Lessons to learn from a year of data breaches
By Nicole Kobie
It was the data breach that kicked it all off – a year ago this week, the government admitted HM Revenue and Customs had lost two discs containing records on 20 million people.
The tax body had dumped data on a third of the population – including children – onto a pair of unencrypted discs and sent them off with a courier, not once, but twice.
In the uproar that followed, more and more stories about data breaches in the public and private sector began to be noticed and reported. Indeed, since the mess at HMRC, some 277 such mishaps have been reported to the data watchdogs at the Information Commissioner’s Office (ICO). Lost USB drives, stolen laptops and even papers left on a train have left millions of people in this country open to identity theft and fraud – not to mention a bit pissed off.
The government responded with amusingly ignorant debates in Parliament and massive reports – two were released in one day offering reams of advice on how to avoid another HMRC.
But it’s not exactly rocket science, now is it? In case you haven’t been paying attention, we’ve gathered up the top 10 lessons to be learned from this year of data breaches.
Lesson One: The public wants to know about data breaches
It’s no surprise newspapers jumped all over the HMRC incident. Uncovering a massive government error, caused by funding cuts and incompetence, is the stuff of happy dreams for journalists – trust us on this one.
The tale of millions of records – including banking details – going missing because of such complete and utter foolishness didn’t sit well with the public at all. And it shouldn’t. Everyone affected faces identity theft and fraud because of incidents like this one; phishing attacks based on the HMRC debacle have already occurred, and those didn’t even require the discs to fall into the hands of criminals – the news coverage alone gave the scammers a believable pretext.
So HMRC became a watershed. The odd big data breach was covered by the press before last November, but usually only if the story was connected to a large fine. Now, every lost laptop or misplaced memory stick was cause for a headline and outrage. The public – you, me and everyone else – had learned that poor data management could hurt them.
Unsurprisingly then, people have started calling for data breach notification laws. Neither companies nor public bodies are legally required to tell the people affected – customers and citizens alike – when data goes missing, but surveys have suggested the general public wants such legislation, even if IT directors aren’t so enthusiastic.
Lesson Two: People can be sacked
It’s something many people have called for over the past year – someone to be held responsible for data losses. While the head of HMRC, Paul Gray, did step down after the breach, his departure was also put down to wider organisational problems at the tax body; the breach certainly highlighted those problems, but it was not their only symptom.
But since then, laptops, USB sticks and discs have kept disappearing, and no one has been publicly sacked… except in one case, involving Colchester Hospital.
Data Breaches and Theft - a Solution?
I like to pass along things that work, in hopes that good ideas make their way back to me. Data breaches and thefts are due to a lagging business culture – and people aren’t getting the training they need. As CIO, I look for ways to help my business and IT teams further their education. Check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices. The author, David Scott, has an interview that is a great exposure: http://businessforum.com/DScott_02.html - The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action. In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a breach.
By Ip_johnfranks999 on Tuesday Nov 18
RE:
Fudge and fear I'm afraid. Of course it is wrong that data should be lost and the hints are common sense about what to do. But there is absolutely no evidence in the article or elsewhere that the data has been misused. Regulation should be commensurate with risk, and risk is not a matter of guessing but INFORMED judgment.
By cping5000 on Friday Nov 21
How about avoiding the problem in the first place?
All of the breaches mentioned have one thing in common; data being stored on a physical device that was "portable". Whilst a PC may not be seen as portable, it was still a "local" device that was able to be removed from a place of work with private data on it. As well as a security risk, locally stored data is also a massive headache for businesses attempting to achieve a "single point of truth" for the company data and records. Storing information locally leads to multiple "versions" of the truth, leading to confusion and inefficiency. The fact that the data can also find its way into the wrong hands is the icing on the cake. Centralised, cloud based platforms that offer data integrity AND data security are the way forward. They offer a single point of truth for all data, a complete audit trail of activity for all users and data and are easily accessed, but only by the relevant personnel.
By tristan66 on Monday Nov 24