DPaaS Newsletter
Data Protection as a Service Newsletter from CSP, Your Trusted Security Partner
JANUARY, 2022

NEWSLETTER HIGHLIGHTS
- Covid test firm leaks important customer data
- School data breach leaks sensitive information
- Industry Update - IDTA and UK Addendum

Contact Us
www.csp.partners
info@csp.partners
0113 532 3763
26 Whitehall Rd East, Leeds, LS12 1BE
@CyberSecPartner @CyberSecurityPartners
CYBER SECURITY PARTNERS

Cheap Covid test firm leaks ‘selfies’, passport scans and addresses of customers
Source: Which? | Trevor Baker

Hundreds of customers of Alpha Express Testing received an email last week from a concerned customer, warning them that their data had been exposed. The exposed data included full names, home addresses, telephone numbers and an image of each person’s passport. Alpha Express Testing is also on the official government providers list. All that was needed to be shown the leaked data was to change one digit in the reference number. Some customers also reported that they could see not just data, but also passport photos and the selfies required to register a test. Fortunately, the person who sent the email had no intention of using the data he had found; he just wanted to warn Alpha’s customers.

What CSP would do to prevent this:
Bringing a Data Protection Officer (DPO) into the business is a great place to start, before or after any major data breach. If you as a business are concerned about potential data breaches, a DPO can help improve data security for any business. This can be done by:
- Auditing your business to assess whether you are following good data management practices.
- Advising on data storage and the implications this has for the business.
- Training the people working in your business on how to handle information.
This can be used as part of your subscription.

A Privacy Impact Assessment (PIA) would be useful in these scenarios. A PIA helps to consider the amount of information stored and how easily it is accessible. Typically, the process assists businesses in identifying and managing the privacy risks arising from new projects, initiatives, systems, processes, strategies and policies. Here at CSP we can help businesses to complete the assessment too, as part of our DPaaS service.

Sensitive data handling training - when handling sensitive data, it is vital that the process is not rushed.

Encrypt any sensitive data - as the list was presumably being made to be passed on, the document should have been encrypted. This could have removed the risk of it becoming publicly available after user error. As with most encryption, anyone trying to read the document would have needed to know the key used to encrypt the data.
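Added example, not code from Alpha Express Testing, Which? or CSP: a minimal model of the reference-number lookup described above, with the weak design (sequential reference, no check of who is asking) beside the hardened form (unguessable reference plus an ownership check). The store, the field names and the "AET" prefix are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass
class TestRecord:
    customer_id: str    # account that registered the test
    full_name: str
    passport_scan: str  # id of the uploaded scan (constructed field)

class ResultsStore:
    def __init__(self):
        self._by_ref = {}
        self._next_seq = 1000

    # Weak design: sequential references, and the lookup ignores who is asking.
    def register_sequential(self, rec):
        ref = f"AET{self._next_seq:06d}"  # "AET" prefix is constructed
        self._next_seq += 1
        self._by_ref[ref] = rec
        return ref

    def lookup_unchecked(self, ref):
        return self._by_ref.get(ref)

    # Hardened design: an unguessable random reference, and the record is returned
    # only to the customer it belongs to. "Not found" and "not yours" are answered
    # identically, so the response reveals nothing about other customers' records.
    def register_random(self, rec):
        ref = secrets.token_urlsafe(16)
        self._by_ref[ref] = rec
        return ref

    def lookup_checked(self, ref, requesting_customer_id):
        rec = self._by_ref.get(ref)
        if rec is None or rec.customer_id != requesting_customer_id:
            return None
        return rec

def exposes_other_customer(store, hardened):
    """Defender's check: register two customers, then ask whether customer B can
    read customer A's record given A's reference. True means the data is exposed."""
    a = TestRecord("cust-A", "A. Customer", "scan-a")  # constructed sample data
    b = TestRecord("cust-B", "B. Customer", "scan-b")
    if hardened:
        ref_a = store.register_random(a)
        store.register_random(b)
        return store.lookup_checked(ref_a, "cust-B") is not None
    ref_a = store.register_sequential(a)
    store.register_sequential(b)
    return store.lookup_unchecked(ref_a) is not None
```

The ownership check is the essential part: even if a reference is obtained some other way, the hardened lookup still returns nothing to anyone but the customer who registered the test.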
School data breach leaks sensitive information about pupils
Source: Yahoo News | Lewis Berrill
Sensitive information about pupils was leaked to parents and students following a data breach at a secondary school. The information included free school meal status, address, deprivation status, exam dispensation and special educational needs. The details were those of Year 11 children at Greensward Academy in Hockley and were accidentally leaked by a teacher. The information was made available to Year 11 pupils and their parents via Google Classroom when a mock examinations timetable was shared by the teacher, who was unaware that the document also contained sensitive information.

What could be done to stop this:
- Sensitive data handling training - when handling sensitive data, it is vital that the process is not rushed. Staff should be regularly trained on the importance of data handling. CSP's DPaaS ‘Information Handling Training’ can provide this to your users on either a scheduled or ad-hoc basis.
- Encrypt any sensitive data - as with most encryption, anyone trying to read the document would have needed to know the key used to encrypt the data.
- Stronger access control - access control means giving out information on a need-to-know basis. Businesses should adopt a role-based access control (RBAC) model and assess it frequently.
Industry Update
International Data Transfer Agreement (IDTA) and UK Addendum laid before UK Parliament

On 28 January 2022, the Secretary of State for the Department for Digital, Culture, Media & Sport (DCMS) laid the UK's new transfer tools for international transfers of personal data under the UK GDPR. These tools are key for organisations transferring or receiving personal data subject to the UK GDPR. The specific tools presented are:
- the international data transfer agreement (the "IDTA");
- the international data transfer addendum to the European Commission's Standard Contractual Clauses ("SCCs") for international data transfers (the "Addendum");
- transitional provisions (together with the above, the "Tools").
The IDTA is intended to be used as a safeguard under Article 46 of the UK GDPR for data transferred under the UK GDPR. The Addendum may be particularly useful to organisations subject to both the UK and EU GDPR that want efficient data transfer documentation.