News broke yesterday that a data breach at Newcastle City Council has led to the details of adopted children being exposed. Names, addresses and birth dates of 2,743 adopted children, alongside details of parents, social workers and former adoptees, were included in a spreadsheet attached to the city’s annual adoption summer party. As many as 77 people received the attachment. IT security experts commented below.
Andrew Clarke, EMEA Director at One Identity:
“One of the key security measures in an organisation is to ensure that the access control policies are deployed effectively. It is really important that a solution is in place that protects an organisation by giving access control to the business owner rather than the IT staff. In the case of unstructured data such as a spreadsheet which provides important information across the business it is really important that access controls are coupled with data governance. In this context, governance translates to ensuring that: the right people – have the right access – to the right stuff – at the right time – in the right way. And that all the right people know about it and agree it is right.
Data governance enables the business owner to grant access to sensitive data and restrict access functionality by defining appropriate organisation-wide access policies. With the right governance tool in place; an organisation then has the power to analyze; approve and fulfill unstructured data access requests to files; folders and shares across NTFS; NAS devices and Sharepoint. This approach ensures that sensitive unstructured data is only accessible to approved users. An Identity Manager can then be used to automate the request-and-approval workflow, ensuring security and reducing the burden on IT staff. Beyond this the sophistication of a data governance tool can be enhanced with classification of data which helps an organisation understand the contents of the unstructured data, thereby ensuring that sensitive assets are properly secured. And if no classification level has been assigned then the risk level of the governed resource can be raised appropriately to prevent inappropriate data sharing.”
Ken Spinner, VP of Global Field Engineering at Varonis:
“The loss of personal information is becoming commonplace. In this case, the personal information that was released was those of children – which is particularly concerning if it gets into the wrong hands. It’s important for companies to secure their data, and educate their employees and contractors to ensure they have good cyber hygiene and take the steps to automate the prevention of human error – in this case preventing inappropriate access to personal information and incorporating utilities to prevent the exposure.
The way that personal data is collected and stored is a huge privacy concern, particularly in light of the upcoming GDPR: organizations (and individuals) need to keep an eye out on privacy policies and data gathering in order to consistently meet business policy and security requirements.
Exposed personal data can be a huge vulnerability – not only an abuse of personal data privacy, but can be leveraged to breach more secure systems and put critical data at risk.”
Carl Leonard, Principle Security Analyst at Forcepoint:
“While organisations tend to invest first and foremost in protecting critical business data from external cyber-attacks, the recent data breach impacting Newcastle City Council has highlighted the importance of considering an ongoing human-centric security approach in every data protection strategy.
It’s no secret that maintaining complete control over critical business data is a significant challenge facing businesses from all sectors today. In a shifting technology landscape, organisations have little visibility into how and where their critical business data is used as it sprawls across company-owned, employee-owned devices and hosted applications. When that data relates to vulnerable children, the importance of maintaining control of the data is even higher.
It’s good to see that Newcastle City Council is instigating a review of processes, and we encourage businesses to anticipate all scenarios of how data can leave an organisation, and implement the necessary mitigatory controls. This will be a mix of regular, enforceable employee training and security technology. Attaching the incorrect file to an email is a common mistake, in fact the ICO’s most recent report shows that 11% of data breaches were caused by just this scenario, one of the top six most common causes.
The council will likely have asked employees not to send out confidential data out via email attachments, but human error does occur, and accidents will happen. By adding data loss prevention technology to enforce these principles, you can manage the human point of weakness in the security chain and can make informed decisions on security whilst safeguarding critical data and personal data, such as the adopted children’s database in this case.”
Dr. Jamie Graves, CEO at ZoneFox:
“There is no malice in this breach; the data was leaked by accident, but the ramifications are significant.
This reiterates, for both the private and public sectors, that as critical as focusing on hunting active threats and malicious insiders across the network is – a significant number of insider threats are inadvertent and accidental.
Therefore, all businesses need to have a balanced and holistic approach to security that prioritises visibility into what data is being moved around the network, who is accessing that data and why. This coupled with a regular training and a security-aware culture, will support and safeguard employees to enable best practice and good decision making.”