Charlie re-investigates Capita’s hack and discusses how performing a data risk assessment on your organisation may be beneficial in the event of a cyber incident, and looks at what should be included within the assessment.
A couple of weeks ago, I wrote about how poor I thought Capita’s response to the hack it suffered on 31st March was, and after I wrote the bulletin, the incident continued, with multiple customers reporting possible data breaches to the Information Commissioner’s Office (ICO). The Pensions Regulator wrote to the hundreds of pension funds that employ Capita to administer their payment systems, ‘urging them to determine whether there is a risk to their schemes’ data’. Over the last few days, there have also been news reports of a vulnerability found in MOVEit, the managed file transfer software. This vulnerability has allowed the Clop ransomware gang to access staff payroll data belonging to several organisations, including the BBC, British Airways, Aer Lingus, Boots, the Nova Scotia Government, and the University of Rochester. A data risk assessment is one of the items we teach in our BCT Certificate in Cyber Incident Management course, and I thought in this week’s bulletin I would explain what one is, and how carrying one out could benefit your organisation.
Whenever we teach any type of incident response, be it crisis management, business continuity, or cyber, the message is the same: do the work now, so that it saves time when we are responding to an incident. A data risk assessment is one of the activities which can be done now to save you the hours and days that you don’t have during a response. The essence of the assessment is that we record all the different types of data held in our organisation, what each data set consists of, how much of it there is, who processes it or has access to it, and what the impact on the organisation would be if it were lost. Cataloguing personal data is extremely important, but it is not the only type of data which should be recorded. The reason for carrying out a data risk assessment is that at the beginning of a cyber incident, it may take hours, if not days, for our technical staff to determine whether any data has been exfiltrated. It may take even longer to prove that certain data has not been taken or accessed. If we have a definitive record of all our data and the effect on the organisation if it is lost, then we can work from the worst-case scenario that all data has been accessed, and decide whether we should warn those whose data might have been accessed, rather than waiting for the long process of trying to verify exactly what has gone. I criticised both Capita and Arnold Clark for saying that data hadn’t been accessed. Capita said ‘there is no evidence of customer, supplier, or colleague data having been compromised’, only to later admit that they had in fact lost data.
When carrying out the data risk assessment I think the following should be recorded:
- Organisational data – a) Negotiating positions, b) Price-sensitive information, c) Organisation strategies, financial models, mergers and acquisitions, d) Restructuring information, e) Intellectual property, research, trade secrets, and source code
- Staff data
- Previous staff data (including pensioners, leavers, and potential staff)
- Customer data
- Supplier data
- Data which could be exploited for financial gain
For each of these data sets, the following should be recorded:
- Volumes of data
- What actual data is held, e.g. National Insurance numbers, passport details, medical histories
- What is the impact if the data is lost?
- Who would have to be informed if the data is breached and how would this be done?
What I find interesting in both the Capita and the MOVEit cases is that the six organisations mentioned above that had their payroll details accessed through the MOVEit software all had their payroll processed by the specialist payroll provider Zellis. So, when conducting our data risk assessment, we need to catalogue which external third parties have access to our data. In the MOVEit case, it was not British Airways that got hacked, but their supplier, Zellis. If you know which third parties are processing your data, you can quickly contact them to determine whether your data may have been accessed in the event of a hack. Similarly, if you hold data on behalf of others, it is important to catalogue the data you hold and maintain contact information in case a breach is suspected. While many organisations supplying data to third parties may not want to be reminded of the risks, you may want to consider exercising with them how a possible breach would be managed.
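To show how the catalogue described in the list above and the third-party point in this paragraph fit together, here is an added example (not from the original bulletin or the course material) of a minimal data risk catalogue that answers the two questions an incident team needs on day one: what is the worst case if everything was accessed, and what is exposed if a named supplier reports a breach. The organisation, data sets, volumes and supplier names are constructed for illustration.

```python
"""Minimal data risk catalogue with worst-case and third-party triage."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataSet:
    name: str
    category: str       # staff, previous staff, customer, supplier, organisational
    fields: tuple       # what actual data is held
    volume: int         # number of records
    impact: str         # low / medium / high, as judged in the assessment
    processors: tuple   # third parties that process or can access the data
    notify: tuple       # who would have to be informed if it is breached


# Constructed sample catalogue for a hypothetical organisation; not real data.
CATALOGUE = (
    DataSet("current payroll", "staff", ("name", "NI number", "bank account"),
            4200, "high", ("PayrollCo",), ("ICO", "affected staff")),
    DataSet("pensioner records", "previous staff", ("name", "address", "pension amount"),
            1800, "high", ("PayrollCo",), ("ICO", "pension trustees", "pensioners")),
    DataSet("customer accounts", "customer", ("name", "email", "order history"),
            150000, "medium", ("CRM Vendor",), ("ICO", "customers")),
    DataSet("supplier contracts", "supplier", ("company", "bank account", "pricing"),
            300, "medium", (), ("suppliers",)),
    DataSet("acquisition models", "organisational", ("financial models", "targets"),
            12, "high", (), ("board", "regulator if price-sensitive")),
)


def worst_case(catalogue=CATALOGUE):
    """Assume all data has been accessed: records exposed and every party to inform."""
    records = sum(d.volume for d in catalogue)
    notify = sorted({n for d in catalogue for n in d.notify})
    high = [d.name for d in catalogue if d.impact == "high"]
    return {"records": records, "notify": notify, "high_impact": high}


def exposure_via(third_party, catalogue=CATALOGUE):
    """Data sets reachable through one processor, e.g. when that supplier reports a breach."""
    hit = [d for d in catalogue if third_party in d.processors]
    return {
        "datasets": [d.name for d in hit],
        "records": sum(d.volume for d in hit),
        "fields": sorted({f for d in hit for f in d.fields}),
        "notify": sorted({n for d in hit for n in d.notify}),
    }


def third_parties(catalogue=CATALOGUE):
    """Every external processor to contact when asking whether our data was accessed."""
    return sorted({p for d in catalogue for p in d.processors})
```

Running `exposure_via("PayrollCo")` on this catalogue gives the payroll and pensioner sets, 6000 records, and the ICO, staff, trustees and pensioners as the parties to inform, before any forensic confirmation is available.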
Conducting a data risk assessment is a vital step in preparing the incident management response to a cyber incident. By spending time assessing and cataloguing organisational data, including personal, staff, customer, supplier, and financially sensitive information, we can better understand the potential impact of a breach, and have plans in place for communicating with those whose data may have been accessed, or for informing the organisation whose data you hold. As with all things incident management, taking proactive measures today will save invaluable time and resources when faced with a real incident in the future.