While on Twitter last night I was alerted by @_Aella to a breach at NUI Galway. According to the information posted on the college’s website, they appear to have recently been advised that a file containing the contact details of students who registered or were pre-registered with the college in September 2008 had been accessed. The statement goes on to say that the breach was due to “a security issue with the NUI Galway Clubs and Societies computer system.”
The information accessed, while it may be annoying to those impacted, poses a relatively low threat to them. It consists of personal details such as name, student ID, phone number and NUI Galway email address. The college assures people that “no other personally identifiable information that you have supplied to the University was at risk” and that “we encourage you to be aware of common text/email scams that ask for personal or sensitive information.”
The issue has been reported to the Data Protection Commissioner under the Data Security Breach Code of Practice. It will be interesting to hear whether any additional details are released as to how the breach occurred and whether it was due to an external attack or to lax internal security controls.
As someone who has been campaigning for mandatory data breach disclosure laws in Ireland for a number of years, I am pleased to see the proposed Data Security Breach Code of Practice from the office of the Data Protection Commissioner. I have long argued that organisations need to realise that the data they hold on staff and customers is not theirs, but rather has been entrusted to them by those individuals. The purpose of breach notification should not be to punish the organisation that suffered a breach, but rather to help the affected individuals take appropriate steps to protect themselves, especially nowadays with identity theft and financial fraud being so rife.
The proposed code strives to strike a balance: organisations that have taken appropriate measures to protect sensitive data (e.g. encryption) need not notify anybody about a breach, nor need they notify if the breach affects only non-sensitive personal data or small amounts of sensitive personal data. Companies that have not taken the appropriate measures, however, will indeed be obliged to admit to their shortcomings and shoulder the responsibility for them.
The other benefit I see from this proposed code is that, as an industry, we can all learn from the mistakes or misfortunes of those who suffer a breach. I believe we would not have as many encrypted laptops and other mobile devices as we do today were it not for the widespread publicity given to lost unencrypted devices in the past. While you can argue that encryption alone is not the answer and may simply be a knee-jerk reaction, it is at least a step in the right direction. Those attacking our systems share potential exploits and weaknesses amongst each other; having breach disclosure laws in place helps those of us tasked with defending those systems to better shore up our defences and address potential weaknesses.
Ireland has shown itself to be a leader in introducing legislation to benefit its citizens, the smoking ban and the plastic bag tax being two examples that come to mind. The introduction of the Breach Code of Practice is another example of how Ireland can better protect her citizens and provide an effective information security governance framework for businesses to follow.
I would be interested in your thoughts on the matter. Why not share them below in the comments, or indeed submit your feedback to the Data Protection Commissioner.
The 21st annual report from the Data Protection Commissioner’s office has been released. As usual it makes for some very interesting reading. The report notes that the number of breaches reported to the office has doubled since the previous year. Most of these reported breaches are from organisations within the public sector. While the first reaction may be to say that the public sector is not taking due care of the personal data entrusted to it, I would argue that the public sector is no better or worse than the private sector.
One of the main reasons for the increased number of reported incidents from the public sector is most likely the guidance issued by the Department of Finance in late 2008 “encouraging” government departments to report breaches to the Data Protection Commissioner. See section 4 on page 23 of the guidance.
In my opinion the Data Protection Commissioner’s report reinforces the argument that Ireland should introduce mandatory data breach disclosure laws. My own thoughts on that particular issue are in this presentation, which I gave at the last NITeS seminar.
I strongly urge you to take the time to read the report and to ask yourself the question, “How effective are my security controls in protecting the personal data entrusted to my organisation?” If you find it hard to answer, there is a very good self-assessment checklist available on the Commissioner’s site.
Thanks to the Privacy and Information Security Blog I became aware of a very interesting development in Germany with regard to amendments to German data protection legislation. On July 3rd the German Federal Parliament passed a number of changes to the German Federal Data Protection Act, which will come into force on the 1st of September 2009.
Some of the key items concern data breaches and the requirements now facing German companies. The new obligations apply to any such company suffering a security breach relating to the following:
Sensitive data as defined in the German Federal Data Protection Act
Personal data that is subjected to professional or official confidentiality requirements
Financial information such as credit card or bank details
Information relating to criminal offenses
Data held on customers by telecommunications companies
Should a breach of any of the above be deemed “likely to have a serious impact” on the affected individuals, and provided that notification of the breach will not affect any criminal proceedings and that appropriate measures have been taken to secure the data, the affected organisation will be obliged to notify the affected people. This notification should be made both to the Data Protection Authority and to the affected individuals. Should the breach affect a large number of people, the notification should be made by placing a half-page advertisement in daily national newspapers or in other media that would provide similar coverage.
More information on the changes can be found here (PDF file). Hopefully Ireland will soon follow suit.
RTÉ’s Prime Time Investigates program ran a piece on the 2nd of July on the extent of cyber crime in Ireland. The program is now available online, and I contribute to it. The segment starts about 18 minutes into the program.
Interesting takeaways from the program for business owners:
You have legal obligations under the Data Protection Act to protect your staff’s and clients’ personal information.
Good security is not difficult to implement.
Other areas discussed in the program, and in particular during the panel discussion, relate to the effectiveness of the current Data Protection laws, whether or not we should have mandatory breach disclosure laws (something which I have spoken about before) and how Ireland as a nation is dealing with cybercrime. These are items I shall blog about soon.
It has been an interesting week, to say the least, with regard to information security breaches in Ireland. First we heard the responses to Ruairi Quinn’s question as to how many portable devices belonging to government departments have gone missing this year. So far over 45 devices have been lost. Damien Mulley has a breakdown of what was lost. Then on Friday the HSE reported that it had lost another laptop, which reports claim leaves the personal details of thousands of HSE staff at risk of identity theft.
To cap it all, the Irish Times reports that the Minister for Justice, Dermot Ahern, is now considering introducing mandatory breach disclosure laws. Having been an advocate for the introduction of such laws, I welcome these moves. However, as Digital Rights Ireland points out, the proposed laws appear to have a number of shortcomings, such as being restricted to portable devices only. This means that breaches such as the exposure of people’s CVs on the Jobs.ie website earlier this year would not need to be reported. It also appears the minister wants to concentrate on major breaches. It will be interesting to see how a major breach is defined. Will that depend on the type of data exposed or on the number of records?
I attended the Irish ISACA Chapter’s conference on Friday and a number of people asked me for my reaction to the above. So let me take this post as an opportunity to share my thoughts on breach disclosure:
The Irish Examiner broke the news this morning that an Irish online retailer’s computer security was breached by criminals, who managed to compromise an undisclosed number of credit card details belonging to Irish customers. The breach was apparently discovered after the criminals tried to test whether the cards were active by making small online purchases from a New York-based online food retailer. Most major Irish banks are in the process of reissuing credit cards to those affected by the breach, while most people who hold credit cards are frantically checking with their provider to see whether they have been victims.
At the time of writing there are no public details as to which retailer was compromised, how the compromise happened, or how many people were affected. This is one of the reasons I believe we need data breach disclosure laws here in Ireland.
Knowing who the retailer is could save a lot of unnecessary worry for people who may think their cards have been compromised. Knowing how the attack happened will also be useful for other companies, so that they can ensure they have appropriate mechanisms in place to prevent and detect a similar attack, be it an attack via the Internet or an insider misusing the information.
It will also be interesting to know whether the retailer was PCI DSS compliant and, if not, what steps the credit card companies and the acquiring bank will take. My experience in dealing with a lot of companies is that many are not yet compliant with PCI DSS. With all its various faults, PCI DSS at least provides organisations with the minimum best practices and standards they should have in place. Despite much of the vendor hype, PCI DSS should not be that hard for most companies to achieve. Indeed, if a company is serious about protecting its customers’ data, compliance with the PCI DSS standard should be a by-product of its own efforts.
Let’s keep a close eye on this case and see what lessons can be learnt from it.
Corporate ID theft is an area that is often overlooked and can cause companies major issues, ranging from reputational damage to financial loss. I covered some of the issues that can face a company in a previous post, Pure Mule.