Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.
- New research suggests half of organizations have had a data breach in the last two years.
- Tips for businesses who want to show customers they are committed to privacy.
- A hacker connected with the hackers who broke into Medibank thinks Australians are “the most stupidest humans alive”.
But first: is your data “stagnant”? Time to deal with it.
If you only read one thing
Stagnant data is a major hidden problem for organizations
Do you remember what you were doing in 2005? By any chance, did you make any major purchases? A stereo, a new lounge suite?
If you’re based in Australia, you may have done so with financing from GE Money. While the appliance or furniture you purchased has undoubtedly been replaced by now, your sensitive data may have remained in the company’s hands for a decade. At that point, GE Money was acquired by a consortium of investors who rebranded the company as Latitude Financial, enlisting Alec Baldwin to tell consumers they could do better. This new company then continued to hold onto the (already stagnant!) data until last month, when an attacker made off with it.
The Latitude Financial data breach is now Australia’s largest, with 14 million current and former customers affected. Based on the details the company has revealed to the ASX and the media, it’s hard not to visualize its data in sedimentary layers.
A new layer accreted with every acquisition and merger, with the older data lying in wait, growing more stagnant. The collection included:
- 7.9 million Australian and New Zealand driver license numbers.
  - Of which approximately 3.2 million, or 40%, were provided to the company in the last 10 years.
- A further approximately 6.1 million records—including some, but not all, of name, address, telephone, and date of birth—dating back to at least 2005 were also stolen.
  - Of which approximately 5.7 million, or 94%, were provided before 2013.
To put the age of some of this data in perspective, some of the highest-grossing films in 2005 were Star Wars Episode III: the Revenge of the Sith and Harry Potter and the Goblet of Fire; the highest charting songs included such classics as Hollaback Girl by Gwen Stefani.
The bottom line: companies should not be holding on to data until it is old enough to vote.
Undergoing a merger or an acquisition? The data comes along for the ride
When a company makes an acquisition or undergoes a merger, or a government department undergoes a Machinery of Government (MOG) change, too often the data is an afterthought. Disruption is the norm, and with staff turnover often accompanying these events, it’s possible the person who knew about the old data no longer works at the company. When the inevitable data breach occurs, a far greater number of individuals are affected, many of whom had no idea their data was even held by the organization breached.
Do you have any stagnant data you may have forgotten about? Data that no longer has a need to exist? Your data is stagnant if it isn’t linked to economic activity and is not required by law.
Now you have a good excuse to go digging and remove that stagnant data.
The inevitable generative AI tie-in
We’re trying to avoid making every newsletter about ChatGPT and its friends, but the technology continues to evolve.
There are two ways your organization may be impacted when it comes to stagnant data: by a data breach, and by a large language model harvesting the data. When someone using ChatGPT or a competitor makes a query that is related to your company or industry, this data may form part of the result.
Depending on the data harvested, this could also have the same effect as a data breach! But more likely, it will give the public an inaccurate picture of your organization, damage your brand, and lower your value.
As seemingly magical as these models are, they still obey the same law as any other computer program: garbage in, garbage out. If you want to take advantage of ChatGPT, you must address your stagnant data.
Take it from Alec Baldwin: you can do better.
🤫 Privacy and governance
Meta is bracing itself for the imminent final decision from Ireland's Data Protection Commission on the legality of its EU-U.S. transfers, which could put a stop to its EU-U.S. data flows and earn the company an EU General Data Protection Regulation fine.
TikTok now collects altitude data, meaning the app can tell what floor you are on, according to a US cybersecurity firm.
How small businesses can show customers they’re committed to privacy. Some great tips here for any business, big or small.
9 out of 10 mobile games ignore user privacy, surprising no one.
Most Australian renters think third-party rental application apps require too much data. Almost a third won’t apply for a property if it requires the use of such a platform. The exact kind of prudent, risk-averse people you would want as renters.
Two examples of the fallout that can come from not managing customer data correctly: Optus and Medibank have each been hit by a class-action lawsuit on behalf of customers and former customers impacted by their respective 2022 data breaches.
Speaking of Medibank, in a big feature, the ABC in Australia spoke to a hacker connected with the group suspected of hacking the health insurer. One choice quote: “Australians are the most stupidest (sic) humans alive and they have a lot of money for no reason.”
Half of organizations surveyed have suffered a data breach in the last two years, according to a report from Splunk and Enterprise Strategy Group.
T-Mobile suffered its second breach of the year, and ninth since 2018, though this time only 836 customers were impacted.
OpenAI also suffered its second breach of the year; this time, a bug made some users’ payment info visible to others.
Outsourcing group Capita says customer, staff and supplier data was accessed in an attack in March. The company is one of the UK government’s most important suppliers and runs services for the military, the NHS, the Cabinet Office, and... the National Cyber Security Centre.
📣 The latest from RecordPoint
Duplicate records are easy to create, tricky to identify, and can lead to many challenges for organizations, including the risk of data breaches, increased discovery delays and errors, and increased costs. Learn how a data inventory that encompasses all your data sources is the answer.
Organizations that rely on M365 for records management are missing data and leaving themselves open to regulatory and security risks. Luckily, there is a solution: finding a records management solution that works alongside M365 to deliver a better outcome for your organization. Learn more in our new resource.
Finally: let's end on a lighter note. Does compliance sometimes feel like a never-ending obstacle course? It doesn't have to be.