Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

// // //
9/22/2021
02:45 PM
Maxine Holt
Maxine Holt
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv

UK MoD Data Breach Shows Cybersecurity Must Protect Both People and Data

The UK MoD has failed to protect personally identifiable information (PII) for Afghan interpreters; the incident highlights how avoidable cybersecurity mistakes can have devastating consequences.

On Sept. 20, 2021, it came to light that the UK's Ministry of Defence (MoD) had committed a basic mistake: It had included the email addresses of hundreds of Afghan interpreters, many reportedly still in hiding in Afghanistan, within an outbound email.

Just today, a second MoD data breach involving Afghan interpreter email addresses was discovered, compounding the mistake. 

Related Content:

Data Privacy Day 2021: Pandemic Response Data Must Align with Privacy Rules

Data Security Accountability in an Age of Regular Breaches

Data Privacy Day 2021: Data Privacy Must be Improved in a Changed World

This is more than a mere breach of data privacy; the ramifications include potentially endangering the lives of these individuals and their families.

Information security, as a discipline, focuses on protecting the confidentiality, integrity, and availability (CIA) of information; cybersecurity, as a subset of information security, focuses on protecting the CIA of digital information.

An individual's email address (business or personal) is categorized as personally identifiable information, or PII, and most organizations are bound by regulations to keep PII confidential. In the MoD security breach, email addresses and in some cases photographs of individuals were reportedly included.

This incident is a stark reminder that cybersecurity is not just about protecting computer systems and data that we can't touch. Cybersecurity protects people. The failure to protect the PII of Afghan interpreters by the MoD has implications far beyond a compliance violation. If that information gets into the wrong hands (and having 250 email recipients massively expands the opportunity for malicious actors to access this email and act upon its contents), there is the potential for the lives of the interpreters and their families to be endangered.

Maintaining data privacy must not merely be a "best practice" in organizations, it must be standard practice. Security controls require people, process, and technology to work successfully, and neglecting any single aspect of this means that these controls can be rendered ineffective. The MoD data breach highlights the importance of all three: People must be trained and educated to understand not only what they must do when it comes to data privacy, but also why they must do it; processes must be robust, clear, and enforced; technology must be able to identify potential mistakes and ideally prevent them before a worst-case scenario can occur.

The combination of people, process, and technology create security controls to protect the confidentiality of information trusted to the organization by an individual. Layering security controls helps organizations not only protect the data that it is responsible for, but in many cases, also helps protect the lives of the individuals whose PII is held.

Apologies from the MoD are no doubt likely. Apologizing after an event of this magnitude, however, is too little, too late.

Maxine leads Omdia's cybersecurity research, developing a comprehensive research program to support vendor, service provider, and enterprise clients. Having worked with enterprises across multiple industries in the world of information security, Maxine has a strong ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-45786
PUBLISHED: 2023-02-04
There are issues with the AGE drivers for Golang and Python that enable SQL injections to occur. This impacts AGE for PostgreSQL 11 & AGE for PostgreSQL 12, all versions up-to-and-including 1.1.0, when using those drivers. The fix is to update to the latest Golang and Python drivers in addition ...
CVE-2023-22849
PUBLISHED: 2023-02-04
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features. Upgrade to Apache Sling Ap...
CVE-2023-25193
PUBLISHED: 2023-02-04
hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.
CVE-2023-0676
PUBLISHED: 2023-02-04
Cross-site Scripting (XSS) - Reflected in GitHub repository phpipam/phpipam prior to 1.5.1.
CVE-2023-0677
PUBLISHED: 2023-02-04
Cross-site Scripting (XSS) - Reflected in GitHub repository phpipam/phpipam prior to v1.5.1.