Security implications of storing passport documents online

Hi all,

I have been asked to look into the implications of storing photocopied identification documents online on our dedicated server (around 10,000 to start, but this will grow each year). These ID documents will be passports, driving licences, etc.

What would the security implications be for this?

My feeling is...
1. If it is not an essential part of your business process, don't do it. Keep them on paper in the locked drawers at work.
2. If we do, I feel we are opening ourselves to attack for identity theft. If the documents are not there, we are leaving much less of a reason for attack.
3. If we do keep them online and the online security is compromised, we could be sued (maybe, I don't know).

Basically, I feel like we will be making ourselves attractive for targeted attacks because the identity information has value.

Your help and opinion is greatly appreciated.
MonCapitan asked:

Dave Baldwin (Fixer of Problems) commented:
Here's a reference for you: http://business.ftc.gov/privacy-and-security. Yes, you definitely can be sued if the documents are compromised.

From that page:

For many companies, collecting sensitive consumer and employee information is an essential part of doing business. If you collect this type of information, it’s your legal responsibility to take steps to properly secure or dispose of that data.
0
ahoffmann commented:
It all depends on the laws of the country where you do that.
For example, in most countries in Europe you'll be sued just by putting (personal) data into public.
0
noci (Software Engineer) commented:
I agree with ahoffmann....
Additionally: how about your clients, what is their opinion on having their social security numbers "published"? Also, for some services it suffices to [e-]mail a photocopy of some identifying documents... This would/might assist in fraud using such stored documents.

For me personally, if I became aware of a company having this much disregard for the privacy of others, that would mean I would stop being a customer, period.

Besides this, I know that under Dutch law you may only record the BSN (Dutch for social security number) if you are ordered to do so by law; otherwise you may not record the BSN.
And you are required to keep it as a confidential part of your administration.

As the BSN is on all identifying documents, you first need to process the images to remove all parts of the documents that may not be in the "public" domain.
(With respect to employers, anything outside of the HR department is considered public.)
0

MonCapitan (Author) commented:
Thanks for your replies.

We are looking at storing this information for our business use on our online backend system. We would never intentionally show these files publicly. The only way this would get exposed is by an external attack.

By storing these documents online (as securely as our Web Developers know how) what are the risks/consequences of doing so?

Is it generally regarded as bad practice?
Is it, in the IT world, a bad thing to do?
Is it maybe normal for a company to store this information?
Have we just magnified the risk of attack 10-fold/20-fold?
Does there have to be a darn good reason to store documents like this online, risk vs. reward, etc.?

Thanks for any further advice.
0
ahoffmann commented:
> The only way this would get exposed is by an external attack.
Then you're responsible also.

> .. (as securely as our Web Developers know how)
Hmm, do they know the threats, attacks, vulnerabilities and risks at least as described in the OWASP Top 10 and SANS Top 25? Ask them; they should be able to explain each one and how to mitigate it, from memory.

> Is it generally regarded as bad practice?
IMHO yes

> Is it, in the IT world, a bad thing to do?
yes ( http://www.verizonbusiness.com/about/events/2012dbir/index.xml )

> Is it maybe normal for a company to store this information?
IMHO no
0

noci (Software Engineer) commented:
> The only way this would get exposed is by an external attack.
And so what? Exposed is exposed. Also note the risk of "internal" attack,
i.e. external to the HR department, internal to the company.

> .. (as securely as our Web Developers know how)
Better test for that (see ahoffmann).

> Is it generally regarded as bad practice?
Yes, IMNSHO you should not store in computers stuff that is not needed there.
Convenience is the worst factor to take into consideration.

> Is it, in the IT world, a bad thing to do?
If it is bad in general, then it would also be bad in the IT world. For some reason IT is seen as the panacea for all kinds of stuff.
Like voting: to get all the requirements right [esp. on auditing], an IT solution is the worst possible way to go.

> Is it maybe normal for a company to store this information?
Depends... If you are required to do this by law it might be needed, but then you do need to take precautions such as not even your system administrators being able to reach that information.
Given that this is very hard to do, a more effective way might be a stack of photocopies in a good old vault. It is also a lot easier to audit.
0
ahoffmann commented:
> > Is it maybe normal for a company to store this information?
You're talking about "passport documents". I'm not aware of any country where such data is supposed to be controlled by private companies.
This fact alone should answer the question: no go, without any exception!
0