The University of East Anglia has suffered another data breach: on Sunday 5 November, an email containing the personal health information of a member of staff was sent to about 300 students in the social science faculty, through the same flaw that caused its previous breach and was never fixed.
The problem was again caused by accidental use of an email distribution list, and since it is straightforward to restrict who can send to a mass mailing list, the university has faced understandable criticism.
Oz Alashe MBE, CEO of CybSafe, notes that the breach was highly preventable, adding that because it was caused by exactly the same flaw as last time, the university has clearly learnt very little from its previous breach.
He adds in an email to SC Media UK, “The Information Commissioner's Office (ICO) concluded that the June breach didn't meet requirements for it to take action. However, after a second breach exposing a similar flaw the ICO might take a different stance this time; leaving the university liable to ICO sanctions.”
The UEA's data protection training has been criticised by staff, with Alashe noting, “The course culminates in a multiple-choice test of just eight questions – it's incredibly short, and staff will likely take away very little from the programme.
“UEA's checkbox approach to its training programme needs a complete overhaul. Giving staff unwieldy ‘training manuals' is ineffective; simply reading facts doesn't mean those facts will be acted on. Likewise, telling staff how damaging a data breach could be won't elicit changes in behaviour. Cyber-security training needs to be a thorough process. Individuals should be tested to ensure they have retained information, but they also need to be tested to see whether they can act on that information. Training staff is one thing; getting staff to act on that training is quite another.”
Matt Lock, director of sales engineers at Varonis, points out that academic institutions are prime targets for cyber-criminals and that a large university often holds sensitive personally identifiable information (PII) and protected health information (PHI) on tens of thousands of students. In an email to SC Media he commented, “It's important for universities to secure their data, educate their employees and contractors to ensure they have good cyber-hygiene and take the steps to automate the prevention of human error – in this case preventing inappropriate access to personal information and incorporating utilities to prevent the exposure.
“The way that personal data is collected and stored is a huge privacy concern, particularly in light of the upcoming GDPR: universities (and individuals) need to keep an eye out on privacy policies and data gathering in order to consistently meet business policy and security requirements.”
For Adenike Cosgrove, EMEA cybersecurity specialist at Proofpoint, the issue again points to the human vulnerability. “Data breaches are not just an IT security issue, but a fundamental data governance issue. Organisations must combine information security with data governance programmes that identify, classify and protect critical and sensitive data assets. Technologies like encryption and Data Loss Prevention (DLP) provide automated controls that protect the processing and storage of confidential information. Only by leveraging technology controls can the likelihood of data exposure be reduced,” she told SC Media UK in an email.
Reacting to the news, Andrew Clarke, EMEA director at One Identity, said: “One of the primary factors where organisations fall short is by not making security part of their everyday operations. Through experience we know that security is a continual process and goes beyond the basics of installing a firewall or an AV tool. In the case of UEA, questions that determine how a person accesses an employee's confidential and sensitive health information will be a step in the right direction to avoid a repeat of such an accidental case of attaching to an outbound email. Identity & Access Management coupled with Data Governance tools are the right way to get this addressed.”
Lock also points out that exposed personal data is not only an abuse of personal data privacy, “but can be leveraged to breach more secure systems and put critical data at risk.”
The local newspaper which broke the story reports a UEA spokesperson saying: “An urgent investigation into how this happened is underway. The university contacted the member of staff to apologise and will be providing support.
“Steps were taken to recall the message as soon as possible using an automated process which can be run by a limited number of UEA employees allowing the removal of the specific email, without accessing individuals' email inboxes.
“The University will continue with the roll out of our newly created action plan to prevent incidents like this in the future.”