Akira ransomware gang says it stole passport scans from Lush in 110 GB data heist

The Akira ransomware gang is claiming responsibility for the "cybersecurity incident" at the British bath bomb merchant. Akira says it has stolen 110 GB of data from the UK-headquartered global cosmetics giant, which has more than 900 stores worldwide, allegedly including "a lot of personal documents" such as passport scans. …

  1. Doctor Syntax Silver badge

    You have to wonder just when it will dawn on HR types that personal data held for a moment longer than needed becomes toxic waste. Perhaps a mandatory fine of 1,000 GBEurollars per retained passport scan discovered on audit* and 10x that for each taken in a heist would have some effect. But probably not.

    * It's time for compulsory unannounced audits of organisations licensed** to hold personal data of more than, say 100 people.

    ** Yes, it's time for such licensing.

    1. Anonymous Coward
      Anonymous Coward

      Stop data storage by business

      Businesses should not store personal data at all. The data should be stored and guarded by a few highly secure organizations. More in a post below, Id/Passport verification service.

      1. Anonymous Coward
        Anonymous Coward

        > Businesses should not store personal data at all

        This would have a nice anonymity side-effect. Just imagine showing up in a business database purely as a unique non-reusable number associated ONLY with that particular business. Individuals could confirm/allow registration on a business-independent app when becoming a client. After that, the business can only access your personal details for a specific business operation, for example a delivery address.

      2. hoola Silver badge

        Re: Stop data storage by business

        Hmm, and have everything in one place ripe for picking.

        Nothing that is connected to any form of data cable is 100% secure.

        1. Anonymous Coward
          Anonymous Coward

          > one place ripe for picking

          Maybe 1 very secure place is better than 80% of guaranteed insecure ones. Also the 1 place could be 2-3 competing places, like Google, Amazon, and Microsoft.

    2. Michael Strorm Silver badge

      > You have to wonder just when it will dawn on HR types that personal data held for a moment longer than needed becomes toxic waste.

      When it publicly and very visibly becomes something that can have *real* risks and consequences for the company itself and, directly or indirectly, the careers and even liberty of those working in HR, that's when.

  2. tmTM

    Hoarding personal data like a flabby dragon sat on its treasure

    Maybe someone needs to walk into HR and stick the boot in, demand to know why they thought it was a good idea to store all this stuff?

    1. CountCadaver Silver badge

      Re: Hoarding personal data like a flabby dragon sat on its treasure

      Malcolm Tucker perhaps?

  3. that one in the corner Silver badge

    Passport scans

    > are routinely collected to verify identities during the course of the hiring process

    Collected? Not just "checked and that check signed off by HR"?

    Oh no, of course not, that might mean that HR actually has to take responsibility for doing their job and putting their name to it. Far less damaging[1] to demand and keep a scan.

    [1] to that HR hack, that is.

  4. Korev Silver badge
    Coat

    Did they use SOAP webservices at Lush?

  5. Joe-Thunks

    There we go again - Passport scans are routinely collected

    There should be a time limit on this. After somebody has been "verified", the scan should be deleted permanently. A fine of £10,000 for every scan retained if it is not deleted.

    All these companies siphon up data, keep it stored insecurely. Then they get to wash their hands of the problems they cause by having poor security.

    1. gryphon

      Re: There we go again - Passport scans are routinely collected

      Problem might be that the immigration service no doubt says that records must be kept for XYZ years to verify that proper employment checks were done when hiring.

      i.e. HR would have to prove that they were presented with what looked like authentic documents at the time rather than just have their word taken for it.

      Even then they could probably just print out the passport scans etc. and stick them in a handy filing cabinet with a reference rather than leaving them on a computer.

      They should certainly be deleting / shredding any that relate to past employees one would think since keeping those would surely breach Data Protection laws.

      1. CountCadaver Silver badge

        Re: There we go again - Passport scans are routinely collected

        Problem with filing cabinets is that they have security issues of their own: rogue staff can have a browse without any chance of detection, stuff gets misfiled, and more. Plus the physical storage space to hold that many records for that many staff isn't a small amount.

        1. David Hicklin Silver badge

          Re: There we go again - Passport scans are routinely collected

          > Problem with filing cabinets is that they have security issues of their own

          Easily solved by a basement, no stairs or lightbulbs, and a leopard

  6. Doctor Syntax Silver badge

    Translating Spokespeak

    "we have taken immediate steps to secure and screen all systems in order to contain the incident and limit the impact on our operations,"

    Translation: we've sent someone to the ironmongers for stable door bolts.

    "We take cybersecurity exceptionally seriously"

    Translation: we've just discovered cybersecurity has to be taken exceptionally seriously.

    Alternative translation: Cybersecurity is to be taken seriously but we made an exception.

    1. Anonymous Coward
      Anonymous Coward

      Re: Translating Spokespeak

      "We're all had meetings. We met with all the managers etc. We left out any IT engineer who'd actually have decent suggestions and instead we made shit up to lock everything down to make it more difficult to do any fucking work".

    2. hoola Silver badge

      Re: Translating Spokespeak

      But yet again someone is reacting to a loss. It is already too late.

      That is the issue. This will have been another "sophisticated" attack that somehow justifies the loss and makes it acceptable.

      No data loss is acceptable and the penalties for the losses take too long and are insignificant.

  7. Plest Silver badge
    Facepalm

    STOP SCRAPING AND KEEPING!

    Tell me, in the name of all that's holy and blessed, why the fricking hell a shop that sells fricking soap needs to be storing customers' passport scans?! Employees in the HR DB, fair enough, but customers?! I hope they had a damn good reason, else GDPR will be ragging their arses once the hackers have finished having their fun.

    1. Doctor Syntax Silver badge

      Re: STOP SCRAPING AND KEEPING!

      You tell us why you think this isn't just HR and employees.

    2. werdsmith Silver badge

      Re: STOP SCRAPING AND KEEPING!

      Did you read the article ?

  8. Spanners
    Terminator

    I'm sure

    Long ago, I was told that it was against the law for employers to scan things like passports and driving licences.

    As it was twentysomething years ago, is it possible that the current government changed the rules?

    Or am I mis-remembering?

    1. Paul Crawford Silver badge

      Re: I'm sure

      You seem to forget that the recent UK government has out-sourced immigration to employers, so they have to collect stupid amounts of data to avoid being liable for employing someone who is not allowed to work.

      The same bunch of useless fsckers who were not satisfied with Windrush, so brought us Brexit, and all the extra load of that...

  9. Anonymous Coward
    Anonymous Coward

    Id/Passport verification service

    It is wiser to create a gov-funded ID/passport verification service shared with businesses. A business representative would type/scan a physical ID into a gov-portal, and get shown the person's photo, and some kind of confirmation. The alternative is hopeless, because the majority of businesses are not sophisticated enough to keep personal details secure in their own systems. And will never be. So they should not be allowed to, except a few key identifiers, which could be as simple as an email address.

    Each ID verification access should be logged, and all businesses must register with the service to keep operations. So some bad guys could not bulk-verify personal information, as some kind of quotas and throttling should be set up for each business with appropriate handling fees, depending on operation scale. Also, data owners (actual persons) could get an SMS/email alert on each ID verification.

    Ideally such verification should be for the whole EU, and other large blocks who trust each other. Keeping/saving detailed personal data by businesses should be forbidden, unless a person comes from a non-block country, unable to verify otherwise.

    Since access logs would be saved for each business, this could help verify persons even if their ID got changed or temporarily lost.

    1. Anonymous Coward
      Anonymous Coward

      Already now physical IDs have limited utility

      Digital should be the primary identification, while the cards could be useful in rare offline situations, and primarily as digital keys to enable the suggested verification.

    2. hoola Silver badge

      Re: Id/Passport verification service

      There already is one, Easy-ID (Yoti).

    3. JT_3K

      Re: Id/Passport verification service

      Here I am, contemplating the duality of having the best security experts money can buy (as suggested above in getting a "Google", an "Oracle" or a "Microsoft" to tender to do so) running a secondary verification/storage facility for high-PII like passports and driving licenses, against the pain/risk of a sole bucket of such a quantity posing a juicy target for the greatest and deepest-resource-pocket-government-backed hack groups to go after.

      You've solved the hell out of it. It doesn't need to be 2nd party. The government can, for a ****small**** fee perhaps, store that you registered an interest in an individual and verified documents as presented to you, as well as returning a single photograph (? from passport/driving license to allow you to confirm you were not just given a passport number for "16yo Sarah from Birmingham" that belonged to 86yo Sandra from Aberdeen and that the NI matches the passport), a date at which checked and non-identifiable GUID for your transaction? They have the data and maintenance of a table to confirm you have provided a correct passport ID and legally identifiable name as well as having proven you have legitimate interest for such a function through registered-company information would work?
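The verification service sketched in the "Id/Passport verification service" post and refined in the reply above (per-business logging, quotas and throttling, an alert to the data subject, a photo returned for the check, a dated transaction GUID, and the earlier idea of a per-business non-reusable identifier) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the original thread, from Lush, or from any real scheme such as Yoti; the service secret, the quota policy, the citizen register and the field names are all assumptions, and the register is constructed sample data:

```python
import hashlib
import hmac
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumption: a per-deployment secret held only by the service. Nobody else
# can recompute the pairwise IDs below without it.
SERVICE_SECRET = b"assumed-service-key-change-me"

# Constructed sample register (passport number -> citizen record). "photo" is
# a stand-in for an image shown to the checker but never kept by the business.
CITIZENS = {
    "P123456789": {"name": "Sandra Example", "photo": "photo-token-sandra",
                   "contact": "sandra@example.invalid"},
    "P987654321": {"name": "Sarah Example", "photo": "photo-token-sarah",
                   "contact": "sarah@example.invalid"},
}


class UnknownBusiness(Exception):
    pass


class QuotaExceeded(Exception):
    pass


@dataclass
class Business:
    business_id: str
    daily_quota: int      # throttle per registered business (assumed policy)
    used_today: int = 0


@dataclass
class VerificationService:
    businesses: dict = field(default_factory=dict)
    access_log: list = field(default_factory=list)   # one entry per lookup
    alerts: list = field(default_factory=list)       # (contact, message)

    def register_business(self, business_id: str, daily_quota: int) -> None:
        self.businesses[business_id] = Business(business_id, daily_quota)

    def pairwise_id(self, passport_no: str, business_id: str) -> str:
        # Same person at the same business -> same ID; any other business gets
        # an unlinkable one, so leaked business records cannot be joined up.
        msg = f"{passport_no}|{business_id}".encode()
        return hmac.new(SERVICE_SECRET, msg, hashlib.sha256).hexdigest()[:32]

    def verify(self, business_id: str, passport_no: str, claimed_name: str) -> dict:
        biz = self.businesses.get(business_id)
        if biz is None:
            raise UnknownBusiness(business_id)
        # Charge the quota before looking anything up: failed guesses cost the
        # same as real checks, so a business cannot enumerate passport numbers.
        if biz.used_today >= biz.daily_quota:
            raise QuotaExceeded(business_id)
        biz.used_today += 1

        txn = str(uuid.uuid4())
        checked_at = datetime.now(timezone.utc).isoformat()
        person = CITIZENS.get(passport_no)
        matched = (person is not None
                   and person["name"].casefold() == claimed_name.casefold())

        # The service keeps the full audit trail; the business never sees it.
        self.access_log.append({"txn": txn, "business": business_id,
                                "passport": passport_no, "matched": matched,
                                "at": checked_at})
        if person is not None:
            self.alerts.append((person["contact"],
                                f"ID check by {business_id}, transaction {txn}"))
        if not matched:
            return {"verified": False, "transaction_id": txn, "checked_at": checked_at}
        return {"verified": True, "transaction_id": txn, "checked_at": checked_at,
                "subject_id": self.pairwise_id(passport_no, business_id),
                "photo": person["photo"]}


def business_receipt(result: dict) -> dict:
    """What the business is allowed to retain: proof that a check happened on a
    given date, and an ID meaningful only within this business relationship."""
    keep = ("verified", "transaction_id", "checked_at", "subject_id")
    return {k: result[k] for k in keep if k in result}


if __name__ == "__main__":
    svc = VerificationService()
    svc.register_business("example-hr", daily_quota=100)
    result = svc.verify("example-hr", "P123456789", "Sandra Example")
    print(business_receipt(result))
```

The point of `business_receipt` is that a 110 GB dump of such records would contain transaction GUIDs and per-business pseudonyms rather than passport scans; the scan itself is only ever held by the service. Real deployments would still need to decide how long the service keeps its own access log and how the data subject's alert channel is itself verified, neither of which the thread settles.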

  10. Anonymous Coward
    Anonymous Coward

    ISTR

    Lush have history with cyberattacks, didn't they get breached and lose a load of unencrypted customer credit/debit card details a while ago?

  11. Anonymous Coward
    Anonymous Coward

    HR

    Are totally useless at every company I've been at. They are there to protect the company, not the employees, but they can't even do that. I can't comment on what I've seen them do, the idiots, as it would be obvious then who I am (it was recent), but they are idiots. Not checking who's left themselves signed into a printer, for starters.

    1. Gene Cash Silver badge

      Re: HR

      OK, I'm new here and I don't understand all this computer mumbojumbo.

      How do you sign into a printer?

      1. Munehaus

        Re: HR

        Depends on the audit and print release system installed. Google Papercut as an example.

  12. Paul 87

    It's amazing how many companies are diligently taking cybersecurity very seriously immediately after an attack.

  13. Anonymous Coward
    Anonymous Coward

    I'm as human as the next girl

    I like bath bombs and body spray

    But I don't need your PR lines

    Your crap data security

    1. ravenviz Silver badge

      Re: I'm as human as the next girl

      Lush secrets laid bare,

      Bath bombs in a data stream,

      Privacy dissolved.

      - ChatGPT

      1. Anonymous Coward
        Anonymous Coward

        Re: I'm as human as the next girl

        Nice (albeit somewhat more "Burma Shave" than "Lush"!), but I should be clear that what I was aiming at with my original attempt wasn't anything in the direction of a haiku!

  14. ravenviz Silver badge

    Personal data retention should be turned on its head and decentralised, instead stored in a local user wallet, accessible to organisations via secure API. Centralised records are not only duplicated endlessly, but also more likely to be targeted by attackers. Local records would require a monumental effort to retrieve at any sort of scale.
