5 examples of how easily data leaks can occur
Now that we have entered the third year of the GDPR, it is becoming clearer how effective our information security really is. Since the introduction of the privacy law, 273 fines have been issued, with a total amount of €153.525.487.
We could state that we know how to prevent these fines by taking care of factors that cause data leaks. Yet mistakes are often still made and this comes down to one thing: perception of the causes of a data leak. Organizations often think they have applied enough security or that something is not applicable to them. But a data leak can occur anywhere, anytime.
Examples of how easily data leaks can occur
Here are 5 examples that could also happen to your organization if you don’t take the right measures:
Sending information to the wrong recipient
It remains the biggest cause of data leaks: sending sensitive data to the wrong person. It happened to the Dutch municipality Assen, when an employee sent a file containing the personal data of 530 persons to the wrong email address. And this is a major problem, because with standard email you as a sender don’t receive a notification or a warning when sensitive data is processed.
If the user had known that the wrong email address had been entered before sending, this error could have been avoided. A check on receivers is therefore a functionality that can limit this risk of human error.
Email addresses of all recipients in CC
Whoever puts all addresses in the cc makes all recipients in that group public. This happened recently to another Dutch municipality: an email was sent with all 123 recipients in the cc. While some aren’t aware that an email address is sensitive data too, it is. In this case, the email addresses should have been kept private from everyone. This also went wrong earlier, when the Dutch Data Protection Authority accidentally used the cc button instead of the bcc.
A check on recipients can prevent data from being shared with everyone in the recipient group. But even better: a check on the recipients in the to, cc and bcc fields could make the sender aware of what will be exposed when an email is sent.
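The pre-send check described in the two examples above, as an added illustration that is not code from the original article or from any product it refers to. It assumes a constructed organization domain and a constructed group-size threshold, and flags both a recipient outside the organization (a possible wrong address) and a group mailing whose addresses sit in To/Cc, where every recipient would see them.

```python
"""Pre-send recipient check for outgoing mail (added example)."""
from email.utils import getaddresses

# Constructed values for this example, not figures from the article.
INTERNAL_DOMAINS = {"example-municipality.nl"}
GROUP_THRESHOLD = 10  # at or above this, To/Cc addresses should move to Bcc


def parse_recipients(header_value):
    """Return the lowercase addresses found in a To/Cc/Bcc header string."""
    return [addr.lower() for _, addr in getaddresses([header_value]) if addr]


def check_recipients(to="", cc="", bcc=""):
    """Return what the mail will expose and the warnings the sender should review.

    'exposed' lists every address that all recipients will be able to see
    (To and Cc); 'warnings' lists the problems found before sending.
    """
    to_list, cc_list, bcc_list = (parse_recipients(h) for h in (to, cc, bcc))
    exposed = to_list + cc_list  # visible to every recipient of the mail
    warnings = []

    # Wrong-recipient check: show the sender every address outside the
    # organization so a mistyped or unintended recipient can be caught.
    for addr in exposed + bcc_list:
        domain = addr.rsplit("@", 1)[-1]
        if domain not in INTERNAL_DOMAINS:
            warnings.append(f"external recipient: {addr}")

    # Exposure check: a large group in To/Cc discloses all addresses to all.
    if len(exposed) >= GROUP_THRESHOLD:
        warnings.append(
            f"{len(exposed)} addresses visible in To/Cc; use Bcc for group mail")

    return {"exposed": exposed, "warnings": warnings}


if __name__ == "__main__":
    group = ", ".join(f"resident{i}@example-municipality.nl" for i in range(12))
    for warning in check_recipients(cc=group, bcc="typo@exmaple-municipality.nl")["warnings"]:
        print("WARNING:", warning)
```

A real deployment would run this from the mail client or gateway before the message leaves, and present the result to the sender rather than silently blocking.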
Unsafe servers
It is not only important to send data securely; it should also be stored securely. Recently, copies of the ID documents of 800 people were accessible to third parties because they were stored on an unsecured, publicly accessible server. And it is precisely this type of information that is interesting to cyber criminals: identity fraud is popular, and it can have severe financial consequences for the victims.
By using secure servers you can prevent data from being viewed by anyone who happens to find it. It is important that these servers are not only secured themselves, but that they also store the data encrypted.
Weak passwords
What gives access to secure data? The credentials needed to get through security. Creating a strong password, which is difficult for hackers to guess, ensures that access can’t simply be obtained. In 2014, such an example hit eBay: hackers gained access to databases full of sensitive data via the credentials of 3 employees.
We make it difficult for malicious parties by creating strong passwords. But that's not all: changing that password regularly is even more effective. Therefore, make it a habit to renew your passwords every now and then.
Lack of the right encryption
Zoom, a video call application, has been under attack recently as well. In addition to problems with easy-to-retrieve passwords and with adding users from the same domain, there were also problems with the encryption. That is exactly what matters when data is exchanged: without proper encryption, anyone who intercepts the data can read it directly.
Encryption is one thing, but applying it properly is equally important. Zero-knowledge end-to-end encryption is a way to ensure that data remains protected. This applies to malicious parties as well as data processors.