SQL Server Central
The Voice of the DBA
 

Critical Data and Insomnia

Most evenings I spend some time soaking in the tub and reading articles/watching videos on InfoSec, Data Protection and AI. It may sound like a terrible way to spend some time, but I always find it educational and I’m shocked by the lack of concern around data security, and yet… I’m not.

For decades, the Database Administrator was the one to protect the data, the whole database, so help me God. Yet here we are: with the cloud and AI, there’s a myth that the DBA is no longer needed, often in hopes of speeding up innovation and data democratization. It doesn’t matter if it’s for analytics or AI projects; speeding up delivery of development is more important than protecting critical data.

The News Onslaught

I receive multiple newsletters (I know, newsletters, how quaint!) each day in my inbox that provide me with incredible opportunities to create insomnia or induce nightmares. On today’s menu is one from Cymulate, who has demonstrated vulnerabilities in Claude Code, a well-known AI coding assistant, and how, when turned on itself, it’s able to sidestep restrictions and execute unauthorized actions, meaning it can be used to hack itself!

What I love about these articles is that they’re rarely high-level content that leaves you with more questions, but often a step-by-step explanation of what was done and why the vulnerability in the tech in question is of concern. There’s often a list of recommendations for securing the system, as well as validation that the current vulnerabilities have been addressed by the product. Yes, some are just reporting on a vulnerability or a breach that’s already happened, or warning about a lack of insight into how the feature may be used, but I’m morbidly fascinated by this type of information in the technical world we live in.

I also believe as data professionals, it’s our job to have awareness of how vulnerable our data is when it resides internally to our RDBMS of choice or what could happen once it leaves our relational database system.  So much is demanded of data these days, even if we can’t stop a poor choice, we should have it documented and signed off by management that the risk was known and understood.

Am I asking a lot of DBAs?

Maybe, but I believe the greatest skill DBAs have that adds the most value to an organization is our protective mindset around critical data. Organizations need to revisit the priority of this value, not just set priorities around profits to be made from innovation, often without asking important questions about data protection. Better laws, as well as more of them, that hold organizations accountable for our critical data are needed, too. Many of the data breaches from the last couple of years have prompted significant legal action, primarily in the form of class action lawsuits against the affected organizations where negligence is concerned. We’re finally seeing a major change in how fines are levied against organizations, moving from a set dollar amount to a percentage of the damage, which is a major improvement, so an organization guilty of negligence (often in the hope of innovating quickly and putting data protection at risk) doesn't just view potential lawsuits as the cost of doing business.

The Lawsuits

Some of the most recent and notable data breach lawsuits/settlements include the following:

Now remember, these are only a few of the most notable ones, but many that I read about making waves in the legal community for infosecurity and data breaches occurred back in 2018, so AI damage from data breaches is still quite new and those cases haven’t started down the legal process at this time. Healthcare and finance continue to be prime targets for cybercriminals right now. Healthcare breaches, including those impacting Yale New Haven Health, Blue Shield of California, and Harvard Pilgrim Health Care, have exposed millions of patient records and led to substantial settlements. The finance sector also experienced significant breaches involving companies like Allianz Life and Western Alliance Bank, highlighting vulnerabilities in third-party vendor systems.

Emerging Trends

The future of critical data isn’t looking so bright if we continue to bypass the need for data administration and expect users or developers to pick up the necessary mindset on top of their [already] demanding roles. Some of the upcoming risks that I expect more lawsuits to be based on:

  • Third-Party Vendor Risks, both AI and other tech: Breaches like those affecting Hertz and WK Kellogg due to vulnerabilities in the Cleo file transfer platform underscore the importance of robust third-party security protocols.
  • AI and Data Privacy: As the use of AI increases, along with related data issues, we should expect a rise in cybersecurity and data privacy disputes. There was a great article just this week about how Perplexity is using undeclared crawlers to evade website no-crawl directives (we may need a bit of ethics here…).
  • Growing Litigation: The plaintiffs’ bar is actively pursuing cases related to data breaches, biometrics and other privacy violations, but the sheer volume of breaches is increasing at an unprecedented rate, compelling companies to change policies around data access to limit their vulnerability to future lawsuits.

Summary

Data breaches continue to be one of the top threats to organizations across all sectors, leading to considerable financial losses and legal repercussions, and yet, many are removing those technical specialists who were at the heart of data security for decades - i.e., the Database Administrator. Proactive cybersecurity measures, robust vendor vetting processes and automated AI tools will only take an organization so far. An increased focus on data privacy regulations, higher scrutiny of penalties to organizations and a better grasp of the technical roles required for full scope functionality and data protection are required. Yes, I’m saying you need your database administrators back. If not just for the protection of critical data, then to fend off the future we face around data breaches in the age of AI.

And if you are interested in these types of data protection, infosecurity and AI stories, like me, I recommend signing up for TLDR newsletters in those three categories. There are some incredible and disturbing stories around the world of data and security EVERY DAY. It can’t just be me that doesn’t like sleep!

dbakevlar

Join the debate, and respond to today's editorial on the forums

 
 Featured Contents
SQLServerCentral Article

Working with index on SSMS

sabyda from SQLServerCentral

Overview: In SQL Server, indexing is a technique used to improve the performance of queries by reducing the amount of data that SQL Server needs to scan. You can think of it like a table of contents in a book—it helps SQL Server find data more quickly. In this article, we will cover the following […]

SQLServerCentral Article

SQL Server Threats

J P Mehta from SQLServerCentral

Is your SQL Server truly secure? Here are the top cyber threats targeting it. Learn how you can stop them before it strikes.

 

 Question of the Day

Today's question (by VastSQL):

 

Data recovery From An Index

Is it possible to recover data from a non-clustered index on the firstname and lastname columns in case of corruption?

Think you know the answer? Click here, and find out if you are right.

 

 

 Yesterday's Question of the Day (by dbakevlar)

Page Compression, Unique Identifiers and Speed

Would using a UNIQUEIDENTIFIER as a clustered primary key improve page compression and speed up inserts compared to INT IDENTITY?

Answer: False

Explanation: The answer is (commonly) FALSE. A UNIQUEIDENTIFIER as a clustered key is usually slower for inserts and causes more fragmentation than INT IDENTITY, due to its random nature. The uncommon situation in which this may not be true is when NEWSEQUENTIALID() is used.

Discuss this question and answer on the forums

 

 

 

Database Pros Who Need Your Help

Here are a few of the new posts today on the forums. To see more, visit the forums.


SQL Server 2019 - Administration
What are the best ways to create an AG and do failovers with 8TB databases? - Hello. I've been working with AGs for a few years now. However, in my latest position, I am now working with a company database that is 8TB. Are there best practices or anything you could or should do differently when working with large databases and performing AG failovers? I usually add the database to the […]
Recommended Extended Event that will send an email - I'm looking for an extended event recommendation that will send an email when a transaction runs longer than 5 minutes.   Thanks in advance
SQL Server 2008 - General
Direct Connection running Fast,Linked Server running Slow - Scenario 1 (Direct Connection - Fast): On Server B, when using SQL Server Management Studio (SSMS) to connect directly to Server A by specifying its IP address and using a valid SQL Server login and password, executing the view vwA in database DB01 completes in approximately 1 second. Scenario 2 (Linked Server - Slow): A […]
SQL Server 2008 Performance Tuning
Direct Connection running Fast,Linked Server running Slow - Scenario 1 (Direct Connection - Fast): On Server B, when using SQL Server Management Studio (SSMS) to connect directly to Server A by specifying its IP address and using a valid SQL Server login and password, executing the view vwA in database DB01 completes in approximately 1 second. Scenario 2 (Linked Server - Slow): A […]
Reporting Services
Multipage report using Graphs - I don't know how to do this and I apologize if I don't explain it well. I have a report that shows data and a graph by month, but right now it is only for one job at a time. Create table #MyTempTable2 (Job varchar(6), Mth date, profit numeric(6,2)); Insert Into #MyTempTable2 (Job, Mth, profit) […]
Editorials
The Double-Edged Sword of AI and Data Democratization - Comments posted to this topic are about the item The Double-Edged Sword of AI and Data Democratization
The Problem with AI Job Loss Headlines? - Comments posted to this topic are about the item The Problem with AI Job Loss Headlines?
Article Discussions by Author
Deprecated but Forgotten: Why SQL Server’s Text, NText, and Image Data Types Still Haunt Your Systems - Comments posted to this topic are about the item Deprecated but Forgotten: Why SQL Server’s Text, NText, and Image Data Types Still Haunt Your Systems
Why CQRS and Event Sourcing Are Gaining Ground in High-Concurrency Web Systems - Comments posted to this topic are about the item Why CQRS and Event Sourcing Are Gaining Ground in High-Concurrency Web Systems
Page Compression, Unique Identifiers and Speed - Comments posted to this topic are about the item Page Compression, Unique Identifiers and Speed
Yet another Date Dimension - Comments posted to this topic are about the item Yet another Date Dimension
Always On Availability Groups and Capabilities - Comments posted to this topic are about the item Always On Availability Groups and Capabilities
Advanced SQL Server Page Forensics: Detecting Page Splits and Allocations with DBCC PAGE - Comments posted to this topic are about the item Advanced SQL Server Page Forensics: Detecting Page Splits and Allocations with DBCC PAGE
How to Access and Use Azure Key Vault Secrets in an Azure Devops Pipeline - Comments posted to this topic are about the item How to Access and Use Azure Key Vault Secrets in an Azure Devops Pipeline
SQL Server 2022 - Administration
How to configure Index maintenance plans in PAS server - Hi, I have configured PAS server but SQL Agent is not there. How can I configure index rebuild and update stats to run automatically? Can anyone please suggest ASAP, I need it ASAP.
 

 

©2019 Redgate Software Ltd, Newnham House, Cambridge Business Park, Cambridge, CB4 0WZ, United Kingdom. All rights reserved.