But Where Was the Data Going?
I’m sure many of you have heard about the zero-day exploit that was used to hack into MoveIT, a data transfer tool used by many, many organizations, including some in the US government. I’m sure you’ve also heard that some states, like our very own Louisiana had data that was compromised.
It’s not a stretch to imagine that software has a vulnerability, that the vulnerability was discovered by bad actors prior to being found and fixed, and that data that happened to be in the process of being transferred was accessed and potentially stolen.
What I haven’t seen any information about is why the data was being transferred. Oregon and Louisiana, it appears, were transferring the entirety of their motor vehicle records based on the notifications about who was impacted by the data breaches. Why? Where did they need to transfer that data? If it was connected to coordinating with the Federal Government or other states why are they using a third party instead of a system that is directly connected to each other that wouldn’t be at the mercy of these kinds of exploits? It seems to me that would be more secure, at least in terms of limiting the number of places where the data can be breached.
If it wasn’t for the purposes of coordinating motor vehicle and driving records across states, where was it going?
Again, I return to a point I’ve made often. Data will eventually get breached. The best defense is not keeping it. That’s not an option for this data, which leaves us with making sure that we don’t have copies of it lying around or being left behind during migrations, etc. A large data transfer tool like MoveIT is a juicy target for hackers. They found an exploit and just sat there waiting for data to transfer across they could intercept. That happens and is something MoveIT is going to have to patch, while also doing damage control of their public image. That’s part of being in their business. The question for organizations who had data breached in this manner should be what is the purpose of the transfer, is it worth the extra risk involved in transferring it around, and if the purpose is worth it, is there a better way to share that information?
This is a good time for all of us to reconsider how we share data, who we share it with, and the process of cleaning up after data has been transferred. MoveIT is not the only data transfer service, they’re just the one who got breached this month. Next month it could be the one we use. Take steps now to limit the damage that could be done.
Follow these topics: Security
