Once more unto the data breach…

Following on from Brian's two recent articles about the PSNI data breach(es), this is a type of incident I know only too well. Over many years working in Freedom of Information and Data Protection I have run countless training sessions, and the participants are, more often than not, bored and disengaged. They would rather spend the hour and a half watching paint dry than be lectured on the intricacies of GDPR, or on why they must always lock their screen (Ctrl-Alt-Delete) when they step away from their desk.

[Figure 1: Data breach. Photo: sluggerotoole.com]

Like pensions or taxes, "information governance" is not the most captivating or thrilling of subjects. It does, however, have a significant impact on our daily lives, a point I always emphasise in my training workshops.

You may think you have no need to understand schedule 2, article 1, section 2 of the Data Protection Act, or processing in the public interest, or the difference between a data controller and a data processor, or the conditions for handling "special category" data. But have you ever wondered about:

• The message from a recruitment agency you have never dealt with, inviting you to apply for a job in a sector you have no qualifications for.

• The email from "Amaz0n Prome" (sic), riddled with spelling and grammatical errors in three different languages, warning that your membership is about to expire, even though you have never signed up with them.

• The unexpected phone call from a supposed insurance company asking for details of a car accident you were never in.

• The phone call from HMRC/IRS/Revenue Commissioners (whichever applies in your jurisdiction, although international borders do not always trouble the caller) informing you of an arrest warrant for unpaid taxes. Surprisingly, they suggest you can avoid prison by giving your credit card details over the phone. Stranger still, they ask for your name, even though they should already have your details on file.

• The WhatsApp message from someone addressing you as their parent, saying they have lost their phone and urgently need money transferred to their bank account to pay off a debt.

• The phone call supposedly from Microsoft Technical Support telling you your computer has a virus and that, to fix it, they need access to your machine through remote access software such as TeamViewer or AnyDesk (other remote access software is available).

• The email from a courier company asking you to pay a fee for a parcel that does not exist.

Although the PSNI data breach (or, more accurately, the two PSNI breaches: the published spreadsheet and the earlier robbery of a laptop) has received most of the media attention, it is in fact the third such incident to come to light in Northern Ireland in the past few weeks.

Only last week the Information Commissioner's Office (ICO), the UK's independent regulator, published reports on data breaches at two other public sector bodies here: the Patient and Client Council (PCC) and the Executive Office. Both made the all-too-common mistake of putting recipients in the "To" or CC field rather than BCC when sending sensitive emails to large numbers of people.

The ICO has come in for heavy criticism recently; its critics say it is toothless and ineffective, and the outcome of the PCC and EO cases has only reinforced that view. Rather than a more severe financial penalty, which the sensitivity of the data involved might have warranted, the ICO issued nothing more than a reprimand.

Nor will these incidents do anything to dispel the widely held belief that the public sector in Northern Ireland is a vast, inefficient bureaucracy staffed by people who either do very little or do work of no real value except to keep the employment figures up, the sort of roles the late anthropologist David Graeber (1961-2020) called "nonsense jobs". His book on the subject, incidentally, is well worth reading.

The PSNI breach, however, is on an entirely different scale.

What is truly unsettling is that it was such a basic, fundamental mistake, and one that could so easily have been prevented.

A spreadsheet with hidden tabs holding sensitive information is only a notch above the classic error of sending an email to the wrong address, [email protected] instead of [email protected], which I have seen happen too. As commenters on this site have already pointed out, had someone with the right expertise reviewed the spreadsheet before it went out, this disaster would have been avoided. It would have been just as easy to convert the spreadsheet to a PDF, guaranteeing that nothing hidden went out with it.

In the space of a few weeks we have had the incidents above, the Scottish adoption records affair, the Coutts/Farage saga, the Suffolk/Norfolk police data breach and the cyber-attack on the Electoral Commission, all while the Information Commissioner, John Edwards, has been working tirelessly to justify his £200,000 salary (though that still pales beside what the BBC pays Stephen Nolan!).

This is an extremely distressing time for PSNI officers and staff. One positive to come out of it, though, will be a heightened awareness of data protection and cybersecurity across the public sector in Northern Ireland and the wider United Kingdom, and professionals in the field may find themselves with stronger leverage when negotiating their salaries.

Sometimes it takes a colossal mistake for things to improve. Ideally it should not, but we live in an imperfect world.

It will also be interesting to see how the Information Commissioner's Office responds.

Ciaran Ward is from Co. Tyrone and lives in London, where he works in data protection and cybersecurity. His latest book, "On Square Routes", a collection of personal reminiscences, travel pieces, short stories and poetry, has just been published and is available from Amazon.

He blogs and tweets occasionally at https://dreamingarm.wordpress.com/ and @CiaranWard73.
