Monday 24 December 2007

'Tis the Season to Disclose Data Breaches

It appears that this time of year, coupled with the shadow cast by the 25 million unprotected records lost by HMRC last month, makes an ideal time to disclose data breaches to the UK public. We really need proper California-style data breach disclosure laws in this country.

So what's new in the last 7 days...

Well, the NHS disclosed ten data breaches at various NHS trusts around the country, one of which involved the loss of 168,000 records, most of them children's records. In a statement they referred to an "extremely high level of security", but as usual gave no details of the security measures. It would appear it's the old recipe of sending data on discs again. Fair play to the NHS if proper encryption was used, but so far I haven't seen any details of each of these ten incidents or of when they actually occurred. I suspect the NHS powers that be chose not to disclose these incidents when they were discovered, but have now been forced to in light of the government enquiry into the HMRC breach. I really don't want to be pessimistic at this time of year, but these are the ten incidents the NHS is aware of, and knowing the NHS and its generally poor management, budget cutting and bad organisation, especially within IT, I suspect these incidents are just the tip of the iceberg.

On the back of the high-profile NHS story, on the same day the Post Office admitted to sending over 5,000 account details to the wrong pensioners.

The Skipton Building Society lost the sensitive personal details of 14,000 customers, thanks to the theft of a laptop. The data includes names, addresses, dates of birth, National Insurance numbers and the amounts invested. There was no hard disk encryption on the laptop, which was owned by an IT supplier. At least the FSA can hold them to account for this breach. It's worth noting that Leeds Building Society lost information about its own workforce in early November; that one went completely under the media radar.

And of course last Monday millions of UK learner driver details were lost by the Driving Standards Agency, after a hard disk holding 3 million UK learner driver records went missing in the US, of all places. The disk was known to be missing back in May 2007, but the loss was only disclosed to the public on Monday.

I was on BBC News 24 talking about this very issue, and to be completely honest, I had to work to get the newsreader to understand the importance of such breaches. Some people still don't realise the significance of large databases of information, even when populated with information that looks "innocent on the eye", like names, addresses and phone numbers, the so-called stuff you can get out of a phone book. Sure, there were no bank details, but the data did include details of fees paid and email addresses. Taken together, 3 million such records have significant value to unscrupulous marketers and within the underworld. I mean, how much would spammers pay for 3 million active email addresses alone?

While on BBC News 24, I found myself making an interesting point about the type of data being lost. I stated that there is always a big focus and hype when personal bank information is lost or breached, and rightly so; however, I can easily change my bank account, but it's not so easy to change my telephone number or home address, and it's virtually impossible to change my National Insurance number, as lost by HMRC.

SOAP BOX TIME: We are now living in the Information Age, in times where identity theft is the UK's fastest growing crime, full stop. Now is the time for companies, organisations and us as individuals to wake up and start valuing information. Information is an asset and it has a value associated with it (Information = Money!), and like everything of value, it needs to be protected.

1 comment:

Anonymous said...

Some more scary security statistics:

http://securityabsurdity.com/failure.php