Monday, 31 October 2016

The leak of personal data from the Red Cross Blood Service (RCBS) has had plenty of exposure.

I am one of 550,000 affected people who have had their personal details exposed to the internet. (The total number of records is more like 1.3 million). So the whole world might have known whether I’ve been involved in “at-risk sexual behaviour” (which I haven’t) and other personal details. That’s scary!

It appears that an RCBS contractor doing website development had copied the personal details to a development area of the website, where they were exposed to the internet. I assume that the development area wasn’t subject to the normal security rigours.
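As an added example (not code from the original post, and not anything RCBS or its contractor used), here is a check for the failure mode described above: a scanner that walks a web-served document root, such as a development area, and flags files that look like data exports, either by extension or by sniffing their first bytes for a SQL dump or a CSV header naming personal-data columns. It assumes the development area is an ordinary document root that the web server serves as-is; the sample tree it builds is constructed for the demonstration and contains no real data.

```python
"""Audit a web-served directory tree for data exports that should not be there.

Added example, not code from the original post or from RCBS. Assumption: the
development area is a plain document root that the web server serves as-is,
so anything copied into it is reachable from the internet.
"""
import os
import re
import tempfile
from pathlib import Path

# Extensions that have no business in a served document root.
DUMP_EXTENSIONS = {".sql", ".sql.gz", ".bak", ".dump", ".csv",
                   ".xls", ".xlsx", ".zip", ".tar.gz"}

# Content signatures: a SQL dump, or a CSV header with personal-data columns.
SQL_SIGNATURE = re.compile(rb"^\s*(--|/\*!|INSERT INTO|CREATE TABLE|DROP TABLE)",
                           re.I | re.M)
PII_HEADER = re.compile(
    rb"^[^\n]*\b(email|e-mail|dob|date_of_birth|phone|address|gender)\b", re.I)


def suffixes(path: Path) -> set:
    """All dotted suffixes of a file name: 'backup.sql.gz' -> {'.sql.gz', '.gz'}."""
    parts = path.name.lower().split(".")
    return {"." + ".".join(parts[i:]) for i in range(1, len(parts))}


def classify(path: Path, head_bytes: int = 4096) -> list:
    """Return the reasons a file looks like a data export (empty list if none)."""
    reasons = []
    hits = suffixes(path) & DUMP_EXTENSIONS
    if hits:
        reasons.append("extension " + ",".join(sorted(hits)))
    try:
        with path.open("rb") as fh:
            head = fh.read(head_bytes)
    except OSError:
        return reasons
    if SQL_SIGNATURE.search(head):
        reasons.append("looks like a SQL dump")
    elif PII_HEADER.match(head):  # only the first line is examined
        reasons.append("CSV header names personal-data columns")
    return reasons


def scan_docroot(docroot) -> dict:
    """Map each suspicious file (relative POSIX path) to its list of reasons."""
    docroot = Path(docroot)
    findings = {}
    for root, _dirs, files in os.walk(docroot):
        for name in files:
            p = Path(root, name)
            reasons = classify(p)
            if reasons:
                findings[p.relative_to(docroot).as_posix()] = reasons
    return findings


def build_sample_docroot() -> Path:
    """Constructed sample tree modelled on the post's description; no real data."""
    d = Path(tempfile.mkdtemp(prefix="docroot-"))
    (d / "index.html").write_text("<html><body>dev site</body></html>\n")
    (d / "css").mkdir()
    (d / "css" / "site.css").write_text("body { margin: 0 }\n")
    (d / "dev").mkdir()
    # A database dump copied in by extension: caught by name and by content.
    (d / "dev" / "donors_backup.sql").write_text(
        "-- MySQL dump\n"
        "CREATE TABLE donors (id INT, name TEXT, email TEXT);\n"
        "INSERT INTO donors VALUES (1,'Example Donor','donor@example.invalid');\n")
    # A CSV export with no extension at all: only content sniffing catches it.
    (d / "dev" / "export").write_text(
        "name,email,dob,at_risk_behaviour\n"
        "Example Donor,donor@example.invalid,1970-01-01,no\n")
    (d / "dev" / "notes.txt").write_text("TODO: remove test data before go-live\n")
    return d


if __name__ == "__main__":
    for rel, why in sorted(scan_docroot(build_sample_docroot()).items()):
        print(f"{rel}: {'; '.join(why)}")
```

Run it against the real document root, and any dev or staging vhost roots, rather than the sample tree. The content sniffing matters because renaming `donors_backup.sql` to `export` does not stop the server from handing the file out. A hit means removing the file and asking how it got there; configuring the server to refuse to serve such types is a backstop, not a substitute for keeping production data out of development environments.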

I have received the email from RCBS offering their sincere apologies for the incident. But that’s not going to solve their problems.

I find it very frustrating that we all focus on cyber security (important as it is). We should be focusing on the data. What data do we have? Where is it? What’s its content and value? What happens if we lose it? And, most important: who in the organisation owns it? Who is responsible for understanding our data and protecting it like the gold that it is?

The way I see it, we need to get serious about data: what it contains and what it is worth. Otherwise these sorts of breaches will continue.

Let’s think about our attitudes around data.

One – No common sense. People don’t apply the same level of common sense in the electronic world as in the physical world. For example, people readily click on links in suspicious emails, then find that ransomware has encrypted all their data and made it unusable. They then have to either pay the attackers a ransom (often demanded in bitcoin) or restore their data from a backup, and a backup only helps if it is kept somewhere the ransomware couldn’t reach and has actually been tested. In the physical world people aren’t so casual with their assets.

Two – No ownership. Businesses are happy to own their business processes and the controls associated with them. For example, IT, as the custodian of the data, is happy to own the infrastructure and the security associated with it: the cyber security controls, and the access controls that stop me reading payroll details. But who is responsible for understanding the value of that data? That value is not just what it cost to collect, or what it might be sold for. Thinking about data has to include: what duties do I owe to the people who have entrusted their data to me? How much value might my brand lose if I don’t keep that data safe? What would I lose if my data were destroyed, or if my competitors got hold of it?

So from a data perspective, no common sense and no ownership: a recipe for disaster!

We need to change our thinking, and fast. Businesses need to understand what data they have and where it is, and people in the business need to take responsibility for and ownership of that data. That’s not just IT’s job.

All this being said, I agree that it remains in the public’s interest for the RCBS to collect information from blood donors. I, for one, will continue to donate blood, and I hope this episode doesn’t stop others from doing so.