Information security experts commented below on the news about the government being fines £500,000 by the ICO after a data breach which exposed the addresses of over 1000 New Years honours recipients, and how bad identity management practice was the cause of this breach.

Notify of

1 Expert Comment
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
Chad McDonald
Chad McDonald , CISO
InfoSec Expert
December 6, 2021 12:43 pm

<p>The exposure of New Years Honours recipients’ home addresses is another example of poor process for the governance of identity data. While it may seem trivial to some to post home addresses, for those in the public eye, this presents a legitimate security concern. A robust data classification and handling process should have identified this information as personal information and triggered a number of controls that would have prevented not only the disclosure of the data, but also certain groups from even being able to see the data.</p>
<p>While this is a less traditional example of identity data, that is exactly how this information should be classified. In a better controlled scenario, only certain elements of this information would have been presented to the group posting honorees to the web, sequestering the other perhaps more critical elements away from that group. A strong identity management program would present views of identity data based upon a clearly established need-to-know protocol. In this case, the web team may simply need to know the names of the recipients while an operations team may need addresses to deliver awards or invitations. Mature identity management programs will define access levels to individual identity elements based upon risk and justifiable need. In the case of this particular exposure, it is clear that such a program was not in place. The ICO was right in its imposition of this fine as it sends a clear message that more robust identity governance measures should be established within the UK Government.</p>

Last edited 11 months ago by Chad McDonald
Information Security Buzz
Would love your thoughts, please comment.x