Own Goal: The most serious self-inflicted data breaches

If you thought your data was in safe hands, you may want to think again – here are some instances of devastating data leakage that could have been easily avoided.

Heroes...

Security officers, CISOs and entire IT departments have their work cut out for them as they fight to fend off data breaches and enforce data compliance.

… And Villains

But for every hardworking IT specialist, there seems to be someone happy to sleepwalk into the kind of data leakage that has worrying ramifications for the future of public sector data security if the lessons are not learned.

A 'Quick' Exit

In April 2009, Assistant Commissioner Bob Quick, then the UK's most senior counter-terrorism police officer, strode along Downing Street to attend an important meeting about a clear and present danger to national security. In one hand, he clutched a top secret document; one which only hours before would have been locked down and red-flagged on a government server.

Unfortunately, Quick was carrying the document uncovered, and the page on display was snapped by the attending press photographers. The resulting shots showed top secret information detailing a major terrorist threat, plus sensitive locations and the names of officers working on the case. The leak forced the arrests of the 12 terrorist suspects to be brought forward to that same day – and Quick resigned within 24 hours.

(Source: http://www.guardian.co.uk/uk/2009/apr/09/bob-quick-terror-raids-leak, http://www.thesun.co.uk/sol/homepage/news/2368511/Bob-Quick-has-resigned..., http://www.number10.gov.uk/news/cyber-security-strategy/)

NHS Misstep

During an office move at Eastern and Coastal Kent Primary Care Trust in September 2011, a seemingly innocuous CD was left in a filing cabinet, which in turn was taken to a landfill for disposal. It was only after the cabinet had gone that someone remembered that the CD held the medical records of 1.6 million patients – all unencrypted. Despite a desperate search by the trust, the CD was never recovered.

In another incident, Brighton and Sussex University Hospitals NHS Trust managed to leave 69,000 patient records on hard disks that were supposed to be destroyed by a contractor. The distinctly intact drives soon turned up for sale on an internet auction site; again, all unencrypted.

(Source: http://www.publicservice.co.uk/news_story.asp?id=17467, http://www.theregister.co.uk/2011/09/20/kent_nhs_data_loss/, http://www.dailymail.co.uk/health/article-2224580/NHS-lost-track-1-8m-pa...)

Children At Risk

Security mistakes made by employees continue to hound government authorities. In October 2012, Stoke-on-Trent City Council was fined £120,000 by the Information Commissioner's Office (ICO) for breaching the Data Protection Act after a solicitor working for the authority sent out 11 emails in December 2011.

The emails contained highly sensitive information concerning a child protection lawsuit plus confidential details about two adults and two other children. Unfortunately, they were sent to the wrong person and, while the recipient was identified, the individual failed to respond to requests to delete the offending items.

The breach followed a previous data leak by the council in 2010, when a USB stick containing confidential, unencrypted data on several childcare cases was lost.

"If this data had been encrypted then the information would have stayed secure. Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure," said Stephen Eckersley, head of enforcement at the ICO.
(Source: http://www.ico.org.uk/news/latest_news/2012/penalty-highlights-need-for-..., http://www.computerweekly.com/news/2240169287/ICO-hits-Stoke-on-Trent-Ci...)

So remember...

  • Think before you leave the house clutching a top secret document
  • Encrypt hard disk drives and removable media (CDs, USB sticks), and dispose of them securely
  • Check that items to be destroyed have actually been destroyed
  • Don't send highly sensitive data by unencrypted email, and check the recipient address before you hit send
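The last two points are where the NHS cases went wrong: drives handed over "for destruction" came back intact, and nobody checked. As an added example that is not part of the original article or any of the organisations it describes, the Python below is the kind of spot check a practitioner can run over a raw disk image (or a block device read with `dd`) before a drive leaves the building: it counts blocks that are not all zero, looks for well-known on-disk signatures (LUKS, NTFS, ext2/3/4, MBR) and estimates the entropy of whatever is left, so that "wiped", "encrypted container" and "plaintext filesystem still present" are told apart. The magic values are the real on-disk ones; the three sample images and the patient-style record inside them are constructed here purely for illustration.

```python
import math
import random
from collections import Counter

BLOCK = 512  # scan granularity in bytes; any size works

# Real on-disk signatures: (offset, magic bytes). The images scanned below are
# constructed for this example and are not real drives.
SIGNATURES = {
    "LUKS header": (0x000, b"LUKS\xba\xbe"),
    "NTFS boot sector": (0x003, b"NTFS    "),
    "MBR boot signature": (0x1FE, b"\x55\xaa"),
    "ext2/3/4 superblock": (0x438, b"\x53\xef"),  # 0xEF53, little-endian
}
PLAINTEXT_FS = {"NTFS boot sector", "MBR boot signature", "ext2/3/4 superblock"}


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy: close to 8.0 for ciphertext/random data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_image(image: bytes, block: int = BLOCK) -> dict:
    """Summarise what a drive that was supposedly destroyed still contains."""
    nonzero_offsets = [i for i in range(0, len(image), block) if any(image[i:i + block])]
    residual = b"".join(image[i:i + block] for i in nonzero_offsets)
    found = [name for name, (off, magic) in SIGNATURES.items()
             if image[off:off + len(magic)] == magic]
    return {
        "blocks": -(-len(image) // block),          # ceiling division
        "nonzero_blocks": len(nonzero_offsets),
        "signatures": found,
        "entropy": round(entropy_bits_per_byte(residual), 2),
    }


def verdict(report: dict) -> str:
    """Turn the scan into the answer the disposal checklist actually needs."""
    if report["nonzero_blocks"] == 0:
        return "WIPED"
    if PLAINTEXT_FS & set(report["signatures"]):
        return "NOT WIPED: plaintext filesystem"
    if "LUKS header" in report["signatures"]:
        # Ciphertext is only as safe as the key; still not a substitute for wiping.
        return "NOT WIPED: encrypted container"
    if report["entropy"] > 7.5:
        return "NOT WIPED: high-entropy residual data"
    return "NOT WIPED: residual plaintext"


# --- constructed sample images (16 KiB each), not real disks -----------------
SIZE = 16 * 1024

# 1. A drive that really was overwritten with zeros.
WIPED_IMAGE = bytes(SIZE)

# 2. An "intact" drive: MBR signature, an ext superblock magic and a made-up
#    plaintext record where a file's data block would sit.
_plain = bytearray(SIZE)
_plain[0x1FE:0x200] = b"\x55\xaa"
_plain[0x438:0x43A] = b"\x53\xef"
_record = b"NHS number 000 000 0000, SURNAME, Forename, DOB 01/01/1970, diagnosis: ..."
_plain[4096:4096 + len(_record)] = _record          # constructed, not real data
PLAINTEXT_IMAGE = bytes(_plain)

# 3. A LUKS-style drive: header magic followed by pseudo-random "ciphertext".
_luks = bytearray(SIZE)
_luks[0:6] = b"LUKS\xba\xbe"
_luks[4096:] = random.Random(1234).randbytes(SIZE - 4096)  # deterministic filler
LUKS_IMAGE = bytes(_luks)


def check_all() -> dict:
    """Scan the three constructed images; returns {name: verdict}."""
    images = {"wiped": WIPED_IMAGE, "intact": PLAINTEXT_IMAGE, "luks": LUKS_IMAGE}
    return {name: verdict(scan_image(img)) for name, img in images.items()}


if __name__ == "__main__":
    for name, img in (("wiped", WIPED_IMAGE), ("intact", PLAINTEXT_IMAGE), ("luks", LUKS_IMAGE)):
        print(name, scan_image(img), "->", verdict(scan_image(img)))
```

On a real device you would feed `scan_image` the bytes read from `/dev/sdX` (with root, and ideally from a forensic workstation), not a string in memory; the point of the script is that a "wiped" verdict comes from the evidence on the platter, not from the contractor's paperwork.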

Further reading

To learn more about ensuring your company doesn't end up facing public embarrassment and a loss of trust, download our free eGuide: How to Implement and Nurture a Security Compliant Culture

or join the debate: What steps would you take to ensure that your company's data security is kept safe from tech-unsavvy employees?