| UK History: |
| Three Mobile 2016: all customer accounts stolen by guessing a simplistic employee password. |
| Tesco 2016: 40,000 accounts attacked, money stolen from 20,000 accounts. |
| Sage 2016: 280 customer data stolen with thousands of staff details lost - inside login stolen. |
| Kiddicare 2016: 800,000 customer details leaked - inside testing failure. |
| TalkTalk 2015: three leaks in one year resulting in 157,000 accounts stolen from lost laptop. |
| MoonPig 2015: 3 million accounts stolen using Andriod application flaw. |
| Think W3 2014: 1 million credit card details stolen - SQL injection. |
| Mumsnet 2014: 1.5 million accounts stolen - heartbleed SSL encryption flaw. |
| Staffs Uni 2014: 125,00 student records lost - laptop stolen. |
| Morrisons 2014: 100,000 staff records stolen - inside theft. |
| Sony 2014: 77 million accounts and credit cards stolen three times - poor security. |
| Brighton Hospital 2010: 232 hard drives sold on ebay containing patient data. |
| HMRC 2007: 25 million child details lost on CD in the post. |
| Nationwide 2006: 11million customer details lost - stolen laptop. |
| Learn From Others: |
| 1. Laptop theft is the top cause of a data breach - business data must NEVER be stored on any computer or attached to an email - 100% avoidable with cloud based services. Recycled business computers containing real customer data is a totally unacceptable company policy. |
| 2. Staff theft is a major cause - staff must NEVER have access to business data that is not fully encrypted when stored and when being communicated - 100% avoidable with simple encrytion. |
| 3. SQL Injection is a basic security error caused by cheap programming without inspection or testing - 100% caused by a bad company with inadequate development procedures. |
| 4. Inside testing error with real customer data - 100% caused by a company with inadequate testing procedures that should never have access to real data. |
| 5. Every email server is eventually cracked by criminals who steal many years worth of valuable business information, including Intellectual Property. Most email servers are not encrypted and are no longer fit-for-purpose. What was good enough is no longer good enough. |
| Data Breach Framework: |
| 1. Every company has a legal obligation to document its data breach procedures and periodically verify that those procedures are effective. |
| 2. Step 1 is where are the data assets - PII hidden in emails and desktop documents can be hard to uncover? |
| 3. What security audits have been deployed to detect data breaches? |
| 4. What is the data breach reporting procedure: stackholders, customers, regulators, staff and the public? |
| 5. Has the reportable data breach procedures been verified to be complete and correct? |
| 6. What can be done to contain the data breach - what needs to be powered down? |
| 7. What tools can be used to discover the root cause? |
| 8. Regular reportable data breach notifications to include:- |
| (1) Number of people involved. |
| (2) Type of data concerned. |
| (3) Data Protection Officer is responsible and the single point of contact. |
| (4) Describe the potential consequenced for the people involved. |
| (5) Measures taken to mitigate the consequences. |
| 9. Eradicate and recover from the incident. Reinstall and recover all affected data, systems and equipment. |
| 10. Analysis and planning of preventable measures and leassons learnt. |
| 11. Disclose the attack characteristics to the industry peer group so others can install counter measures. |
| Data Breach Procedure: |
| 1. As a policy, everything that is needed to eliminate a reportable data breach must be deployed. |
| 2. 100% of business data is encrypted. No business data is stored. Encrypted data is replicated to a large number of secure data centers. |
| 3. No Personally Identifiable Information (PII) can be leaked, stolen or lost. |
| 4. Stakeholders will never need to be notified of a reportable data breach. |
| 5. Customers will never need to be concerned that their PII has been leaked. |
| 6. The Data Protection Officer continually demands improvements to ensure that a reportable data breach cannot happen. |
| 7. Every sign-in procedure is monitored in real-time to ensure that criminals are stopped and blacklisted. |