ICO denies bias against public sector organisations

The ICO has denied a bias in imposing civil monetary penalties against public sector organisations

The Information Commissioner’s Office (ICO) has denied a bias in imposing civil monetary penalties against public sector organisations at a security conference in London.

“The ICO treats the public and private sectors with the same importance,” Kai Winterbottom, group manager, good practice at the ICO, told the EuroCACS information security and risk management conference.

The perception that the ICO is unwilling to tackle private sector organisations such as Google on privacy issues is driven by the fact that these organisations are not handling extremely sensitive data, said Simon Rice, group manager, technology at the ICO.

UK legislation allows the ICO to levy penalties only where breaches of personal data could have a serious effect on the people involved, he said.

“Typically, public sector organisations such as the NHS handle personal data that is far more sensitive than private sector organisations,” said Rice.

Information about an individual’s HIV status, for example, is far more sensitive than information about what sports magazines they subscribe to, he said.

“It is more about the nature of the data, not about the data protection failings; the failings in public and private sector organisations may be as great, but the impact of breaches by public sector organisations tents to be much greater,” said Rice.

Security failures

Turning to trends identified by the ICO in its data protection investigations, he said UK organisations should learn from the failures of others, starting with failures related to passwords.

According to the latest Verizon data breach report, 76% of cases investigated related to weak or stolen passwords or credentials.

“This implies that just by fixing this issue alone, 76% of data breaches will go away,” said Rice.

According to the ICO, there are several common issues related to passwords. These include the failure by organisations to change default passwords, using passwords that are easy to guess, and sharing passwords across applications and services.

“We also see use of insecure logins where usernames and passwords are visible in URLs, and the sole reliance on passwords, where organisations do not use two-factor authentication or place any restrictions on what devices may be used to access data,” said Rice.

Organisations also commonly fail to store passwords in secure locations, they do not ensure that passwords are cryptographically hashed or they use poor algorithms that can be brute forced in under an hour, he said.

Data storage inadequate

Inappropriate locations for data storage and computer equipment storage is another common failing, the ICO has found, with data server rooms in some cases left open or unlocked.

“In many cases, no breach of the network is involved – data is in plain view or easily accessible,” said Rice.

A good rule to follow is that if data needs to remain private, some sort of authentication should be required before it can be accessed

Simon Rice, ICO

The ICO has found that many organisations ignore the fact that search engines are good at locating data, wherever it is stored, which includes FTP sites.

“A good rule to follow is that if data needs to remain private, some sort of authentication should be required before it can be accessed,” said Rice.

The ICO has found that data is often exposed when content is migrated from one system to another, and when systems draw data from multiple sources, such as backup systems.

“Organisations tend to forget that this may include personal data,” he said. They also tend to forget about old services that are not maintained from a security point of view, so it is good practice to remove all systems that are no longer required.

Technical measures

Encryption is an important technical control that is often overlooked, but one of the main principles of data protection requires “appropriate technical measures” be taken. “Good encryption is a simple means to achieve this,” said Rice.

Failure to keep all applications and systems up to date with security patches is another common failing by organisations. “It is important to update all systems, not just those at the perimeter,” said Rice.

Attack toolkits are updated just as fast as software is patched, he warned.

Finally, despite the fact that SQL injection is a well-known attack method, many organisations are failing to ensure that web applications are coded in a secure way that will prevent attackers using this attack method.

Rice said SQL injection is typically used to steal usernames and passwords, and then gain access to corporate systems. “This is easy to stop by ensuring good code, yet few organisations are doing it,” he said.

“Organisations should use these failings to audit their own systems to see they are vulnerable in the same way, and then fix any shortcomings they find,” said Rice.

Read more on Privacy and data protection