[BreachExchange] Newcastle council data leak shows need for security automation

Destry Winant destry at riskbasedsecurity.com
Thu Jul 20 06:28:54 EDT 2017


http://www.computerweekly.com/news/450423001/Newcastle-council-data-leak-shows-need-for-security-automation

Newcastle City Council has blamed human error and a failure to follow
procedure for a data leak that could have been prevented by the right
security controls.

The leaked data related to 2,743 adopted children and their parents,
adoptive parents and social workers, and included the children’s
names, addresses and birthdates.

The data was leaked when a council employee accidentally attached a
document containing the data to an invitation to the council’s summer
adoption party that was emailed to 77 recipients.

The incident, on 15 June 2017, prompted an internal investigation by
the council and the resignation of the employee concerned, according
to the BBC.

The council notified the Information Commissioner’s Office (ICO),
initiated a review of data protection across the authority to avoid
similar data leaks in future, and set up a helpline.

Anyone who has had dealings with Newcastle’s Adoption Service and has
concerns can call the dedicated helpline on (0191) 211 5562.

The ICO is investigating the incident and currently has the power to
impose a maximum monetary penalty of £500,000.

However, after the EU General Data Protection Regulation (GDPR)
compliance deadline of 25 May 2018, UK organisations will face fines
of up to nearly £18m (€20m) or 4% of annual turnover, whichever is
greater.

The GDPR is expected to force organisations to take their responsibility
for protecting personal data far more seriously.

Security commentators have said the Newcastle council data leak
highlights the fact that employees can and will make mistakes, but
there is no excuse for failing to deploy security controls to prevent
data leaks.

Jason Allaway, vice-president for UK and Ireland at digital workspace
technology firm RES, said organisations should introduce smart,
context-aware security protocols to mitigate the risk posed by both
malicious and unintentional insider threats.

“If a company’s network can determine an employee’s seniority and role
and understand their access rights, usual behavioural trends and
common locations, then it can prevent, or at least warn against,
something that doesn’t seem right,” he said.

Newcastle’s breach resulted from the wrong attachment being sent to a
list of external people, but Allaway said this should have been
flagged before the email was sent. “Similarly, with internal
documents, only verified machines connected to a company’s network
should be able to open such a sensitive file,” he said.

According to Allaway, in today’s world, information security must be
intelligent enough to prevent incidents caused by human error.
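As an added illustration of the pre-send flag Allaway describes (example code written for this post, not from the article or from RES), here is a minimal outbound-mail gate in Python: it warns when an attachment looks like a bulk personal-data export and any recipient is outside the organisation's own domain. The internal domain, the column headings and the sample records are assumed or constructed, not taken from the Newcastle incident.

```python
import re
from dataclasses import dataclass

# Assumed organisation domain (placeholder, not from the article).
INTERNAL_DOMAIN = "council.example"
# Column headings that suggest a personal-data export (constructed heuristic list).
PERSONAL_HEADERS = {"name", "child name", "address", "date of birth", "dob", "postcode"}
DOB_RE = re.compile(r"\b\d{2}/\d{2}/\d{4}\b")  # dd/mm/yyyy-looking values

@dataclass
class OutboundMail:
    sender: str
    recipients: list[str]
    attachments: dict[str, str]  # filename -> text body (CSV / plain text only here)

def external_recipients(mail: OutboundMail) -> list[str]:
    """Recipients whose address is not on the organisation's own domain."""
    return [r for r in mail.recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]

def looks_like_personal_records(text: str, min_rows: int = 1) -> bool:
    """True when a CSV-like body has >= 2 personal-data columns and >= min_rows rows with a DOB."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2:
        return False
    header = {h.strip().lower() for h in lines[0].split(",")}
    if len(header & PERSONAL_HEADERS) < 2:
        return False
    return sum(1 for ln in lines[1:] if DOB_RE.search(ln)) >= min_rows

def check_before_send(mail: OutboundMail) -> list[str]:
    """Pre-send gate: findings to show the sender; an empty list means nothing was flagged."""
    ext = external_recipients(mail)
    if not ext:
        return []  # internal-only mail is out of scope for this check
    return [
        f"{name}: looks like a personal-data export going to {len(ext)} external recipient(s)"
        for name, body in mail.attachments.items()
        if looks_like_personal_records(body)
    ]

# Constructed sample: a party invitation plus an accidentally attached case list (fictional data).
INVITE = "You are invited to the summer adoption party on 8 July.\n"
CASE_LIST = ("Child name,Address,Date of birth,Social worker\n"
             "A. Example,1 Sample Street,01/02/2010,J. Worker\n"
             "B. Example,2 Sample Street,03/04/2012,K. Worker\n")
FLAGGED = OutboundMail("staff@council.example", ["parent1@mail.example", "parent2@mail.example"],
                       {"invite.txt": INVITE, "adoption_cases.csv": CASE_LIST})
CLEAN = OutboundMail("staff@council.example", ["parent1@mail.example"], {"invite.txt": INVITE})
```

`check_before_send(FLAGGED)` returns one finding for `adoption_cases.csv`, while `check_before_send(CLEAN)` returns an empty list; in production the `min_rows` threshold and the heading list would be tuned to the organisation's own exports.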

Using encryption is another way organisations can ensure that data
leaks like this are not a problem: even if the data is leaked, there is
no way of decrypting it, so it remains confidential.

Security education needed

Referring to the principle that security relies on people and process
as well as technology, Tony Pepper, CEO and co-founder of Egress
Software Technologies, urged organisations to pay more attention to
security education and security processes.

“We are handling more data than ever before and that means more focus
needs to be placed on better supporting staff,” he said.

According to Pepper, accidental loss contributed to nearly half of all
records breached in 2016. “We need to do more to reduce that entirely
unacceptable number,” he said.

“The first line of defence in any business is its staff and so
organisations, whether in the public sector or otherwise, need to take
a look at their security processes and provide more effective training
to anyone with access to potentially sensitive data. If employees are
better educated in security practices, they will then also be in a
better position to use security technology to their advantage.”
