Lessons to learn from a year of data breaches
In the year since the HMRC data breach, many more have been made public – here’s a roundup of 11 lessons (we should have) learned.
It was the data breach that kicked it all off a year ago this week, the government admitted HM Revenue and Customs had lost two discs containing records on 20 million people.
The tax body had dumped data on a third of the population including children onto a pair of unencrypted discs and sent them off with a courier, not once, but twice.
In the uproar that followed, more and more stories about data breaches in the public and private sector began to be noticed and reported. Indeed, since the mess at HMRC, some 277 such mishaps have been reported to data watchdogs at the Information Commissioner's Office (ICO). Lost USB drives, stolen laptops and even papers left on a train have left millions of people in this country open to identity theft and fraud not to mention, a bit pissed off.
The government responded with amusingly ignorant debates in Parliament and massive reports two were released in one day offering reams of advice on how to avoid another HMRC.
But it's not exactly rocket science, now is it? In case you haven't been paying attention, we've gathered up the top 10 lessons to be learned from this year of data breaches.
Lesson One: The public wants to know about data breachesIt's no surprise newspapers jumped all over the HMRC incident. Uncovering a massive government error, caused by funding cuts and incompetence, is the stuff of happy dreams for journalists trust us on this one.
The tale of millions of records including banking details going missing because of such complete and utter foolishness didn't sit well with the public at all. And it shouldn't. Everyone affected faces identity theft and fraud because of incidents like this one; phishing attacks based on the HMRC debacle have already occurred, and those didn't even require the discs to fall into the hands of criminals.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
So HMRC became a watershed. The odd big data breach was covered by the press before last November, but usually only if the story was connected to a large fine. Now, every lost laptop or misplaced memory stick was cause for a headline and outrage. The public you, me and everyone else had learned that poor data management could hurt them.
Unsurprisingly then, people have started calling for data breach notification laws. Companies are not legally required to tell their customers and citizens when data goes missing, but surveys have suggested the general public want such legislation, even if IT directors aren't so enthusiastic. Lesson Two: People can be sackedIt's something many people have called for over the past year someone to be held responsible for data losses. While the head of HMRC Paul Gray did step down after the breach, it was also for overall organizational concerns, which were certainly highlighted by the breach, but not the only symptom of troubles at the tax body.
But since then, laptops and USBs and discs have disappeared, and no one has been publicly sacked except in one case, involving Colchester Hospital.