The 21st annual report from the Data Protection Commissioner’s office has been released. As usual it makes for some very interesting reading. The report notes that the number of breaches reported to the office has doubled since the previous year. Most of these reported breaches are from organisations within the public sector. While the first reaction may be to say the public sector is not taking due care of the personal data entrusted to it, I would argue that the public sector is no better nor worse than the private sector.
One of the main reasons for the increased number of reported incidents from the public sector is most likely due to the guidance issued by the Department of Finance in late 2008 “encouraging” government departments to report breaches to the Data Protection Commissioner. See section 4 on page 23 of the guidance.
In my opinion the Data Protection Commissioner’s report reinforces the argument that Ireland should introduce mandatory data breach disclosure laws. My own thoughts on that particular issue are in this presentation that I gave at the last NITeS seminar;
I strongly urge that you take the time to read the report and to ask yourself the question, “How effective are my security controls in protecting the personal data entrusted to my organisation?” If you find it hard to determine how to answer the question there is a very good self assessment checklist available on the commissioner’s site.
It has been an interesting week to say the least with regards to information security breaches in Ireland. First we heard of the responses to Ruairi Quinn’s question as to how many portable devices belonging to government departments have gone missing this year. So far over 45 devices have been lost. Damien Mulley has a breakdown as to what was lost. Then on Friday the HSE reports that it lost another laptop which reports claim leaves the personal details of thousands of HSE staff at risk of identity theft.
To cap it all the Irish Times reports that the Minister for Justice Dermot Ahern is now considering introducing mandatory breach disclosure laws. Having been an advocate for the introduction of such laws I welcome these moves. However, as Digital Rights Ireland points out, the proposed laws appear to have a number of shortcomings, such as being restricted to only portable devices. This means that breaches such as the exposure of people’s CVs on the Jobs.ie website earlier this year would not need to be reported. Also it appears the minister wants to concentrate on major breaches. It will be interesting to see how a major breach is defined. Will that depend on the type of data exposed or the number of records?
I attended the Irish ISACA Chapter’s conference on Friday and a number of people asked me for my reaction to the above. So let me take this post as an opportunity to share my thoughts on breach disclosure;
Thanks to Digital Rights Ireland for pointing me in the direction of today’s Irish Times editorial calling for the introduction of Data Breach Disclosure laws. It is good to see this issue get such a public platform and raise awareness as to why I and Digital Rights Ireland have been calling for such laws to be introduced.
The editorial was written by Karlin Lillington. If you have not visited her Blog I recommend you do, Karlin provides some excellent coverage on technical issues and their implications to society.
Following on from last week’s announcement that the office of the Comptroller and Auditor General lost a laptop containing sensitive data at a bus stop, today the CAG announced that it lost a laptop in April 2007 that contained information from the Department of Social and Family Affairs on over 380,000 welfare recipients. The laptop was stolen from the office of the CAG and, to compound the problem further, while the data was sent to the CAG from the Department of Social and Family Affairs in encrypted format it was subsequently stored on the CAG laptop in plaintext form. The compromised data included personal details such as bank account numbers, names and addresses of people, in fact the perfect data an identity thief would pay a lot of money for.
Questions have to be asked as to why it took so long for those affected to be informed of the breach. It is nearly 17 months since the laptop was stolen but details are only being made public now. Why were those affected not made aware that they were at risk of identity theft? And by the way, the argument that the data has not yet been abused is not a valid one.
Yet again this is another example of why we need mandatory breach disclosure laws in this country. While we have had a number of good examples of how to deal with breaches, too often we have had bad examples. The time of people relying on organisations to do the right thing is over and we need to introduce regulations that mandate the appropriate steps an organisation should take in the event it suffers a breach.
Digital Rights Ireland have a post that covers some of the legal aspects regarding this breach. If you feel as strongly about breach disclosure as I do then they also have details on how you can add your voice to the debate.
The Irish Examiner broke the news this morning that an Irish online retailer’s computer security was breached by criminals who managed to compromise an undisclosed number of credit card details belonging to Irish customers. The breach was apparently discovered after the criminals tried to test if the cards were active by making small online purchases against a New York based online food retailer. Most major Irish banks are in the process of reissuing credit cards to those affected by the breach, while most people who hold credit cards are frantically checking with their provider to see if they have been victims.
At the time of writing there are no public details as to which retailer was compromised, how that compromise happened nor how many people were affected. This is one of the reasons I believe that we need Data Breach disclosure laws here in Ireland.
Knowing who the retailer is could save a lot of unnecessary worry for people who may think their cards have been compromised. Knowing how the attack happened will also be useful for other companies so that they can ensure they have appropriate mechanisms in place to prevent and detect a similar attack, be that an attack via the Internet or an insider using the information.
It will also be interesting to know if the retailer was PCI DSS compliant, and if not, what steps the credit card companies and the acquiring bank will take. My experience in dealing with a lot of companies is that many are not yet compliant with PCI DSS. With all its various faults, at least PCI DSS provides organisations with the minimum best practices and standards that they should have in place. Despite much of the vendor hype, PCI DSS should not be that hard for most companies to achieve. Indeed, if a company is serious about protecting their customers’ data, the PCI DSS standard should be a by-product of their own efforts.
Let’s keep a close eye on this case and see what lessons can be learnt from it.
The latest edition of the Sunday Business Post has an article on Identity Theft titled Good Management is Essential for Security. What is interesting about this particular article, apart from quoting me in it (even though they spelt my name wrong), is the article’s focus on corporate ID theft.
Corporate ID theft is an area often overlooked and can cause companies major issues ranging from reputation damage to financial loss. I covered some of the issues that can face a company in a previous post, Pure Mule.
Anyway, the article is an interesting read and also has some discussion about breach disclosure laws for Ireland, something I also discussed previously.
The Thursday the 29th of May edition of the Irish Independent had an interesting article in its Digital Ireland supplement discussing whether or not Ireland should have mandatory data disclosure laws similar to those in the United States. I am quoted in the article in support of the introduction of such legislation while Owen O’Connor and Paul C Dwyer highlight some reasons why they feel we do not need it.
The Irish Times on Friday the 30th of May includes an article where the Data Protection Commissioner, Billy Hawkes, acknowledges that Ireland is likely to see data disclosure legislation being introduced.
A recent poll at the 2008 Infosec show also shows that over 70% of IT Managers surveyed believe UK companies should be required to disclose security breaches exposing personal information.
I will post at a later date outlining the reasons I believe we should have such laws introduced and countering some of the points that Owen and Paul make. In the meantime I would be interested in hearing your opinion as to why you think data disclosure laws should or should not be introduced.
Lots of conversation on boards.ie claiming that a number of CVs have been illegally downloaded from the Jobs.ie website. No details of what happened have appeared yet but the below is supposed to be an email from Huw Taylor the General Manager of Jobs.ie to affected users.
Dear ……….
I am writing to bring your attention to a security breach on Jobs.ie which occurred yesterday evening. Although this breach was identified and stopped quickly, a small number of CVs were illegally downloaded. Unfortunately your CV was one of the records taken. I understand and apologise for the concern this will cause you and I want to assure you that we are taking steps to prevent this happening again. In the meantime I urge you to exercise extra caution while conducting online activity.
To help you avoid risk, please follow these key online safety tips:
Reputable companies do not request personal details by email, if a company contacts you do not give any personal information until you have established they are legitimate
Never give out personal banking information
Do not share your passwords with anyone
Do not open email attachments if you are suspicious, especially .exe files.
A dedicated 24 hour customer helpline has been set up to deal with any further questions or concerns you may have. Please call +353 (0)1 680 8699 or email info@jobs.ie
Again, please accept our apologies for any inconvenience or distress caused.
Yours sincerely,
Huw Taylor
This is not the first time an online recruitment site has been the victim of an attack, Monster.com suffered a major breach last summer. So before you upload your CV or any personal details to an online recruitment site make sure that you provide the minimum information required and delete those details once you no longer need the services of the site.
It will be interesting to see what other details come to light over the coming days. If you have any additional information please feel free to share it via the comments feature.
UPDATE 30/03/08:
Jobs.ie have posted the above note on their website, which confirms the breach did occur. If you look at that notice you will see that the breach occurred on Thursday evening. Given the time that would be taken to detect the breach, determine the amount of damage done and get people in place to respond to the breach, Jobs.ie should be commended for getting their notifications out within 24 hours of the incident happening.
Also, as we have discussed on this blog before, there are no mandatory breach disclosure laws in Ireland, so again Jobs.ie should be commended for coming clean about the incident.
If you are one of the individuals affected by this breach, I appreciate it is not a nice experience to go through; however, at least Jobs.ie have notified you of the problem so that you can take steps to protect yourself against identity theft. Both the makeITsecure and Garda websites offer advice on how to protect against identity theft.
As discussed last month The Irish Blood Transfusion Board suffered a security incident whereby a CD containing encrypted information on blood donors was stolen in New York City. This was the first major publicly reported data loss incident that we have seen in Ireland. As promised in earlier posts, now that the dust has settled I would like to highlight some of the key lessons learnt from this incident. Hopefully these lessons can be applied to your own situation to ensure that your next incident can be handled well.
Lesson 1 – Know Where Your Data Is. Careful thought went into the process of sending the CD to New York in the first place and it was evident that the IBTS clearly knew what data was on the lost CD and who it impacted. When the CD was lost the IBTS knew exactly the potential impact of the loss.
If you do not know where your data are then you will spend a lot of time in your incident handling trying to determine what the impact of the incident is, time better spent dealing with the actual incident itself. Remember that in an incident time can be your biggest enemy and it is a very finite resource, so spend it wisely.
Below is a round up of news stories relating to information security that we have collated from the past few days. For ease of use we have categorised the stories under the most appropriate headings. If there are other stories that may be of interest please let us know via the comments feature.