22 October 2011

Super data breach

I'm following with interest the claims and counter-claims about the First State Super data breach, not least because it's an illustration in my cybersecurity conference paper on breach regulation.

The major superannuation fund manager has acknowledged that there were problems with its security, which allowed a customer (and IT security consultant) Patrick Webster to access financial information about other customers. That information reportedly included full names, addresses, email addresses, membership numbers, age, insurance information, superannuation amounts, fund allocations, beneficiaries and employer information. Mooted legal action against Webster for alerting First State appears to be going nowhere.

The SMH has now reported anonymous claims "by a former IT staffer" that First State "knew of a major security flaw that potentially exposed 770,000 member details years ago and did nothing". The Federal and NSW Privacy Commissioners are apparently reporting.

A spokesperson for Pillar, the fund manager, reportedly denied the allegations with the comment that "It's garbage - we fixed this thing in a matter of hours so why would we sit on it for years? Makes no sense, there's no logic." Pillar dismissed the SMH source as a "disenfranchised employee making ridiculous claims".

Interestingly, the SMH source contests First State claims that the IT system would generate alerts when a member accessed another member's statement. The source reportedly commented that there were "no controls that produce security or privacy alerts", so that unauthorised access would not be detected. That is consistent with the SMH's claim that another First State customer "stumbled across the security flaw while checking their statement more than 18 months ago".
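As an added illustration (not code from the post, nor anything from First State or Pillar) of the two controls in dispute here: a statement handler that refuses a request for another member's statement and raises an alert on it, and a scan over constructed access-log lines that finds cross-member reads after the fact. The member ids, log format and in-memory alert sink are assumptions.

```python
import re

# Constructed member data (hypothetical; stands in for the fund's member database).
STATEMENTS = {
    "100001": {"name": "Member A", "balance": 52000.00},
    "100002": {"name": "Member B", "balance": 87000.00},
}

ALERTS = []  # constructed in-memory alert sink; a real deployment would feed a SIEM


class AccessDenied(Exception):
    pass


def get_statement(session_member_id, requested_member_id):
    """Preventive control: a member may only read their own statement.

    The authenticated identity is compared with the id in the request, so a
    changed request id gains nothing, and every mismatch is alerted rather
    than silently refused.
    """
    if session_member_id != requested_member_id:
        ALERTS.append({
            "session_member": session_member_id,
            "requested_member": requested_member_id,
            "event": "cross_member_statement_request",
        })
        raise AccessDenied("statement belongs to another member")
    return STATEMENTS[requested_member_id]


# Detective control: find past cross-member reads in a web access log.
# Constructed log format: "<timestamp> session_member=<id> GET /statement?member=<id> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) session_member=(?P<session>\d+) GET /statement\?member=(?P<requested>\d+) (?P<status>\d{3})$"
)

SAMPLE_LOG = """2011-10-20T10:15:03 session_member=100001 GET /statement?member=100001 200
2011-10-20T10:15:41 session_member=100001 GET /statement?member=100002 200
2011-10-20T10:16:02 session_member=100002 GET /statement?member=100002 200
2011-10-20T10:16:30 session_member=100001 GET /statement?member=100003 200"""


def find_cross_member_access(log_text):
    """Return (timestamp, session_member, requested_member) for each successful cross-member read."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and m["status"] == "200" and m["session"] != m["requested"]:
            hits.append((m["ts"], m["session"], m["requested"]))
    return hits
```

The log scan is what an operator would run to answer the "did anyone else do this, and when" question that the disputed alerting would otherwise have answered at the time.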

The Australian Prudential Regulation Authority (APRA), as regulator of the super fund industry, reportedly could not comment on the matter because "a secrecy provision in the APRA Act prevents us from" commenting on the regulated bodies. We can and should fix that provision in the public interest.

The SMH points to the APRA Prudential Practice Guide (PPG) 234 – Management of security risk in information and information technology [PDF], which features the statement that -
Controls, commensurate with the sensitivity and criticality of the data/information involved, would normally be implemented where sensitive data/information is at risk of leakage
That Guide could usefully be read in conjunction with the recent SEC guidance noted here.

In the UK the national Information Commissioner has revealed that the number of reported data breaches has increased by 58% on the previous year. That figure is newsworthy but is problematic, given the uncertainty about how many breaches are occurring but are not detected and/or are not divulged.

In a statement earlier this month the Commissioner commented that -
Powers to conduct compulsory data protection audits in local government, the health service and the private sector are needed to ensure compliance with the law, the Information Commissioner said today at the 10th annual data protection compliance conference in London.

Christopher Graham’s call came as figures showed that the ICO is being blocked from auditing organisations in sectors that are causing concern over their handling of personal information.

The only compulsory data protection audit powers the ICO currently has are for central government departments. For all other organisations the ICO has to win consent before an audit can take place.

Data breaches in the NHS continue to be a major problem. Of the 47 undertakings the ICO has agreed with organisations that have breached the Data Protection Act since April, over 40% (19) were in the healthcare sector. In addition, the most serious personal data breaches that have resulted in a civil monetary penalty occurred in the local government sector. Four of the six penalties served so far involved local authorities.

Businesses remain the sector generating the most data protection complaints. Despite this, as reported in July, just 19% of companies contacted by the ICO accepted the offer of undergoing an audit. The ICO has written to 29 banks and building societies and so far only six (20%) have agreed to undergo an audit. The insurance sector has also shown reluctance in this area. Of the 19 companies contacted this year by the ICO, only two agreed to an audit.

Information Commissioner Christopher Graham said:
Something is clearly wrong when the regulator has to ask permission from the organisations causing us concern before we can audit their data protection practices. Helping the healthcare sector, local government and businesses to handle personal data better are top priorities, and yet we are powerless to get in there and find out what is really going on.

With more data being collected about all of us than ever before, greater audit powers are urgently needed to ensure that the people handling our data are doing a proper job. I am preparing the business case for the extension of the ICO’s Assessment Notice powers under the Coroners and Justice Act 2009 to these problematic sectors.