It’s become common for websites and software systems to be hacked. Just this past week I read about Google production servers being hacked. It’s not just the Googles of the world. Reports indicate that about 30,000 sites are hacked each day. Personal information about users is regularly being leaked as well. While there were big examples like Adobe, where millions of users information came out, there is a long tail of sites being hacked and user information getting out.
This information is more commonly known as Personally Identifiable Information (PII). There are laws, court precedents, and personal safety issues that surround this information. It’s not something to be taken lightly.
Then there is the reality of this information. While a single website or service might not have much information, when information is combined from numerous sources a great deal can be learned. For example, one system might know about your home (belongings and valuables), another system know your location data, and a 3rd system know your work meeting schedule. If someone were to combine those they’d know a lot about your habitual coming and going.
Stored As Plain Text
A lot of systems store this data as plain text in databases. There are two reasons to make this assessment.
- A lot of systems are built on open source software where we can read how this information is stored as plain text. It’s not a mystery.
- When we read about systems being compromised the information was readily accessible. If it were encrypted we’d hear about the keys needed to decrypt the information. We don’t.
Let’s Make It Harder For Malicious Hackers
There is a solution here. Encrypt all PII. Everything. Do it in a way that keeps the encryption keys separate from the data storage. This isn’t just a matter of making the information hard for someone to get to. Given how often we hear of high profile hacking success stories you can’t make it impossible for someone to get in. Make it hard for them to read if they are able to get at it.
When we want to put our users first we need to take care with their personal information. Remember, this is your personal information, too. Odds are you’re a user of these systems and your information is leaking all over the place. Taking care of your users PII helps to take care of the information about you, your family, and your friends.
Is It Time To Encrypt All User Data? It’s already overdue.