SSN, you need to encrypt them before storing them. To retrieve, you will need a hash function made up maybe with part of the CDNumber or SSN and, let's say, zip code; then that function has to be hardcoded in the app, and the output is what is saved on the DB.

     

    On the backup end you can use third-party programs like SQL LiteSpeed, where the backup gets compressed and encrypted. Of course, the key has to be safely guarded.

    Cheers,

    * Noel

  • And the key should be periodically changed. Wouldn't want someone to "crack" last year's backup and then be able to use the key to get current card numbers.

    With that, be sure that you store the keys somewhere for history. We've had great luck with Password Safe as a place for keeping keys. Set up a few dbs, and keep the people with the password limited to a few. Change the pwds every time someone quits.

    For the CC#s in the db, I'd purchase 3rd party encryption, Netlib or Protegrity. Put the burden on them for a good, solid solution and since they've had experience, it's worth the $$.
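
The rotation and key-history points from the two posts above, as an added example that is not from any poster. It uses SQL Server's built-in cell-level encryption rather than the third-party products named in the thread; the table, key and certificate names are hypothetical and the passwords are placeholders.

```sql
-- Added example. Hypothetical names: dbo.Customer, CardCert, CardKey_2005, CardKey_2006.
-- Passwords are placeholders; the real ones belong in the password store, not in scripts.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-2005-master-key-password>';
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Card number column encryption';
CREATE SYMMETRIC KEY CardKey_2005 WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;

CREATE TABLE dbo.Customer (
    CustomerId    int IDENTITY PRIMARY KEY,
    CardNumberEnc varbinary(256) NOT NULL   -- ciphertext only, never the clear number
);

-- Encrypt on write (constructed test card number).
OPEN SYMMETRIC KEY CardKey_2005 DECRYPTION BY CERTIFICATE CardCert;
INSERT dbo.Customer (CardNumberEnc)
VALUES (EncryptByKey(Key_GUID('CardKey_2005'), N'4111111111111111'));
CLOSE SYMMETRIC KEY CardKey_2005;

-- Periodic rotation, step 1: new master key material and a new password, so the
-- password that unlocks last year's backup does not unlock the current database.
-- Archive the OLD password first; it is still needed to read old backups.
ALTER MASTER KEY REGENERATE
    WITH ENCRYPTION BY PASSWORD = '<placeholder-2006-master-key-password>';

-- Step 2: new data key, then re-encrypt every row under it.
CREATE SYMMETRIC KEY CardKey_2006 WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;
OPEN SYMMETRIC KEY CardKey_2005 DECRYPTION BY CERTIFICATE CardCert;
OPEN SYMMETRIC KEY CardKey_2006 DECRYPTION BY CERTIFICATE CardCert;
UPDATE dbo.Customer   -- DecryptByKey picks the right open key from the ciphertext header
SET CardNumberEnc = EncryptByKey(Key_GUID('CardKey_2006'), DecryptByKey(CardNumberEnc));
CLOSE ALL SYMMETRIC KEYS;

-- Step 3: retire the old key from the live database. Old backups still carry it,
-- protected by the old master key password that was archived in step 1.
DROP SYMMETRIC KEY CardKey_2005;

-- Read path after rotation.
OPEN SYMMETRIC KEY CardKey_2006 DECRYPTION BY CERTIFICATE CardCert;
SELECT CustomerId,
       CONVERT(nvarchar(32), DecryptByKey(CardNumberEnc)) AS CardNumber
FROM dbo.Customer;
CLOSE SYMMETRIC KEY CardKey_2006;
```

A backup restored on another server cannot open the keys until `OPEN MASTER KEY DECRYPTION BY PASSWORD` is run with the password that was current when that backup was taken, which is why each retired password has to be kept with the backup's date.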

  • It just goes to show you that "Locks only keep honest people out" ...

    Regards
    Rudy Komacsar
    Senior Database Administrator
    "Ave Caesar! - Morituri te salutamus."
