One more file-related security breach. According to reports, the personally identifiable information (PII) of 3,000 US Airways pilots was compromised. This included names, addresses, social security numbers, and conceivably passport details. The source of the breach seems to be an Excel file which was sent to an external party. The file was supposed to contain only the names of the pilots so this unnecessary exposure of PII is being investigated.

In fact, many enterprises face similar issues where sensitive data inadvertently appears in files which are later disseminated and distributed. Keeping track of, and monitoring, sensitive information is challenging many companies. According to IDC, 80% of business information is stored in files and this number is expected to grow by 60% annually. Furthermore, our recent survey of security professionals has shown that 65% of those polled were unsure who has access to sensitive files at their companies.

It is important to recognize that the heart of this information lies at the data center. It is from there that the sensitive data is disseminated in different ways. Accordingly, a solution should be put in place for tight monitoring and control at the data center. Once this control is set up, it is possible to address the following questions:

• Who accessed the data and with what application?
• When was the data accessed?
• What, and how much, data was retrieved?

In the case of the pilots' breach, such controls could have been used to alert that sensitive information regarding the pilots was extracted from the database. Similarly, if the file containing the exported PII was stored on a shared file server, an audit trail of who accessed the file would also be available. Classifying the file to indicate that it held sensitive information would have helped as well, and appropriate alerts could have been issued based on access patterns.