Information security experts commented below on the news that the government has been fined £500,000 by the ICO after a data breach exposed the addresses of over 1,000 New Year Honours recipients, and on how poor identity management practice was the cause of this breach.

Expert Comments

December 06, 2021
Chad McDonald
VP of Customer Experience
Arxan

The exposure of New Years Honours recipients’ home addresses is another example of poor process for the governance of identity data. While it may seem trivial to some to post home addresses, for those in the public eye, this presents a legitimate security concern. A robust data classification and handling process should have identified this information as personal information and triggered a number of controls that would have prevented not only the disclosure of the data, but also certain groups from even being able to see the data.

While this is a less traditional example of identity data, that is exactly how this information should be classified. In a better controlled scenario, only certain elements of this information would have been presented to the group posting honorees to the web, sequestering the other perhaps more critical elements away from that group. A strong identity management program would present views of identity data based upon a clearly established need-to-know protocol. In this case, the web team may simply need to know the names of the recipients while an operations team may need addresses to deliver awards or invitations. Mature identity management programs will define access levels to individual identity elements based upon risk and justifiable need. In the case of this particular exposure, it is clear that such a program was not in place. The ICO was right in its imposition of this fine as it sends a clear message that more robust identity governance measures should be established within the UK Government.

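The comment above describes the control that was missing: classify each identity element, grant each role only the elements it has a justified need for, and stop a higher-classified element from leaving through a lower-classified channel such as a public web page. The following is an added example illustrating that pattern in Python; it is not code from the original page, the commenter or any named product, and the roles, channels, classifications and sample records it uses are all constructed for the illustration.

```python
"""Need-to-know views over identity data, driven by element classification.

Added example, not code from the page or from any product: each identity
element carries a classification, each role is granted only the elements it
needs, and a channel ceiling blocks a higher-classified element from being
released through a lower-classified channel (e.g. a public website).
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Classification of each identity element. Constructed for this example; a real
# programme would hold this in its data catalogue.
CLASSIFICATION: Dict[str, str] = {
    "name": "public",
    "honour": "public",
    "postal_address": "personal",
    "email": "personal",
}
# Ordering used to compare an element's classification against a channel ceiling.
LEVEL = {"public": 0, "personal": 1}

# Hypothetical need-to-know policy: role -> elements it is permitted to see.
# The web team sees names and honours only; the team posting invitations may
# also see postal addresses. Nobody in this policy needs the e-mail address.
NEED_TO_KNOW: Dict[str, FrozenSet[str]] = {
    "web_publishing": frozenset({"name", "honour"}),
    "award_operations": frozenset({"name", "honour", "postal_address"}),
}

# Hypothetical channel ceilings: the highest classification a channel may carry.
CHANNEL_CEILING: Dict[str, str] = {
    "public_website": "public",
    "internal_mailroom": "personal",
}


class PublicationBlocked(Exception):
    """Raised when a dataset would carry an element above the channel's ceiling."""


@dataclass
class AuditTrail:
    """Records which role viewed which elements, for later review."""
    entries: List[Tuple[str, Tuple[str, ...]]] = field(default_factory=list)


def view_for_role(record: Dict[str, str], role: str, audit: AuditTrail) -> Dict[str, str]:
    """Project a full record down to the elements the role needs.
    An unknown role gets an empty view (fail closed); every view is logged."""
    allowed = NEED_TO_KNOW.get(role, frozenset())
    view = {k: v for k, v in record.items() if k in allowed}
    audit.entries.append((role, tuple(sorted(view))))
    return view


def prepare_publication(records: List[Dict[str, str]], role: str, channel: str,
                        audit: AuditTrail) -> List[Dict[str, str]]:
    """Build what a role will send to a channel, refusing if any element in the
    role's view is classified above what the channel may carry. Unknown channels
    and unknown elements are treated as the most restrictive case."""
    ceiling = LEVEL[CHANNEL_CEILING.get(channel, "public")]
    rows = [view_for_role(r, role, audit) for r in records]
    over = sorted({k for row in rows for k in row
                   if LEVEL[CLASSIFICATION.get(k, "personal")] > ceiling})
    if over:
        raise PublicationBlocked(f"{channel} may not carry {over} (role {role})")
    return rows


def personal_grants() -> List[Tuple[str, str]]:
    """List every (role, element) grant of a non-public element, so the
    justification for each can be reviewed periodically."""
    return sorted((role, el) for role, els in NEED_TO_KNOW.items()
                  for el in els if CLASSIFICATION.get(el, "personal") != "public")


# Constructed sample records; names and addresses are fictitious.
SAMPLE_RECORDS = [
    {"name": "A. Example", "honour": "MBE",
     "postal_address": "1 Sample Street, Exampletown", "email": "a@example.invalid"},
    {"name": "B. Example", "honour": "OBE",
     "postal_address": "2 Sample Street, Exampletown", "email": "b@example.invalid"},
]

if __name__ == "__main__":
    audit = AuditTrail()
    print(prepare_publication(SAMPLE_RECORDS, "web_publishing", "public_website", audit))
    try:
        prepare_publication(SAMPLE_RECORDS, "award_operations", "public_website", audit)
    except PublicationBlocked as exc:
        print("blocked:", exc)
    print(personal_grants())
    print(audit.entries)
```

Two design choices matter here. The projection happens before the data reaches the publishing step, so the web team never holds addresses to leak; and the channel ceiling is an independent check, so even a role that legitimately sees addresses cannot push them to the public site if the policy is later over-granted by mistake.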
