"Many web applications and APIs do not properly protect sensitive data, such as financial,
healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit
card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra
protection, such as encryption at rest or in transit, and requires special precautions when
exchanged with the browser."
So saith OWASP.
This is not just GDPR (which is a significant compliance issue), but a much larger problem associated with a general malaise in the industry.
We worry more about patching the latest patch than thinking about and preventing the issue.
No wonder the issue came from nowhere (OWASP 2013 to #3 in OWASP 2017).
How about not exposing the data just because it is "easier to keep all the data in one file" (i.e., data structure)?
There are hundreds of "How about?"'s, but if we restructure our thinking on the issue as a whole there are better solutions.
I predict that it (Sensitive Data Exposure) will be #1 or #2 next year on the OWASP Top 10, and I predict the cost in 2018 will approach $1 billion to resolve breaches, compensate the afflicted, and patch. I predict that at least 1, but possibly 2, very highly compensated CISOs and even other CxOs will lose their position in 2018.
We need solutions, not palliatives (go ahead look it up).
What say you?
"Not exposing the data" is difficult, because it was probably gathered for a valid reason, and nowadays customers expect to be able to interact with it through the same UI.
Online shopping? "Please phone us if you want to confirm or change your card or address details" is another way of saying "We want to lose market share". Exceptions and complaints? "Please fill in form 37/b and post it to our head office..." is very 1980s, but not viable today. 🙂
Easy solutions are scarce, alas.
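One way to reconcile the two posts above (keep sensitive data out of the everyday record, yet let the customer see and change it through the normal UI) is tokenisation with a separate vault and a masked view. The example below is added here as an illustration and is not code from either poster or from OWASP; `CardVault`, `store_card`, `update_card` and the in-memory dict standing in for a separately protected store are all assumptions for the demo, as are the test card numbers.

```python
import secrets
from dataclasses import dataclass, field


def luhn_ok(pan: str) -> bool:
    """Basic Luhn check so obviously bad input is rejected before storage."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """What the UI shows: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class CardVault:
    """Stand-in (assumption) for a separately protected store of raw card numbers.

    The customer-facing record never holds the PAN, only an opaque token, so a
    dump of the main user table or an API that echoes the record back to the
    browser does not expose the card. Every reveal is audited.
    """
    _store: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def put(self, pan: str) -> str:
        token = secrets.token_urlsafe(16)   # random, not derived from the PAN
        self._store[token] = pan
        return token

    def drop(self, token: str) -> None:
        self._store.pop(token, None)

    def reveal(self, token: str, purpose: str) -> str:
        # Only server-side code paths that genuinely need the PAN (e.g. charging
        # a payment) call this; the UI works from the masked record instead.
        self.audit.append((token, purpose))
        return self._store[token]


def store_card(vault: CardVault, customer_id: str, pan: str) -> dict:
    """Build the record the application (and the browser) actually works with."""
    if not luhn_ok(pan):
        raise ValueError("card number failed validation")
    token = vault.put(pan)
    return {
        "customer_id": customer_id,
        "card_token": token,
        "card_masked": mask_pan(pan),
    }


def update_card(vault: CardVault, record: dict, new_pan: str) -> dict:
    """Customer changes their card through the same UI: old token is retired."""
    new_record = store_card(vault, record["customer_id"], new_pan)
    vault.drop(record["card_token"])
    return new_record


def record_exposes_pan(record: dict, pan: str) -> bool:
    """Helper for checking that the raw PAN never leaks into the record."""
    return pan in str(record)


if __name__ == "__main__":
    vault = CardVault()
    rec = store_card(vault, "cust-42", "4111111111111111")   # constructed test PAN
    print(rec)                      # token + '************1111', no raw PAN
    rec = update_card(vault, rec, "4242424242424242")        # constructed test PAN
    print(vault.reveal(rec["card_token"], "charge"), vault.audit)
```

The point is separation, not the vault implementation: in production the vault would be an encrypted store or a payment provider's tokenisation service with its own access controls, while the record that flows through the ordinary UI and API keeps only the token and the masked value.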