Two recent data breaches by the police, both releasing personal data, could seriously compromise personal safety.

Omdia view

Summary

On August 8, 2023, a story broke that the Police Service of Northern Ireland (PSNI) had mistakenly revealed details of its 10,000 staff online. This has serious security implications now that it has been reported the data may have got into the hands of dissident paramilitary organizations. Then on August 16, only eight days later, we learned that Norfolk and Suffolk Police made a similar error, releasing data concerning 1,230 individuals and including the personal information of victims of crime, witnesses, and suspects across a range of sexual offences, domestic incidents, assaults, thefts, and other crimes.

Data security becomes personal

Up to the time of writing, data breaches have largely been passed off as just that: erroneous distribution, loss, or theft of data with little in the way of afterthought. They have been significant or even catastrophic for the businesses or organizations involved, but without serious safety compromises on an individual basis. These new breaches, however, take things to a different level. They provide pointed examples of how protecting data is an increasingly vital aspect of the way we live our lives and of how, in many cases, data equates to people. These cases, which raise serious safety concerns or even endanger the lives of those involved, present a new perspective for data security. At the very least, those individuals included within the data will be significantly worried or distracted over the subsequent days and well beyond.

We read about data breaches on an alarmingly regular basis. The regulators then step in and fine those at fault, and remediation measures are implemented to stop the breach happening again. Over time, organizations generally recover from a breach, but when people are put at risk it becomes about much more than just regulatory compliance. It becomes a case of organizational obligation to, and protection of, the individual.

Putting safeguards in place

I find it bewildering that in this day and age we find ourselves reading about the release of highly sensitive data, but this is increasingly the reality. Increasing workloads, reduced timeframes for delivery… Mistakes are made. It also begs questions around how much we know about our data, or perhaps how much value we apply to it.

Data is often referred to as the organizational “crown jewels,” and arguably the most important asset within the business. Data is not simply an asset: it is vital to operational success. Yet the way we protect that data is just not commensurate. I am sure the PSNI did not want information relating to the entirety of their force falling into the wrong hands, so why was the data not adequately classified and protected? In all probability, not enough consideration was given to the value of the data, and once that click happened the damage was effectively done.

We do not know enough about our data, and without that knowledge we cannot protect it adequately. Tools and processes are available to stop erroneous distribution, and these should be top of any requirements list to build up a robust cybersecurity posture. However, people are also part of this equation, and they need to be educated, educated, and educated again in a positive sense: building up a security culture, attaching value to data, and constantly challenging themselves as to whether what they are about to do with a dataset is the right course of action.

Appendix

Author

Adam Strange, Principal Analyst, Data Security
