Oh FFS !!!!!
The staffer was one of 20 users with unfettered access to search, view and download data onto personal drives from SWAN
Well, that's 20 too many.
International health insurance business Bupa has been fined £175,000 after a staffer tried to sell more than half a million customers' personal information on the dark web. The miscreant was able to access Bupa's CRM system SWAN, which holds records on 1.5 million people, generate and send bulk data reports on 547,000 Bupa …
You almost always need an Admin account to find 'bad'/orphan etc data (unless you're a startup with no legacy data). Splitting the data (by region etc) just means you need more people acting as Admin. Is it better to trust one Admin or many...?
Depends on your threat model, I suppose. If you're complaining about the download capability - then I would just say - you can't stop people photographing the screen, so your procedures shouldn't be about preventing people querying data - they should be about *detecting* that access. Pretty unusual day at the office if half a million records get reviewed by a single human.
Of course. But that's not the same as an account which has the rights to download ALL records ONTO A ****ING storage device.
In addition, a little bit of sensible encryption would have meant that even the administrators couldn't make sense of the data.
Homomorphic encryption was designed for this.
@Anon, My point is that if you can see it, it's not encrypted, so you can't protect it at that point; where you download it to is irrelevant. Homomorphic encryption does not help if your Admin needs to examine the data, it's just intellectual masturbation in most cases.
@Mongrel
If you're responding to me, that was exactly my point, if you read my posts. People need to see the data to use it - however at this point downloading (that bit) is irrelevant. Controls should be monitoring that people are not accessing 1 million records a day.
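The two comments above make the same point: you cannot stop a user with legitimate query rights from seeing records, so the useful control is detecting when one account touches far more records than any real job needs. The following is an added example of that detection logic, not code from the article, the commenters, Bupa or the SWAN system. It runs over a constructed audit log in an assumed format (timestamp, user, action, record count) with assumed thresholds; real CRM audit logs and sensible limits will differ.

```python
"""Flag abnormal record-access volume in a CRM audit log.

Two detections, both from the assumed log format below:
  1. a single EXPORT/report that returns more rows than SINGLE_EXPORT_LIMIT
  2. a user whose total records touched in one day exceed DAILY_RECORD_LIMIT
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data): ISO timestamp, user id, action, rows touched.
# 'mallory' mirrors the shape of the incident in the article: two bulk reports
# in one afternoon adding up to 547,000 records.
SAMPLE_LOG = """\
2017-06-12T09:02:11Z alice VIEW 1
2017-06-12T09:05:40Z alice VIEW 1
2017-06-12T10:11:03Z bob VIEW 3
2017-06-12T11:30:00Z bob EXPORT 250
2017-06-12T14:45:12Z mallory EXPORT 300000
2017-06-12T15:10:09Z mallory EXPORT 247000
2017-06-13T08:00:00Z mallory VIEW 2
"""

DAILY_RECORD_LIMIT = 5000    # assumed: no human reviews more than this per day
SINGLE_EXPORT_LIMIT = 1000   # assumed: one report larger than this needs sign-off


def parse_line(line):
    """Parse one log line into a dict; day is kept as an ISO date string."""
    ts, user, action, count = line.split()
    day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
    return {"day": day, "user": user, "action": action, "count": int(count)}


def detect(log_text, daily_limit=DAILY_RECORD_LIMIT, export_limit=SINGLE_EXPORT_LIMIT):
    """Return a list of (rule, user, day, count) alerts for the given log text.

    Bulk-export alerts are emitted in log order as they are seen; daily-volume
    alerts follow, sorted by (day, user), once every line has been totalled.
    """
    totals = defaultdict(int)   # (day, user) -> records touched that day
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        totals[(ev["day"], ev["user"])] += ev["count"]
        if ev["action"] == "EXPORT" and ev["count"] > export_limit:
            alerts.append(("bulk_export", ev["user"], ev["day"], ev["count"]))
    for (day, user), n in sorted(totals.items()):
        if n > daily_limit:
            alerts.append(("daily_volume", user, day, n))
    return alerts


if __name__ == "__main__":
    for rule, user, day, count in detect(SAMPLE_LOG):
        print(f"{day} {user}: {rule} ({count} records)")
```

The per-export cap catches the single oversized report at the moment it runs; the daily total catches someone who splits the same haul into many smaller queries to stay under the cap. Alice and Bob, with ordinary volumes, generate nothing, which is what keeps the alert useful.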
Segregation of duty is missing.
(S)he should not have had access to removable media OR control of the function to manage access to removable media.
Neither should they have had the ability to move data to a system with external connectivity.
Am also guessing HR checks were weak or not completed correctly.
Well, GDPR has certainly put the cat among the infosec pigeons now! This gigantic, eye-watering fine will devastate the £12 Bn[1] annual turnover firm and cause a revolution in security throughout the country.
As a humble grunt toiling in the security trenches I for one can't wait for another 70 mins to pass so I can open a nice bottle of cask-conditioned real risk controls and get mitigating.
[1] H118 half-year report https://www.bupa.com/corporate/our-performance/financial-results
"Well, GDPR has certainly put the cat among the infosec pigeons now! This gigantic, eye-watering fine will devastate the £12 Bn[1] annual turnover firm and cause a revolution in security throughout the country."
Go back and read the article. Notice the bit that says "June last year". Compare that with the date GDPR became operative. Note that it's earlier so the old rules apply under which the maximum fine was £500,000. At 2% of annual turnover the maximum fine would have been nearly 500 times larger for a £12bn firm under GDPR.
Go back to the article again and notice the bit that says that they turned themselves in. That automatically exempts them from a maximum fine - if it didn't work that way there'd be no incentive for anyone to do that.
"Note that it's earlier so the old rules apply under which the maximum fine was £500,000. "
Note also that the actual fine is significantly less than the maximum allowed, with a further 20% discount for prompt payment. Even under GDPR, I doubt the fine would have been anywhere near the maximum capped limit. In fact, I doubt the fine if under GDPR rules would have been any higher than the one imposed.
When I used to work there I had an ODBC link to every customer record and full credit card details, though I would never have dreamt of selling it. It was necessary for the role I was doing; what I.T. should have done was create a front end for access per record. I did that myself in Excel/Access of all things and locked it down as best I could. So this doesn't surprise me.
I remember working there many years ago when they were trying to get off their green screen database technology and on to a new system. Hilariously when they did their Y2K compliance and were asked how far into the 21st century they wanted it to work, they replied "2010. No-one will be using this system in 2010".
They had been given from Friday lunchtime to Monday 0900 to do the migration. When I left the whole project was years late and the migration was taking 13 days.
We have a customer who has delayed a migration by two years since it started. Fairly certain it will never work now but they've given us a 12 hour window to get it done.
1st attempt has failed, 2nd isn't expected to go well and the 3rd... Well they've made their main person redundant so can't see it going anywhere!
System is running unsupported OSs and probably has CC data on it...
I always assumed it was the other way around. They go trawling around looking for data, then go to the company involved and say "look what we found, you should probably pay us some money to make sure this doesn't go any further".
Probably both I suppose. Get one company to pay you to go looking for data, and keep an eye out for other firms leaks while you're at it.
BUPA wrote to me last year, telling me about the leak. Aside from their loss of my data, I was surprised that BUPA still had any of my data, as it was nine years since I had terminated my policy with them.
I replied to BUPA, asking what exact data had been lost i.e. not the field names but which address, phone numbers, etc. They were unable to tell me and claimed to have asked their IT department to check but I never heard back from them.
Annoyingly, Equifax also lost/leaked my details last year as well.
It's fair enough that, when a company fails to take proper care of sensitive client data, they should be fined. But why don't the thieves who steal the data in the first place get some prison time? It seems to me rather like fining the homeowner who is burgled because a window was left open. I have little sympathy for hackers, scammers and thieves who make so many lives miserable.