Governemnt Data Breach Of New Years Honours Recipients

By   ISBuzz Team
Writer , Information Security Buzz | Dec 06, 2021 04:42 am PST

Information security experts commented below on the news about the government being fines £500,000 by the ICO after a data breach which exposed the addresses of over 1000 New Years honours recipients, and how bad identity management practice was the cause of this breach.

Subscribe
Notify of
guest
1 Expert Comment
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
Chad McDonald
Chad McDonald , CISO
December 6, 2021 12:43 pm

<p>The exposure of New Years Honours recipients’ home addresses is another example of poor process for the governance of identity data. While it may seem trivial to some to post home addresses, for those in the public eye, this presents a legitimate security concern. A robust data classification and handling process should have identified this information as personal information and triggered a number of controls that would have prevented not only the disclosure of the data, but also certain groups from even being able to see the data.</p>
<p>While this is a less traditional example of identity data, that is exactly how this information should be classified. In a better controlled scenario, only certain elements of this information would have been presented to the group posting honorees to the web, sequestering the other perhaps more critical elements away from that group. A strong identity management program would present views of identity data based upon a clearly established need-to-know protocol. In this case, the web team may simply need to know the names of the recipients while an operations team may need addresses to deliver awards or invitations. Mature identity management programs will define access levels to individual identity elements based upon risk and justifiable need. In the case of this particular exposure, it is clear that such a program was not in place. The ICO was right in its imposition of this fine as it sends a clear message that more robust identity governance measures should be established within the UK Government.</p>

Last edited 2 years ago by Chad McDonald

Recent Posts

1
0
Would love your thoughts, please comment.x
()
x