Give it time
"Results of the investigation, which is still ongoing, indicate that the stolen data hasn't been misused at present"
Give it time; the incident was only detected on May 21.
The BBC has emailed more than 25,000 current and former employees on one of its pension schemes after an unauthorized party broke into a database and stole their personal data. Names, national insurance numbers, dates of birth, sexes, and home addresses were included in the data that was exposed via a cloud database used by …
Agreed.
Remind me why this kind of data moved to the cloud - and how such a decision sits with the inevitable 'We take the security of client data seriously' statement that some middle-tier wonk will be obliged to make. I can't for a moment imagine the choice was made on cost grounds! </sarcasm>
A local database on gear not connected to the Internet is OK. You don't need paper.
The problem is the so-called "Cloud" service. Simply someone else's server, where you don't know what security, privacy or backups they really do.
Ultimately those third party providers want to make a profit. It's only worth it for public facing stuff for small companies. No-one/nothing else should use it. https://www.corvidspress.com/fiction/otherworld-series/no-silver-lining/
Any breach of this type should require the company that owns the data to pay for lifetime monitoring / resolution services. If somebody is involved in identity fraud going forward, the company should be fixing it, not the victim.
The data is now out there for life, and it'll be duplicated, shared and sold to anybody and everybody on the dark web for the foreseeable future. This is now a lifetime of risk for the victims, not just 2 years - it shouldn't be up to the victims to deal with this going forward.
Maybe when the cost of a breach outweighs the savings in lax security practices these companies will take our data security a bit more seriously.
At this point I know businesses, not the BBC, have leaked my identity and important information multiple times. Are Experian and similar services actually worth anything? I don't know what the real costs of clearing up an attempted or successful identity theft are. I don't know what hoops you have to go through to actually claim real damages from Experian or other monitoring companies.
The US government has a pretty detailed guide on what to do in the case of identity theft, and I doubt any of the monitoring companies are going to help you much with the actual work of recovering from the fraud.
https://www.justice.gov/usao-wdmi/file/764151/dl
"...doubt any of the monitoring companies are going to help you much with the actual work of recovering from the fraud."
Quite so.
And I think at this point it's probably as well to assume that unless you've lived in a cave with no electricity for the past 20 years your data will by now have been compromised and sold several times.
Until there are harsher penalties for having a data breach this will continue. Already it seems to be commonplace and accepted.
That is not acceptable.
The "2 years of Experian" should be extended to "lifetime", and a payment to the individual concerned should also be arranged depending on the nature of the data and the incompetence shown.
The ICO should be doing stuff, but currently it seems completely toothless, just like every other compliance body in this country (i.e. Ofwat - the sewage/water company issues.... don't drink tap water).
If the company cannot afford the insurance for that, then it should not be storing your data.
If it is not confident it can protect your data then it should not have your data.
GDPR is basically a total failure.
It is that simple.