Newcastle council data leak shows need for security automation

Newcastle City Council has blamed human error and a failure to follow procedure for a data leak that could have been prevented by the right security controls.

The leaked data related to 2,743 adopted children and their parents, adoptive parents and social workers, and included the children’s names, addresses and birthdates.

The data was leaked when a council employee accidentally attached a document containing the data to an invitation to the council’s summer adoption party that was emailed to 77 recipients.

The incident, on 15 June 2017, prompted an internal investigation by the council and the resignation of the employee concerned, according to the BBC.

The council notified the Information Commissioner’s Office (ICO), initiated a review of data protection across the authority to avoid similar data leaks in future, and set up a helpline.

Anyone who has had dealings with Newcastle’s Adoption Service and has concerns can call the dedicated helpline on (0191) 211 5562.

The ICO is investigating the incident and currently has the power to impose a maximum monetary penalty of £500,000.

However, after the EU General Data Protection Regulation (GDPR) compliance deadline of 25 May 2018, UK organisations will face fines of up to nearly £18m (€20m) or 4% of annual turnover, whichever is greater.

The GDPR is expected to force organisations take their responsibility for protecting personal data far more seriously.

Security commentators have said the Newcastle council data leak highlights the fact that employees can and will make mistakes, but there is no excuse for failing to deploy security controls to prevent data leaks.

Jason Allaway, vice-president for UK and Ireland at digital workspace technology firm RES, said organisations should introduce smart, context-aware security protocols to mitigate against the risk posed by both malicious and unintentional insider threats.

“If a company’s network can determine an employee’s seniority and role and understand their access rights, usual behavioural trends and common locations, then it can prevent, or at least warn against, something that doesn’t seem right,” he said.

Newcastle’s breach resulted from the wrong attachment being sent to a list of external people, but Allaway said this should have been flagged before the email was sent. “Similarly, with internal documents, only verified machines connected to a company’s network should be able to open such a sensitive file,” he said.

According to Allaway, in today’s world, information security must be intelligent enough to prevent incidents caused by human error.

Using encryption is another way organisations can ensure that data leaks like this are not a problem because even if data is leaked, if there is no way of decrypting it and the data is kept confidential.