US banks suffer most database breaches

Database software developers in the banking and finance industries reported more security breaches than database developers in any other industry, according to the results of a new survey.

In a poll of 700 database developers working for US-based corporations and software development firms, 12% said the databases they support experienced a security breach within the last year, according to market research company Evans Data.

The survey, which was conducted in December, characterised security breaches with three general definitions: a computer virus that successfully corrupts or erases data in a database, a human error that leaves a database corrupted or an unauthorised break-in to a database.

Of these, computer viruses were the most common problem, said Joe McKendrick, an analyst with Evans Data.

Some 27% of the developers surveyed in the banking and financial services industries said they had experienced a security breach last year. In the medical and health care industry, 18% of database developers said they had experienced a breach. An equal percentage of developers in the telecommunications industry reported breaches.

Meanwhile, 12% of the developers working for electronic commerce and other Internet companies reported security problems. Breaches occurred among 9% of those developers polled from the government and military sector.

The database developers who took part in the survey used software from a variety of vendors. The most used applications included Microsoft's SQL Server, IBM's DB2 and database software from Sybase and Oracle. Roughly 70% of the developers who took part in the survey said they support databases from two or more of these vendors.

In addition to security protection with firewalls and network authentication, databases typically include built-in security features such as data encryption. However, only 37% of the respondents said they make use of the built-in security features.

"Major vendors have done a fantastic job of incorporating various levels of security features and tools," McKendrick said. "If these features are used, it provides a good level of security."

Database security glitches reported during the year included a hole in Microsoft's SQL Server that left it vulnerable to hackers during a short period after a user logs off the database. Another hole was found in Microsoft's database software in December that left it vulnerable to a denial-of-service attack.

Also in June, the Covert Labs division of PGP Security discovered a flaw in Oracle's Oracle8i database that left it vulnerable to attacks from hackers.

Of the 700 developers polled by Evans Data, one quarter work at companies with more than 1,000 employees. Some 70% of the database developers work in-house at corporations; the other 30% work for software development companies.
