Wednesday, July 12, 2006

Data security breaches: stuff happens

(Hat tip Ideal Government) Since the massive US ChoicePoint scandal in February 2005, the PrivacyRights organisation has been logging reported instances of data security breaches in the US. So far, 88,931,692 records containing sensitive personal information have been involved.

It would be useful to have the same kind of figures for the UK - a particularly pertinent issue when the government is seriously contemplating putting the story of children’s lives on to databases.

Many assume that the greatest threat to data security comes from hackers, but they are overlooking the very serious problem of the ‘inside job’.

Sometimes there is deliberate, corrupt disclosure of data. For example, the Information Commissioner recently published a report giving the price-list for information unlawfully obtained by private investigators. Women’s Aid say that they know of cases “where domestic violence perpetrators have been able to access information held by the Benefit Agency or the Child Support Agency in order to track down their victims.”

Disclosure also happens through carelessness. People nip off to get cups of coffee, leaving confidential files open on their computer, or they give their passwords over the phone to trusted colleagues because they’re away from the office and need urgent information. They get their laptops stolen. They forget to put 6” nails through the hard-drives of redundant computers – e.g. the University of Glamorgan retrieved a school’s confidential record system from the hard-drive of a computer they purchased on eBay.

People work on the bus or tube going home, unaware of shoulder-surfers – an ARCH member reported idly obtaining sufficient information from a social worker’s file to engage in some serious blackmail, before she realised in horror that she was viewing a case-conference report. People make mistakes when they send out letters and appointments – we have any number of examples of that.

Truth is, it doesn’t matter how encrypted, firewalled and multiply-authenticated a system is: when people are involved, stuff happens.

UPDATE 14.55: Ha! Must be something in the air today – B2fxxx has this from Computer Weekly:
The UK's largest NHS trust has discovered endemic sharing of passwords and log-in identifications by staff, recording 70,000 cases of "inappropriate access" to systems, including medical records, in one month.
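As an added illustration (not from the original post or the Computer Weekly report), here is one way an audit team could pick the most obvious form of shared log-in out of a system's audit trail: the same account live on two different workstations at the same time, which one person cannot be. The log format, account names, workstation names and record numbers are all constructed for the example; a real clinical system's audit schema will differ.

```python
"""Flag accounts whose sessions overlap on two different workstations.

Added example. The audit-log format below is constructed for illustration;
it is not any real trust's schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail. Fields: timestamp, account, workstation,
# event, and (for VIEW_RECORD) the record id that was opened.
SAMPLE_LOG = """\
2006-07-12T08:01:12 jsmith WS-ED-01 LOGIN
2006-07-12T08:03:40 jsmith WS-ED-01 VIEW_RECORD 10442
2006-07-12T08:05:02 jsmith WS-ICU-07 LOGIN
2006-07-12T08:06:15 jsmith WS-ICU-07 VIEW_RECORD 20917
2006-07-12T08:40:00 jsmith WS-ED-01 LOGOUT
2006-07-12T08:55:00 jsmith WS-ICU-07 LOGOUT
2006-07-12T09:00:00 apatel WS-ED-02 LOGIN
2006-07-12T09:30:00 apatel WS-ED-02 LOGOUT
2006-07-12T09:35:00 apatel WS-ED-03 LOGIN
2006-07-12T10:00:00 apatel WS-ED-03 LOGOUT
2006-07-12T10:10:00 bjones WS-ED-04 LOGIN
2006-07-12T10:12:00 bjones WS-ED-04 VIEW_RECORD 30555
"""


def parse_events(text):
    """Turn raw lines into (timestamp, account, workstation, event, record)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ts = datetime.fromisoformat(parts[0])
        record = parts[4] if len(parts) > 4 else None
        events.append((ts, parts[1], parts[2], parts[3], record))
    return events


def build_sessions(events):
    """Pair LOGIN/LOGOUT per (account, workstation) into sessions.

    A session with no LOGOUT is treated as still open at the last
    timestamp in the log, so a forgotten log-off is not silently dropped.
    Returns account -> list of (workstation, start, end, records_viewed).
    """
    last_ts = max(e[0] for e in events)
    open_sessions = {}
    sessions = defaultdict(list)
    for ts, account, ws, event, record in events:
        key = (account, ws)
        if event == "LOGIN":
            open_sessions[key] = [ws, ts, None, []]
        elif event == "LOGOUT" and key in open_sessions:
            s = open_sessions.pop(key)
            s[2] = ts
            sessions[account].append(tuple(s))
        elif event == "VIEW_RECORD" and key in open_sessions:
            open_sessions[key][3].append(record)
    for (account, ws), s in open_sessions.items():
        s[2] = last_ts
        sessions[account].append(tuple(s))
    return sessions


def find_shared_logins(sessions):
    """Return one finding per pair of overlapping sessions on distinct
    workstations: (account, ws_a, ws_b, overlap_start, overlap_end,
    records viewed in either of the two sessions)."""
    findings = []
    for account, sess in sessions.items():
        sess = sorted(sess, key=lambda s: s[1])
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                ws_a, a_start, a_end, a_recs = sess[i]
                ws_b, b_start, b_end, b_recs = sess[j]
                if ws_a == ws_b:
                    continue  # reconnect on the same terminal is not sharing
                start = max(a_start, b_start)
                end = min(a_end, b_end)
                if start < end:
                    findings.append((account, ws_a, ws_b, start, end,
                                     sorted(set(a_recs + b_recs))))
    return findings


def analyse(text=SAMPLE_LOG):
    return find_shared_logins(build_sessions(parse_events(text)))


if __name__ == "__main__":
    for acct, ws_a, ws_b, start, end, recs in analyse():
        print(f"{acct}: active on {ws_a} and {ws_b} together "
              f"{start:%H:%M}-{end:%H:%M}; records opened: {recs}")
```

On the constructed log this flags only jsmith (logged in on WS-ED-01 and WS-ICU-07 for 35 overlapping minutes); apatel's back-to-back sessions and bjones's single session pass. Treat a hit as a lead for the audit team rather than proof: a clinician who walks to a second terminal without logging off the first produces the same pattern, and a password lent to a colleague who uses it while the owner is away produces no overlap at all and needs other checks (access to patients outside the user's own ward or caseload, for instance).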

