
More data lost or stolen in first half of 2017 than the whole of last year

Anonymous Coward

The plan is to bring in the GDPR after there is nothing left to be disclosed. Sounds like it's right on track :)


More like data anybody noticed...

Be honest, this is a measure of security activity. The actual losses have been far vaster for donkeys' years but nobody ever wanted to know.

At last, infosec whistleblowing is no longer an automatic sacking offence (you do still need qualifications first, though)


What do you mean by "lost"?

I suspect that you mean "laptop left on train", or similar, i.e. misplaced, and possibly in the wrong hands.

This is very different from "data accidentally deleted". There is sometimes a requirement for data to be kept for certain periods. I observe that embarrassing data, especially when asked for by a subject access request, has a propensity to become "lost - accidentally deleted".

These two should be counted separately.

Could we please start calling the "left on train" incidents "misplaced", not "lost".


Re: What do you mean by "lost"?

It's worth reading the report, as it does explain a bit more... Accidental loss counts for 18% (166 incidents), with malicious outsiders being by far the biggest challenge (74%) but malicious insiders working their way up too at 8%, or 71 incidents...

That's just one of the data points in there. There's plenty more.

Take with a pinch of salt, but it is good evidence to change an organisation's mindset on security.

SVV

A poor reflection on the industry

An entrenched culture of management who still see security as a cost without benefits, combined with a lack of thinking on the part of system designers and implementers, has led to this sorry state of affairs.

How loudly and how often do you STILL need to shout "do not store identifiable user information in unencrypted plain text" before someone takes notice? I'm sick and tired of seeing company databases in the course of my work that have a User table with two columns (username, password) that do this. They often have a mandatory email address column too, enabling an attacker to have a good chance of getting into that user's accounts on other sites too. And the uninterested reaction from management every time I wearily point out what a bad idea this is is something I've come to expect. There are ways of organising a secure solution via configuration and access control that make even an inside job more or less impossible.

We need to spread the idea that if you take the lazy approach you have no right to call yourself an "IT professional". And any company / government who stores user credentials this way should be made legally liable for any and all losses that are incurred by users as a result, plus damages. Publicising the change in the law should spur all but the most stupid into action.

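The comment above describes a User table holding (username, password) in the clear. As an added illustration that is not part of the commenter's post or the article, the following Python builds that anti-pattern in an in-memory SQLite database beside a hardened version of the same table: each password is stored as a per-user random salt plus a PBKDF2-HMAC-SHA256 digest, and verification uses a constant-time comparison. The schema, the sample user "alice" and the work factor (600,000 iterations, a commonly cited 2023 baseline for PBKDF2-SHA256) are assumptions for the example; nothing here is taken from any real company's database.

```python
"""Plaintext credential table versus a salted, hashed one.

Added example (not from the article or the comment thread). Everything
below is constructed: the schema, the sample user and the work factor.
Runs offline against an in-memory SQLite database.
"""
import hashlib
import hmac
import os
import sqlite3

# Assumed work factor for PBKDF2-HMAC-SHA256; tune upward as hardware allows.
ITERATIONS = 600_000
SALT_BYTES = 16

# Only these two table names may be passed to dump_rows(); identifiers cannot
# be bound as SQL parameters, so an allowlist stands in for parameterisation.
TABLES = {"users_plain", "users_hashed"}


def create_tables(conn):
    """The anti-pattern (users_plain) next to the hardened layout (users_hashed)."""
    conn.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute(
        "CREATE TABLE users_hashed ("
        "username TEXT PRIMARY KEY, salt BLOB, iterations INTEGER, pw_hash BLOB)"
    )


def add_plaintext_user(conn, username, password):
    """Stores the secret exactly as typed: one SELECT leaks every login."""
    conn.execute("INSERT INTO users_plain VALUES (?, ?)", (username, password))


def derive(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def add_hashed_user(conn, username, password, iterations=ITERATIONS):
    """Stores salt + iteration count + digest, never the password itself."""
    salt = os.urandom(SALT_BYTES)
    conn.execute(
        "INSERT INTO users_hashed VALUES (?, ?, ?, ?)",
        (username, salt, iterations, derive(password, salt, iterations)),
    )


def verify_hashed_user(conn, username, password):
    """Recomputes the digest with the stored salt and compares in constant time."""
    row = conn.execute(
        "SELECT salt, iterations, pw_hash FROM users_hashed WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        # Burn the same KDF cost so an unknown username is not cheaper to probe.
        derive(password, b"\x00" * SALT_BYTES, ITERATIONS)
        return False
    salt, iterations, stored = row
    return hmac.compare_digest(derive(password, salt, iterations), stored)


def dump_rows(conn, table):
    """What an attacker with read access to the table would see."""
    if table not in TABLES:
        raise ValueError(f"unknown table {table!r}")
    return conn.execute(f"SELECT * FROM {table}").fetchall()


def demo():
    conn = sqlite3.connect(":memory:")
    create_tables(conn)
    add_plaintext_user(conn, "alice", "correct horse")   # constructed sample user
    add_hashed_user(conn, "alice", "correct horse")
    return {
        "plaintext_leak": dump_rows(conn, "users_plain"),
        "hashed_leak": dump_rows(conn, "users_hashed"),
        "verify_ok": verify_hashed_user(conn, "alice", "correct horse"),
        "verify_wrong": verify_hashed_user(conn, "alice", "battery staple"),
        "verify_unknown": verify_hashed_user(conn, "bob", "correct horse"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Dumping users_plain hands over the working password for every account, which is exactly what makes the mandatory email column mentioned above so dangerous for reuse elsewhere; dumping users_hashed yields only salts and digests that must be brute-forced one account at a time at the full KDF cost.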

Re: A poor reflection on the industry

legally liable for any and all losses that are incurred by users as a result, plus damages

s/damages/fines/

The users' losses are the damages. Otherwise, you're quite right.


Re: A poor reflection on the industry

Publicising the change in the law should spur all but the most stupid into action.

Why? A data breach is already an offence; the bulk of the change is simply that the penalties COULD be much higher. TalkTalk reported the internal costs of their 2015 data breach as £35m, a figure that could have been easily estimated from previous research that puts this as only just above average in terms of cost per record lost. If instead of a "mere" 156k records, they'd lost 1m, then the costs would have been even higher, perhaps £150m. Both the actual figure and my example dwarf current and likely fines under GDPR.

So, if TalkTalk (and all the other careless UK hoarders of bulk data) aren't put off by the risk of their company being found guilty by the ICO, by the vast reputational damage, and by the prospect of recovery costs in the ballpark of £30m-£300m, why will these dinosaurs change?

My guess is that most would, and would have done so a long time ago if they knew how. But they don't.

Few if any directors understand IT. Few CIOs really understand the architecture and risk register of their IT estate in much detail. And the few overworked ITSec staff rarely have the luxury to see the full picture, simply because there's so much corporate code. Just from business change, corporate systems rapidly acquire Byzantine complexity; outsourcing and offshoring mean there's no historic knowledge, no local knowledge, no understanding of the fudges, bodges, and skeleton-filled cabinets. Documentation means nothing unless it is good documentation, you have people who can properly interpret it, and you can find the documentation after the contractors have departed to another gig. Now throw in a few managerial reorganisations, that always see the loss of senior staff who are complaining about ITSec risks.

I'd love to see IT security improve, but I don't expect much change for the reasons above.


Re: A poor reflection on the industry

@SVV

I can't be the only one who saw the comment title and thought...

"Need better Data Mirroring!"

Mine's the one with the compact. ---------->


Re: A poor reflection on the industry

"Why? A data breach is already an offence; the bulk of the change is simply that the penalties COULD be much higher."

Breaches themselves are not an offence, failing to secure adequately is. In the same way that crashing a car isn't a crime but dangerous driving is.

GDPR covers a lot more than the larger fines though. There's mandatory disclosure, so reputation damage is always a risk. Then there's the subject access and consent rules so people can take action to make sure that the data isn't there to be lost. And then there's collective action that means everyone will be able to collect damages, not just those that can afford lawyers.


All is lost

And yet Theresa May still wants encryption banned or discouraged despite local government needing it and not using it.


It's not surprising. Big Data means more data to be snaffled.

Anonymous Coward

I'm alright, I keep my data in a jar at the back of the kitchen cupboard next to the hob nobs.


You mean more detected loss?

Call me an asshole for playing the causality card here.

Did we lose more data or did we manage to detect more data loss?


Re: You mean more detected loss?

My dear Cheesy, sadly, from such data, it would appear that overall we all lost more manage.


Security Is Not Hopeless

When you listen to the breached companies lament, you would get the impression that cyber-security is impossible.

But consider for a moment that we do not have routine electronic looting of bank accounts, or of confidential files held by law firms for clients. Somehow *those* records can be kept secure.

Nobody designs their bank accounts so that a single password can abscond with the entire assets of a company, but apparently that is all it takes to steal all of the data held about consumers. But that's understandable, cash has real value that needs protecting.

