ITPRO

Printed from www.itpro.co.uk


    Lessons to learn from a year of data breaches

In the year since the HMRC data breach, many more have been made public – here’s a roundup of 11 lessons (we should have) learned.

By Nicole Kobie, 17 Nov 2008 at 15:03

A manager from that hospital took a laptop with him to Edinburgh, where it was stolen from the back of his vehicle. Removing the laptop from the hospital was considered a breach of policy, so the manager was duly fired.

While some might say the manager was made a scapegoat, others clearly hope such disciplinary action becomes more common. Either way, keep watch over those laptops, or risk your career.

Lesson Three: USB drives don’t stay in pockets
Memory sticks are great – you can transfer data easily and quickly, stick it in your pocket, and then lose it all on a pub floor.

Back in May, the MoD did just that. A USB was discovered on the floor of a Newquay nightclub. The unencrypted stick contained data on military personnel, training exercises, and soldiers’ accommodations.

Thankfully, whoever discovered the roving USB did the right thing, and rather than hand it over to terrorists, turned it in to responsible authorities – a tabloid newspaper.

And just this month, the government lost a memory stick in a pub car park; this time, it held passwords to Government Gateway, a massive online public sector portal.

So while USB drives might seem a cheap and cheerful data transfer tech, they can be costly. Just ask PA Consulting. That firm mislaid a memory stick containing the details of all 84,000 prisoners in England and Wales. For that, the Home Office ended its £1.5 million contract.

Lesson Four: Laptops are easy to steal
Laptops and portable hard drives are not only easy to carry around, but relatively pricey equipment. Unsurprisingly, if it’s worth stealing and it isn’t nailed down, it’s going to get stolen.

So don’t leave laptops near open windows, in unlocked car boots or anywhere a devious member of the public could spy them and snatch them. The MoD, the NHS and other government agencies can all attest to this, though they don’t seem to be learning the lesson very quickly.

A Tooting-based hospital saw six laptops vanish in one incident this year, while two were stolen from a hospital in Brent.

Thieves nicked a laptop belonging to secretary of state for communities and local government Hazel Blears through a smashed window, while an MoD laptop holding details of 600,000 people was stolen from a car.

Laptops aren’t the only theft-friendly devices. A few drives containing Royal Air Force personnel data went missing from a military base earlier this year.

And it’s not just public sector organisations losing laptops. Associated Newspapers lost one computer containing bank account details.

Lesson Five: Encrypt everything
With all the roving USB drives, stolen laptops and discs lost in the post, isn’t it time encryption became the norm?


Data Breaches and Theft - a Solution?

I like to pass along things that work, in hopes that good ideas make their way back to me. Data breaches and thefts are due to a lagging business culture – and people aren’t getting the training they need. As CIO, I look for ways to help my business and IT teams further their education. Check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices. The author, David Scott, has an interview that is a great exposure: http://businessforum.com/DScott_02.html - The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action. In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a breach.

By Ip_johnfranks999 on Tuesday Nov 18

2 people out of 2 found this comment useful.


RE:

Fudge and fear I'm afraid. Of course it is wrong that data should be lost and the hints are common sense about what to do. But there is absolutely no evidence in the article or elsewhere that the data has been misused. Regulation should be commensurate with risk, and risk is not a matter of guessing but INFORMED judgment.

By cping5000 on Friday Nov 21

1 people out of 1 found this comment useful.


How about avoiding the problem in the first place?

All of the breaches mentioned have one thing in common; data being stored on a physical device that was "portable". Whilst a PC may not be seen as portable, it was still a "local" device that was able to be removed from a place of work with private data on it. As well as a security risk, locally stored data is also a massive headache for businesses attempting to achieve a "single point of truth" for the company data and records. Storing information locally leads to multiple "versions" of the truth, leading to confusion and inefficiency. The fact that the data can also find its way into the wrong hands is the icing on the cake. Centralised, cloud based platforms that offer data integrity AND data security are the way forward. They offer a single point of truth for all data, a complete audit trail of activity for all users and data and are easily accessed, but only by the relevant personnel.

By tristan66 on Monday Nov 24

2 people out of 2 found this comment useful.
