New Year is coming, and usually, during this period, people assess what they did during the previous year. As a person with skills and experience in the defensive part of cybersecurity, I am always quite sensitive about sharing information, contracts, and legal documents with anyone, including institutions. During the last year on multiple times, I had to present official documents and explanations of why and how I did something. On one of the occurrences, I had to deliver around 20, again 20 papers to prove my right. Some of the documents did not relate to the right I wanted to execute, but the institution tried to enforce on me their policy. The representatives in the office even told me that I should trust the institution and that this was the first time someone asked for their data retention period, how they will assure that they will destroy the documents after that period and why they need the data at all.

During the last year, all of these experiences triggered the following questions in my mind – Is my data safe in any institution? Will it be in a safer place if I take care of my data, but not an institution? Can an ordinary person achieve a better level of security than an institution? 

The diagram shows a standard SSD storage system architecture used in almost all database systems. Because of its unique way of storing information, the standard secure delete procedures do not erase the data securely. Special tools are needed for this action, and we could only hope that the institution SysOps department is qualified enough to erase the information properly

For all of these questions, the answers are usually – it depends on the level of expertise of the defending side. So it largely depends on the professionals the institution hired. To strengthen my statement, I can list several case studies that showed how attackers could penetrate even institutions and leak data:

  • Bank Hack: During a regular penetration testing exercise, a team of white hats managed to penetrate multiple office branches of a substantial French bank. Only in one of the offices did the employees ask the penetration expert to identify himself and ask the headquarters whether they sent anyone.
  • Government Taxes Authorities Hack: A couple of years ago, a hacker managed to leak multiple gigabytes of data from the Bulgarian Taxes Agency. The security hole had been opened for an extended period, reported numerous times, and no one took action to close it.
  • Universities Hack: At the beginning of 2021, multiple US universities, including members of the Ivy League, were hacked, and the personal information and documents of their students, lecturers, and professors were leaked to the public.

In conclusion, I think we could safely assume that taking care of our data is our right and responsibility. I am happy to delegate this responsibility only to legal professionals (lawyers, notaries, and judges). They work with confidential documents every day and know how a data leak can affect people. In any other case, sharing data with 3rd parties must come with at least a declaration for their data retention practices and how they destroy the data (there are security practices for doing that correctly).