Case Studies

Council data ignorance

by msecadm4921

Poor data security from several of the UK’s local councils has left sensitive expenditure information openly available on the internet. Web hosting company UKFast has spoken of data protection ignorance which left details of one council’s £83m spend – including suppliers’ contact details and prices – as simple to find and download as an MP3 track.

A Google search found numerous databases from both businesses and local government. Although some of the data is available to the public through the Freedom of Information Act 2000, one of the databases contained personal contact details of suppliers including names, addresses, phone numbers and email addresses, along with specific details of the council’s almost £83m spend over three years.

Lawrence Jones, CEO at UKFast said: “Our security division regularly monitors the level of cyber risk across the internet to make sure our clients are protected from every type of threat. The public sector should set an example on data protection so to discover such a lapse – where personal details and sensitive data is openly available – from a local government body is very concerning.”

UKFast warned that the data discovery not only damages the council’s reputation but also puts the suppliers involved at risk of a type of cyber attack called spear-phishing. In a spear-phishing attack, criminals use personal information gleaned from data leaks or social media to impersonate a trusted source (here, the council or a supplier) and send malware-laden emails or requests for further information such as bank details or payments.

Jones added: “We discovered several databases, not only from councils but from businesses as well, all filled with information that would allow cybercriminals to impersonate suppliers to steal money or personal information through even the simplest of attacks. It would not take any specialist technical skill to be able to find this information through a search engine and then put together a convincing email or phone call impersonating the suppliers to steal from the council or business.”

UKFast’s technical director Neil Lathwood offered advice to businesses and the public sector on how to ensure their data is not accessible via a Google search. He said: “Google is extremely good at indexing so any files that you save on a web server may not be linked to from the website but will still be searchable by Google, so even the least technically-skilled criminals can find your personal details.

“It is very basic cyber security to ensure that personal data, such as that discovered by our security team, is not stored unencrypted on your web server or on an unsecured intranet network.”

Advice:

Encrypt all sensitive information – if in doubt, encrypt it anyway.

Don’t store anything on a web server that you don’t want to be accessible by search engines.

Test your security – use penetration testing or employ an ethical hacker or security firm.

Consider secured supplier portals to allow the safe sharing of information.
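As an added example (not UKFast’s, Avecto’s or any council’s code), the check below implements Lathwood’s point that a file saved on a web server is fetchable whether or not any page links to it: it walks a web root, collects every link from the HTML pages, and lists data files (the extension list is an assumption) that are served but referenced nowhere, so an administrator can move or remove them before a search engine indexes them. The sample site is constructed inline.

```python
import os
import tempfile
from html.parser import HTMLParser

# File types that commonly hold bulk or personal data (assumed list).
DATA_EXTS = {".csv", ".xls", ".xlsx", ".sql", ".db", ".mdb", ".bak", ".zip"}

class LinkCollector(HTMLParser):
    """Collect href/src targets from one HTML page."""
    def __init__(self):
        super().__init__()
        self.links = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.add(value.split("#")[0].split("?")[0])

def find_orphan_data_files(webroot):
    """Return web-root-relative paths of data files that no HTML page links to."""
    linked, data_files = set(), []
    for dirpath, _, filenames in os.walk(webroot):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, webroot).replace(os.sep, "/")
            ext = os.path.splitext(fn)[1].lower()
            if ext in (".html", ".htm"):
                parser = LinkCollector()
                with open(path, encoding="utf-8", errors="replace") as fh:
                    parser.feed(fh.read())
                for link in parser.links:
                    if "://" in link or link.startswith("mailto:"):
                        continue  # off-site or non-file link
                    # root-absolute links resolve from the web root, others from the page
                    target = link[1:] if link.startswith("/") else os.path.join(os.path.dirname(rel), link)
                    linked.add(os.path.normpath(target).replace(os.sep, "/"))
            elif ext in DATA_EXTS:
                data_files.append(rel)
    return sorted(f for f in data_files if f not in linked)

def build_sample_site():
    """Constructed web root: one CSV published via a link, one export nobody linked."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "finance"))
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write('<a href="/finance/spend-over-500.csv">Spend over £500</a>')
    for name in ("spend-over-500.csv", "supplier-contacts.xlsx"):
        open(os.path.join(root, "finance", name), "w").close()
    return root
```

Run `find_orphan_data_files` against a real document root and treat every result as a file that a search engine can reach without any link on the site.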

Commenting

Commenting, Avecto says that the unintended data breaches are almost certainly the result of too many people having the ability to access personal information.

Paul Kenyon, chief operating officer with the Windows privilege management product company, says that most organisations fall into the trap of giving their staff virtually complete access to the firm’s information – including company and customer confidential data – and so creating their very own data vulnerability.

“Our approach in avoiding this is to adopt a least risk strategy that involves only giving Windows-based desktop and server users the privileges they require to perform their roles – without compromising the integrity and security of personal plus company-confidential information. In taking this approach, the organisation is adopting the principle of least privilege, whereby users logon with minimal rights – and applications are assigned the necessary privileges to enable users to perform the task in hand – all under the control of policies that are defined by the IT department,” he adds.

Kenyon adds that a failure to adopt this strategy means that staff – all the way from senior managers down to the office junior – have access to far too much personal information. Expecting the office junior to have the same level of awareness about business data security as a senior manager is, he says, asking for trouble, especially when a technology such as Avecto’s Privilege Guard lets staff continue to perform their duties just as effectively, but with a far lower inherent risk to personal data. He adds that the public sector generates vast quantities of data, so allowing too many people access to that data – especially personal data – can translate into a data breach, as UKFast’s findings suggest.

The solution, says Kenyon, is to control who has access to the personal and company-confidential data – but in such a way that access is carefully controlled and limited to only that data which the employee (or manager) needs in order to perform their day-to-day duties.

“Put simply, this means that organisations need to adopt a least privilege stance, which in turn leads to the twin additional advantages of least cost and least risk,” he says.

“The fact that this investigation gave UKFast’s researchers access to partial and even complete databases shows what happens when data leaks out from an organisation. A least privilege approach would have helped to stop this type of information from leaking, as it clearly has done,” he added. For more on Avecto: http://www.avecto.com.

© 2024 Professional Security Magazine. All rights reserved.