Reply to post: WHERE Postcode LIKE 'EC%'

TalkTalk attack: 'No legal obligation to encrypt customer bank details', says chief

Anonymous Coward
Anonymous Coward

WHERE Postcode LIKE 'EC%'

Encryption is a tool not a solution. Let's say all the customer information in the database is encrypted and a customer calls up to query their bill. Of course being a customer he doesn't know what his account number is, so the call centre worker has to go through Data Protection checks without that nice account number to use as a key into the encrypted database. So the call centre application needs to make an SQL query based on postcode, name, age mothers maiden name etc. to both verify the customer and find out the account number. Unfortunately this data is encrypted so the application needs the database keys to encrypt the customer supplied info into something that can be used to make a query. Possible, but a world of pain to secure once you have multiple applications that all need access to the key. The fun really starts when one of the business application needs to make wild card queries like the one in the title. Then you are screwed.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021