It was the data breach that kicked it all off – a year ago this week, the government admitted HM Revenue and Customs had lost two discs containing records on 20 million people.
The tax body had dumped data on a third of the population – including children – onto a pair of unencrypted discs and sent them off with a courier, not once, but twice.
In the uproar that followed, more and more stories about data breaches in the public and private sector began to be noticed and reported. Indeed, since the mess at HMRC, some 277 such mishaps have been reported to data watchdogs at the Information Commissioner’s Office (ICO). Lost USB drives, stolen laptops and even papers left on a train have left millions of people in this country open to identity theft and fraud – not to mention, a bit pissed off.
The government responded with amusingly ignorant debates in Parliament and massive reports – two were released in one day offering reams of advice on how to avoid another HMRC.
But it’s not exactly rocket science, now is it? In case you haven’t been paying attention, we’ve gathered up the 11 lessons to be learned from this year of data breaches.
Lesson One: The public wants to know about data breaches
It’s no surprise newspapers jumped all over the HMRC incident. Uncovering a massive government error, caused by funding cuts and incompetence, is the stuff of happy dreams for journalists – trust us on this one.
The tale of millions of records – including banking details – going missing because of such complete and utter foolishness didn’t sit well with the public at all. And it shouldn’t. Everyone affected faces identity theft and fraud because of incidents like this one; phishing attacks based on the HMRC debacle have already occurred, and those didn’t even require the discs to fall into the hands of criminals.
So HMRC became a watershed. The odd big data breach was covered by the press before last November, but usually only if the story was connected to a large fine. Now, every lost laptop or misplaced memory stick was cause for a headline and outrage. The public – you, me and everyone else – had learned that poor data management could hurt them.
Unsurprisingly then, people have started calling for data breach notification laws. Organisations are not legally required to tell their customers, or citizens, when data goes missing, but surveys have suggested the general public wants such legislation, even if IT directors aren’t so enthusiastic.
Lesson Two: People can be sacked
It’s something many people have called for over the past year – someone to be held responsible for data losses. While HMRC chairman Paul Gray did step down after the breach, his resignation was also put down to wider organisational problems, of which the breach was a symptom, but not the only one.
But since then, laptops and USBs and discs have disappeared, and no one has been publicly sacked… except in one case, involving Colchester Hospital.
A manager from that hospital took a laptop with him to Edinburgh, where it was stolen from the back of his vehicle. Removing the laptop from the hospital was considered a breach of policy, so the manager was duly fired.
While some might say the manager was made a scapegoat, others clearly hope such disciplinary action becomes more common. Either way, keep watch over those laptops, or risk your career.
Lesson Three: USB drives don’t stay in pockets
Memory sticks are great – you can transfer data easily and quickly, stick it in your pocket, and then lose it all on a pub floor.
Back in May, the MoD did just that. A USB stick was discovered on the floor of a Newquay nightclub. The unencrypted stick contained data on military personnel, training exercises and soldiers’ accommodation.
Thankfully, whoever discovered the roving USB did the right thing, and rather than hand it over to terrorists, turned it into responsible authorities – a tabloid newspaper.
And just this month, the government lost a memory stick in a pub car park; this time, it held passwords to Government Gateway, a massive online public sector portal.
So while USB drives might seem a cheap and cheerful data transfer tech, they can be costly. Just ask PA Consulting. That firm mislaid a memory stick containing the details of all 84,000 prisoners in England and Wales. For that, the Home Office ended its £1.5 million contract.
Lesson Four: Laptops are easy to steal
Laptops and portable hard drives are not only easy to carry around, but relatively pricey equipment. Unsurprisingly, if it’s worth stealing and it isn’t nailed down, it’s going to get stolen.
So don’t leave laptops near open windows, in unlocked car boots or anywhere a devious member of the public could spy it and snatch it. The MoD, the NHS and other government agencies can all attest to this, though they don’t seem to be learning the lesson very quickly.
A Tooting-based hospital saw six laptops vanish in one incident this year, while two were stolen from a hospital in Brent.
Thieves nicked a laptop belonging to secretary of state for communities and local government Hazel Blears through a smashed window, while an MoD laptop holding details of 600,000 people was stolen from a car.
Laptops aren’t the only theft-friendly devices. A few drives containing Royal Air Force personnel data went missing from a military base earlier this year.
And it’s not just public sector organisations losing laptops. Associated Newspapers lost one computer containing bank account details.
Lesson Five: Encrypt everything
With all the roving USB drives, stolen laptops, discs lost in the post, isn’t it time encryption became the norm?
Some have learned the lesson. The NHS is in the process of rolling out encryption across its portable computer estate, with one hospital holding a “USB amnesty” to get employees to turn in insecure sticks.
MI5 uses the tech as well – which is handy, as it lost a portable computer through an open window in October.
And while the General Teaching Council failed to pay attention to the moral of the HMRC story – don’t put important things in the post – its lost disc was helpfully encrypted, meaning the 11,423 affected teachers could sleep a little easier.
The majority of the other cases in the past year haven’t involved encrypted media – but why not? The tech is cheap and relatively easy to roll out. Bear in mind what it does and doesn’t buy you, though: encryption protects data at rest, so a laptop pinched while it is logged in and unlocked, or a stick plugged into a compromised PC, gets no help from it, and it does nothing about the phishing that followed the HMRC loss. The point could become moot in the next few years: the pricier editions of Windows Vista already bundle BitLocker disk encryption, and the next version of Windows is expected to extend it to removable drives – though does anyone want to wait that long or depend on Microsoft to keep us safe? Didn’t think so.
Lesson Six: People are the weak link
No matter what tech you use, or what policies you put in place, it all comes down to people and their skills – do they know about data security and are they even capable of keeping things safe?
Indeed, speaking at a Gartner security summit, Martin Smith, chairman of the Security Awareness Special Interest Group (SASIG), said that no matter how shiny and cool and secure a firm’s tech was, “the people screwed you in the end.”
With that in mind, the government has announced all civil servants handling private data are to get security training – a good first step, but it needs to be expanded. Is there any arm of the government which doesn’t handle people’s private data?
Lesson Seven: Hold less information
One of the problems with the HMRC case was how much information was on the discs. After the breach, reports revealed that the intended recipient – the National Audit Office – had actually asked for less, but the tax body didn’t have the time or money to strip the unwanted fields out of the database, so more information was sent than necessary. Had it been minimised at source, the loss would have been smaller by exactly the fields nobody needed.
And as the government looks to collect more and more data on its citizens, for projects like the national identity card scheme, this problem will only grow.
This point was hammered home in a report from none other than the Home Affairs Committee, which said the government should keep watch on “function creep” and adopt a principle of what it called “data minimisation”, collecting only essential information.
"What we are calling for is an overall principle of 'least data, for least time'," said committee chairman Keith Vaz at the time. "We have all seen over the past year extraordinary examples of how badly things can go wrong when data is mishandled, with potentially disastrous consequences."
The ICO has also repeatedly called for less information to be held, but the government doesn’t seem to hear its own watchdog barking…
Lesson Eight: Don’t sell kit on eBay
Reselling equipment on auction site eBay might seem like a good idea, but the few quid you earn back isn’t worth the possibility of a data breach.
Or that’s what a few organisations learned this year.
An Oxford man bought a computer on eBay for just £35. Quite a bargain, given it held the banking details, credit card numbers and even signatures of a million people. Apparently, the device was sold by an “ex-employee” of digital document company Graphic Data.
Kirklees Council found itself the subject of a potential data breach after a virtual private network (VPN) server a supplier had previously used was sold on eBay for just 99p. Not only did the buyer win the Cisco equipment for one heck of a discount, but the credentials were still configured on the device – when it was hooked up, it reconnected to the council’s private servers without any prompting. Whoops. The lesson for anyone decommissioning kit: wipe the configuration and revoke the credentials it held before it leaves the building, because a buyer doesn’t need to break anything if the box logs itself in.
Another savvy shopper got more than they bargained for via the auction site after successfully bidding on a second-hand camera for just £17. Not only did the buyer win a Nikon digital camera, but also a memory card complete with photos and documents relating to suspected terrorists being investigated by the device’s previous owner, MI6. James Bond would be ashamed.
Lesson Nine: Shopping online isn’t perfectly safe
No, it’s not time to panic. The vast majority of online transactions are carried out without any trouble at all. But when it goes bad, it can be ugly, as mail order clothing retailer Cotton Traders found this summer.
Hackers managed to steal the credit card details of as many as 38,000 customers from the online clothing shop, including enough information to leave people open to ‘card not present’ fraud.
And although the attack happened in January, customers were not alerted to it until June. How many of them do you think will do their Christmas shopping online this year?
Indeed, a survey by Symantec suggested 93 per cent of people wouldn’t hand over their details to a firm which had already had a breach – makes you wonder what the other seven per cent are thinking.
Lesson Ten: Data breaches can cost you. A lot.
According to research by the Ponemon Institute, the average cost of a data breach is £47 per lost record.
About half of that cost is from lost business, with the rest from detection, notification, and cleaning up after the fact – such as issuing new cards or helping victims avoid fraud. Based on the study, the 25 million records lost by HMRC cost some £625 million (a figure that works out at £25 a record rather than £47, so treat it as an order-of-magnitude guess rather than an invoice).
At the time, Quocirca’s Bob Tarzey said: “There is no evidence that the HMRC data loss last year cost anything in terms of the data actually being used to exploit taxpayers, as it is not even clear that the data reached the public domain; however, the cost to HMRC’s reputation was immense. If it had been a company this may well have led to a share price drop.”
Financial firms didn’t need the research to realise data breaches can be costly, however. As such companies are governed by the Financial Services Authority – which has the power to fine – they know all too well the costs associated with such mishaps.
Merchant Securities Group was fined £77,000 even though it had suffered no actual breach, simply because its practices risked enabling one.
At the time, Margaret Cole, the director of enforcement at the FSA, said: “It is unacceptable that despite increased awareness of data security issues, a firm should be so careless about its systems for protecting customers’ personal details. People have a right to expect their details to be kept secure and firms should be committed to treating their customers fairly in all aspects of their business.”
Right on, Margaret. Right on.
Lesson Eleven: The ICO needs more power
Of the 277 data breaches the ICO has investigated over the past year, it’s taking action against 30 organisations. That’s not a lot.
The actions it can take generally consist of sending an angry letter demanding changes to processes, to ensure the guilty body learns to comply with the Data Protection Act. For the most part, this means deleting unnecessary data and encrypting portable media devices – which is what the watchdog made Virgin Media do in the wake of a lost disc.
Under the threat of prosecution, most organisations seem to just buy some encryption software and get on with business. Not really much of a deterrent, is it?
Members of the government and the information commissioner himself have all called for stronger powers. Information Commissioner Richard Thomas said last year that his limited powers were a “very bizarre situation, unlike virtually all the other data protection authorities around the world and most other regulatory bodies, such as the Financial Services Authority.”
Indeed, until the watchdog gains the power to fine like the FSA or data breaches become criminalised, it’s going to continue to be little more than a source of good advice often ignored – and some nasty letters now and then.