Recent breaches show data theft prevention basics lacking

Two recent cases of data theft once again demonstrate the importance of basic security measures, including encryption and employee-awareness training.

Two new cases of stolen information this week underline the need for basic security measures; both data loss incidents could help bolster the case of security professionals struggling to justify their budget.

The first theft involves a laptop computer stolen from an NHS training body last November. The machine, which belonged to NHS Education for Scotland (NES), was being used to test a new medical recruitment website. In order to carry out the tests, the developer had copied the records of 6,377 people who had applied for medical posts. Since the machine was never intended to leave the premises, the information was left unencrypted. Under the policy that applied at the time, it did not qualify as a 'mobile device' and therefore was not protected as such.

Lessons learned

The NES case highlights the importance of these security practices:

* Encrypt personal files on any mobile or portable device
* Train staff to understand why security is necessary, and to follow policy
* Monitor the security of testing systems and files just as you would production systems

Note: The ICO is likely to be able to impose fines by next April.

This week, the chief executive of NES, Malcolm Wright, was forced to issue a public apology and undertaking through the Information Commissioner's Office (ICO), both admitting what went wrong and pledging to employ better data theft prevention practices in the future.

In the statement, Wright said: "This incident involved the theft of a laptop, belonging to NES, from an office within NES premises at Ninewells Hospital at some time between the evening of November 28 2008 and the morning of December 1 2008. NES staff is confident that this office was locked at the close of business on November 28. A police investigation into the incident has proved inconclusive; Tayside Police does not expect any further progress."

Wright went on to explain that the laptop contained the personal data of 6,377 individuals, all held within an SQL database file. "This personal data consisted of summary descriptions of applications for medical training positions, and included information such as the names, addresses, phone numbers and General Medical Council reference numbers of the data subjects. The personal data also included equality and diversity monitoring information. This information was a superseded data set that was being used to test a development version of a medical recruitment website," he said.

The ICO took the view that the information was sensitive enough to warrant more protection, but agreed not to take further enforcement action against NES in exchange for assurances that it will tighten up its data theft prevention procedures.

The assurances are outlined in the NES's public undertaking and include a commitment to encrypt all personal data held on portable and mobile devices, as well as other portable media.

In addition, NES undertakes to ensure that "staff are aware of the data controller's policy for the storage and use of personal data and are appropriately trained on how to follow that policy."

Lessons learned

The stolen database case illustrates the following:

* The emergence of the insider threat
* The value of classifying sensitive data and files
* The importance of technology that prevents confidential information from being emailed out, copied on to portable media, or even sent as an attachment to an instant message
* The need to protect a company's collateral, including its domain name
* The power of the Copyright and Rights in Databases Regulations 1997

Running with the database

The second case involves the theft of customer data from a commercial database by an employee who was leaving to start his own company.

The High Court this week heard the case of Richard Braachi, who had emailed his company's customer file to his private email account before leaving to start his own conferencing company.

Braachi had worked for First Conferences between 2006 and 2008. The company claimed he took sales and contact information from its databases and used the data to organise a rival conference.

The court agreed, and found that in copying the contacts and sales information to his private email account and using them as the basis of his own business, Braachi breached article 16(1) of the Copyright and Rights in Databases Regulations 1997.

The court also found that Braachi had transferred the domain name from First Conferences to his new business without permission.
