The plan is to bring in the GDPR after there is nothing left to be disclosed. Sounds like it's right on track :)
More data records were leaked or stolen by miscreants during the first half of 2017 (1.9 billion) than all of 2016 (1.37 billion). Digital security company Gemalto's Breach Level Index (PDF), published Wednesday, found that an average of 10.4 million records are exposed or swiped every day. During the first half of 2017 there …
Wednesday 20th September 2017 10:14 GMT steelpillow
More like data anybody noticed...
Be honest, this is a measure of security activity. The actual losses have been far vaster for donkeys' years but nobody ever wanted to know.
At last, infosec whistleblowing is no longer an automatic sacking offence (you do still need qualifications first, though)
Wednesday 20th September 2017 10:49 GMT alain williams
What do you mean by ''lost'' ?
I suspect that you mean ''laptop left on train'', or similar, ie misplaced - and possibly in the wrong hands.
This is very different from ''data accidentally deleted''. There is sometimes a requirement for data to be kept for certain periods. I observe that embarrassing data, especially when asked for by a subject access request, has a propensity to become ''lost - accidentally deleted''.
These two should be counted separately.
Could we please start calling the ''left on train'' incidents ''misplaced'', not ''lost''.
Wednesday 20th September 2017 10:55 GMT Nick L
Re: What do you mean by ''lost'' ?
It's worth reading the report, as it does explain a bit more... Accidental loss counts for 18% (166 incidents), with malicious outsiders being by far the biggest challenge (74%) but malicious insiders working their way up too at 8%, or 71 incidents...
That's just one of the data points in there. There's plenty more.
Take with a pinch of salt, but it is good evidence to change an organisation's mindset on security.
Wednesday 20th September 2017 10:51 GMT SVV
A poor reflection on the industry
An entrencheched culture of management who still see security as a cost without benefits, combined with a lack of thinking on the part of system designers and implementers has led to this sorry state of affairs,
How loudly and how often do you STILL need to shout "do not store identifiable user information in unencrypted plain text" before someone takes notice? I'm sick and tired of seeing company databases in the course of my work that have a User table with two columns (username, password) that do this. They often have a mandatory email address column too, enabling an attacker to have a good chance of getting into that user's accounts on other sites too. And the uninterested reaction from management every time I wearily point out what a bad idea this is is something I've come to expect. There are ways of organising a secure soltion via configuration and access control that make even an inside job more or less impossible.
We need to spread the idea that if you take the lazy approach you have no right to call yourself an "IT professional". And any company / government who stores user credentials this way should be made legally liable for any and all losses that are incurred by users as a result, plus damages. Publicising the change in the law should spur all but the most stupid into action.
Wednesday 20th September 2017 11:05 GMT Doctor Syntax
Wednesday 20th September 2017 11:29 GMT Anonymous Coward
Re: A poor reflection on the industry
Publicising the change in the law should spur all but the most stupid into action.
Why? It's already a data breach is already an offence, the bulk of the change is simply that the penalties COULD be much higher. TalkTalk reported the internal costs of their 2015 data breach as £35m a figure that could have been easily estimated from previous research that puts this as only just above average in terms of cost per record lost. If instead of a "mere" 156k records, they'd lost 1m, then the costs would have been even higher, perhaps £150m. Both actual and my example dwarf current and likely fines under GDPR.
So, if TalkTalk (and all the other careless UK hoarders of bulk data) aren't put off by the risk of their company being found guilty by the ICO, by the vast reputational damage, and by the prospect of recovery costs in the ballpark of £30m-£300m, why will these dinosaurs change?
My guess is that most would, and would have done so a long time ago if they knew how. But they don't.
Few if any directors understand IT. Few CIOs really understand the architecture and risk register of their IT estate in much detail. And the few overworked ITSec staff rarely have the luxury to see the full picture, simply because there's so much corporate code. Just from business change, corporate systems rapidly acquire Byzantine complexity; outsourcing and offshoring mean there's no historic knowledge, no local knowledge, no understanding of the fudges, bodges, and skeleton-filled cabinets. Documentation means nothing unless it is good documentation, you have people who can properly interpret it, and you can find the documentation after the contractors have departed to another gig. Now throw in a few mangagerial reorganisations, that always see the loss of senior staff who are complaining about ITSec risks.
I'd love to see IT security improve, but I don't expect much change for the reasons above.
Wednesday 20th September 2017 13:28 GMT Adam 52
Re: A poor reflection on the industry
"Why? It's already a data breach is already an offence, the bulk of the change is simply that the penalties COULD be much higher."
Breaches themselves are not an offence, failing to secure adequately is. In the same way that crashing a car isn't a crime but dangerous driving is.
GDPR covers a lot more than the larger fines though. There's mandatory disclosure, so reputation damage is always a risk. Then there's the subject access and consent rules so people can take action to make sure that the data isn't there to be lost. And then there's collective action that means everyone will be able to collect damages, not just those that can afford lawyers.
Wednesday 20th September 2017 11:42 GMT Cynical Observer
Wednesday 20th September 2017 14:06 GMT CheesyTheClown
Wednesday 20th September 2017 15:20 GMT CaitlinBestler
Security Is Not Hopeless
Whody en you listen to the breached companies lament you would get the impression that cyber-security is impossible.
But consider for a moment that we do not have routine electronics looting of bank accounts, or of confidential files have by law firms for clients. Somehow *those* records can be kept secure.
Nobody designs their bank accounts so that a single password can abscond with the entire assets of a company, but apparently that is all it takes to steal all of the data held about consumers. But that's understandable, cash has real value that needs protecting.