Brian Vecci, technical evangelist, Varonis

Reports have emerged that Sports Direct suffered a breach of its employee data last year. That's not even really news any more—we're all numb from the constant stream of data breach news stories. What's alarming in this case isn't the breach, it's that affected employees weren't told even after Sports Direct was made aware of the sensitive employee data that was stolen. To add insult to injury, the stolen data wasn't stored in encrypted form. Critical data had been leaked in the open and Sports Direct sat on that.

Responsible disclosure

Accidents will happen, but we have to know when our personal data has been compromised, period. Why Sports Direct, which knew about the breadth and depth of the attack, would not alert its 30,000 employees is unfathomable. Sports Direct knew there had been a breach of its employees' personally identifiable information (PII) and didn't notify them. If I can get an email from a retailer telling me my account may have been compromised due to someone else's breach, then I would expect Sports Direct to tell its employees that an actual breach involving their data happened on its own systems.

The information stolen in the Sports Direct data heist contained personally identifiable information like employee names, emails, postal addresses and telephone numbers—the kind of data attackers use for identity theft, phishing campaigns, social engineering attacks and other threats. Learning that your data has been breached by reading it in the news is like finding out via Facebook that your doctor forgot to mention you'd been diagnosed with a communicable disease. The longer it takes for you to find out, the better chance the thieves have of making the most use of your information.

The Information Commissioner's Office (ICO), the body tasked with enforcing current data protection legislation in the UK, is aware of the incident, although it hasn't disclosed whether sanctions will be levied against the retailer for breaching the UK's Data Protection Act (DPA).

On 25 May 2018 the EU General Data Protection Regulation (GDPR) will come into force, dictating how organisations collect, use and protect sensitive information. The regulation includes a duty on all organisations to report personal data breaches to the relevant supervisory authority within 72 hours of discovery, and in some cases to the individuals affected. Failing to do so could incur significant fines – up to €20 million or four percent of global revenue – that's a lot of footballs and hockey sticks! The goal is to ensure that situations like this are minimised. When breaches happen—and they will continue to happen—it's critical that the affected parties be notified so they can take action.

They're not alone

While Sports Direct's handling of this breach is far from perfect, they're not the only ones who have struggled to protect sensitive data. A recent Forrester study found that only 38 percent of organisations make sure that employees can only access what they need to, and a mere 45 percent monitor for abuse. You can't catch what you can't see, and more than half of companies are completely blind when it comes to who's accessing their data. That's incredible.

Under the new EU GDPR, organisations will have an obligation to implement technical and organisational measures that show they have considered and integrated data protection into processing activities. That's a fancy way of saying that now, by law, you have to make sure that you know where your sensitive data is, who has access to it, and—critically—when it's accessed and by whom. Organisations need to find where sensitive data is stored, lock it down so that only the right people have access, and then delete it when it's no longer needed. They also need to take action to notify affected individuals in the event of a breach and then take action to mitigate future problems.

While that may sound impossible, with the right processes in place it's relatively straightforward. Here are five steps to put organisations on the path to GDPR compliance:

1. Identify where personal data is located across your environment (NAS, SharePoint, cloud, etc). This could include intellectual property, R&D materials, plans, financial data, etc. It's not enough to just assume you have it—you need to find it and monitor it.

2. Reduce data access to a “need to know” basis. Applying a least privilege model means that only those who need access have it. Least privilege needs to be designed into your controls and processes.

3. Apply encryption so that if the data were to fall into the wrong hands, it is rendered useless. This is a no-brainer, but encryption doesn't solve the problem of access, only the problem of what's possible after the breach.

4. Monitor and audit data access, permission changes and data processing activities to aid in detection, forensics and proof that precautions were taken in the event of a breach. Regulators will look less favourably on those organisations that show contempt for security practices than on those that have tried to reduce the risk.

5. Limit data retention and comply with an individual's right “to be forgotten”. This may mean establishing data retention procedures and systems so that data is never stored longer than necessary – a requirement of both the existing DPA and the incoming EU GDPR.
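As an added illustration of steps 1, 2 and 5 above (this is example code written for this article, not a Varonis tool), the following script walks a directory tree, flags files that contain email addresses or UK-style phone numbers, and for each such file reports whether it is readable by everyone on the host (a least-privilege failure) and whether it is older than the retention window. The sample files, the regular expressions and the 365-day retention period are constructed assumptions for the demo.

```python
"""Find files holding PII, then check least privilege and retention on each."""
import os
import re
import stat
import tempfile
import time

# Assumed patterns: an email address and a UK landline/mobile number (constructed).
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
UK_PHONE_RE = re.compile(r"\b(?:\+44\s?\d{4}|0\d{4})\s?\d{6}\b")
DAY = 86400


def scan_file(path, retention_days=365, now=None):
    """Return a finding for one file, or None if it holds no PII (step 1)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    emails, phones = EMAIL_RE.findall(text), UK_PHONE_RE.findall(text)
    if not emails and not phones:
        return None
    st = os.stat(path)
    now = time.time() if now is None else now
    return {
        "path": path,
        "emails": len(emails),
        "phones": len(phones),
        # Step 2: 'other' read bit set means anyone on the host can read the PII.
        "world_readable": bool(st.st_mode & stat.S_IROTH),
        # Step 5: last modified longer ago than the retention window allows.
        "stale": (now - st.st_mtime) > retention_days * DAY,
    }


def scan_tree(root, retention_days=365, now=None):
    """Walk root and collect findings for every file that contains PII."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            finding = scan_file(os.path.join(dirpath, name), retention_days, now)
            if finding:
                findings.append(finding)
    return findings


def build_sample_tree():
    """Constructed sample data (no real people) so the demo runs stand-alone."""
    root = tempfile.mkdtemp(prefix="pii_demo_")
    staff = os.path.join(root, "hr", "staff_list.csv")
    os.makedirs(os.path.dirname(staff))
    with open(staff, "w") as fh:
        fh.write("name,email,phone\nA Example,a.example@example.co.uk,01234 567890\n")
    os.chmod(staff, 0o644)                 # world-readable: step-2 finding
    old = time.time() - 400 * DAY
    os.utime(staff, (old, old))            # 400 days old: step-5 finding
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("No personal data in this file.\n")
    return root
```

Run `scan_tree(build_sample_tree())` to see one finding for `hr/staff_list.csv` with both the world-readable and stale flags set; pointing `scan_tree` at a real share gives the inventory that steps 2 and 5 are then applied to.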

Trust has to be the bedrock of any employment relationship and, in the 21st century, trust includes keeping personal employee data safe and notifying employees in a timely manner when it isn't.

Contributed by Brian Vecci, technical evangelist, Varonis

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.