News broke today that the University of East Anglia in Norwich accidentally leaked an employee’s confidential and sensitive health information in a mass email sent to hundreds of postgraduate research students. The email, which included the personal health information of a member of staff, was sent on Sunday afternoon (5 November) to about 300 students in the social science faculty. Andrew Clarke, EMEA Director at One Identity, comments below.
Andrew Clarke, EMEA Director at One Identity:
“Throughout 2017, we have seen a dramatic increase in the number of data breaches – either malicious or through accidental actions. When personal information is released, it is harder to recover the situation, unlike in a case where a credit card is compromised and the card can just be replaced. One of the primary factors where organisations fall short is by not making security part of their everyday operations. Through experience we know that security is a continual process and goes beyond the basics of installing a firewall or an AV tool. With the fast-changing world that we live in, and changes brought about by digital transformation, security has to be embraced by the overall business and consideration given to all activities with respect to security. Questions to be asked such as “How do we provision new users?”; “What applications are users allowed to access?”; “What is the process to change access rights when a change of job occurs?”; “What controls are in place for administrators and remote contractors?” and “Who is allowed to access specific data records?” – will go a long way to addressing this situation. In the case of UEA, questions that determine how a person accesses an employee’s confidential and sensitive health information will be a step in the right direction to avoid a repeat of such an accidental case of attaching to an outbound email. Identity & Access Management coupled with Data Governance tools are the right way to get this addressed.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.