Dereliction of Data Protection – By a Law Enforcement Union

If you are not from the San Francisco Bay Area, you may not know that hackers gained access to the website operated by the Bay Area Rapid Transit (BART) Police Officers’ Association, then stole and posted personal information on more than 100 officers. The officers’ home and email addresses were leaked along with their passwords.

This is an extremely serious breach. With two officer-involved shootings in the last couple of years, there is a lot of controversy surrounding the organization, and activists and criminals now know where officers and their families live.

This is a breach that did not have to happen. I cannot think of any reason why extremely confidential information was on the web in the first place. What rationale could there be for anyone to be able to log in to a public-facing website and look up the names and home addresses of law enforcement officers?

So let’s assume that the home addresses were not on the web server, and just the officers’ passwords were disclosed. For me to log in to a website, the web server needs to validate my user name and password. I enter them into my browser, and they are sent from my computer to the server (I hope that the link is encrypted!) and the server validates them.

The server does not need to store my password; it can store a “hash” of it instead. When I first create my account, a one-way hash algorithm takes my password and runs it through a mathematical transformation, and the result is stored in the user database. Every time I log in after that, the password that I enter into my browser is sent to the server, where it is hashed and compared to the stored hash. If they match, I am granted access.

A good hash algorithm will prevent “working backwards” to discover the original password if the hash is known. The downside of hashing passwords is that if I forget my password, the system cannot email it to me, and emailing a password would be a breach unto itself! Instead, the site will need to implement a password reset mechanism whereby I will need to prove who I am in order to select a new password.
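The store-a-hash and compare-on-login flow described above, as an added example that is not code from the original article. It goes beyond the text by using a per-user random salt, a deliberately slow hash (PBKDF2-HMAC-SHA256) and a constant-time comparison; the record format, function names and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed work factor; raise it as far as your login latency budget allows.
ITERATIONS = 600_000
SCHEME = "pbkdf2_sha256"  # hypothetical label for this example's record format


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Build the record that goes into the user database instead of the password."""
    # A fresh salt per account means two users with the same password
    # get different records, so one precomputed table cannot crack both.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-hash the submitted password with the stored salt and compare the results."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != SCHEME:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations)
        )
    except (ValueError, OverflowError):
        return False  # malformed or truncated record: fail closed
    # compare_digest takes the same time whether or not the values match,
    # so response timing does not reveal how close a guess was.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample account; the database only ever sees the record.
    user_db = {"alice": hash_password("correct horse battery staple")}
    print(user_db["alice"])
    print(verify_password("correct horse battery staple", user_db["alice"]))  # True
    print(verify_password("guess123", user_db["alice"]))                      # False
```

Because only the record is stored, a forgotten password cannot be recovered from it, which is why the reset mechanism mentioned above is needed.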

Do you know how your passwords are protected? You may want to check in with your IT department or the services provider that is hosting your website.

Data disclosure is just one type of data loss. Your homework is to write a short paragraph on what data loss means to you and enter it into the comments below. I will discuss data loss in general in my next article.

2 Comments to “Dereliction of Data Protection – By a Law Enforcement Union”

  • Thomas Burg says:

    To quote Larry Ellison: “privacy is dead, get over it”. I don’t like Larry much, but I think he is perfectly right on this one; especially in the USA: As long as private data is not protected by (strong!) law, it will lose in the battle of profit vs. money spent on securing the data.

    Even in Europe, where privacy laws are much stronger, I think we consumers (and that includes law enforcement, politicians, …) are on the losing end.

    It is kind of ironic that this discussion started on Facebook - I don’t trust Facebook A BIT and still I am putting all this stuff out there because it is convenient and free…

  • Randall Becker says:

    Data loss also occurs when your information is stored somewhere on the net (call it The Cloud), and your provider is no longer accessible. It’s fine for them to have backups, but what if they go out of business? You lose. What if there’s a war and the lines to them are cut? You lose. There is an inherent loss of control to storing data “elsewhere” that has been overlooked in the public eye.
