The seeping data problem

We all back up our data on computers, smartphones, and wherever else it is held. That's a good thing - but an article on the StorefrontBacktalk blog entitled Are Data Backups Unintentionally Expanding Your PCI Scope? talks about how payment card data can seep into places you don't want it to, and is then in turn backed up along with everything else. While the article focuses on payment cards, the issue applies to any sensitive data. The entire article is worth a read - whether you deal with credit and debit card information or not - but to get a flavour:

Are your automated backup systems expanding your PCI scope? Almost everyone agrees that backing up your important data is a smart thing to do. Except, that is, when it’s not. The problem starts when your sensitive data seeps into places you don’t expect.

Your backup systems then unintentionally spread cardholder data to locations you don’t suspect and expand your PCI scope in the process. Should you be concerned? I think you should be, and I’m not the only one–the PCI Council thinks retailers may have a problem, too.

The problem begins because cardholder data has a way of leaking into all kinds of unexpected places. Sometimes this leakage is from users violating company policy: They copy data to their laptops or local databases, sometimes synching to mobile devices. When these systems are backed up, the data is duplicated in new places, compounding the problem.

And another post on the same blog entitled iPhone Payment Peril: Mobile Mayhem Omen? starts by saying:

The iPhone retains everything typed into it through its onscreen keyboard, including payment-card data, for as long as a year. And that penchant for holding onto payment-card data is only the latest in a long line of mobile data catastrophes that are slowly materializing as mobile deployments start in earnest.

Many apps are simply sloppy about the security of sensitive data.

The bottom line is that everyone who designs any kind of hardware or software, or is responsible for any kind of computer system, needs to think about this issue carefully, and limit the unnecessary duplication or storage of personal or confidential information.