Last month, Life at Parliament View was fined £80,000 by the ICO (Information Commissioner’s Office) after security errors exposed 18,610 customers’ personal data for almost two years.
The incident occurred when the London-based estate agency transferred personal data from its server to a partner organisation but failed to implement access controls.
This meant that tenants’ and landlords’ bank statements, salary details, passport information, dates of birth and addresses were publicly available online between March 2015 and February 2017, when Life at Parliament View learned of the breach.
During its investigation, the ICO discovered a number of security practices that contravened the DPA (Data Protection Act) 1998. Had the incident occurred after the GDPR (General Data Protection Regulation) took effect on 25 May 2018, Life at Parliament View could have faced a much higher penalty: the DPA 1998 capped monetary penalties at £500,000, whereas the GDPR allows fines of up to €20 million or 4% of annual global turnover, whichever is higher.
Unfortunately, many organisations are vulnerable to the same mistakes. So how can you be sure that your systems and processes are secure?
The breach at Life at Parliament View can largely be attributed to the company’s failure to turn off ‘Anonymous Authentication’ on the server it used for the transfer once the file transfer was complete. This caused two major security issues.
First, the information was no longer subject to any kind of access control, meaning anyone who found the database was free to view or copy the information it contained.
That’s bad enough, but it also meant that everyone who accessed the database did so under the same anonymous identity, so there was no audit trail tying any action to a named person. Life at Parliament View had no way of knowing whether the people opening or amending the database were employees doing their job or whether the information had been compromised by an unauthorised person – be it another employee or a criminal hacker.
There were other security mistakes that exacerbated the issue, such as a lack of encryption and insufficient staff awareness training to help employees spot security lapses, but the root cause was the lack of access controls to ensure that only authorised employees could reach the sensitive information in question.
What are access controls?
Put simply, access controls are measures that restrict who can view or modify data. They consist of two elements, applied in order:
- Authentication: the process of verifying the identity of a user (for example, by checking a password, a hardware token or a certificate) before any request is considered.
- Authorisation: the decision as to whether an authenticated identity is permitted to perform a particular action (read, update, delete) on a particular piece of data. Authorisation is meaningless without authentication: if everyone arrives as ‘anonymous’, there is no identity on which to base the decision.
To be effective, access control requires the enforcement of robust policies. This can be difficult when most organisations operate in hybrid environments where data is mobile and moves between on-premises servers, the Cloud, external offices and beyond, and the same policy must be applied consistently wherever the data happens to reside.
Organisations must determine the most appropriate access control model to adopt based on the type and sensitivity of the data they’re processing. They have several options:
- Discretionary access control (DAC): the owner of a file or program decides which other users may access it and with what permissions. This is the model behind ordinary file-system permissions and ACLs; it is flexible, but a single careless owner (or a compromised account) can expose data to everyone.
- Mandatory access control (MAC): the administrator defines classification labels and the access policy centrally, and users cannot override it. This is the model that enforces a strict ‘need-to-know’ approach.
- Role-based access control (RBAC): access is granted to roles rather than to individuals, and users receive only the roles their job requires. It applies principles such as ‘least privilege’ and ‘separation of duties’, so a user can access only the information needed for their role.
- Attribute-based access control (ABAC): decisions are evaluated at request time from attributes of the subject (department, clearance), the resource (classification, owning branch), the action, and the environment (time of day, network location). This provides dynamic, fine-grained access control but is also the most complex to operate.
Whichever model you adopt, it’s important to grant each user the minimum access they need and nothing more, as this limits the opportunities for a criminal hacker (or a careless insider) to reach your information.
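To make the two elements of access control and the RBAC/ABAC models concrete, here is an added example of a minimal reference monitor. It is not code from the original article or from Life at Parliament View; every user, password, role, record and attribute in it is constructed for illustration. It authenticates first, then evaluates the request against an RBAC policy and an ABAC policy, and records every decision against a named principal, which is exactly the audit trail that anonymous access destroys.

```python
"""Added example (not from the original article or from Life at Parliament
View): a minimal reference monitor that keeps authentication and authorisation
as separate steps and evaluates each request under both RBAC and ABAC.
All users, passwords, roles, records and attributes are constructed."""

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, time

# ---- Authentication: establish WHO is asking ---------------------------------
# Constructed credential store: PBKDF2-HMAC-SHA256 with a random per-user salt.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_CREDENTIALS = {}
for _name, _pw in (("alice", "correct horse battery staple"), ("bob", "Tr0ub4dor&3")):
    _salt = secrets.token_bytes(16)
    _CREDENTIALS[_name] = (_salt, _hash_password(_pw, _salt))
_DUMMY_SALT = secrets.token_bytes(16)


def authenticate(username: str, password: str):
    """Return the verified username, or None. There is deliberately no
    anonymous principal: an unauthenticated caller never reaches authorisation."""
    entry = _CREDENTIALS.get(username)
    if entry is None:
        _hash_password(password, _DUMMY_SALT)  # same cost for unknown users
        return None
    salt, expected = entry
    if hmac.compare_digest(expected, _hash_password(password, salt)):
        return username
    return None


# ---- Authorisation: may THIS identity perform THIS action on THAT record? ----
@dataclass(frozen=True)
class Record:
    kind: str         # e.g. "tenant_record" or "bank_statement"
    branch: str       # office that owns the record
    sensitivity: str  # "normal" or "high"


# RBAC: a role is granted only the (action, record kind) pairs its job needs.
ROLES = {"alice": {"lettings_agent"}, "bob": {"accounts"}}
RBAC_POLICY = {
    "lettings_agent": {("read", "tenant_record"), ("update", "tenant_record")},
    "accounts": {("read", "bank_statement")},
}


def rbac_allows(user: str, action: str, record: Record) -> bool:
    return any((action, record.kind) in RBAC_POLICY.get(role, set())
               for role in ROLES.get(user, set()))


# ABAC: subject, resource and environment attributes combine at decision time.
USER_ATTRS = {
    "alice": {"branch": "westminster", "clearance": "high"},
    "bob": {"branch": "westminster", "clearance": "normal"},
}


def abac_allows(user: str, record: Record, now: datetime) -> bool:
    attrs = USER_ATTRS.get(user)
    if attrs is None:
        return False
    same_branch = attrs["branch"] == record.branch
    cleared = record.sensitivity != "high" or attrs["clearance"] == "high"
    office_hours = time(8, 0) <= now.time() <= time(19, 0)
    return same_branch and cleared and office_hours


AUDIT_LOG = []  # (when, who, action, record kind, outcome); never "anonymous" by default


def access(username: str, password: str, action: str, record: Record, now: datetime) -> bool:
    """Authenticate, then authorise under RBAC and ABAC; log the attributed outcome."""
    user = authenticate(username, password)
    if user is None:
        AUDIT_LOG.append((now, username or "<anonymous>", action, record.kind,
                          "denied: unauthenticated"))
        return False
    if not rbac_allows(user, action, record):
        reason = "denied: role lacks permission"
    elif not abac_allows(user, record, now):
        reason = "denied: attribute policy"
    else:
        reason = "allowed"
    AUDIT_LOG.append((now, user, action, record.kind, reason))
    return reason == "allowed"


# Constructed sample data for trying the monitor out.
TENANT_FILE = Record("tenant_record", "westminster", "high")
REMOTE_FILE = Record("tenant_record", "camden", "normal")
STATEMENT = Record("bank_statement", "westminster", "high")
DAYTIME = datetime(2024, 3, 4, 10, 30)
NIGHT = datetime(2024, 3, 4, 23, 0)

if __name__ == "__main__":
    access("alice", "correct horse battery staple", "read", TENANT_FILE, DAYTIME)
    access("", "", "read", TENANT_FILE, DAYTIME)
    for entry in AUDIT_LOG:
        print(entry)
```

Two design points are worth noting. The RBAC check gates on the role’s permitted actions and the ABAC check then narrows by branch, clearance and time of day, so a request must pass both: that is how least privilege is layered in practice. And because `authenticate` never returns a shared anonymous identity, every line in `AUDIT_LOG` names a real principal or explicitly records that authentication failed.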
Access controls and Cyber Essentials
Organisations that want to understand how to implement access controls should look at Cyber Essentials, a UK government-backed assurance scheme administered by the NCSC (National Cyber Security Centre) that complements the NCSC’s “10 Steps to Cyber Security” guidance.
Cyber Essentials has two objectives:
- To set out five basic cyber security controls that can protect organisations from common cyber attacks.
- To provide a simple and affordable certification process for organisations to demonstrate that they have implemented essential cyber security measures.