Cybersecurity experts from Lieberman Software and Tripwire are commenting on news of a data breach involving prison phone records maintained by Securus data storage system.
[su_note note_color=”#ffffcc” text_color=”#00000″]Jonathan Sander, VP of Product Strategy at Lieberman Software :
“People are saying the massive breach of Securus prisoner phone call data breaks the promise Securus made about a superior security platform, but looking at what’s happened and what they promised that doesn’t seem to be the case.
Securus promised that only authorized users of their platform, which records and catalogs millions of phone calls made to and from prison inmates, would be able to access the data in the system. Like so many other applications Securus built a great set of controls around the good guys walking into the front door, but it’s likely this breach was about bad guys sneaking in the back.
Did Securus practice safe coding practice at every step of the way? Did they ensure that any administrative functions for the application were as secure as the user interface used by the lawyers, law enforcement staff, and government officials?
The blame may not even be with Securus. Securus could have built an amazingly secure platform, but poor IT operations processes around that may have exposed it to exploits. If it was set up on systems or databases with unchanged default passwords (all too common) or being run on unpatched systems, then all the application security in the world may not have helped.
There will be a lot of finger wagging done at Securus for their role in this, but it would do us all good to step back and see this in the broader context of how we’re failing at every layer of cybersecurity.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Tim Erlin, Director of IT Security and Risk Strategy at Tripwire :
“We don’t know exactly how this data was taken, but it’s clear that there was a weakness somewhere. Any organization storing sensitive data should be diligent about how they protect it and also have a plan for their response in the case of a compromise.
Technology allows us to gather huge amounts of data, but there’s dwindling value in storing that data if it’s never analyzed and it may present a significant liability. It’s important, in any data gathering process, to place the value on the eventual objective, and to dispose of data as quickly as possible while meeting that objective. It’s simply not possible to steal data that’s been properly destroyed.
Though it may not appear to be a supply-chain cyber attack, Securus is part of the prison supply chain, and a weakness they exhibited may not have been adequately evaluated by the prison management. This will ultimately play out in a variety of ways, both legal and financial, but this is a wake-up call for prisons. These organization should actively look at other areas of their supply chain that might represent cyber security risks.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Ken Westin, Senior Security Analyst at Tripwire :
“This hack makes it crystal clear that the collection of all forms of sensitive personal information can be a liability to an organization.”[/su_note]