Newcastle City Council has blamed human error and a failure to follow procedure for a data leak that could have been prevented by the right security controls.
The leaked data related to 2,743 adopted children and their parents, adoptive parents and social workers, and included the children’s names, addresses and birthdates.
The data was leaked when a council employee accidentally attached a document containing the data to an invitation to the council’s summer adoption party that was emailed to 77 recipients.
The incident, on 15 June 2017, prompted an internal investigation by the council and the resignation of the employee concerned, according to the BBC.
The council notified the Information Commissioner’s Office (ICO), initiated a review of data protection across the authority to avoid similar data leaks in future, and set up a helpline.
Anyone who has had dealings with Newcastle’s Adoption Service and has concerns can call the dedicated helpline on (0191) 211 5562.
The ICO is investigating the incident and currently has the power to impose a maximum monetary penalty of £500,000.
However, after the EU General Data Protection Regulation (GDPR) compliance deadline of 25 May 2018, UK organisations will face fines of up to nearly £18m (€20m) or 4% of annual turnover, whichever is greater.
The GDPR is expected to force organisations to take their responsibility for protecting personal data far more seriously.
Security commentators have said the Newcastle council data leak highlights the fact that employees can and will make mistakes, but there is no excuse for failing to deploy security controls to prevent data leaks.
Jason Allaway, vice-president for UK and Ireland at digital workspace technology firm RES, said organisations should introduce smart, context-aware security protocols to mitigate the risk posed by both malicious and unintentional insider threats.
“If a company’s network can determine an employee’s seniority and role and understand their access rights, usual behavioural trends and common locations, then it can prevent, or at least warn against, something that doesn’t seem right,” he said.
Newcastle’s breach resulted from the wrong attachment being sent to a list of external people, but Allaway said this should have been flagged before the email was sent. “Similarly, with internal documents, only verified machines connected to a company’s network should be able to open such a sensitive file,” he said.
According to Allaway, in today’s world, information security must be intelligent enough to prevent incidents caused by human error.
Using encryption is another way organisations can ensure that data leaks like this are not a problem because, even if data is leaked, there is no way of decrypting it and the data is kept confidential.
Security education needed
Referring to the principle that security relies on people and process as well as technology, Tony Pepper, CEO and co-founder of Egress Software Technologies, urged organisations to pay more attention to security education and security processes.
“We are handling more data than ever before and that means more focus needs to be placed on better supporting staff,” he said.
According to Pepper, accidental loss contributed to nearly half of all records breached in 2016. “We need to do more to reduce that entirely unacceptable number,” he said.
“The first line of defence in any business is its staff and so organisations, whether in the public sector or otherwise, need to take a look at their security processes and provide more effective training to anyone with access to potentially sensitive data. If employees are better educated in security practices, they will then also be in a better position to use security technology to their advantage.”