Lost in the woods – tales of wandering data
In an age of hyper-connectivity, it is almost refreshing to see that not all data breaches result from the compromise of networked devices. One of the most recent incidents is the loss of data from 5000 members of an exclusive club of Oxbridge graduates, including names, addresses, phone number and bank details. The information, which it is believed was not encrypted, was stored on a ‘back-up’ hard drive that has gone missing from a locked room within the club’s London HQ. This is the latest in a series of data losses resulting from physical storage media that has “gone missing”, including data from 46,000 Zurich clients lost from tape storage in South Africa and data from 25 million UK child benefit recipients (which included names and birth dates of the children of the recipients), stored on CD-ROM discs that were lost in transit from the UK HMRC to the Government audit office. In the Zurich incident, the company was fined $3.5 million for failings in data security by FSA (now FCA).
These incidents show that the traditional physical data storage practices still have the potential to lead legal liability and to damage to an organisation’s reputation. Although for many of us, the latest technology has inherent appeal, most data breaches result from a lack of basic cyber ‘hygiene’ and secure data lifecycle processes, including where and how data are stored. Any physical media containing sensitive data should be stored in a secure manner, and handled with pre-defined processes, including restricting physical access to the media on a needs-only basis. For the actual data, at rest, sensitive data should always be encrypted, and the decryption keys stored securely. An up-to-date inventory of in-use, backed-up and archived data, including their location and who has access to them, should always be maintained.
Whilst as standalone activities, these actions do not appear to be particularly onerous, they must be considered in the context of a modern corporation: with frequent regulatory and organisational changes (including from mergers, acquisitions and divestments), as well as staff churn, it is no wonder organisations sometimes lose track of data under their ownership or control. To succeed, dedicated information security resources must be able to integrate these processes as seamlessly as possible into the organisation’s standard operating procedures (SOPs). Without this, experience has shown that staff would start losing sight of the wood for the trees, and creative humans may find ‘shortcuts’ which could at least partially contribute to tales of wandering data. With GDPR around the corner, such each tale of lost data is guaranteed to be far more expensive than it has been to-date.
Dr Wendy Ng, CISSP, CCNP; 30th November 201730