G20 data leak highlights threat of human error, say experts

News that personal data of 31 world leaders was accidentally leaked before the G20 summit in November 2014, highlights the threat of human error

News that personal data of 31 world leaders was accidentally leaked before the G20 summit in Brisbane in November 2014, highlights the threat of human error to information security, say experts.

It has emerged that passport numbers, dates of birth and visa class details of 31 G20 leaders were emailed in error to the organisers of the Asian Cup in Australia by an employee at the Australian Department of Immigration.

The employee reportedly failed to notice that the autofill function of the email software had entered the incorrect recipient for the data.

Those affected included UK prime minister David Cameron, US president Barack Obama and German chancellor Angela Merkel, yet the Australian Immigration Department said nothing at the time.

"Given that the risks of the breach are considered very low and the actions that have been taken to limit the further distribution of the email, I do not consider it necessary to notify the clients of the breach," an unnamed division director at the Department of Immigration wrote to the Australian privacy commissioner in an email obtained by The Guardian.

The official said that the sender of the email and the recipient had deleted it shortly after it was sent, and the Asian Cup football tournament organisers said they did not believe the email was accessible, recoverable or stored anywhere else in their systems.

The official also said that no personal addresses or other contact details were included in the leaked data, that there was “nothing systemic or institutional about the breach", and that the personal details of most of those affected are already in the public domain.

Executive vice-president of content management and collaboration firm Intralinks, Rainer Gawlick, said that while malicious hacking attacks regularly make the headlines, most data breaches are the result of mistakes such as the one made by the Australian Immigration Department employee.

“Accidental data loss is common but usually goes unreported,” he said.

Negligent file sharing carries same risk as data theft

A recent report from Intralinks and Ponemon Research showed that data loss from negligent file sharing is now just as significant a risk as data theft.

The report revealed 61% of respondents confessed to accidentally forwarding files to unauthorised individuals.

“This begs the question: how do you try and contain it? Well, there are a number of answers to an incident like the one in Australia. Firstly, you can try to minimise human error altogether – by training, procedures and protocols,” said Gawlick.

“We often witness companies going down this route following any type of accidental data leak. But humans will always be prone to error – nothing can change that. Training isn’t enough,” he said.

Read more about the human threat to information security

According to Gawlick, the best approach is to combine the “human route” with technology that enables companies to cope with accidental errors more efficiently.

“There are now ways in which companies can ‘unshare’ files – that is, instantly revoke access to shared documents at the push of a button using cloud systems," he said. "This type of capability gives more control back to businesses when the inevitable occurs, as employees are always sharing confidential data with third parties."

Gawlick said that while eliminating human error is a “tall order”, there are ways in which government departments, highly regulated industries and any other company handling extremely sensitive data can control what information is shared and who sees it.

“This incident in Australia should prompt global companies and governments alike to tighten up technology controls in an attempt to control human error," he said. "Even a respected nation can have its reputation questioned as a result of a ‘small incident’, like sending an email to the wrong person.”

Egress Software Technologies chief executive Tony Pepper said while there are technologies to ensure only the right people can access sensitive information and restrict what they can do with such information, it is also important to allow for the fact that mistakes happen.

“Organisations need to ensure they give employees the right tools to work securely, while also providing a safety net should mistakes happen," he said. "Otherwise we will continue to see breaches of this kind."

Effective security places vital

The incident also highlights the importance of having appropriate and effective security policies in place.

Tripwire senior security analyst Ken Westlin said although the leak was due to human error, the employee at the Australian Department of Immigration should not have been using email to send sensitive personal information in the first place.

“Using email to transmit sensitive data is a serious systemic and institutional security failure,” he said.

According to Iron Mountain managing director of professional services Sue Trombley, organisations should start by making sure that employees cannot transfer electronic data out of the business on a portable device or walk paper out the door in a briefcase.

Next, employers need to realise that while robust guidelines and processes are important, these policies need to be enforced and, where necessary, improved upon.

“All too often the right policies are there, but they are just not monitored for effectiveness,” said Trombley.

Read more on Privacy and data protection