Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/22/2021
02:45 PM
Maxine Holt
Maxine Holt
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv

UK MoD Data Breach Shows Cybersecurity Must Protect Both People and Data

The UK MoD has failed to protect personally identifiable information (PII) for Afghan interpreters; the incident highlights how avoidable cybersecurity mistakes can have devastating consequences.



On Sept. 20, 2021, it came to light that the UK's Ministry of Defence (MoD) had committed a basic mistake: It had included the email addresses of hundreds of Afghan interpreters, many reportedly still in hiding in Afghanistan, within an outbound email.

Just today, a second MoD data breach involving Afghan interpreter email addresses was discovered, compounding the mistake. 

Related Content:

Data Privacy Day 2021: Pandemic Response Data Must Align with Privacy Rules

Data Security Accountability in an Age of Regular Breaches

Data Privacy Day 2021: Data Privacy Must be Improved in a Changed World

This is more than a mere breach of data privacy; the ramifications include potentially endangering the lives of these individuals and their families.

Information security, as a discipline, focuses on protecting the confidentiality, integrity, and availability (CIA) of information; cybersecurity, as a subset of information security, focuses on protecting the CIA of digital information.

An individual's email address (business or personal) is categorized as personally identifiable information, or PII, and most organizations are bound by regulations to keep PII confidential. In the MoD security breach, email addresses and in some cases photographs of individuals were reportedly included.

This incident is a stark reminder that cybersecurity is not just about protecting computer systems and data that we can't touch. Cybersecurity protects people. The failure to protect the PII of Afghan interpreters by the MoD has implications far beyond a compliance violation. If that information gets into the wrong hands (and having 250 email recipients massively expands the opportunity for malicious actors to access this email and act upon its contents), there is the potential for the lives of the interpreters and their families to be endangered.

Maintaining data privacy must not merely be a "best practice" in organizations, it must be standard practice. Security controls require people, process, and technology to work successfully, and neglecting any single aspect of this means that these controls can be rendered ineffective. The MoD data breach highlights the importance of all three: People must be trained and educated to understand not only what they must do when it comes to data privacy, but also why they must do it; processes must be robust, clear, and enforced; technology must be able to identify potential mistakes and ideally prevent them before a worst-case scenario can occur.

The combination of people, process, and technology create security controls to protect the confidentiality of information trusted to the organization by an individual. Layering security controls helps organizations not only protect the data that it is responsible for, but in many cases, also helps protect the lives of the individuals whose PII is held.

Apologies from the MoD are no doubt likely. Apologizing after an event of this magnitude, however, is too little, too late.

Maxine leads Omdia's cybersecurity research, developing a comprehensive research program to support vendor, service provider, and enterprise clients. Having worked with enterprises across multiple industries in the world of information security, Maxine has a strong ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20837
PUBLISHED: 2021-10-26
Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earl...
CVE-2021-41305
PUBLISHED: 2021-10-26
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view the names of private projects and filters via an Insecure Direct Object References (IDOR) vulnerability in the Average Number of Times in Status Gadget. The affected versions are before version 8.13.1...
CVE-2021-41306
PUBLISHED: 2021-10-26
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References (IDOR) vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from version ...
CVE-2021-41307
PUBLISHED: 2021-10-26
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References (IDOR) vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.12...
CVE-2021-41308
PUBLISHED: 2021-10-26
Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the `ReplicationSettings!default.jspa` endpoint. The affected versions are before version 8.6.0, fr...