Solved

Security implications of storing passport documents online

Posted on 2012-03-22
435 Views
Last Modified: 2012-06-27
Hi all,

I have been asked to look into the implications of storing photocopied identification documents online on our dedicated server (around 10,000 to start, but this will grow each year). These ID documents will be of passports, driving licences, etc.

What would the security implications be for this?

My feeling is...
1. If it is not an essential part of your business process, don't do it. Keep them on paper in the locked drawers at work.
2. If we do, I feel we are opening ourselves to attack for identity theft. By the documents not being there, we are leaving much less of a reason for an attack.
3. If we do keep them online and online security is compromised, we could be sued (maybe, I don't know).

Basically, I feel like we will be making ourselves attractive for targeted attacks because the identity information has value.

Your help and opinion is greatly appreciated.
Question by:MonCapitan
7 Comments
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 100 total points
ID: 37755777
Here's a reference for you: http://business.ftc.gov/privacy-and-security   Yes, you definitely can be sued if the documents are compromised.

From that page:

For many companies, collecting sensitive consumer and employee information is an essential part of doing business. If you collect this type of information, it’s your legal responsibility to take steps to properly secure or dispose of that data.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37756010
It all depends on the laws of the country you do that in.
For example, in most countries in Europe you'll be sued just by putting the (personal) data into public.
 
LVL 40

Expert Comment

by:noci
ID: 37756528
I agree with ahoffmann....
Additionally: how about your clients, what is their opinion on having their Social Security numbers "published"? Also, for some services it suffices to [e-]mail a photocopy of some identifying documents... This would/might assist in fraud using such stored documents.

For me personally, if I became aware of this much disregard for the privacy of others, this would mean I would stop being a customer, period.

Besides this, I know that for Dutch law: you may only record the BSN (Dutch for Social Security Number) if you are ordered to do so by law; otherwise you may not record the BSN.
And you are required to have this as a confidential part of your administration.

As the BSN is on all identifying documents, you first need to process the images to remove all parts of the documents that may not be in the "public" domain.
(With respect to employers, anything outside of the HR department is considered public.)
Author Comment

by:MonCapitan
ID: 37756594
Thanks for your replies.

We are looking at storing this information for our business use on our online backend system. We would never intentionally show these files publicly. The only way this would get exposed is by an external attack.

By storing these documents online (as securely as our Web Developers know how) what are the risks/consequences of doing so?

Is it generally regarded as bad practice?
Is it, in the IT world, a bad thing to do?
Is it maybe normal for a company to store this information?
Have we just magnified the risk of attack 10 fold/20 fold?
Does there have to be a darn good reason to store documents like this online, risk vs. reward, etc.?

Thanks for any further advice.
 
LVL 51

Accepted Solution

by:ahoffmann
ahoffmann earned 200 total points
ID: 37756659
> The only way this would get exposed is by an external attack.
then you're responsible also

> .. (as securely as our Web Developers know how)
hmm, do they know the threats, attacks, vulnerabilities and risks at least as described in the OWASP Top 10 and SANS Top 25? Ask them; they should explain each and how to mitigate it, out of memory.

> Is it generally regarded as bad practice?
IMHO yes

> Is it, in the IT world, a bad thing to do?
yes ( http://www.verizonbusiness.com/about/events/2012dbir/index.xml )

> Is it maybe normal for a company to store this information?
IMHO no
 
LVL 40

Assisted Solution

by:noci
noci earned 200 total points
ID: 37756808
> The only way this would get exposed is by an external attack.
And so what, exposed is exposed. Also note the risk of an "internal" attack,
i.e. external to the HR department, internal to the company.

> .. (as securely as our Web Developers know how)
Better test for that (see ahoffmann).

> Is it generally regarded as bad practice?
yes, IMNSHO you should not store into computers stuff that is not needed there.
Convenience is the worst factor to take into consideration.

> Is it, in the IT world, a bad thing to do?
If it is bad in general, then it would also be bad in the IT world. For some reason IT is seen as the panacea for all kinds of stuff.
Like voting, to get all the requirements right [ esp. on auditing ] an IT solution is the worst possible way to go.

> Is it maybe normal for a company to store this information?
Depends..., if you are required to do this by law it might be needed but then you do need to take precautions like: not even your system administrators being able to reach that information.
Given that this is very hard to do, a more effective way might be a stack of photocopies in a good old vault. Also a lot easier to audit.
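The precaution noci describes above, "not even your system administrators being able to reach that information", is usually implemented as envelope encryption: each scan is encrypted under its own data key, that data key is wrapped under a master key held in a key service the storage host never sees, and the host keeps only ciphertext plus the wrapped key. The following Go program is an added illustration of that pattern; it is not code from this thread or from any product mentioned in it. It assumes a master key held in an HR-controlled key service or HSM (an assumption, represented here by a byte slice generated in memory), uses the document ID as associated data so a wrapped key cannot be moved to another document, and uses a constructed byte string in place of a real scan.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredDocument is everything the online storage host ever keeps for one
// scanned ID document: the encrypted scan and the per-document data key,
// itself encrypted ("wrapped") under a master key the host does not hold.
type StoredDocument struct {
	Ciphertext []byte // nonce || AES-256-GCM(scan) under the data key
	WrappedKey []byte // nonce || AES-256-GCM(data key) under the master key
}

// NewMasterKey generates a 256-bit master key. In a real deployment this key
// lives in an HR-controlled key service or HSM (assumption), never on the
// web/storage host.
func NewMasterKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealGCM encrypts plaintext with AES-GCM under key, authenticating aad, and
// returns nonce || ciphertext || tag.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; it fails if the key, the aad or any byte of the
// blob is wrong.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// StoreDocument runs where the master key is available. It creates a fresh
// data key for this scan, encrypts the scan under it, wraps the data key under
// the master key and returns only what the storage host may keep. docID is the
// associated data, so a wrapped key cannot be reused for another document.
func StoreDocument(masterKey, scan []byte, docID string) (StoredDocument, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return StoredDocument{}, err
	}
	ct, err := sealGCM(dataKey, scan, []byte(docID))
	if err != nil {
		return StoredDocument{}, err
	}
	wrapped, err := sealGCM(masterKey, dataKey, []byte(docID))
	if err != nil {
		return StoredDocument{}, err
	}
	return StoredDocument{Ciphertext: ct, WrappedKey: wrapped}, nil
}

// RetrieveDocument needs the master key to unwrap the data key first; an
// administrator of the storage host, holding only StoredDocument, cannot do this.
func RetrieveDocument(masterKey []byte, doc StoredDocument, docID string) ([]byte, error) {
	dataKey, err := openGCM(masterKey, doc.WrappedKey, []byte(docID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key for %s: %w", docID, err)
	}
	return openGCM(dataKey, doc.Ciphertext, []byte(docID))
}

func main() {
	master, _ := NewMasterKey()
	scan := []byte("CONSTRUCTED sample passport scan bytes") // stands in for the image file
	doc, _ := StoreDocument(master, scan, "doc-0001")
	fmt.Printf("storage host keeps %d ciphertext bytes and a %d-byte wrapped key\n",
		len(doc.Ciphertext), len(doc.WrappedKey))
	back, err := RetrieveDocument(master, doc, "doc-0001")
	fmt.Printf("retrieved with master key: %q (err=%v)\n", back, err)
}
```

The storage host's administrators can read every byte it holds and still learn nothing about the scans; what they cannot do is call RetrieveDocument usefully, because that needs the master key. The real controls therefore move to who holds that key and how each call to RetrieveDocument is authorised and logged, which is exactly the part noci calls very hard to do well; the encryption on its own does not make the stored documents safe to keep.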
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37756845
> > Is it maybe normal for a company to store this information?
You're talking about "passport documents"; I'm not aware of any country where such data is supposed to be controlled by private companies.
This fact alone should answer this question: no go, without any exception!