Newcastle City Council data breach: Saying sorry is not enough
It was supposed to be an enjoyable event, but a summer party recently turned disastrous for Newcastle City Council when an employee inadvertently attached a datasheet containing highly sensitive information to the invitation.
The incident involved the personal details of 2,743 individuals – both former and current foster children, and their parents – and included information such as names, addresses and birthdates. The member of staff emailed the invitation and attachment to 77 people in June this year.
For one mother, the distress caused by this incident has been immediate:
"When I found out what information had been sent out I felt sick inside. We have had two letters from the council reassuring us. But I don't feel reassured. The council can't guarantee that everyone who got the email has deleted it or that it won't get out further. These children were placed in care for their safety. Some have had horrendous things happen to them and you don't want the safety of your children put at risk. There are birth parents out there that try to get in touch with their children. It just worries me that one day they could end up on the doorstep." http://www.bbc.co.uk/news/uk-england-tyne-40648987
The Information Commissioner’s Office (ICO) is already investigating the incident and no doubt will mandate the council take steps to mitigate future similar breaches. It’s also likely the ICO will impose a considerable financial penalty.
Yet this is one in a long line of very serious leaks by organisations across the country, which raises the question of whether enough is being done to protect such sensitive data.
Time for more than an apology
In this case, responsibility for the data lies with Newcastle City Council, as does their duty of care to the citizens in the city. In the aftermath of announcing the breach, the council issued a statement, explaining they had attempted to put in place some level of procedure to prevent a breach – although such measures clearly fell short:
“The member of staff concerned was authorised to use the data. However, in accidentally attaching the spreadsheet they contravened the council's standard practice and guidance provided to members of staff."
The council also took remedial actions of contacting the 77 people who received the spreadsheet, requesting they delete the attachment and avoid circulating it further. They also contacted the individuals whose data had been contained within the document, setting up a helpline and counselling to assist those affected. The council has also stated they are reviewing current data protection procedures across the organisation and implementing refresher best practice training courses for staff.
However, it is an unavoidable fact that these actions fall short for the almost three thousand people whose personal details were breached. The council should have taken a more proactive, less reactive, stance by putting in place measures to prevent the data breach from happening in the first place. Other organisations should also use this as a wake-up call to take similar steps, understanding that simply relying on process, procedure and training is not an adequate level of protection.
Tackling the real issue: Human error
Time and again we see incidents occurring because of staff error, or ‘the Insider Threat’ as it is termed by industry, and yet in many cases little if anything is being done from a technology standpoint to help protect both data and the users responsible for sharing this information.
A common misconception, that this type of incident is too hard to mitigate, often sees technology investment directed instead towards malicious external threats such as cyber-attacks and hacks.
Yet there are three very achievable aims that can mitigate the risk of the ‘accidental send’.
- Engage effectively with end-users
Security technology needs to go beyond simply applying encryption and control to sensitive information; it must also drive understanding and adoption by end-users. Gamification can be used to increase engagement, with staff rewarded for their use of encryption when sharing sensitive data. Additionally, this information can become part of performance reviews, embedding data security into the heart of an organisation.
- Ensure information is shared with the right person
Both personally and corporately sensitive information can cause significant harm in the wrong hands. However, people will always make mistakes: they will attach the wrong document to an email or an invite, or put an incorrect recipient’s name in the ‘To’ / ‘Cc’ field. Technology needs to provide an immutable barrier against both kinds of mistake, so that sensitive data cannot be shared with unauthorised individuals by accident.
Machine learning can be used to model data sharing patterns and generate real-time interactive prompts for end-users to avoid such mistakes. The same models can provide additional protection through alerts to system administrators, indicating where malicious breaches may be taking place.
- Apply appropriate levels of protection to sensitive data
Applying protection and control is the third piece required to contain the insider threat. On its own, it is not enough for organisations to be confident that information is being sent to the correct recipients; they also need to be sure that any sensitive content is protected using Government and industry-certified encryption. In particular, rule-based policy management can be used to apply appropriate levels of security (such as protective marking or encryption) as information exits and enters the organisation. This can also be controlled at a centralised administration level, reducing the risk of end-user error.
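The second and third aims above, a recipient check driven by past sharing patterns and rule-based protective marking with mandatory encryption, can be combined into a single outbound-mail policy check. The following is an added illustration written for this page; it is not code from the original article, from Newcastle City Council or from any product. It assumes a fictional internal domain (`example.gov.uk`), two policy thresholds (`BULK_RECORDS`, `MASS_SEND`), a sender's sharing history kept as a plain set of previous recipients in place of a trained model, and a constructed spreadsheet export with fictional records. The markings `OFFICIAL` and `OFFICIAL-SENSITIVE` are from the UK Government Security Classifications; the crude date-of-birth and postcode detectors stand in for a real content classifier.

```python
"""Outbound e-mail policy check: protective marking from attachment content,
plus a recipient check against the sender's previous sharing pattern.
Added example for illustration only; all names, domains and thresholds are assumptions."""
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.gov.uk"   # assumption: the organisation's own mail domain
BULK_RECORDS = 10                    # assumption: this many personal records count as "bulk"
MASS_SEND = 20                       # assumption: this many recipients count as a "mass send"

# Rough detectors for the kinds of field leaked in the breach (date of birth, UK postcode).
DOB_RE = re.compile(r"\b\d{2}/\d{2}/(19|20)\d{2}\b")
POSTCODE_RE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s*\d[A-Z]{2}\b")


@dataclass
class Message:
    sender: str
    recipients: list
    attachments: dict        # filename -> text already extracted from the attachment


@dataclass
class Decision:
    action: str              # "allow", "prompt" (interactive user prompt) or "block"
    marking: str             # protective marking applied to the whole message
    encrypt: bool            # gateway must encrypt before release
    admin_alert: bool = False
    reasons: list = field(default_factory=list)


def count_personal_records(text):
    """A line holding both a DOB and a postcode is treated as one personal record."""
    return sum(1 for line in text.splitlines()
               if DOB_RE.search(line) and POSTCODE_RE.search(line))


def classify(msg):
    """Rule: any personal record in any attachment raises the marking to OFFICIAL-SENSITIVE."""
    records = sum(count_personal_records(t) for t in msg.attachments.values())
    return ("OFFICIAL-SENSITIVE", records) if records else ("OFFICIAL", 0)


def is_external(addr):
    return addr.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def evaluate(msg, history):
    """history: {sender: set of recipients who previously received OFFICIAL-SENSITIVE mail from them}."""
    marking, records = classify(msg)
    d = Decision("allow", marking, False)
    if records == 0:
        return d                                   # nothing sensitive: no friction for the user
    known = history.get(msg.sender, set())
    external = [r for r in msg.recipients if is_external(r)]
    novel = [r for r in msg.recipients if r not in known]
    if external:                                   # sensitive data leaving the organisation
        d.encrypt = True
        d.reasons.append(f"{len(external)} external recipient(s): encryption required")
    if novel:                                      # departure from the sender's usual pattern
        d.action = "prompt"
        d.reasons.append(f"{len(novel)} recipient(s) never before sent sensitive data by {msg.sender}")
    if records >= BULK_RECORDS and len(msg.recipients) >= MASS_SEND:
        d.action = "block"                         # bulk personal data on a mass send: hold and alert
        d.admin_alert = True
        d.reasons.append(f"bulk personal data ({records} records) on a mass send to {len(msg.recipients)} recipients")
    return d


def build_sample_sheet(n):
    """Constructed stand-in for an exported spreadsheet of placement records (fictional data)."""
    rows = ["Name,Address,Postcode,DOB"]
    for i in range(1, n + 1):
        rows.append(f"Sample Person {i:02d},{i} Example Street,NE{i} 4AA,{(i % 28) + 1:02d}/03/20{i % 10:02d}")
    return "\n".join(rows)


SENDER = "fostering.team@example.gov.uk"
# Constructed sample: a party invitation to 20 external carers and 5 colleagues, with the
# wrong file attached, mirroring the kind of accidental send described in the article.
SAMPLE_INVITE = Message(
    SENDER,
    [f"carer{i:02d}@mail.example" for i in range(1, 21)] + [f"staff{i}@example.gov.uk" for i in range(1, 6)],
    {"foster_placements.csv": build_sample_sheet(12)},
)
# Constructed sample: a single case note to a colleague who routinely receives such material.
SMALL_NOTE = Message(SENDER, ["staff1@example.gov.uk"], {"case_note.txt": build_sample_sheet(1)})
SAMPLE_HISTORY = {SENDER: {"staff1@example.gov.uk", "carer01@mail.example"}}

if __name__ == "__main__":
    for m in (SAMPLE_INVITE, SMALL_NOTE):
        d = evaluate(m, SAMPLE_HISTORY)
        print(d.action.upper(), d.marking, "encrypt" if d.encrypt else "clear", "; ".join(d.reasons))
```

The order of the rules matters: the encryption requirement is set independently of the action, so a message that is eventually released still leaves the organisation encrypted, and the bulk-plus-mass-send rule escalates a prompt to a block with an administrator alert rather than leaving the decision to the user. The case note to a known internal recipient goes through untouched, which is the point of modelling normal sharing patterns: the control only interrupts the unusual send.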
Let’s hope that in future organisations like Newcastle City Council look at and invest in this type of technology, rather than relying on inadequate processes and procedures that offer little protection to the data they share or their staff who are sharing it.