US spy satellite agency breached, but insists no classified secrets spilled A computer intrusion hit the US spy satellite agency, but officials insist no classified secrets were lost - just some unclassified ones, apparently. The National Reconnaissance Office (NRO) confirmed to The Register that attackers gained limited access to its networks, but no classified data was exposed. It would not answer …
Tea is absolutely at fault - would they operate in the EU they would totally be afoul of the GDPR. What a bunch of idiots.
I'm not making up excuses for the absolute scum bags that released the information, but that information should not have been stored.
Do people even think? At least in my work place we do. And work hard to have only minimal data, because we don't want to deal with this kind of carp. And don't want to do the necessary work to be allowed to store this kind of data, let's be honest, correctly implementing all of the requirements is a hassle. Don't store data, if you have to store data, minimise it and protect the hell out of it. I'm currently doing a security audit for the internal services I'm responsible for and I'm glad to skip the really tough tasks.
That's all well and good until you hit some Marketing droid who insists you need to capture as much as possible for client profiling, and when you mention GDPR they'll tell you that's "legitimate use" (I'm not kidding, I'm about to shop a major organisation to the authorities for trying exactly that).
The best action if you're tasked with this is to ask for confirmation that they want to do this despite your observation, and save that email as a PDF (because email can always 'disappear'). That way, when the inevitable happens the blame gets to the right people, or at least not to you.
That's very definitely a thing. My work place is under closer scrutiny (because of the data we do have to handle - well, other departments) so company policy and culture is trying to follow all those pesky rules. That's why my little internal services do have to go through the security assessment and documentation and jump all the hoops....
Kudos to you for bringing things like this to attention! Too few would do that.
I've heard it often in IT that 'they run the systems that earn the money', to which my answer is that Compliance ensures they can then hang on to it instead of throwing it back out again in fines, fraud and compensation.
Getting GDPR wrong can get rather expensive.
.. as "The Firm" which was responsible for other crimes.
I definitely need more coffee.
:)
