Topic(s):   Security

August 15, 2007

DBA Activity results in Class Action Lawsuit
Posted by Scott Hayes @ 10:44 PM ET | Aug 15, 2007

I suppose it was just a matter of time. In a news release issued today, Girard Gibbs LLP announced a class action lawsuit against Certegy. 8.5 million consumers are impacted.


"The complaint alleges that Certegy and FIS failed to implement and maintain adequate security measures to protect consumers’ confidential financial and personal information. Their failure to properly monitor and supervise their employee subjected consumers to risk of data theft and other fraudulent actions."

Also, "The complaint alleges that a senior database administrator misappropriated the confidential information of millions of consumers and then sold the data to direct marketing firms and data brokers who may have resold it to others."

In an earlier blog post, DB2 Magazine Editor Kim Moutsos asked "Is anyone getting information security right?"

Perhaps there are a few organizations getting it right, but these are probably the exception to the norm. Information security is a "cost" that conflicts with "profitability". Meanwhile, the data buffets are still open to vast populations of internal users who are not held accountable for their use or abuse of data privileges. It's much easier to commit data crimes when no one is watching, or auditing, database activities. Read my open letter to Oprah Winfrey for more details on information security history and the data buffet.

At the Gartner IT Security Summit, I spoke with several State CISOs about their data security initiatives. Unfortunately, they all told a sad tale about how difficult it was to get approval for data security projects. They are in good company, for private sector security executives told me similar tales of woe. It seems that only when the cost of security initiatives is actually substantially less than the costs of legal actions (be it SOX compliance or the threat of class action lawsuits), then maybe organizations will create budget to fund the lesser security expense. This is quite unfortunate for all of us.

I spent about $250K on credit cards last year thanks to business and personal expenses. I'll confess I'm a "loyalty points and miles whore". News like this makes me think about switching to the anonymity of cash, but I imagine I'll still be overexposed by my bank and mortgage company. One thing you can do is to post a free fraud alert with the credit reporting companies; instructions on how to do this are detailed in my DBI blog.

To wrap up, I'll close with a question: In the wake of weekly data breaches and lawsuits like this, are organizations ready to get serious about auditing database activity?

Well, one more thought. I think it stinks that an industry of so many good, professional DBA people is now tarnished and branded as "privileged insider threats". At least with database auditing active, it should be possible to prove that it wasn't you that misappropriated valuable data. Surveillance works both ways.

With kindest regards,
Scott

Scott Hayes
President & CEO, DBI
IBM GOLD Consultant
Easy and Accurate Database Auditing solution for IBM DB2 LUW and Oracle: www.Brother-WatchDog.com
