Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

// // //
9/22/2021
02:45 PM
Maxine Holt
Maxine Holt
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv

UK MoD Data Breach Shows Cybersecurity Must Protect Both People and Data

The UK MoD has failed to protect personally identifiable information (PII) for Afghan interpreters; the incident highlights how avoidable cybersecurity mistakes can have devastating consequences.

On Sept. 20, 2021, it came to light that the UK's Ministry of Defence (MoD) had committed a basic mistake: It had included the email addresses of hundreds of Afghan interpreters, many reportedly still in hiding in Afghanistan, within an outbound email.

Just today, a second MoD data breach involving Afghan interpreter email addresses was discovered, compounding the mistake. 

Related Content:

Data Privacy Day 2021: Pandemic Response Data Must Align with Privacy Rules

Data Security Accountability in an Age of Regular Breaches

Data Privacy Day 2021: Data Privacy Must be Improved in a Changed World

This is more than a mere breach of data privacy; the ramifications include potentially endangering the lives of these individuals and their families.

Information security, as a discipline, focuses on protecting the confidentiality, integrity, and availability (CIA) of information; cybersecurity, as a subset of information security, focuses on protecting the CIA of digital information.

An individual's email address (business or personal) is categorized as personally identifiable information, or PII, and most organizations are bound by regulations to keep PII confidential. In the MoD security breach, email addresses and in some cases photographs of individuals were reportedly included.

This incident is a stark reminder that cybersecurity is not just about protecting computer systems and data that we can't touch. Cybersecurity protects people. The failure to protect the PII of Afghan interpreters by the MoD has implications far beyond a compliance violation. If that information gets into the wrong hands (and having 250 email recipients massively expands the opportunity for malicious actors to access this email and act upon its contents), there is the potential for the lives of the interpreters and their families to be endangered.

Maintaining data privacy must not merely be a "best practice" in organizations, it must be standard practice. Security controls require people, process, and technology to work successfully, and neglecting any single aspect of this means that these controls can be rendered ineffective. The MoD data breach highlights the importance of all three: People must be trained and educated to understand not only what they must do when it comes to data privacy, but also why they must do it; processes must be robust, clear, and enforced; technology must be able to identify potential mistakes and ideally prevent them before a worst-case scenario can occur.

The combination of people, process, and technology create security controls to protect the confidentiality of information trusted to the organization by an individual. Layering security controls helps organizations not only protect the data that it is responsible for, but in many cases, also helps protect the lives of the individuals whose PII is held.

Apologies from the MoD are no doubt likely. Apologizing after an event of this magnitude, however, is too little, too late.

Maxine leads Omdia's cybersecurity research, developing a comprehensive research program to support vendor, service provider, and enterprise clients. Having worked with enterprises across multiple industries in the world of information security, Maxine has a strong ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-39268
PUBLISHED: 2022-09-30
### Impact In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end use...
CVE-2022-34428
PUBLISHED: 2022-09-30
Dell Hybrid Client prior to version 1.8 contains a Regular Expression Denial of Service Vulnerability in the UI. An adversary with WMS group admin access could potentially exploit this vulnerability, leading to temporary denial-of-service.
CVE-2022-34429
PUBLISHED: 2022-09-30
Dell Hybrid Client below 1.8 version contains a Zip Slip Vulnerability in UI. A guest privilege attacker could potentially exploit this vulnerability, leading to system files modification.
CVE-2022-40923
PUBLISHED: 2022-09-30
A vulnerability in the LIEF::MachO::SegmentCommand::virtual_address function of LIEF v0.12.1 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted MachO file.
CVE-2022-40943
PUBLISHED: 2022-09-30
Dairy Farm Shop Management System 1.0 is vulnerable to SQL Injection via bwdate-report-ds.php file.