Personal Data encryption in DB

[The Old Man]

Hi,

Re storage of personal information (aspects of member data)

Do you think for security and best practice reasons (and Data Protection compliance) that Personal Data* in the form of email address, date of birth (birthday) and possibly IP Address should ideally be encrypted when stored in the IPS database? I noticed they are not encrypted, whereas other items are encrypted although using MD5 which seems out of date.

We hear about website user's personal information being obtained and stolen through hacking of websites and database theft all the time, and site owners are often held to account (in the UK and Europe, not sure about the US) if personal information is stolen or used for fraud or identity theft, especially if it has not been encrypted.

It may be best practice and could strengthen a website owner and end users confidence if a review of what could or should be improved by encryption or stronger encryption, as part of a security audit, Privacy Impact or RIsk Assessment.

Just putting it out there, food for thought.

 

* defined as an example by the DPA 1998 as "any data that can be used to identify a living individual and/or sensitive personal data that concerns the subject's race, ethnicity, politics, religion, trade union status, health, sex life or criminal record".

[Ohio Guns]

I don't think it's a requirement that data be encrypted, is it?

[Cyrem]

Firstly, encryption and hashing are very different, yet people get them confused.

MD5 is hashing, it is one way only. This means you cannot, as the website owner, know what information your user has entered. If you say, wanted to send out emails and your user's email address was hashed, you cannot send them an email as you have no idea what his email is and no way of reversing the hash. This also means you cannot even show the user what information they have entered onto your forum. Not to mention MD5 being very much out of date, and not safe for true sensitive data. Hashing isn't perfect either, any anyone trying to steal the identity of anyone is probably running bruteforce software as well as a rainbow table comparison. Eventually, they will get the information, only a matter of time.

Encryption is two way, and is in many ways "weaker" than hashing. You can decrypt sensitive information, and it is possible to encrypt the entire database as a whole (depends on your database type, this is your responsibility and outside the scope of IPS). Encrypting specific data in your database would have a huge impact on your website, suddenly you need to decrypt user data before it is usable to the suite. You would loss a lot of server performance depending on the size of the forum.

• IP Address does not identify an individual, it is not sensitive data. Many IP's are shared throughout your entire neighborhood.
• DOB is pretty much useless unless you have other sensitive information, such as a full name & address.  No point on hashing this, a substandard PC could defeat the hash in no time, it's just numbers.
• I wouldn't call an Email address sensitive data, at one point or another it's going to be harvested or sold by some other site/company.

Quite simply, its not practical to protect the information you've mentioned.

Just my view on it.

 

[Joy Rex]

PII (personally identifiable information) is a growing concern in the commercial space, but personal website owners should be cognisant of it as well - if your site gets hacked and user data is stolen, you could be potentially liable (a stronger case if any money changes hands between you and your users).

Also, it should be noted that PII can be constituted as something simple as a first and last name, email address, and personal address. Combined, this meets the definition of PII and is a potential risk if you store this data in your IPS database, especially in Commerce/Nexus.

The general rule is if you do not need to store it, don't.

[Ohio Riders]

You could use MariaDB 10.1 with at-rest InnoDB encryption. Doesn't help against SQL injection or unauthorized DB access, but does help against stolen backups and such. 

https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/

[The Old Man]

Thanks for the various view points everyone, much appreciated. Some good points there.

There are very steep fines in the UK if the Data Protection Act applies to you as a business or organisation operating in the UK and you don't do everything you reasonably can to safeguard an individual's personal data if you opted to collect and process it and it later becomes stolen or lost, and whether such data was encrypted (where able to do so) as best practice is one of the first things the ICO check.

Just for info if anyone's interested further in the UK legalities: 

Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –(a) at least one of the conditions in Schedule 2 is met, and(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Things are changing again next year with the introduction of further EU legislation with the General Data Protection Regulation (GDPR) is a new law that will replace the Data Protection Act 1998.

Further bed-time reading:

https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/

Some really interesting content in this guide, I was surprised to see mention of technologies such as use of Memcached etc:

https://ico.org.uk/media/for-organisations/documents/1042221/protecting-personal-data-in-online-services-learning-from-the-mistakes-of-others.pdf

https://ico.org.uk/media/for-organisations/documents/1600/social-networking-and-online-forums-dpa-guidance.pdf