Forget about the numbers, data breaches are about real people

Hi there,  

Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.  

This month:

• President Biden signs executive order preventing “countries of concern” from accessing Americans’ sensitive data, but critics suggest it has plenty of loopholes.
• The LockBit ransomware group has been captured.
• New NIST Cyber Security Framework dropped.

But first: when it comes to data breaches, the personal touch is best.

If you only read one thing:  

Data breaches are personal

In some ways the latest Notifiable Data Breaches report from the Office of the Australian Information Commissioner made for troubling, if unsurprising, reading. Some headline figures:

• There was a 19% increase in the number of data breaches compared with the previous reporting period (Jan ‘23 to Jun ‘23), with the health sector particularly impacted.
• 67% of data breaches were the result of malicious or criminal attacks.
• 44% of all breaches were due to cyber security incidents, such as ransomware, hacking and malware.  
• And 30% of all breaches were caused by human error. Of these, a third were due to sending PI to the wrong recipient.

These are not encouraging numbers, and it’s clear all industries have a long way to go to address their cybersecurity challenges.

The report points to the underlying issues behind the numbers, many of which are subjects we tend to cover a lot here: data over-retention, securing your supply chain, and legacy attacks, to pick a few.

️But elsewhere in the report, another statistic was a little more encouraging.

“Only 12% of Australians said there was nothing an entity could do that would influence them to stay after a data breach. This demonstrates the response matters – the individual should be front and center.”

Hear, hear.

More than just a number

In a document that aggregates data breaches involving millions of people, I loved that the OAIC took a moment to remind us that each of those data points represents a real person, with a life that was likely disrupted due to the breach in question.

Putting the individual at the center of a data breach is fantastic advice. Companies that do this will naturally make better decisions when handling customer data – reducing their supply chain risk, legacy application risk, all that fun stuff – and then do a better job of alerting customers early when something goes wrong.

Remember, the longer you take to notify your customers, the longer they are at risk. Rather than spooking them, an early notification can empower your customers to lower their risk of harm and secure their data.  

Of course, this advice may raise other questions. Do you even have a plan for a data breach, for example? If you don’t, I will point you to this interview I did with Josh Mason, our CTO, for advice on building one.

Customers trust you with their data, so when something goes wrong, you owe it to them to let them know so they can act.

Privacy & governance

President Biden’s recent executive order preventing “countries of concern” from accessing Americans’ sensitive data, would do little to disrupt the wider data broker market and leaves plenty of loopholes for motivated bad-actors, according to this analysis.

Speaking of ad-tech and data brokers, a “fun” story from Wired on how the Pentagon (and presumably every intelligence agency) is using ad-tech to find targets, including Vladimir Putin.

An examination of how the definition of “sensitive data” is expanding across US state privacy laws. If only there was a federal privacy law to reference for things like this!

A glitch in Wyze security cameras allowed thousands of users to see inside strangers’ homes,. The company said when cameras were brought back online following an Amazon Web Services outage, the wrong thumbnails showed up on their dashboard.

Security

A coordinated effort from 10 countries has brought down the criminal operation of the LockBit ransomware group, responsible for billions of Euros in damage, including arresting two people in Poland and Ukraine.

An update on news from last month: Microsoft has confirmed that Midnight Blizzard, the hacking group that breached its corporate email accounts via a legacy application, has been using data obtained from that hack to access its source code repositories and internal systems, though not customer-facing systems.

10 years following its introduction, The National Institute of Standards and Technology (NIST) has updated the widely used Cybersecurity Framework (CSF).  

A data leak from I-Soon, a Chinese cybersecurity firm, has revealed fascinating details as to the scope of China’s hacking program, from targets to which tools were in use.  

The phones of members of the European Union’s defense subcommittee show “traces of hacking.” Seems fine.  

The Australian privacy regulator is looking into the security of a Defence Department’s online database (soft paywall) after an Army veteran complained his details were accessed “to shut me up.”  

The latest from RecordPoint  

Read:  

The ultimate guide to data discovery.

A guide to understanding data lifecycle management.

And another guide, this one focused on mastering data maintenance.

Listen:

Are you subscribed to the FILED podcast? If you were, you would’ve already heard this fascinating interview with the great Randy Lindberg, CEO of Rivial Data Security, where he goes deep into the cybersecurity challenges and failings of the financial services industry.  

‍