Fore-get about privacy, golf tech biz leaves 32M data records on the fairway

Nearly 32 million records belonging to users of tech from Trackman were left exposed to the internet, sitting in a non-password protected database, for an undetermined amount of time, according to researcher Jeremiah Fowler. Trackman is a technology company that uses Doppler radar to analyze golf swings and shots. The PGA Tour …

  1. Korev Silver badge
    Coat

    So a security hole in one?

    1. MiguelC Silver badge
      Angel

      Nicely putt!

      1. Korev Silver badge
        Coat

        Join the club!

        1. Blogitus Maximus
          Coat

          I knew about this because...a little Birdie told me.

    2. IanRS

      A complete balls-up, leaving their users tee'd off.

    3. Homo.Sapien.Floridanus

      Security wasn’t up to par.

      1. Pete 2 Silver badge

        Seems like they have a fair way to go.

  2. Anonymous Coward
    Anonymous Coward

    Data custodians + access key

    That's why most companies should be forbidden to collect or store personal identification data.

    Instead everyone should choose from a few reliable custodians. For example Apple, Google, etc. Those could also be national bodies, like tax authorities etc. But all must use a common standard to help compete and enable changing a custodian. A large data leak should make the custodian lose the data holding license. Governments should pay custodians for the service.

    Other companies should only have a unique person's number, generated for a specific contract/service. And a key to access necessary data from custodians ONLY for specific transactions. The person should be messaged on each access. Data should never be shared with 3rd parties. Instead they will get keys as anyone else.

    Blockchain can be used to keep the data consistent: people do not change addresses, emails or phone numbers often. This will also protect from identity theft or reveal scammers. Users or custodians should not be able to modify or delete the data, unless for specific policy/reasons.

    1. IanRS

      Re: Data custodians + access key

      No! No! No!

      You want to give companies who are already the world's biggest trackers the information about where everybody is going for every site which is personalised enough to require an individual's data? And make it so that when their systems go down, nobody can get into anything at all? If you think they can make it 100% reliable, just consider Office364. And then store everyone's data on a blockchain? The whole point of a blockchain is that it is public so that data and changes to the data on it can be seen by all parties.

      1. Anonymous Coward
        Anonymous Coward

        ###

        > where everybody is going for every site

        They are already custodians. Every single service with PII asks for my email to send updates, to register etc. Your phone OS is a single point of virtually ALL your personal data.

        > when their systems go down

        With multiple custodians it is possible to create a distributed database with fallback if one is down. As a user you would choose, say, 3 of them.

        1. Anonymous Coward
          Anonymous Coward

          Re: ###

          > They are already custodians

          and your PII is just unnecessarily copied across vulnerable databases across the world.

        2. Anonymous Coward
          Anonymous Coward

          Re: ###

          > Every single service with PII...

          What about services with Personal Data?

        3. Valeyard

          Re: ###

          Your phone OS is a single point of virtually ALL your personal data.

          If you choose it to be; my Nokia 2660 can't be lumped into that statement. In fact a deep analysis of my phone will only show that the outgoing and incoming calls have a 100% correlation with when my wife went into one shop while I went into another and we had to find each other again afterwards.

    2. Ian Johnston Silver badge

      Re: Data custodians + access key

      Blockchain can be used ...

      And that's where your argument completely collapsed. After all, if there is one thing I want from any store of my personal data, it's an inability to correct mistakes.

      1. DS999 Silver badge

        Re: Data custodians + access key

        Blockchain allows correcting mistakes just fine, what it doesn't allow is erasing old data. So not only would your current address be in that database, but all your previous addresses. If someone erroneously input your SSN in place of your telephone number, it will be stuck in that blockchain forever!

      2. Anonymous Coward
        Anonymous Coward

        > your argument completely collapsed

        Blockchain is not part of the main idea, just an option. The addition is so that data should be immutable.

        1. Richard 12 Silver badge
          Big Brother

          Immutable is wrong, though

          It is a core requirement that errors can be corrected, with the wrong values expunged entirely and irrecoverably - although not the fact that a correction was made.

          And of course one of the possible errors is that the user identity never existed, but was an unauthorised clone of some other identity.

          There is an argument for a "cooling off" period before permanently erasing, but not a long one.

          These are legal requirements, and if you think about it you'll realise why any immutable system is rightfully unlawful.

    3. DS999 Silver badge

      Putting all your eggs in fewer baskets

      Just means more eggs are in jeopardy when the basket gets swiped. Google, Apple, Amazon, Microsoft, etc. aren't immune to data theft, they just know that they have a lot of it so they have a bigger budget to protect it. Even if they had perfect protection against outside threats, I'll bet all are vulnerable to insiders. The more data they hold, the more someone on the outside would be willing to pay an insider to compromise it.

      Heck, even the NSA was vulnerable to an insider attack, and I wouldn't be at all surprised if they were still vulnerable - requiring "two in the box" for any access to sensitive data massively increases your costs, while making a few feel-good changes to your employee evaluations claiming that'll catch potential insider threats before they act is much less expensive!

      And the licensing? Please. Even if the political will existed to pull the license of a Microsoft or a Google, imagine the massive headache for a million apps to be updated to migrate their data to someone new. Some of those apps no longer getting updates, or maybe the developer thinks "pulling Google's license was a political hit job, I'm keeping my stuff there even if they aren't licensed!" Then what, does the government go after him for using an unlicensed custodian?

      And of course throwing in the magic "blockchain" word at the end, as if that helps at all. Blockchain does not protect against data theft in any way, its only benefit is allowing many people to update a common database without being able to overwrite the history. There is zero benefit to, say, Google using it to protect the data they are custodian of. Clearly you don't understand what blockchain is good for, and are behind the times with magic technologies - you should be claiming AI as the solution!

      1. Anonymous Coward
        Anonymous Coward

        Re: Putting all your eggs in fewer baskets

        > more eggs are in jeopardy

        I bet your PII flows through at least 100, if not 1000 companies and their partners. So purely probabilistically, it is impossible not to leak them. Especially as the great majority have no clue how to manage data properly.

        Only a few data points need to be held by custodians: identifiers such as address, social security number, phone, passport data. Service-specific data, such as X-ray, or health history will be held by each company. But PII-stripped, with a unique person ID number, year of birth, first name, initials and user-chosen nickname maybe.

        Anyway, every person uses email daily, therefore why can't a customer service use a 3rd party socket to get your full name, when they need to call you.

        1. Anonymous Coward
          Anonymous Coward

          Re: Putting all your eggs in fewer baskets

          > I bet your PII flows through at least 100, if not 1000 companies and their partners.

          I assume you're in the USA based on your use of the term "PII". In Europe data protection law uses the term "Personal Data", which includes more things than the USA-prevalent term "PII" covers.

          > Anyway, every person uses email daily

          I don't use it daily (i.e. EVERY day), am I the exception that proves the rule? I might use it most days or many days of the week however.

      2. Anonymous Coward
        Anonymous Coward

        Re: Putting all your eggs in fewer baskets

        > headache for a million apps to be updated to migrate

        Only new ones. One has to start somewhere.

        The custodian database should be distributed between several custodians. So if one is out - the rest will take over immediately, also for reliability of the system.

    4. Ball boy Silver badge

      Re: Data custodians + access key

      'That's why most companies should be forbidden to collect or store personal identification data.

      Instead everyone should choose from a few reliable custodians. For example Apple, Google, etc'

      Your opening salvo was a great start and had promise but I fear the cracks started appearing at 'choose from a few reliable custodians. For example Apple, Google, etc'

    5. Anonymous Coward
      Anonymous Coward

      Re: Data custodians + access key

      Additional positive outcomes from using custodians: no PII duplication across companies; easy update; data access log with messaging to data owner.

    6. The Central Scrutinizer

      Re: Data custodians + access key

      Seriously, a "reliable custodian" like Apple, Google etc?

      What could possibly go wrong?

      You really haven't been paying attention, have you?

  3. This post has been deleted by its author

  4. Empire of the Pussycat
    Joke

    Golfers?

    Fuck 'em.

  5. Dutman

    Too many below par comments

    You were fore warned

  6. Terry 6 Silver badge

    Tech company

    You can sort of understand if a commercial organisation makes a mistake/is stupidly negligent in such a matter. If you are making shoes or peanut butter you may well not be too tech aware.

    But if you are actively doing tech stuff as your business then this should be bread and butter.

    A tech company not employing basic security is like a soft drink company not putting the lids on the bottles.

    1. Anonymous Coward
      Anonymous Coward

      Re: Tech company

      A tech company not employing basic security is business as usual.

      Fixed it for you.

      Almost all "tech" companies launch without any thought of security. They wait until a massive leak becomes public knowledge, then announce that "security is very important", and at that point usually do ... nothing much, unless they think they might be able to claim back the cost of developing the security they should have had in the first place.

      The real problem is that in most of the US, for most businesses the absolute maximum cost of abject failure appears to be around $1-5 per person for "one year of credit monitoring".

      In some other places it's much higher, but as most "tech" company CEOs think the US is the only place in the entire world...

      1. Anonymous Coward
        Anonymous Coward

        Re: Tech company

        When we live in a world where a company could "steal" its own data, sell it, pay the fine and still come out ahead, did we think the story would be different? Certain expensive security now or uncertain cheap fine later? What is a CTO to do?

        (Fortunately, my employers don't behave like this, but I'm still posting anonymously! There is cowardice and there is keeping your head below the parapet).

        1. Terry 6 Silver badge

          Re: Tech company

          "Expensive" seems to be a relative matter.

          Is it truly very costly to put your data in a safe place? Rather than an exposed folder on an unprotected server?

  7. GuldenNL

    Got them by their balls!

    Those pros are feeling light in their bags, and it really tees them off.

    It didn't take an Eagle eye to see their anger, especially when a little birdie told them just as they were at the ladies' tournament and they hoped to shag a few afterward.

  8. Ken Moorhouse Silver badge

    Which divot did that then?

    (sorry)

  9. Ken Moorhouse Silver badge

    use strong passwords, not the 1-2-3-4 variety

    Strong as in iron?

    How about 3, 4, 5, 6, 7, 8, 9?

  10. Ken Moorhouse Silver badge

    Azure Blob

    Hard drive in a caddy anyone?

  11. spireite Silver badge

    Will the final report begin with a fourwood?

  12. CowHorseFrog Silver badge

    Oh yes, golf, the favourite sport of many of the world's arseholes.
