What High Profile Data Breaches Can Teach Us


Two high-profile data breaches have made the news over the last few days. These incidents raise some important issues that we should all take seriously.

The Electoral Commission say that their systems, alongside the details of more than forty million voters, have been compromised. According to the Guardian, the suspicion is that this attack originated in Russia. In addition, the first compromise may have been in 2021.

In contrast, the breach at the Police Service of Northern Ireland (PSNI) was self-inflicted. A spreadsheet containing the details of all serving officers was made public for about 3 hours. Ironically, this happened as part of responding properly to a freedom of information request. This is a clear warning to other public bodies about ensuring they don’t accidentally disclose data when responding to FOI requests.

The Electoral Commission incident certainly fits the general image of a blockbuster data breach: a malicious actor, long-term compromise of the systems and a huge amount of data available for download.

Assessing the Risks

What are the risks from the breach? Although millions of people have requested not to be on the open register, name and address data for most individuals is low risk. There are, however, people who register to vote anonymously, for example someone who has fled domestic violence.

The registered addresses of individuals may be found if this information becomes available. Although the probability of this occurring seems very low, the potential consequences to the located person could be catastrophic. Let's assume the chance of something happening is one in a hundred million. With 40 million records at risk, the odds of a person being affected are much too high for comfort.

The lesson here is that even with what appears to be relatively benign data, when there is enough at risk, the ‘it would never happen’ consequences must be taken seriously.

Breached for three hours

The PSNI incident, in contrast, had data at risk for three hours. It was a single spreadsheet, albeit with a lot of information in it. As an aside, after disclosing that the information included rank, grade and location as well as initial and surname, the Assistant Chief Constable was quoted as saying “It is limited to surname and initial only, so there’s no other personal identifiable information contained within the information that was published”, thereby showing a misunderstanding of the nature of personal data.

Many tensions remain in Northern Ireland despite the 25 years that have passed since the Good Friday Agreement. Dissident republican groups have said they have access to the data, it has been reported. According to the Belfast Telegraph, more than 600 members of the PSNI have come forward raising significant concerns based on the breach.

Learning the Lessons

Whether the information is in the hands of malicious actors or not, it is clear that simple confirmation of employment is enough for many to be concerned about their safety. Like the Electoral Commission incident, the potential consequences could be of the utmost seriousness. Additionally, large numbers of individuals may be affected.

If you are dealing with a breach, it’s essential that you think through all the possible impacts. There are few occasions where a group of names are on a list for no reason. In the PSNI case, it was because they were members of the service, but it might be a list of students who receive free school meals, staff who have had more than 5 days of sick leave or any number of other reasons. Without the context, a name is still just a name.
