One Step Ahead: Privacy and Security Tips
November 7, 2006, Volume 53, No. 11

Another tip in a series provided by the Offices of Information Systems & Computing and Audit, Compliance & Privacy.

Carelessness with Consequences

Don’t let this happen to you; it could. Dave, a business administrator, discovered that dozens of his department’s employees’ salaries, SSNs, and performance appraisal ratings were publicly available on the Internet.

Dave was computer savvy and had been given responsibility for the department’s web-accessible database. Though not an expert, he thought he knew enough to get the job done. However, in today’s complex web environment, he didn’t know enough about how to protect data. Thinking a database set up on a widely used database application would be accessible only to three of his colleagues, he was shocked to find some of the data accessible by Internet-based search engines. He assumed a hacker had stolen the data.

In fact, no one had broken into the computer. Rather, while setting up the database, Dave had accidentally placed the private file in a public folder, available to anyone on the Internet. The entire file was indexed by two of the major search engines.

Two critical lessons can be learned from this situation:

• If you aren't knowledgeable about security-related practices and techniques in building web-based databases, then ask for help from your local computing support provider or consult with ISC Security (security@isc.upenn.edu).

• Do NOT store Social Security Numbers unless there is no alternative. Use the PennID instead. If you wish to convert your SSNs to PennIDs, please contact Vicki Fullam in ISC's Data Administration Group at (215) 746-6376 to get information about a new tool scheduled for pilot testing in December.

For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security/.

Almanac - November 7, 2006, Volume 53, No. 11