Category Archives: Data Loss

Twenty percent of data loss originates from within, report claims

A study by KPMG has found that a fifth of data loss incidents which occurred this year were a result of internal activity, rather than third party interference, which shows a significant rise compared to statistics gathered in 2009.

Three years ago this type of data loss was accountable for four per cent of the global total, with a total of 23 million people from around the world being impacted by insider activities resulting in data loss, between 2007 and 2010.

KPMG UK’s Malcolm Marshall indicated that the economic downturn is thought to have played a part in the instigation of this rise in malicious behaviour. The value of data has not gone unnoticed, and so unscrupulous employees are more likely to try to profit from exploiting this fact, according to Mr Marshall.

An alternative cause is highlighted in the report, with KPMG pointing out that perhaps third parties are more likely to try and recruit insiders to their causes now, because the security measures levelled against them by businesses are making it more difficult for them to steal data externally.

The targeting of healthcare services is on the rise with over 25 per cent of data loss or security breach incidents attributed to this sector in the first half of the year, impacting on the lives of close to four million people.

Twenty per cent of incidents were recorded by governmental departments, within which close to 40 per cent occurred as a result of third party activity.

Although insider exploitation is a growing area of concern, hacking is by far the most significant threat to businesses and public sector organisations, with nearly 250 million people suffering as a result of a hack during the past three years.

Hacking can be carried out for a number of reasons, with terrorism, intellectual property theft and monetary benefits all listed in the KPMG report.

Mr Marshall believes that the threat will only continue to increase as the years pass, with cyber attacks becoming more common and national security put at risk regularly.

ICO issues fines months after new punitive powers were gained

The Information Commissioner’s Office (ICO) has for the first time taken advantage of new powers it was issued with earlier in the year, to level fines against private and public organisations which have been held responsible for data loss or theft.

In an announcement made this week, the ICO said that a £100,000 fine is being put at the feet of Hertfordshire County Council, in response to a pair of significant data losses and security breaches.

The events in question occurred in June this year with private data accidentally leaking out of the litigation unit dealing with childcare cases for the council. Two separate faxes containing incorrect details exposing data relating to unrelated individuals were issued to the wrong recipients, with the council notifying the ICO on both occasions.

The incidents occurred within two weeks of one another, with one fax going awry and ending up on a private citizen’s machine, after which the council attempted to cloak the details of the mistake from the media.

The second incorrectly sent fax with data of three local children, along with information about people who had been convicted of domestic violence, turned up in the office of a barrister who was not involved in the particular case.

The ICO concluded that a fine of £100,000 was an adequate penalty in the face of these data loss incidents, which were considered to be serious in nature and potentially harmful to the members of the public who were exposed as a result.

£60,000 in fines have also been charged to a private company called A4e, which lost the private data of 24,000 citizens when a laptop which lacked encryption was stolen from an employee of this employment services firm, in the summer of 2010.

A4e took steps at the time to inform the affected parties and also report the data loss to the ICO. The regulator concluded that the firm had not behaved responsibly in allowing the worker to use a laptop which lacked proper encryption, which might have protected the data after its theft.

Some experts welcome the news that the ICO has begun to throw its weight around, although others are concerned that this is still not enough of a deterrent, with one identifying that A4e has been made to pay under £3 per lost entry.

Notable rise of in-house data theft recorded

The percentage of employees who steal data from their employers has jumped upwards according to a survey in which respondents were asked whether or not they would consider the theft of secrets in the event of being dismissed from their positions.

Over 1000 people took part in a survey conducted in the UK by Imperva and it was discovered that 70 per cent of those questioned had already planned to steal from their employers if they lost their job.

Twenty-seven per cent said that they were planning to take intellectual property owned by their employers, while 17 per cent favoured the theft of customer details.

What is perhaps more worrying is that a majority of the respondents said that they had prepared in advance by storing the appropriated data on a personal device, in anticipation of potentially being put out of a job. Eighty-five per cent said that they had data on their home PCs which belonged to their employer, while 59 per cent said that they would plan to steal data in anticipation of a job change, not just a straightforward dismissal.

Imperva’s Amichai Shulman said that he does not believe the employees are acting maliciously but rather that, in their understanding, the termination of their employment entitles them to take ownership over any data which is in their possession.

Last year Cyber-Ark conducted a survey along the same lines as this and discovered that 48 per cent of those questioned would steal corporate data if they lost their job without warning and 39 per cent would take data they thought would be saleable to rivals, if they discovered that their position with their current employer was uncertain.

Cyber-Ark’s Mark Fullbrook responded after the publication of Imperva’s study and said that the protection of corporate data from employee exploitation is a difficult area because granting access to the data is necessary to ensure productivity and controlling privileges is difficult.

Mr Fullbrook also pointed to reductions in IT budgets as key in restricting a business’s ability to protect data.

Data protection deficit detected in UK corporate laptops

A study has found that a majority of laptops operated by corporations in the UK are not properly secured against data loss, theft or security breaches.

Security firm Check Point gathered data from 130 firms in the public and private sector and concluded that a total of 52 per cent of laptops remain unencrypted and ripe for exploitation by cybercriminals.

This figure is believed to be attributable to the fact that many organisations are pushing for widespread integration of personal devices, including employee laptops and smartphones, into corporate systems.

Fifty-five per cent of respondents said that personal devices were used by employees for work matters and 39 per cent asserted that, for the time being, there is no policy for adding to the security of these potentially hazardous additions.

Thirty-seven per cent of UK organisations have banned personal devices from being used for work, while 61 per cent have implemented restrictions on access from unapproved devices.

Check Point’s Nick Lowe explained that the findings of the survey are consistent with similar studies carried out over the preceding three years. This shows that encryption levels are stagnating and many firms are failing to recognise the potential for data loss or infection posed by the use of personal devices.

Mr Lowe implies that there is a discrepancy between the high profile examples of how a lack of encryption can be damaging and the number of businesses and public sector organisations who have actually taken heed of the warnings repeated over the years. He pointed to the data loss suffered by HMRC in 2007 as a case that should have inspired greater investment in encryption, but, as the figures show, has not.

Mr Lowe believes that many IT workers are concerned about the ongoing consumerisation of corporate systems which is progressing at a pace that leaves many exposed following an influx of unsecured personal smartphones and laptops. He thinks an increase in training as well as alterations to policy will allow businesses to tackle these issues and prevent data loss in the future.

Expert warns of data loss damage to SMBs

Small and medium-sized businesses (SMBs) are at the greatest risk of collapse following a serious incident of data loss caused by a disaster or security breach, according to tech expert Susan Campbell.

Campbell is concerned that many SMBs fail to grasp the potential severity of data loss when on-site systems are taken down and she cites figures which show that an alarming 70 per cent of developing businesses which are hit by such events are forced to close within 12 months, because they cannot cope with the financial strain and damage to their reputation.

The increasing reliance on digital storage solutions for all aspects of operation can leave businesses dangerously exposed, should a lynchpin service fail or a device become corrupted or go missing, according to Campbell.

She points out that while no one can be expected to predict when a natural disaster, loss or theft will impact a business, it is sensible and necessary to plan for such eventualities. By backing up data and having contingencies in place to account for disruption to in-house systems, it should be possible for small firms to remain operational, perhaps winning clients if there is widespread disruption impacting the competition.

Campbell describes such disaster planning as having the ability to resuscitate a business which has been hit by a catastrophic event, which renders standard data management systems inoperable. This type of investment is seen as critical by many experts, even as IT budgets are being squeezed within SMBs.

Among all these pieces of advice it is perhaps the 70 per cent failure rate of SMBs which suffer data loss that stands out the most. While it is not necessary to understand the systems which govern data within your business, it is easy to see that if you are inadequately prepared for unpredictable events, the impact upon your business can be terminal if you are a small operation.

Campbell acts as a contributing editor to online tech resource TMC Net and her assertions should be relevant for a number of UK businesses.

Council data loss tackled by ICO

The Information Commissioner’s Office has concluded that New Forest District Council was in breach of the terms of the Data Protection Act (DPA), when in 2008 it exposed the details of private citizens online.

The data leak occurred when the council made public details of an application for planning permission, while failing to omit information which could have been exploited. This led to a complaint from the implicated party.

The ICO said that while the council had initially made the mistake of distributing the data via the internet, it had reacted swiftly to rectify the situation and prevent any further access to the information.

Despite the appropriate response in this case, a member of the public kept tabs on the council’s activities over the following months and alleges that similar failings in data protection were easily observable.

The ICO said that it has carried out an investigation which was able to unearth private data as recently as July 2010. As part of its review of the council’s operation, it questioned a number of employees.

The ICO’s Sally-Anne Poole said that following on from the incident and its investigation, it is now confident that no further incidents of data loss similar to this will occur from within this particular organisation.

Poole explained that the council has implemented a number of new policies governing the way in which data is handled and the ICO is satisfied that this should help to stem further leaks.

Poole pointed out that the ICO did not expect public or private sector organisations to be completely watertight when it comes to data and adherence to regulations, but that it did want to see evidence that attempts were being made to work closely within regulations, so that the integrity of private details is retained.

Critics of the ICO have pointed out that it has once again failed to impose a monetary penalty as a result of this data leak, despite the fact that it can seek up to half a million pounds for a serious breach of the DPA.
