Businesses risk compromising critical information by using customer data for the development and testing of applications, a report has revealed.
Issued by Compuware and the Ponemon Institute, the report, "Test Data Insecurity: The Unseen Crisis", says that of the European companies surveyed, 64% use customer data instead of disguised data to test applications during development. Of these companies, 63% use customer files and 45% use customer lists.
Live data used for testing can include employee records, vendor records, customer account numbers, credit card numbers, social security numbers and other credit, debit or payment information, says the report.
Organisations need to realise that despite the fact that testing occurs in a non-production environment, privacy threats still exist and these environments are less secure than the production environment, the report warns.
Test data may pass through a number of unauthorised hands, such as in-house testing staff, consultants, partners and offshore personnel, says the report. Its research shows 42% of companies surveyed outsourced their application testing, and 60% of those respondents shared live data with the outsourced organisation.
Dr Larry Ponemon, chairman and founder of the Ponemon Institute, says large customer data files represent an easy, accessible and cheap source of data to use when testing applications. This practice, he continues, increases the risk of compromising the integrity of sensitive information, particularly when third parties and offshore resources are involved.
"The report shows a need for increased awareness and accountability over how sensitive data is used within organisations. The risks associated with using live data to test with must be assessed and safeguards must be implemented to ensure data security," explains Ponemon.
The report says 50% of the companies using customer data for testing purposes do not take steps to protect that information. Nor do 17% of respondents using live customer data in software development.
Of the respondents, the report indicates 35% do not know if the data used in testing had been compromised, and 45% said live data that was used in their organisation for testing or development had been lost or stolen.
There seems to be no clear ownership for sensitive test data, according to the report. Seven percent of respondents said they did not know who was responsible for securing test data, 25% believed the development organisation was responsible, and 21% said the business units sponsoring the development were responsible.
"Few people realise how much is at risk during the development and testing of applications," says John Williams, senior VP of product solutions at Compuware.
All commercial organisations have an obligation to protect the privacy of consumer data, he concludes.