Solved

Security implications of storing passport documents online

Posted on 2012-03-22
Last Modified: 2012-06-27
Hi all,

I have been asked to look into the implications of storing photocopied identification documents online on our dedicated server (around 10,000 to start but will grow each year). These id documents will be of passports, driving licenses etc.

What would the security implications be for this?

My feeling is...
1. If it is not an essential part of your business process, don't do it. Keep them on paper in the locked drawers at work.
2. If we do, I feel we are opening ourselves to attack for identity theft. By the documents not being there, we are leaving much less of a reason for attack.
3. If we do keep them online and online security is compromised, we could be sued (maybe, I don't know).

Basically, I feel like we will be making ourselves attractive for targeted attacks because the identity information has value.

Your help and opinion is greatly appreciated.
Question by: MonCapitan
7 Comments
Assisted Solution by: Dave Baldwin (earned 100 total points)
ID: 37755777
Here's a reference for you: http://business.ftc.gov/privacy-and-security   Yes, you definitely can be sued if the documents are compromised.

From that page:

For many companies, collecting sensitive consumer and employee information is an essential part of doing business. If you collect this type of information, it’s your legal responsibility to take steps to properly secure or dispose of that data.

Expert Comment by: ahoffmann
ID: 37756010
It all depends on the laws of the country in which you do that.
For example, in most countries in Europe you'll be sued just for putting the (personal) data into public.

Expert Comment by: noci
ID: 37756528
I agree with ahoffmann....
Additionally: what about your clients, what is their opinion on having their Social Security numbers "published"? Also, for some services it suffices to [e-]mail a photocopy of some identifying documents... This would/might assist in fraud using such stored documents.

For me personally, if I became aware of this much disregard for the privacy of others, this would mean I would stop being a customer, period.

Besides this, I know that under Dutch law you may only record the BSN (Dutch for Social Security Number) if you are ordered to do so by law; otherwise you may not record the BSN.
And you are required to have this as a confidential part of your administration.

As the BSN is on all identifying documents, you first need to process the images to remove all parts of the documents that may not be in the "public" domain.
(With respect to employers, anything outside of the HR department is considered public).
Author Comment by: MonCapitan
ID: 37756594
Thanks for your replies.

We are looking at storing this information for our business use on our online backend system. We would never intentionally show these files publicly. The only way this would get exposed is by an external attack.

By storing these documents online (as securely as our Web Developers know how) what are the risks/consequences of doing so?

Is it generally regarded as bad practice?
Is it, in the IT world, a bad thing to do?
Is it maybe normal for a company to store this information?
Have we just magnified the risk of attack 10 fold/20 fold?
Does there have to be a darn good reason to store documents like this online, risk vs. reward, etc.?

Thanks for any further advice.

Accepted Solution by: ahoffmann (earned 200 total points)
ID: 37756659
> The only way this would get exposed is by an external attack.
Then you're also responsible.

> .. (as securely as our Web Developers know how)
Hmm, do they know the threats, attacks, vulnerabilities and risks at least as described in the OWASP Top 10 and SANS Top 25? Ask them; they should be able to explain each one, and how to mitigate it, from memory.

> Is it generally regarded as bad practice?
IMHO yes

> Is it, in the IT world, a bad thing to do?
yes ( http://www.verizonbusiness.com/about/events/2012dbir/index.xml )

> Is it maybe normal for a company to store this information?
IMHO no

Assisted Solution by: noci (earned 200 total points)
ID: 37756808
> The only way this would get exposed is by an external attack.
And so what? Exposed is exposed. Also note the risk of an "internal" attack,
i.e. external to the HR department, internal to the company.

> .. (as securely as our Web Developers know how)
Better test for that (see ahoffmann).

> Is it generally regarded as bad practice?
Yes; IMNSHO you should not store in computers stuff that is not needed there.
Convenience is the worst factor to take into consideration.

> Is it, in the IT world, a bad thing to do?
If it is bad in general, then it would also be bad in the IT world. For some reason IT is seen as the panacea for all kinds of stuff.
Like voting: to get all the requirements right [esp. on auditing], an IT solution is the worst possible way to go.

> Is it maybe normal for a company to store this information?
Depends... if you are required to do this by law it might be needed, but then you do need to take precautions like not even your system administrators being able to reach that information.
Given that this is very hard to do, a more effective way might be a stack of photocopies in a good old vault. Also a lot easier to audit.

Expert Comment by: ahoffmann
ID: 37756845
> > Is it maybe normal for a company to store this information?
You're talking about "passport documents"; I'm not aware of any country where such data is supposed to be controlled by private companies.
This fact alone should answer this question: no go, without any exception!