I noticed this headline on the BBC website this week and it really stood out as a huge breach of security. The data was supposedly stolen by an IT contractor working for a company called the Korea Credit Bureau that produces credit scores. It appears that he stole the names, social security numbers and credit card details of 20 million South Koreans, including the President Park Geun-hye and UN secretary general Ban Ki-moon. He then sold the data on to various marketing companies. The Korea Credit Bureau only became aware of the breach and the full scale of the loss when the contractor was arrested. The data was not encrypted and so this made it easier to steal. Although this incident is more about information security than business continuity, there are some lessons for us: 1. As part of your business continuity planning, do you plan for a data breach? Cases such as this, concerning loss of data and data breaches, are making headline news recently. The Edward Snowden case and a number of high profile cyber attacks have been in the headlines a lot. Often we are told that business continuity plans should cover PPRS (loss of premises, people, resources, and suppliers) and that this type of incident is perhaps out of the scope of the business continuity manager. I think that your strategic team should be able to deal with any event, whether it is a business continuity event or a reputational event such as this. If you are not responsible for planning for this type of event it might be worth doing some investigation to establish who is responsible and ensure that there are suitable plans in place. 2. Are appropriate procedures in place in your organisation for the selection and vetting of contractors and temporary staff, especially those who are employed in sensitive and secure areas? Personal data can be sold on to unscrupulous marketing companies and to criminals for large sums of money. If you are going to use any temporary staff as part of your plan, for example getting rid of any backlog, can you get them recruited and vetted within the required time? 3. In this case the data was not actually stolen from The Korea Credit Bureau but three companies it worked with. Have you, in your media management plans, thought through how you would manage an incident which involved one of your partners? In this type of incident you might want to show a united front to the world but at the same time be preparing to take legal action against your partners. 4. I have heard a number of presentations from IT security professionals who tell “war stories” of how they have been contacted by organisations out of the blue, who need help with security issues right NOW. The companies suggest that you should have a relationship with them in advance of the incident so they can offer a better service on the day. This is something you should bear in mind. Have you, as business continuity manager, got a relationship with companies you might need? This could be specialist salvage contractors or companies who can replace a large number of PCs at short notice so that during an incident you are not scrabbling about to find a suitable supplier!