Data breaches in the news
Data breaches have been in the news a lot recently. We’ve had the Panama Papers, which have caused so many unflattering headlines for many of our clearly above board and honest guv’nor world leaders. A large amount of data apparently from Qatar National Bank turned up online. There was also the breach of Beautiful People, the dating website exclusively for the good looking. All of these have been hugely damaging for the organisations holding the data (Mossack Fonseca in the case of the Panama Papers), and of course for the people whose personal information is contained in those leaks. These are just three of the highest profile data breaches. There are many more; in fact so many they frequently don’t make the headlines. I’d highly recommend haveibeenpwned.com for an overview of data breaches (and to check if you yourself have featured in any of them), and the blog of the owner Troy Hunt, who writes frequently and very well on this topic.
Anyone who reads my blog posts will know I like to focus on the so what. So what can you learn from these leaks of sensitive data? Well, firstly, you don’t want to be one of these companies. If you hold lots of sensitive data on your clients, they will not be happy if that is suddenly splurged all over the internet. There may be legal repercussions and certainly your reputation will be damaged. So ensuring this doesn’t happen to you is a very good idea.
Not all data breaches are equal – some are caused by external parties who exploit poor security. Hackers in other words. This certainly appears to be the case for Beautiful People, and Mossack Fonseca. Both seemingly had poor security which allowed hackers to access client data. It’s less clear how the QNB data turned up online. Remember that one of the highest profile data breaches in recent years was not perpetrated by anonymous hackers, but by a trusted insider – Edward Snowden (sorry – the trailer that follows looks more entertaining). So there are two ways your customer data can end up on the internet – your poor security, or because of actions by someone you trusted. The two aren’t entirely separate of course – Snowden should not have been able to do what he did, and certainly not undetected.
So there are two interrelated tranches to your response to this issue. The first is of course to improve your overall cyber security posture. Make it hard for people to break in – scan your internet facing IP addresses, run penetration tests, do all the usual good stuff I recommend on here. You can also then manage your internal risk by ensuring that not everyone has access to all of your data – segregate. Only allow people in finance access to financial information.
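The segregation point above is easier to reason about when written down as a policy. The following is an added example, not code from the original post: a deny-by-default role-based check in which only the finance role can read financial records, with an audit trail so that repeated denied attempts (the kind of signal that should have surfaced an insider) are visible. All users, roles, records and thresholds are constructed sample data.

```python
"""Least-privilege access check with an audit trail (added example)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Which data classifications each role may read. Anything not listed is denied.
# Note that a sysadmin role gets no special data rights: running the servers
# is not the same as needing to read the ledger.
POLICY: Dict[str, FrozenSet[str]] = {
    "finance": frozenset({"financial", "general"}),
    "hr": frozenset({"personnel", "general"}),
    "engineering": frozenset({"general"}),
    "sysadmin": frozenset({"general"}),
}


@dataclass(frozen=True)
class Record:
    name: str
    classification: str


@dataclass(frozen=True)
class AuditEvent:
    user: str
    record: str
    allowed: bool


@dataclass
class AccessControl:
    roles: Dict[str, str]                      # user -> role (constructed data)
    audit: List[AuditEvent] = field(default_factory=list)

    def authorize(self, user: str, record: Record) -> bool:
        """Return True only if the user's role is explicitly allowed the
        record's classification; every decision is written to the audit log."""
        role = self.roles.get(user)
        permitted = POLICY.get(role, frozenset()) if role else frozenset()
        allowed = record.classification in permitted
        self.audit.append(AuditEvent(user, record.name, allowed))
        return allowed

    def denied_attempts(self, user: str) -> int:
        """Count of access requests this user has had refused."""
        return sum(1 for e in self.audit if e.user == user and not e.allowed)

    def flag_users(self, threshold: int) -> List[str]:
        """Users whose denied attempts reach the threshold, sorted by name.
        In practice this feeds a monitoring alert rather than a return value."""
        users = {e.user for e in self.audit}
        return sorted(u for u in users if self.denied_attempts(u) >= threshold)


# Constructed sample records and users.
LEDGER = Record("q1_ledger.xlsx", "financial")
HANDBOOK = Record("staff_handbook.pdf", "general")
PAYROLL = Record("payroll_2016.csv", "personnel")


def build_sample() -> AccessControl:
    return AccessControl(roles={"alice": "finance",
                                "bob": "engineering",
                                "carol": "sysadmin"})


if __name__ == "__main__":
    ac = build_sample()
    for user, rec in [("alice", LEDGER), ("bob", LEDGER), ("bob", HANDBOOK),
                      ("carol", LEDGER), ("carol", PAYROLL), ("mallory", HANDBOOK)]:
        print(f"{user:8} {rec.name:22} {'allow' if ac.authorize(user, rec) else 'DENY'}")
    print("users to review:", ac.flag_users(2))
```

The important design choice is that the policy is an allow-list keyed by role: adding a new kind of data or a new role grants nothing until someone writes the entry, and the audit log records refusals as well as successes, because the refusals are what tell you an account is reaching for data it has no business with.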
The second tranche is managing what is called the insider threat. CPNI (at that last link) have done a huge amount of work in this space. There is lots of guidance on the website, and you may be surprised to hear that one of the things they encourage employers to provide is a way for staff to whistleblow legitimately. Far better they raise their concerns internally, and you take action, than they go to the press.
Finally of course you should think about incident response! Include the loss, or sudden public revealing, of sensitive data in your incident response planning. Work it through as one of your test scenarios. It is of course much better not to be in the bad situation in the first place, but good incident response planning can mitigate the damage and help maintain your customers’ confidence.
As always, if you have questions please get in touch! Find us on Twitter, or use the contact form.
Thanks for reading