Almost 16,000 cases of coronavirus in the UK went unreported because of a glitch caused by an Excel spreadsheet, it has been reported. Public Health England (PHE) said 15,841 daily COVID-19 cases between 25 September and 2 October had been left out of UK totals. The error has caused delays in tracking the contacts of people who tested positive. On Monday, the Press Association (PA) news agency reported that the problem was caused by a Microsoft Excel spreadsheet reaching its maximum file size.
Commenting on the news are the following cybersecurity experts:
How storing information on medical information in excel files which are then circulated to a wide audience can be seen as anything apart from the outmost temporary solutions is surprising given the rather strict opinions on data privacy voiced within the European Union over the last few years. It is not strange if this was the solution day one, week one, month one, but to see that it’s still in use and has hit the limits of its capacity is more than embarrassing. And to see that the solution has been to “split the file in batches” rather than finding a proper solution to an actual problem even more so.
Excel is an excellent tool to report and filter data. It’s not unheard of that organisations today use common tools to process data using desktop tools, however, it’s evident that there is a limit to how much data these tools can handle before it becomes unresponsive and potentially produce reports that may have missing data.
Desktop tools such as Excel should not be used for large datasets, and investment should be made into technology that can securely process large datasets to ensure data integrity and accurate results. Additional problems around spreadsheets are around resiliency and potential data loss, with limited controls on what can be deleted and restored if lost. Backups of this data are harder to manage if in constant use, and security controls need to be adopted to ensure access to the spreadsheet data is not readily available to anyone.
Don\’t be fooled by the slight improvement in weather… in a minute we\’ll find those extra raindrops were misplaced in an excel file in the cloud and come thundering down on us… I make no apologies for mixing metaphors! If indeed the Government was using Excel to track COVID cases, it is a wholly inappropriate use of the tool. Excel is a very good spreadsheet, but it has its limitations and in no way ever intended to be used as a database. Procedures around using end user-developed applications are well-understood and mature within the industry. Sarbanes Oxley (SOX) incorporates End User Computing Controls as a key accountability. That is, where end user-developed applications, like using Excel to perform a critical function should have confidentiality, integrity, availability, and recoverability built-in. However, the best approach would be to select the appropriate technologies for the job. There are well-developed databases and technologies, both on-prem and in the cloud that would be far more secure and appropriate to use. For such projects, a culture of security needs to be cultivated from the beginning so that the right security decisions are made and enforced throughout the development and running of a platform.
In an ideal world, Excel would not be used to correlate the track and trace information. While Excel would be an excellent tool for this, it is missing some vital components that would make this viable in the long term. The main benefit of track and trace technology is rapidly being able to notify somebody of any potential exposures. I would speculate that PHE is looking to move to a more suitable technology that can provide more granular permissions for users who are creating, reading, updating, and deleting information on the current system. Excel may be used to refine the process for implementation into another more suitable technology. The main concerns are, who has access to the data, do they need access, is their access audited, and do they have access to only the data that pertains to them being able to perform their tasks in a timely manner. Track and trace is very new for most countries, there will be a bedding-in period where these questions must be answered.