The BBC reports that the personal details of 458 customers of holiday company Thomson were shared in an email sent on 15 August in a “data protection breach”. Holidaymakers’ details included names, addresses, email addresses, telephone numbers and flight details.
Thomson said:
We are aware of an email that was sent in error, which shared a small number of customers’ information.
The error was identified very quickly and the email was recalled, which was successful in a significant number of cases.
We would like to apologise to our customers involved and reassure them that we take data security very seriously.
We are urgently investigating the matter to ensure this situation will not be repeated.
Data Protection Act compliance
The Information Commissioner’s Office (ICO) can issue fines of up to £500,000 for breaches of the Data Protection Act 1998 (DPA).
Principle 7 of the DPA states that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data,” but, as the ICO itself notes, ‘There is no “one size fits all” solution to information security. The security measures that are appropriate for an organisation will depend on its circumstances, so you should adopt a risk-based approach to deciding what level of security you need.’
An information security management system (ISMS), as set out in the international standard ISO 27001, provides such a risk-based approach to information security. Implementing an ISMS enables organisations of all sizes, sectors and locations to mitigate the risks they face with appropriate controls. An ISMS addresses people, processes and technology, providing an enterprise-wide approach to mitigate information security risks with appropriate controls, thereby limiting the inadvertent threats posed by untrained staff, inadequate procedures and out-of-date software solutions.
Addressing insider threats
An ISO 27001-compliant ISMS requires staff to be adequately trained, their access rights to be suitably controlled, and a best-practice approach to information security to be adopted throughout the organisation.
If you’re concerned about your organisation’s susceptibility to insider security threats, you need to ensure that everyone in the organisation behaves responsibly. IT Governance’s Information Security Staff Awareness E-learning Course aims to familiarise non-technical staff with information security policies and procedures, thereby reducing the organisation’s susceptibility to attack and limiting the risk wrought by careless or ignorant staff.
Our Information Security & ISO 27001 Staff Awareness E-learning Course enables employees to gain a better understanding of information security risks and compliance requirements in line with ISO 27001, the international information security standard.
My first thought is that the information stolen is benign; there are no bank details, credit card numbers and no personal sensitive information (e.g. sexual orientation or medical records). But the information is invaluable for social engineering and/or spear phishing attacks. If I subsequently got an email from a taxi company saying that I had been chosen to win a trail lift to the airport to catch my flight to Malaga and it gave the times, maybe I would be tempted to click on the link. After all, they know my flight details; it must be legitimate, right?
And then there is the issue of knowing when the house will be empty. A burglar would use this information to plan his “work” timetable. He may be tempted to go back time and again while the householders are enjoying the sun. Maybe really get into their life and order goods and services from their home!
The trouble is that the ICO tend to look at the information in isolation; is it personal, is it sensitive. They set their penalties accordingly. But do they take into account the knock-on effect of the data breach?
It would be interesting to research those who have had their data stolen to see if the amount of spear phishing increases or, God forbid, if their homes got broken into while they were away…
I agree, Michael. And I don’t think there’s really any such thing as ‘benign’ information from a criminal perspective. Given the scale of cyber crime, it’s all sensitive; the cumulative effect of gathering a name and address here, a credit card number and username there, and a password or two somewhere else means that sooner or later criminals can build up a pretty good user profile. The results? Identity theft, spear phishing and fraud – to name but three. All information is sensitive. All information needs to be properly safeguarded. I too will be interested to see what action the ICO takes.
I am one of the 458 travellers. I have now had to cancel my holiday due to the data leak. I have not had an apology from Thomson; they cannot be bothered to return my calls. In fact they have the most appalling customer service I have ever come across. I will never book with them again.
I’m sorry to hear that Mandy.