In the second such instance of human error resulting in the breach of citizens' personal data within a month, the DCMS (Department for Digital, Culture, Media & Sport) recently leaked the email addresses of three hundred journalists in an email announcing the introduction of age filters on adult websites.
When drafting the email, a DCMS employee included the email addresses of 300 journalists in a way that each journalist's address was visible to all the others.
Apologising for the breach of email addresses of journalists, a DCMS Spokesperson said that the department takes data privacy extremely seriously and wishes to apologise to those affected.
“Unfortunately, despite rigorous technical and process controls, examples of human error such as this can mean the difference between a normal day and a data protection disaster. What we’re seeing from a lot of organisations is a situation where technical solutions and process management are in place to a certain degree, but the equally important employee awareness aspect is still yet to be adequately addressed,” said Adenike Cosgrove, cybersecurity strategist for EMEA at Proofpoint.
“Businesses must make end-users aware of what type of data is protected under the GDPR. In addition, organisations must work to change user data-handling behaviour; they must offer action-oriented scenarios that challenge users to think about how the regulation affects their day-to-day business activities.
“GDPR mandates that users handling personal data must be trained on how to handle it appropriately to protect the privacy and confidentiality of that information. Companies rolling out cyber security awareness and training programs should ensure that employees are trained not just on potential technical threats, but are also educated on how to handle sensitive information, particularly Personally Identifiable Information (PII),” Cosgrove added.
In another similar incident earlier this month, the Home Office leaked email addresses of hundreds of Windrush migrants when it sent a series of emails to migrants to advise them about a new compensation scheme.
Before sending the emails, the Home Office failed to mask the email addresses by placing them in the ‘bcc’ field, thereby leaving the addresses of hundreds of migrants visible to every other recipient. After the breach was discovered, Immigration Minister Caroline Nokes issued an apology for the “administrative error”, stating that an internal review had been launched to investigate the breach.
“Even though there are technologies available in the Cybersecurity market for masking or anonymising email addresses, this breach was mainly due to a poor, human-based decision,” said Jonathan Deveaux, Head of Enterprise Data Protection at comforte AG.
“More organisations need to enable data protection of personal or sensitive info to ‘automatically’ occur, upon creation of the data, so that ‘accidental insider’ events like this happen less often. The data-centric security model adheres to this and is starting to gain momentum with organisations who want to stay out of the news headlines and restore data privacy,” he added.
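As an added example that is not part of this article or of any organisation quoted in it, the Python check below illustrates the bcc mistake described in both incidents and the kind of automatic control Deveaux refers to: it flags an outgoing message that exposes many external addresses in To/Cc and moves them into Bcc. The internal domain, the threshold and the sample message are constructed assumptions.

```python
# Added example (not from the article): an outbound-mail check for the failure
# mode described above, where recipients are placed in To/Cc instead of Bcc.
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

MAX_VISIBLE_EXTERNAL = 5               # assumption: more than this is a bulk send
INTERNAL_DOMAINS = {"example.gov.uk"}  # hypothetical sending organisation


def visible_recipients(msg: Message) -> list[str]:
    """Addresses every recipient can see: everything in To and Cc."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr]


def is_mass_disclosure(msg: Message, limit: int = MAX_VISIBLE_EXTERNAL) -> bool:
    """True when more than `limit` external addresses are exposed in To/Cc."""
    external = [a for a in visible_recipients(msg)
                if a.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS]
    return len(external) > limit


def move_visible_to_bcc(msg: Message) -> Message:
    """Remediate: merge To/Cc into Bcc and leave only a group placeholder in To."""
    hidden = [a.lower() for _, a in getaddresses(msg.get_all("Bcc", [])) if a]
    hidden += [a for a in visible_recipients(msg) if a not in hidden]
    for header in ("To", "Cc", "Bcc"):
        del msg[header]
    msg["To"] = "Undisclosed recipients:;"
    msg["Bcc"] = ", ".join(hidden)
    return msg


# Constructed sample message: six external press contacts listed openly in To.
SAMPLE = """\
From: press.office@example.gov.uk
To: reporter1@news.example, reporter2@news.example, reporter3@news.example,
 reporter4@news.example, reporter5@news.example, reporter6@news.example
Cc: colleague@example.gov.uk
Subject: Age verification for adult websites (constructed sample)

Dear all,
"""

if __name__ == "__main__":
    msg = message_from_string(SAMPLE)
    if is_mass_disclosure(msg):
        print(f"blocked: {len(visible_recipients(msg))} visible recipients")
        msg = move_visible_to_bcc(msg)
    print(msg.as_string())
```

In a real deployment the same check would sit in a mail gateway or client add-in, where it can hold the message for the sender to confirm rather than silently rewriting it.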