Getting to know your data breaches

Luke Peach
Head of Compliance Services
12th April 2019

Know your breaches

Since GDPR came into effect, people tend to be a lot more aware of their personal data, or rather of data breaches containing their personal data. Most data breaches that appear on the news tend to be what I call ‘big boy breaches’: massive breaches at big companies, involving millions and millions of data records. A prime example would be when Uber got hacked and the data of 57 million data subjects, consisting of names, email addresses and phone numbers, was compromised. To make matters worse, rather than come clean about the whole thing, the ride-sharing company paid the hackers to delete the data before anyone found out. Then, everyone found out. The firm was fined a record $148 million.

In January 2019, it was revealed that hotel chain Marriott had been compromised as far back as 2014 and hundreds of millions of records were stolen. Elsewhere, Morrisons suffered a breach at the hands of an ex-employee and a USB stick was found at Heathrow airport which contained security details of the Royal family.


Tip of the iceberg

These are the breaches you hear about, but there are countless other breaches that go relatively unnoticed. When you went to work yesterday, in those 7.5 hours or so, an average of almost 2 million data records were stolen. If we do the maths, over a working year of 261 days, that’s 522 million records, and that’s just whilst you’re at work. The point I’m trying to make is that the stories you see on the news aren’t the only breaches. They’re just big enough to be considered ‘newsworthy’.

As a GDPR consultant, data breaches make up a massive part of my day-to-day activities and I spend a lot of time talking to clients about them. One interesting point I’ve noticed from my travels is that people tend not to know how many different types of breaches there are. They’re not always caused by a hacker.

Let’s look at some of the less obvious data breaches and the best practices that can be used to avoid them.

[Image: a breaking news screenshot] Not all data breaches make the news.

Expert analysis

People make mistakes all the time, but the worst one I've ever seen was bad access control, which meant that anybody could find anything on any employee. Obviously that information should only be available to HR. Losing data or not disposing of it correctly is also a data breach, even if it hasn’t led to any negative consequences.

One data breach I see on a regular basis is where someone accidentally uses the CC field instead of the BCC field when they're sending an email. If you email 100 people at once using the CC field, every one of those people receives the same email, and every one of them can see the other 99 email addresses. Those addresses are personal data, and you have just disclosed them to people who had no right to see them.

Another common data breach is where databases are migrated to new system software, but the data in that database wasn’t originally collected for that purpose. These ‘technological’ data breaches usually go unnoticed until someone in GDPR or compliance starts asking questions.

Data being used for a purpose it was not originally collected for will also not have been risk assessed, and can raise trust issues with clients. If there’s a data breach affecting data subjects, and an investigation shows your company has been misusing data, it certainly won’t work in your favour. You can expect a fine, and depending on the severity of the misuse, the fine might be a large one.


Ditch dead data

Not disposing of data correctly may sound like a minor problem, but it can have quite profound consequences. In a worst-case scenario, someone rummaging through bins could find enough information to steal someone’s identity. You might be rolling your eyes now, thinking that no one is going to rummage through the bins for discarded financial records, but it happens.

Businesses more commonly make the mistake of not wiping and disposing of old hard drives properly. If a hacker gets hold of one of these, they can cause all sorts of mayhem. The problem is more widespread than you might think: hard drives bought on eBay are often found to be stuffed with personal data. Dispose of both paper files and hardware components appropriately, and consider engaging the services of a reputable secure data destruction company.

Losing data in any way counts as a data breach. This is because you can’t account for its whereabouts, so cannot say who has access to it or what someone may do with it. There are so many ways this can happen. Just look at the Heathrow airport incident. Someone just happened to lose a USB drive and suddenly there’s a data breach. If data or email information is stored on an employee’s work phone, and that phone is lost or stolen, then that is a data breach (assuming you can’t remotely wipe the device).

The best practices to follow here would be:

  • Only ever use data for the purpose it was collected and nothing more
  • Have a data disposal policy and procedure in place and make sure it’s being followed
  • Put rules in place that set out a data perimeter and train your staff

What do we mean by a data perimeter? Set a boundary beyond which data should never travel. This boundary should be both physical and digital, and it allows you to keep track of personal data at all times. Never email data to external contacts, for example. Never take financial or HR documents outside of their respective departments or folders. Put controls in place and train your staff. Limit or outright ban the use of USB sticks, for example.

Data on the move

Data is forever on the move, both in the sense of hard copies and hardware (such as servers and data tapes) and digital copies. There are numerous risks that come with data in transit. Man-in-the-middle attacks are all too common. This is where a malicious actor manages to exploit an application vulnerability or intrude on a network to intercept data as it’s sent.

Physical documents can be at risk when on the move too. They can be misplaced or stolen or otherwise read by unauthorised people. If documents are posted, there’s the chance they could be delivered to the wrong address or lost somewhere along the way.

With more businesses giving staff mobile phones and laptops, data is essentially on the move at all times. If a staff member leaves a laptop containing sensitive and personal information on a train, then that’s a data breach. There’s no telling who might have access to it. Lost devices are a problem everywhere. In the span of four years, the government lost more than 600 devices (including laptops, phones and USBs).


Accidental web exposure

There are lots of different ways that data can accidentally get exposed on the web, particularly as more businesses migrate towards cloud platforms. All it takes is someone to move data onto a personal cloud drive, or store something in the wrong folder and before you know it, it’s been accessed over and over again by unauthorised personnel. Security misconfigurations or a lack of encryption can also come into play here. The biggest problem is, once something finds its way onto the public web, it can be copied and shared so many times that you’ve got to assume it’s out of your hands for good.

Even something as innocent as taking an office selfie with Chaz the intern can turn into a data breach if there’s readable data in shot. For example, that new starter form on the desk with some poor data subject’s contact details, date of birth and address.

The best practice here would be to introduce policies that reduce the chances of this happening, such as compulsory data awareness training.

[Image: a man taking a selfie] Selfies in the office? Take care not to share more than your beautiful face.

Unauthorised use or losing access

People should only have access to the data they need to do their job. Sharing information accidentally, such as attaching the wrong document to an email, could lead to the wrong person reading confidential HR data.

So, to stop things like this from happening, make sure staff are trained and aware of their responsibilities when it comes to personal data. Always double check emails before hitting send and implement strict data access controls.
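The CC-instead-of-BCC mistake described under ‘Expert analysis’, and the advice above to double check emails before hitting send, both come down to one question: how many addresses will every recipient be able to see? The following is an added example, not code from the original article or from Bulletproof: a small pre-send check that parses an outgoing message’s To and Cc headers and flags it when it would expose more than a policy threshold of outside addresses, or addresses from several unrelated domains. The organisation domain, the threshold and the sample message are all constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a bulk mailing mistakenly addressed via Cc.
# All domains are hypothetical placeholders.
SAMPLE_MESSAGE = """From: newsletter@example-company.test
To: newsletter@example-company.test
Cc: alice@one.test, bob@two.test, carol@three.test, dave@one.test
Subject: April update

Hello all,
"""

# Assumption: the sender's own domain; recipients here are colleagues, not data subjects.
ORGANISATION_DOMAIN = "example-company.test"
# Assumption: how many outside addresses may be visible before the mail should use Bcc.
MAX_VISIBLE_EXTERNAL = 2


def visible_recipients(raw_message):
    """Return every address that all recipients will see, i.e. those in To and Cc.

    Bcc is deliberately ignored: addresses placed there are not disclosed.
    """
    msg = message_from_string(raw_message)
    header_values = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(header_values) if "@" in addr]


def check_recipient_exposure(raw_message, org_domain=ORGANISATION_DOMAIN,
                             limit=MAX_VISIBLE_EXTERNAL):
    """Return a list of findings; an empty list means the message passes the check."""
    addresses = visible_recipients(raw_message)
    external = sorted({a for a in addresses if not a.endswith("@" + org_domain)})
    domains = sorted({a.split("@", 1)[1] for a in external})
    findings = []
    if len(external) > limit:
        findings.append(
            f"{len(external)} outside addresses are visible in To/Cc "
            f"(limit {limit}); move them to Bcc before sending")
    if len(domains) > 1:
        findings.append(
            f"visible outside recipients span {len(domains)} unrelated domains: "
            + ", ".join(domains))
    return findings


if __name__ == "__main__":
    for finding in check_recipient_exposure(SAMPLE_MESSAGE) or ["no exposure found"]:
        print(finding)
```

Run against the constructed message, the check returns two findings: four outside addresses are visible (above the limit of two) and they span three unrelated domains, which is the signature of a mailing that should have gone out via Bcc. A message with a single outside address in To returns an empty list. In practice a check like this belongs in the outbound mail gateway or a send-time add-in, where it can hold the message and ask the sender to confirm.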

Even though you haven’t technically lost the data in the sense that physical documents have gone missing, losing access to it is on the same level. There’s no telling who could potentially be taking a peek at it. It could be that certain files are stored in a location that, due to a technical error, no one can get to. Alternatively, it could be that a ransomware outbreak is preventing anyone from being able to read the files.

Up-to-date virus protection and cyber awareness is key. Investing in basic cyber training for all staff is always recommended.


Bulletproof your compliance

Knowing what constitutes a breach is the first step in proactively preventing them. If keeping track of all this personal data seems like a full-time job in itself, it’s because it is. Having an appointed Data Protection Officer can take away a lot of the strain as far as data protection is concerned. They can conduct data mapping exercises and data protection impact assessments (DPIAs) to ensure you’re doing everything right and have the appropriate controls in place. They will be the first point of contact for all data subjects and regulatory bodies. In short, they will ensure everything is being done to keep personal data safe and highlight areas for improvement to reduce the chances of a breach. Under GDPR, certain companies are required by law to appoint a DPO.

If you’re struggling with your responsibilities concerning data protection, but don’t have the time or resources to appoint a dedicated DPO, consider outsourcing this role. Outsourcing a DPO gives you access to a data protection specialist at a fraction of the cost of a full-time in-house employee. You can simply pay for the hours you require, getting all the actionable advice you need, ultimately helping you keep your data safe.


Meet the author

Luke Peach, Head of Compliance Services

Luke is Bulletproof’s Head of Compliance, and can often be found coming up with new, innovative, and entertaining ways to evolve our compliance services portfolio. His passion for compliance and business insights always comes through in his articles.
