Personal Data Breaches Are Unforgivable

This week I’m in New York on a short visit but my attention has been grabbed by events in the UK HM Revenue and Customs, i.e. the announcement of a loss of discs containing personal data on 25 million citizens.

Following on from so many high profile data breaches earlier this year it seems quite incredible that such a breach could occur. But such mistakes will happen from time to time in any organisation that does not maintain an aggressive campaign of user education, mandatory controls and regular auditing.

This is unlikely to be an isolated incident. It’s well understood in the safety world that behind every major incident, there are likely to be on average 29 minor incidents, three hundred near misses and perhaps thousands of bad practices. A similar pattern can be expected for security incidents.

Unfortunately UK Government has been slow off the mark at catching up with the better practices of industry. In particular they have for too long resisted proven measures such as accredited certification, which is the only effective way of “closing the loop”, i.e. checking that corporate policies and standards are actually implemented in practice.

So it’s understandable and not really surprising to hear about a breach of this kind. But given the well publicized citizen concerns and learning points from previous breaches, it’s not forgivable. Action must be taken urgently to raise the bar on security standards for the public sector.

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

The law requires the Data Controller (in this case, HMRC) to take appropriate measures to ensure the security of the data. Even the most rudimentary of information security risk assessments would identify the danger of someone attempting to extract some or all of this data. Appropriate counter-measures should therefore, and rather obviously, include removal of any technical capability to 'burn the database to a disc'. The supervisory failure that allowed a junior member of staff to export this data to a disc and then mail it, unencrypted, outside the organization is merely sympomatic of a deeper failure to make any effort whatsoever to comply with the DPA. It seems to me that the time has come, not only for executives and ministers to be dismissed and prosecuted, but for two other steps: 1. All public sector organizations that deal with personal data should be required to achieve certification to the international information security standard ISO/IEC 27001 - and should be given no more than two years to complete certification; 2. The UK now needs a data breach law that brings significant financial penalties and criminal charges against those - from the top of the organization down - who fail to take security measures appropriate to the nature of the personal data being protected.
What was interesting in this case was that the information wasn't mailed through the post as people are commenting but used a courier service operated by TNT. Surely as a small operator TNT should have the simplest of tracking systems in place and could find out where the breach occured - it wasn't as if it was one of zillions of letters but placed in an internal pouch with a small number of other items. What is interesting for me on this one was that in an electronic world things can be made pretty secure - similarly in an offline world it is unlikely that 25 million names, addresses etc. would have been mailed - and it would probably have been too onerous to do anything with them if they had been. the real issue here is when the online and offline world collide. At the moment I am carrying around in my pocket - with no security systems in place - a USB key with 16GB capacity - enough data capacity for billions of records. With the advent of these massive storage systems which seem to be following the ubiquitous Moores Law then the risk of loosing massive amounts of data become more real. What security should I put in place in case I leave the key on the train or in my computer in the office over night?