Posts filed under ‘data_breach’
When HMRC (Her Majesty’s Revenue and Customs) lost personal information of nearly half the UK population, I called it “mind boggling”. I also thought that it would be the last time I’d write about data breaches. What could top that?
Never underestimate the Brits. They’ve now pushed the bar even higher.
All it took was a flash drive found in the car park of a pub, The Orbital. It held user names and hashed passwords for Government Gateway accounts; the Gateway provides centralised authentication to important online services such as tax returns. Worse, the flash drive also held the source code, security software and a step-by-step guide to how the Government Gateway works. And it belonged to Daniel Harrington, an IT analyst at Atos Origin, the company which manages the Government Gateway.
The flash drive was lost about two weeks ago. Daniel must have just started to believe that his prayers had been answered and the flash drive was lost forever. No such luck. Tellingly, it was turned in to a newspaper (The Mail on Sunday) rather than given back to the government.
The point isn’t that the flash drive was lost. What was all that data doing on it in the first place? The Prime Minister is pointing the finger at Atos Origin, which in turn is blaming Daniel for breaching operating procedures. Really? It sounds exactly like Chancellor Alistair Darling pointing to a junior official in the HMRC case. It really shouldn’t be so easy to evade accountability.
Why was the flash drive unencrypted? The passwords were hashed rather than stored in the clear, but a hash file in an attacker’s hands can be attacked offline at leisure: unless the hashes are salted and deliberately slow to compute, a dictionary attack with enough hardware behind it will recover the weak passwords. It’s impossible to say how many copies of the flash drive may be in circulation.
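To make the point about hashed passwords concrete, here is an added example (not code from the original post, and not anything known about the Government Gateway’s actual scheme). It simulates a leak of unsalted SHA-1 hashes beside a leak of salted, iterated PBKDF2 hashes and runs the same small dictionary attack against both. The usernames, passwords and wordlist are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample of the kind of records a leaked credential file holds.
# The usernames, passwords and the choice of SHA-1 are assumptions for this
# illustration; nothing here is taken from the Government Gateway.
USERS = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "Tr0ub4dor&3",   # deliberately absent from the wordlist below
}

# A tiny constructed wordlist; real attacks use lists with millions of entries.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "welcome"]


def leak_unsalted(users):
    """Weak scheme: one fast, unsalted hash per password."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in users.items()}


def crack_unsalted(leaked, wordlist):
    """Unsalted hashes can be attacked all at once: hash each candidate ONCE,
    build a lookup table, and match it against every user in the leak."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {u: table[h] for u, h in leaked.items() if h in table}


def leak_salted(users, iterations=100_000):
    """Stronger scheme: a random per-user salt and a deliberately slow KDF
    (PBKDF2-HMAC-SHA256), the sort of storage a credential file should use."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        out[u] = (salt, iterations, digest)
    return out


def crack_salted(leaked, wordlist):
    """Salts defeat the shared table: every (user, candidate) pair costs a full
    PBKDF2 run, so the attacker's work grows with users * words * iterations.
    The weak passwords still fall; it just costs far more to find them."""
    found = {}
    for u, (salt, iterations, digest) in leaked.items():
        for w in wordlist:
            cand = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations)
            if hmac.compare_digest(cand, digest):
                found[u] = w
                break
    return found


def hash_operations(n_users, n_words, iterations=100_000):
    """Rough work factor of one full dictionary pass against each scheme,
    counted in KDF/hash invocations (PBKDF2's internal HMAC calls ignored)."""
    return {
        "unsalted_fast": n_words,                         # table built once, reused for all users
        "salted_pbkdf2": n_users * n_words * iterations,  # no sharing possible
    }


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(leak_unsalted(USERS), WORDLIST))
    print("salted:  ", crack_salted(leak_salted(USERS, 10_000), WORDLIST))
    print("work for 1,000 users and a 1e6-word list:", hash_operations(1_000, 1_000_000))
```

Both attacks recover alice’s and bob’s passwords and neither recovers carol’s, which is the point: hashing only protects passwords that are not in the attacker’s wordlist, and the salt plus iteration count decides whether the attacker needs a laptop or a data centre to get through the file.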
Some will use this to question the UK’s plan for a National Identity Card. Others will again proclaim the death of passwords. Yet others will cry that it’s the tip of the iceberg: who knows how many other unreported breaches of this magnitude are happening around the world? I’m sure at least a few will wonder what if it had been biometric templates.
Me, I mourn the blows to trust in government and online services all over the world. And the frightening reality that past lessons are simply being ignored, taking us ever closer to a tipping point.
Following several months of consultation on the August 2007 draft data breach notification guidelines, the Privacy Commissioner has now released a final version of the voluntary guidelines accompanied by an information paper.
The guidelines consist of two documents: Key Steps for Agencies in Responding to Privacy Breaches and a Privacy Breach Checklist.
In announcing the launch of the guidelines, Privacy Commissioner Marie Shroff says there is “a good case to require agencies by law to notify customers where a security breach puts those customers at risk…The voluntary guidelines are not inconsistent with New Zealand moving in due course to make breach notification mandatory.”
The Privacy Commissioner will give the voluntary guidelines 18-24 months before deciding whether mandatory rules are needed, either through her own statutory powers or through the Law Commission taking the issue up as part of its current review of privacy laws.
The guidelines note that “agencies have duties to safeguard personal information under information privacy principle 5, and are encouraged to follow the guidance.” They describe four stages for managing a privacy breach:
1. Containing the breach and preliminary assessment;
2. Evaluating the risks;
3. Considering or undertaking notification; and
4. Putting in place future prevention strategies.
The guidelines remain “harm based”: a critical part is an assessment of the foreseeable harm to the individuals, agencies and the general public. Direct notification to affected individuals is preferred over indirect means such as a website or the media. While “Agencies are encouraged to report material privacy breaches to the Office of the Privacy Commissioner”, the guidelines are silent on what constitutes a material privacy breach.
Now that the guidelines are here, it is sensible for government agencies and businesses to proactively conduct a security audit and put into place contingency plans to deal with any breaches that may occur.
And it is worth remembering that the source of many security incidents is internal, so a parallel review of policies and processes (including offsite backup and the transportation of customer information) is a good idea.
Back in August 2007, I had called the draft voluntary guidelines regarding data breach notifications “quick and light.” The Dominion Post/Stuff website today says that, following public consultation, the Privacy Commissioner will give the guidelines 18 months to two years to take effect before deciding whether mandatory rules are required.
Lessons from other countries as well as “how businesses and government agencies abide by the guidelines” will be taken into account to determine if the guidelines become mandatory.
The Privacy Commissioner is further quoted as saying, “Our research has definitely shown there are downsides to mandatory guidelines as well as to voluntary guidelines. Mandatory guidelines always become somewhat rigid.”
The comments Stephen Revill made in the original post are still relevant. He thought that “The criteria used to provide guidance as to what a “material” privacy breach is, can be best described as “fuzzy”….If there are no clear rules, no clear incentives to comply and no way to measure how far the guidelines are being adhered to, then the law makers will not be in any better position when it comes time to decide whether a security breach notification law is needed.”
Hopefully this will be addressed over the next few weeks as the guidelines are finalised.
My personal opinion remains the same. I don’t think the level of data breaches in NZ is too high, and I think the actual consequent misuse rate is very low. However, I favour mandatory disclosure to the Office of the Privacy Commissioner so that the actual size of the problem is clear, there is no wiggle room from discretion, and there is sufficient incentive for organisations to improve the security of the personal information they hold.
How much identity fraud or theft actually comes from breaches involving the disclosure of personal identity information?
This is an important question because of increased publicity around high profile breaches. The fiasco in the UK involving 25 million records is an obvious one, but also, according to Privacy Rights Clearinghouse, over the past three years about 217 million known records containing sensitive personal information were involved in security breaches in the US.
A study by ID Analytics looked at over a dozen data breaches involving, in total, more than ten million consumer identities. It found five separate cases where breached identity data was misused by fraudsters, two of them resulting from employee theft of data.
Very few identities were misused following a data breach.
Smaller breaches had a higher misuse rate than larger breaches. Misuse of personal data ranged from 1 in 200 identities for breaches of fewer than 5,000 individuals to a misuse rate of less than 1 in 10,000 identities for breaches of more than 100,000 individuals. So, data breaches that get major press coverage, generally falling in the latter category, have a misuse rate of under 0.01%.
Therefore, there is some evidence that the rate of identity fraud or theft actually resulting from breaches involving the disclosure of personal identity information is quite low. The study also suggests that a significant share of the misuse that does occur traces back to insiders rather than external attackers.
Hopefully, this will inform a rational debate on the nature of public disclosure for data breaches.
Even though I have no connection with Passport Canada, for some reason I’m feeling terribly let down by them.
My disappointment may stem from an agency making an elementary security mistake and, rather than fixing the problem, repeating it and looking foolish.
Or, it might be that it is incidents like these that collectively undermine trust people have in dealing with government agencies online.
Sigh…government agencies dealing with sensitive personal information simply have to do better.
What happened? According to the Globe and Mail, a security flaw in their website allowed passport applicants to view the personal details (including social insurance number, date of birth, address, driver’s licence number and gun ownership) of other applicants by simply changing one character in the URL displayed in the address bar. In other words, the application served whatever record the URL named without checking that it belonged to the logged-in applicant. A very, very basic mistake and, worse, evidence of appalling testing.
The site was taken down, but when it was put up again a few keystrokes were still all it took to reveal personal information. All the while, Passport Canada was in public denial mode.
Their website says about Web Security that “Passport Canada is taking the measures necessary to protect the confidentiality of the personal information you provide and to ensure that your electronic transactions with us are secure.”
The problem is, when fine words don’t match reality, public cynicism results. And that hurts.
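As an added illustration of the flaw described above (example code written for this page, not Passport Canada’s application), here is a minimal record viewer in its vulnerable form beside the hardened form, plus a probe that does what the reporter did: walk the ids on either side of your own and see whose data comes back. The application ids, names and field values are constructed.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


@dataclass
class Application:
    app_id: int
    owner: str      # logon name of the applicant who submitted it
    sin: str        # social insurance number (constructed, not a real one)
    dob: str


# Constructed sample records; ids, names and values are assumptions.
APPLICATIONS = {
    100234: Application(100234, "alice", "123-456-789", "1980-01-01"),
    100235: Application(100235, "bob",   "987-654-321", "1975-06-15"),
    100236: Application(100236, "carol", "555-444-333", "1990-12-31"),
}


def vulnerable_view(session_user, app_id):
    """The flaw: the record is fetched by the id taken from the URL alone.
    session_user is known to the server but never consulted, so any logged-in
    user who edits one digit of the URL reads someone else's application."""
    app = APPLICATIONS.get(app_id)
    if app is None:
        raise Forbidden("application not found")
    return app


def hardened_view(session_user, app_id):
    """The fix: authorisation comes from the server-side session, never from
    the URL. 'Missing' and 'not yours' get the same answer so that valid ids
    cannot be enumerated by watching which error comes back."""
    app = APPLICATIONS.get(app_id)
    if app is None or app.owner != session_user:
        raise Forbidden("application not found")
    return app


def denied(view, session_user, app_id):
    """True if the view refuses to show app_id to session_user."""
    try:
        view(session_user, app_id)
    except Forbidden:
        return True
    return False


def probe_neighbours(view, session_user, own_id, width=2):
    """The reporter's trick, automated: start from your own application id,
    try the ids on either side, and record whose data each one returns."""
    leaked = {}
    for app_id in range(own_id - width, own_id + width + 1):
        try:
            app = view(session_user, app_id)
        except Forbidden:
            continue
        if app.owner != session_user:
            leaked[app_id] = app.owner
    return leaked


if __name__ == "__main__":
    print("vulnerable:", probe_neighbours(vulnerable_view, "alice", 100234))
    print("hardened:  ", probe_neighbours(hardened_view, "alice", 100234))
```

Against the vulnerable view, alice’s probe returns bob’s and carol’s applications; against the hardened view it returns nothing but her own. Unguessable (random) ids would make the probe slower but are not a substitute for the ownership check, which is the actual fix.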
Frank Wilson has authored the latest in a series of Think Papers for the European Commission entitled “Trust and Identity in Interactive Services: Technical and Societal Challenges” (PDF).
In this Paper, he says “… our governments and citizens must together develop an agreement on the acceptable ways of gathering, storing and using data about citizens within a secure electronic service environment.”
“The future of electronic service provision in all European societies relies on development of a citizen-centred European trust network to underpin and facilitate the many secure electronic service networks under development at present.”
I interpret this in two ways.
First, that data breaches of government-held personal information, such as that in the UK recently, undermine the basic trust relationship between government and people. As I mentioned in my first post on this topic, “The real issue goes to the heart of governance and government: trust… The hard reality is that it is about trust and a loss of trust strikes at the very foundation of government.”
Secondly, if the trust fabric is strong, people and government can both benefit substantially from richer user-centric online services that require an identity backbone. The trust pact ensures that a framework that protects privacy and offers user control is in place, i.e. a framework that both reflects and enhances the trust relationship. Without such a trust relationship, efforts to build a user-centric identity or information metasystem that involves the government as an Identity Provider are inherently flawed.
How, then, should the trust relationship be built and nurtured? The Think Paper offers a somewhat simplistic view on that vital question by recommending “achieving a balance between the need to hold data and the duty to use it and protect it responsibly.” Hopefully, a future Think Paper will do more justice to this critical question.
Talk about timing.
Just hours before the UK’s Chancellor Alistair Darling revealed to MPs the loss of 25 million personal records, Government CIO John Suffolk gave a blunt warning about the danger of creating more giant government databases. He said, “To put more eggs in single basket is a foolhardy approach. The best way to protect data is to say: this data is for specific purpose, put protection around [it].”
He went on to say, “There is a balance to be struck. It’s nonsense to assume or even think about a central database or central clearing house.”
As Kim Cameron said in his blog post, “To me this is the equivalent of assembling a vast pile of dynamite in the middle of a city on the assumption that excellent procedures would therefore be put in place, so no one would ever set it off.”
“There is no need to store all of society’s dynamite in one place, and no need to run the risk of the colossal explosion that an error in procedure might produce.”
In my first post about the data loss, I mused, “Perhaps the time has come when identity systems are based on an assumption that peoples’ personal information is not secure.” On the same lines, Kim said “the information that is the subject of HMRC’s identity catastrophe should have been partitioned – broken up both in terms of the number of records and the information components… no official (A.K.A insider) should ever have been able to get at enough of it that a significant breach could occur.”
That got me to do a mental check about the online identity and authentication systems being put into place in New Zealand. Though the service is presented to people as a single, integrated service (igovt), under the hood there are two separate services (Government Logon Service and Identity Verification Service) run by two separate government agencies with two separate databases.
This ensures that, in the unlikely event that a breach does occur, no single database holds all the information: the logon store holds credentials without identity attributes, and the identity store holds attributes without credentials. The check provides a measure of confidence that the NZ services are designed right from a breach perspective, with the usual caveat that the partition only limits the damage if a dump of one store cannot simply be joined to the other.
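To show what that partitioning buys, here is an added toy model (example code written for this page; it is not the igovt, Government Logon Service or Identity Verification Service implementation, and the HMAC-derived pseudonym link, the class names and the sample data are assumptions). A logon store keeps only salted password hashes and a random token; an identity store keeps attributes keyed by a pseudonym derived from that token with a secret the identity store alone holds. A dump of either store on its own yields only its half, and the two dumps do not line up without that secret.

```python
import hashlib
import hmac
import secrets


def _kdf(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash for the logon store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class LogonService:
    """Authentication only: logon name, salted password hash, opaque token.
    It never stores a name, address or date of birth."""

    def __init__(self):
        self.records = {}

    def register(self, logon: str, password: str) -> str:
        salt = secrets.token_bytes(16)
        token = secrets.token_hex(16)   # random; carries no identity meaning by itself
        self.records[logon] = {"salt": salt, "hash": _kdf(password, salt), "token": token}
        return token

    def authenticate(self, logon: str, password: str):
        """Return the user's token on success, None otherwise."""
        rec = self.records.get(logon)
        if rec and hmac.compare_digest(_kdf(password, rec["salt"]), rec["hash"]):
            return rec["token"]
        return None


class IdentityService:
    """Identity attributes only, keyed by pseudonym = HMAC(service secret, token).
    Without this service's secret, the tokens in a logon-store dump do not
    index anything here."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self.records = {}

    def _pseudonym(self, token: str) -> str:
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def enrol(self, token: str, attributes: dict) -> None:
        self.records[self._pseudonym(token)] = dict(attributes)

    def lookup(self, token: str):
        return self.records.get(self._pseudonym(token))


def setup_demo():
    """Constructed user: one logon record in one store, one identity record in the other."""
    gls = LogonService()
    ivs = IdentityService(secret=secrets.token_bytes(32))
    token = gls.register("alice01", "correct horse battery staple")
    ivs.enrol(token, {"name": "Alice Example", "dob": "1980-01-01"})  # constructed data
    return gls, ivs


def fields_exposed_by_breach(store) -> set:
    """What an attacker holding a complete dump of ONE store learns: the set of
    field names present in its records."""
    exposed = set()
    for rec in store.records.values():
        exposed.update(rec.keys())
    return exposed


def can_join_dumps(gls_dump: dict, ivs_dump: dict) -> bool:
    """Try to link the two dumps using only their contents. Tokens are not the
    keys of the identity store, so no logon record lines up with an identity."""
    tokens = {rec["token"] for rec in gls_dump.values()}
    return any(t in ivs_dump for t in tokens)


if __name__ == "__main__":
    gls, ivs = setup_demo()
    print("logon dump exposes:   ", fields_exposed_by_breach(gls))
    print("identity dump exposes:", fields_exposed_by_breach(ivs))
    print("dumps joinable offline:", can_join_dumps(gls.records, ivs.records))
    print("legit lookup:", ivs.lookup(gls.authenticate("alice01", "correct horse battery staple")))
```

The legitimate path still works end to end: a successful logon yields the token, and the identity service resolves it through its own secret. An insider with a copy of one database gets credentials without identities or identities without credentials, which is the property the post is checking for. If the identity store were keyed directly by the logon token, or the same team operated both stores with the secret, the partition would be cosmetic.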