Document Security In The Pet Industry

Document Security In The Pet Industry

Hey Pet Pros. I have something to tell you. Your documents...yeah, they're stored in an unsafe manner.

Secure, Encrypted Document Storage

Hey Pet Pros. I have something to tell you. Your documents...yeah, they're stored in an unsafe manner. A long term poll revealed an unsettling truth: pet pros tend to store sensitive documents in their pet software, and they consider it safe. Software companies of all kinds (not just pet service software) often advertise the strength of their security extensively, possibly overlooking one critical point - everyone is taking pictures of these documents and uploading them onto cloud servers with no access controls, and oftentimes no real security.

You Shouldn't Be Uploading Photos Of Sensitive Data

Well technically, you shouldn't be uploading photos of sensitive data into unsecured storage. If I were you, my first comment / question would probably be defensive; stating something along the lines of "well, my software has a padlock and uses https, so everything is secure". Lets have a look at that for a moment. Facebook has an entire team of coding drones working tirelessly to fight off the international community of hackers constantly looking for ways around their security. If you feel that Facebook has great security, I'd agree, to a point. The trouble is that their security is based around keeping people out of their system's core, but not necessarily based around keeping your data safe and private. This isn't really surprising, given their ongoing scandals with data mining, but it is certainly worth mentioning.

A Quick Exercise To Illustrate

Let's do a quick data access (security) check on your facebook page. Assuming that your profile is private (my god man, make it private!), open a photo in the profile (while logged in). Better yet, open one of your friends photos who has a private profile. When you've found the perfect photo, right click it and copy the link. Once you have the link, log out of Facebook and copy the link into the browser, then go. Holy cow man, Sara's photo is right there, without being logged in. This is what we consider a lack of data access security. If the asset is available online to anyone with the link, without being logged in, your data is potentially available to an attack (or exploit).

Who Else Has Open, Public Data?

Facebook, and nearly everyone else on the planet, barring the exclusive content paid service providers (usually [cough cough] "entertainment services"), uses what is called "security through obfuscation" (also security through obscurity), which is basically just a fancy way of saying that you won't be able to find the data if you don't know where to look. While technically true, security through obfuscation is not strong enough to hide sensitive data such as the address, key location, and ADT pin number for a client's house, or a passcode of any type.

If The Data Is Nearly Impossible To Find, It Must Be Safe

You're right, if you can't find the file or image, it becomes much harder to access it without permission, however as we found in our test above, if you know where the document or image is (having the link) you can quite easily SHARE that with others. You're likely in full denial at this point, wondering how in the world that would ever happen in your small-town grooming shop or kennel. The truth is, it only takes one disgruntled employee to access these documents and distribute them across the internet. This would give potentially anyone access to any link they've shared, likely out of spite toward you, their employer.

This Isn't News

While we've known about this potential situation for some time now, it became crystal clear to us here at Pawfinity that a new grade of secure storage was desperately needed when we received a request to import a client list at the end of November 2019. The new client was moving over from a well-funded software we've all seen at the trade shows. We'll call them "ABC Pet Software" to keep their identity protected a bit. As expected, this export file contained entire list of clients for our new pet pro with phone, email, address, and notes containing sensitive client information.

The pet pro was a mobile groomer, and she like nearly everyone, stored the client's home access information in the notes fields of their profiles. Hopefully ABC Pet Software encrypts their database information both in transit and at rest, which would protect this information while it was stored and used in their software, however this does absolutely nothing to protect this unencrypted, publicly available export file from potential theft or unauthorized access. I was able to download the file with ease and use it to complete an import into our system. It was at that moment when I realized the exceptional security exploit presented in their setup.

If we loop back to the disgruntled employee scenario above, the public availability of this client list could pose a serious privacy risk for your clients information and a potentially catastrophic situation for your business. If you operate in the EU, under GDPR jurisdiction, exposure of this data would mean certain litigation and growth-crippling fines could be looming.

How Can We Prevent Exposing Client Data?

The secure document storage at Pawfinity utilizes cutting edge 256bit AES encryption on the stored documents, protecting them at rest. We also use standard TLS encryption in transit (uploads and downloads) to keep the document from being collected and used while it is moving between your computer and our server. Additionally, these documents are only available through the dashboard, and cannot be accessed outside the system. This means that an employee sharing a link to the document with the outside world would do nothing. Of course, our disgruntled employee can still download the document and share it directly with the world, however, this is where true access control comes into action.

True Access Control

We always do our best to eliminate the opportunities for our pet pros to run into issues while storing client data. As such, we've introduced new access permissions which allow you to determine exactly which employees are able to upload, view, and download documents stored in our secure document storage service. This access control combined with the baseline security aspects mentioned above makes Pawfinity the only of it's kind in the pet service software segment, and the only fully GDPR document storage solution for pet businesses. Our malicious, disgruntled employee, now has no means to injure our business or expose sensitive client data, because they have no access to it.

Maintain Your Client's Trust

Pet service providers (groomers, trainers, pet-sitters, dog walkers, kennels, dog daycare, and the employees that work within these organizations) are trusted with potentially sensitive client information. This often goes overlooked since there are very few regulations controlling the use and storage of pet info. The firms overlooking this (everyone it seems) fail to realize that we also store client information, which is protected by law in most regions of the world. It is our job as software service providers to do better in protecting client data from exploit and theft, even when it seems unnecessary or "overkill".

Join us in leveraging technology to provide the best possible environment in which to store ALL client data and protect your client's pet, home, work, and family. I don't know about you, but I couldn't fathom learning that a client of mine experienced an incident at their home, let alone coming to find out that the information used to access the property (address, gate code, and security alarm passcode) was actually stolen from a leak in my business software.

Learn more about our Secure Document Storage solution.