Another week, another few million records lost

Even by the standards of the UK infosecurity industry, it's been a bad few days.

Last week, PA Consulting mislaid a USB thumb drive with the personal details of 84,000 prisoners as well as a further 43,000 serious ex-offenders. The thumb drive was unprotected, even though the Home Office, which supplied the data to PA for analysis purposes, had originally encrypted the information.

Then it emerged this week that a network storage drive containing bank and credit card account information, security details and even signatures belonging to around one million people has turned up on eBay.

Incredibly, an IT manager bought the system -- which had originally belonged to a company called Graphic Data -- for just 35. The firm, which specialises in processing digital copies of financial paperwork, has since admitted that a second machine has gone missing.

In a statement Graphic Data said the machine was sold by a former employee without its permission. The data breach came to light when IT manager Andrew Chapman contacted the Daily Mail. Mr Chapman told the paper that the hard drives in the system had not been erased, and contained thousands of credit card applications, requests for balance transfers and even scans of application forms with customers' signatures.

Cheap hardware, expensive data loss

According to Dr Guy Bunker, chief scientist at security vendor Symantec, the breach at Graphic Data values personal information at just one 268th of a penny per record. But he added that this latest case shows how it is all too easy for sensitive information to fall into the wrong hands, especially when equipment is disposed of at the end of its working life.

"Disposal of equipment is now governed by the [EU's] WEEE directive," he said. "But disposal of the data on the equipment isn't. Companies must put in place proper data disposal policies and procedures to prevent this type of error happening."

Banks and other organisations often go to extreme lengths to protect commercially-sensitive files, even going as far as drilling holes through hard drives to render them useless. Companies such as IBM and Seagate Recovery Services have plants that undertake secure equipment destruction; some clients even go as far as transporting obsolete hardware to such sites in armoured vans.

But even lower-grade, software security measures such as over-writing data multiple times, and deleting metadata records, can help. However, no such measures appear to have been followed in this case. "You do need a process, and you need to make sure is part of your standard hardware disposal procedure and information protection policy," warns Bunker. Meanwhile, Graphic Data has said it is taking steps to recover its NAS drive.

The situation around last week's loss of Home Office prison data is, if anything, even more complex. According to the Home Office, its data was originally encrypted, but somehow was kept in the clear by its external contractor.

It is understood that this was in breach of Home Office rules; Government data handling practices are supposed to have been tightened significantly following the loss of Child Benefit records on an unencrypted disk last November.

The Home Office is understood to be disappointed that the loss, which happened at a contractor's premises, was reported in some quarters as a Government data breach.

Penalties for breaches

Opposition politicians have called for criminal penalties for those who expose private data. A more realistic proposal might be to introduce legislation, along the lines of the Database Security Breach Notification Act, or SB-1386, which requires companies to tell their customers if their personal data has fallen into the wrong hands.

SB-1386 is generally credited with forcing US companies to tighten their data security measures, not least because data breaches are almost guaranteed widespread, negative publicity.

As a result, organisations doing business in the US have had to increase their use of encryption and other data protection technology, as well as updating policies on how data is handled.

These are measures that UK organisations would to well to copy, says Philip Wicks, a security expert at IT services firm Morse. "Policies and procedures should be put in place, as well as technology controls that either stop people being able to download sensitive information onto these devices or ensure that the data is encrypted," he warns. "At the moment there seems to be a culture of letting anyone download anything onto a memory stick. This simply isn't sensible."

But the loss of Home Office prison data, perhaps more than the appearance of Graphic Data's storage drives on eBay, raises the question of how much power companies and governments have to enforce security rules on employees, business partners or third party contractors. The tightest security policies will be of no use if they can be overridden or ignored.

Nor are sanctions, contractual, criminal or otherwise, of much practical value to either to individuals or organisations that suffer data losses. Although the board might be clamouring for penalties, the chief information officer (CIO) or chief information security officer (CISO) needs to think about how better to protect the organisation from further damage.

In many cases the key response of an organisation to a breach or non-compliance with data protection policies will be to understand what went wrong, to limit exposure and to ensure that it does not happen again, says Seamus Reilly, a director in the Technology and Security Risk Services team at Ernst & Young. "In many cases an organisation will be more interested in getting non compliances fixed rather than looking to penalise an outsource partner, if one has been involved," he said.

But CIOs also need to look at how systems, and quite possibly outsourcing contracts, are designed and whether data security has been given enough emphasis.

"As part of any outsourcing approach an organisation needs to ensure that it can convey to its outsourcing provider the type and value of the data that it is entrusting to it," added Reilly. "It also needs to ensure that the policies and security countermeasures in place in the outsource provider matches or exceed those the organisation uses providing internally."

Ultimately, compliance with data protection policies relies on everyone understanding the value of personal information.

That in turn depends on trust: trust between outsourcer and client, between employer and employee and between the public and those we allow to handle our data. After the events of the last few days, IT professionals will have to work even harder to rebuild that relationship.