Thursday, May 02, 2013

PII Problems in the Public Enron Data Set (aka "Industry Ouch")

Ride The Lightning - Wow. EDRM/FERC/Enron Data Privacy Breaches

It is a startling revelation when you learn that a dataset that has been public for years and contains over 7,500 instances of unredacted social security numbers, credit card numbers, dates of birth, home addresses and phone numbers. But that is precisely the claim of John Martin, the CEO and founder of BeyondRecognition.

The EDRM Enron Email Data Set v2 (EDRM Data) is a collection of documents originally gathered by the Federal Energy Regulatory Commission (FERC) as part of its investigation of Enron's energy trading practices and then made public by FERC. The EDRM data is a reworked version of the original documents which was available for download over an extended period of time at EDRM's website - it has since been transferred to Amazon Web Services for downloading, though there is a link from EDRM to the download site.

Why have so many people/teams worked with the data for years without discovering all the personally identifiable information (PII)? EDRM teams worked with it. The NIST-sponsored Text Retrieval Conference (TREC) Legal Track for 2010 and 2011 used that data set. Teams from around the world used it.

...

Putting motivation to one side, it is a real issue that publication of this data set necessarily meant that a data breach had taken place and it is astonishing that no one ever checked for PII. EDRM, in an e-mail I have seen, acknowledges that it is aware of the PII content and is working with an EDRM partner to make "a PII clean" version of the data available via EDRM.

...

Lessons from the EDRM/FERC/Enron Data Privacy Breaches

Background. The Electronic Discovery Reference Model (“EDRM”) is an e-discovery industry standards setting group, and the EDRM Enron Email Data Set v2 (“EDRM Data”) is a collection of documents originally gathered by the Federal Energy Regulatory Commission (“FERC”) as part of its investigation of Enron’s energy trading practices and then made public by it. EDRM Data is a reworked version of the original documents, with a label added to each email that reads,

“EDRM Enron Email Data Set has been produced in EML, PST and NSF format by ZL Technologies, Inc. This Data Set is licensed under a Creative Commons Attribution 3.0 United States License <http://creativecommons.org/licenses/by/3.0/us/>. To provide attribution, please cite to ZL Technologies, Inc. (http://www.zlti.com/).”

EDRM served as a direct download point for the EDRM Data for a period of time and later moved it to Amazon Web Services for downloading.

Breach Discovery. While working with the EDRM Data that we downloaded from the EDRM website, BeyondRecognition discovered that there were over 7,500 instances of unredacted social security numbers, credit card numbers, dates of birth, home addresses and phone numbers – a startling breach of privacy. Most of the data breach victims were Enron employees, but the victims also included spouses or children of the employees as well as third party contractors.

LESSONS

...

I've blogged about this data set a number of times. Many, many people in the LitSupport,eDiscovery industry use it (like about everyone), it's be available for almost a decade, and now this is found? Wow. I'd bet it's been seen before, but everyone assumed it was okay because the data was "public?" Anyway, if you use this data and you have a local copy, you need think long and hard about this finding.

Like I said... ouch

 

Related Past Post XRef:
And even more Enron (PST’s that is) We’re talking 107GB, compressed, of data…
EDRM Enron Reference Data v2 now available
Need a ton of email data (10’s of gig’s)? Need it in PST form? Need it to be public data? Want to look behind the curtain into Enron? The EDRM Data Set Project is for you…
Federal Energy Regulatory Commission (FERC) Enron Email Document Database

No comments: