ITPRO

Printed from www.itpro.co.uk


    Lessons to learn from a year of data breaches

In the year since the HMRC data breach, many more have been made public – here’s a roundup of 11 lessons (we should have) learned.

By Nicole Kobie, 17 Nov 2008 at 15:03

Lesson Eight: Don’t sell kit on eBay
Reselling equipment on auction site eBay might seem like a good idea, but the few quid you earn back isn’t worth the possibility of a data breach.

Or that’s what a few organisations learned this year.

An Oxford man bought a computer on eBay for just £35. Quite a bargain, given it held the banking details, credit card numbers and even signatures of a million people. Apparently, the device was sold by an “ex-employee” of digital document company Graphic Data.

Kirklees Council found itself subject to a potential data breach after a virtual private network (VPN) server a supplier had previously used was sold on eBay for just 99p. Not only did the buyer win the Cisco equipment for one heck of a discount, but security codes were still programmed onto the device – when it was hooked up, it reconnected to the council’s private servers without any prompting. Whoops.

Another savvy shopper got more than they bargained for via the auction site after successfully bidding on a second-hand camera for just £17. Not only did the buyer win a Nikon digital camera, but also a memory card complete with photos and documents relating to suspected terrorists being investigated by the device’s previous owner, MI6. James Bond would be ashamed.

Lesson Nine: Shopping online isn’t perfectly safe
No, it’s not time to panic. The vast majority of online transactions are carried out without any trouble at all. But when it goes bad, it can be ugly, as mail order clothing retailer Cotton Traders found this summer.

Hackers managed to steal the credit card details of as many as 38,000 customers from the online clothing shop, including enough information to leave people open to ‘card not present’ fraud.

And although the attack happened in January, customers were not alerted to it until June. How many of them do you think will do their Christmas shopping online this year?

Indeed, a survey by Symantec suggested 93 per cent of people wouldn’t hand over the details to a firm which had already had a breach – makes you wonder what the other seven per cent are thinking?

Lesson 10: Data breaches can cost you. A lot.
According to research by the Ponemon Institute, the average cost of a data breach per record is £47.

About half of that cost is from lost business, with the rest from detection, notification, and cleaning up after the fact – such as issuing new account cards or helping victims avoid fraud. Based on the study, the 25 million records lost by HMRC cost some £625 million.

At the time, Quocirca’s Bob Tarzey said: “There is no evidence that the HMRC data loss last year cost anything in terms of the data actually being used to exploit tax payers as it is not even clear that the data reached the public domain, however, the cost to HMRC’s reputation was immense, if it had been a company this may well have led to a share price drop.”


4 comments


Data Breaches and Theft - a Solution?

I like to pass along things that work, in hopes that good ideas make their way back to me. Data breaches and thefts are due to a lagging business culture – and people aren’t getting the training they need. As CIO, I look for ways to help my business and IT teams further their education. Check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices. The author, David Scott, has an interview that is a great exposure: http://businessforum.com/DScott_02.html - The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action. In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a breach.

By Ip_johnfranks999 on Tuesday Nov 18

2 people out of 2 found this comment useful.


RE:

Fudge and fear I'm afraid. Of course it is wrong that data should be lost and the hints are common sense about what to do. But there is absolutely no evidence in the article or elsewhere that the data has been misused. Regulation should be commensurate with risk, and risk is not a matter of guessing but INFORMED judgment.

By cping5000 on Friday Nov 21

1 people out of 1 found this comment useful.


How about avoiding the problem in the first place?

All of the breaches mentioned have one thing in common; data being stored on a physical device that was "portable". Whilst a PC may not be seen as portable, it was still a "local" device that was able to be removed from a place of work with private data on it. As well as a security risk, locally stored data is also a massive headache for businesses attempting to achieve a "single point of truth" for the company data and records. Storing information locally leads to multiple "versions" of the truth, leading to confusion and inefficiency. The fact that the data can also find its way into the wrong hands is the icing on the cake. Centralised, cloud based platforms that offer data integrity AND data security are the way forward. They offer a single point of truth for all data, a complete audit trail of activity for all users and data and are easily accessed, but only by the relevant personnel.

By tristan66 on Monday Nov 24

2 people out of 2 found this comment useful.
