Will Your Internal Sharing of Data Cause a Breach?

On May 4 the United Kingdom’s Information Commissioner’s Office (ICO) announced a £185,000 fine against a health trust for inadvertently publishing the personal details of 6,574 staff members on its website.

Blackpool Teaching Hospitals NHS Foundation Trust is required to post annual equality and diversity metrics. Unfortunately, the published spreadsheets contained “hidden data.” Simply double clicking on the posted tables revealed the sensitive information behind them. This included employees’ names, pay scales, National Insurance numbers and dates of birth as well as other volunteered information such as ‘disabled’ status, ethnicity, religious belief and sexual orientation.

The incident is just one of many examples of data breaches resulting from the inappropriate sharing of data within an organization. In fact, the ICO recently published a guide about how to safely disclose information due to a string of similar incidents.

One of the drivers behind those breaches is business intelligence moving away from a locked-down, data-silo approach and back towards the freewheeling, self-serving nature of the early 1990s as tools like Tableau empower analysts, said Datawatch chief product officer Jon Pilkington, who was a guest on this week’s Cyber Chat podcast.

In its monetary penalty notice to Blackpool Teaching Hospitals NHS Foundation Trust, the ICO noted that the trust:

  1. Did not have any procedure governing requests for information around electronic staff records
  2. Did not provide the team with training on the functionality of the Excel spreadsheets
  3. Had no guidance in place for the web services team to check those spreadsheets for hidden data before making them public
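The third finding describes a check that can be automated before a spreadsheet is published. The following is an added example, not code from the ICO, the trust or Datawatch: it inspects an .xlsx file (a zip archive of XML parts) for hidden or very-hidden sheets and for pivot-cache records, two places where a workbook can carry rows that are not visible in the published view. The function names and the sample workbook are constructed for illustration, and hidden rows, hidden columns and comments are not covered.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN_NS}

def find_hidden_data(xlsx_bytes):
    """Return findings for data a reader would not see in the published view."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        # Sheets carry state="hidden" or "veryHidden" in the workbook part.
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in workbook.findall("m:sheets/m:sheet", NS):
            state = sheet.get("state", "visible")
            if state != "visible":
                findings.append(f"{state} sheet: {sheet.get('name')}")
        # A pivot cache stores a copy of the source rows inside the file.
        for part in zf.namelist():
            if part.startswith("xl/pivotCache/pivotCacheRecords"):
                count = ET.fromstring(zf.read(part)).get("count", "unknown")
                findings.append(f"pivot cache {part}: {count} records")
    return findings

def build_sample():
    """Constructed workbook skeleton: a hidden sheet and a pivot cache."""
    workbook = (f'<workbook xmlns="{MAIN_NS}"><sheets>'
                '<sheet name="Summary" sheetId="1"/>'
                '<sheet name="StaffRecords" sheetId="2" state="hidden"/>'
                '</sheets></workbook>')
    cache = f'<pivotCacheRecords xmlns="{MAIN_NS}" count="3"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/pivotCache/pivotCacheRecords1.xml", cache)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in find_hidden_data(build_sample()):
        print("REVIEW BEFORE PUBLISHING:", finding)
```

Any finding should block publication until someone confirms the hidden part holds nothing sensitive or removes it.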

“[Analysts] are offloading data from its originating source for the purposes of getting their job done,” Pilkington said, adding that this approach is revealing potential data governance gaps within organizations.

The Big Concern is a Data Breach

Internally sharing data without the proper precautions may result in a highly publicized exposure, said Dan Potter, chief marketing officer at Datawatch, which helps business users prepare and analyze data from a variety of sources.

“The big concern, the big risk, is around data breach because now you’ve got data being moved from governed systems — like a database or data warehouse that are well-managed and well-governed and controlled — to something that is now living on the desktop of an analyst and therefore being shared with other people in a non-governed way.”

Take the recent breach at retailer Kiddicare. Earlier this month the company notified nearly 800,000 customers that their names, addresses and telephone numbers may have been stolen after a test website using real customer information was compromised.

However, using real data on a test site tends to be a bad practice, noted security blogger Graham Cluley. As a test site, things are expected to go wrong, and in the case of Kiddicare, they did.

“Unfortunately, time and time again it’s seen that companies can be sloppier about the security of their test sites than their official sites — opening opportunities for data thieves and hackers,” Cluley wrote. “For that reason it’s usually much safer to generate fake data for testing purposes – just in case.”

Importance of Data Masking

Redaction and data masking can provide the best of both worlds: analysts across all departments are free to examine the data they want, and the sensitive information is removed or replaced with innocuous data.

This can help ensure you’re staying compliant with both government regulations and corporate policy. For example, if the employees’ names and insurance numbers had been masked in the data behind the trust’s equality and diversity metrics, the mistaken disclosure of that information would have been much less significant.
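A sketch of masking applied to staff records like those described above, as an added example that is not Datawatch's product or method. It redacts the name, replaces the insurance number with a keyed token so analysts can still count and join records, and reduces the date of birth to a year. The field names, sample rows and key are constructed for illustration.

```python
import hashlib
import hmac

def pseudonymise(value, key):
    """Keyed token for an identifier; stable per key so records can still be joined."""
    normalised = "".join(value.split()).upper()
    # HMAC rather than a bare hash: the identifier space is small enough
    # that an unkeyed digest could be reversed by enumeration.
    return hmac.new(key, normalised.encode(), hashlib.sha256).hexdigest()[:16]

def mask_record(row, key):
    """Return a masked copy of row; the original dict is left unchanged."""
    masked = dict(row)
    masked.pop("name", None)                                # redact outright
    masked["staff_token"] = pseudonymise(masked.pop("ni_number"), key)
    masked["birth_year"] = masked.pop("date_of_birth")[:4]  # generalise
    return masked

# Constructed sample rows; field names and values are illustrative.
SAMPLE = [
    {"name": "Alex Example", "ni_number": "QQ 12 34 56 C",
     "date_of_birth": "1980-02-14", "pay_scale": "Band 5"},
    {"name": "Sam Sample", "ni_number": "QQ654321A",
     "date_of_birth": "1975-11-30", "pay_scale": "Band 7"},
]

if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice, a secret held outside the dataset
    for row in SAMPLE:
        print(mask_record(row, key))
```

The key must stay with the governed source system: anyone holding both the key and a list of candidate numbers can regenerate the tokens.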

Potter added, “There’s a whole host of other kinds of data that people need to be very, very careful with in making sure that they’re masking it in some way because as you move to self-service analytics it does create more risk.”

Listen to the full conversation with Datawatch for more about business intelligence and data masking.

About the Podcast
In early May Blackpool Teaching Hospitals NHS Foundation Trust was fined £185,000 by the United Kingdom’s Information Commissioner’s Office for inadvertently publishing the personal details of 6,574 staff on its website. And last week retailer Kiddicare announced that 800,000 customers were impacted after a test site using real customer information was compromised by hackers. The incidents highlight a growing problem. Organizations have more data than ever, and that sensitive data is often being shared with other departments or with third parties for a variety of purposes.

On today’s Cyber Chat we talk with Datawatch chief product officer Jon Pilkington and chief marketing officer Dan Potter about business intelligence, the importance of data masking and how businesses can protect their sensitive information when it’s being shared both inside and outside of the organization.

Author: Jeff Peters

SurfWatch Labs editor and host of SurfWatch Labs Cyber Chat podcast. Focused on using threat intelligence and data visualization in order to bring cybercrime to life and help make organizations safer.
