Heads in the Cloud? The anatomy of a data breach.
A guest post by @foimonkey
The accidental release of a substantial amount of personal data by Newcastle Citizens Advice Bureau has already been quite widely reported in the media, but as the person responsible for spotting that Newcastle CAB had made this mistake and reporting it to the ICO, I feel it is appropriate to comment on the nature of the breach, the aftermath and what wider lessons can be learnt from this incident.
On 17 September 2013, I came across a spreadsheet whilst searching Google that contained sensitive personal information belonging to a sizeable number of individuals. It was apparent from the nature of the document that this was not intended for release and should not have been made available online. What was less clear was who owned the document (no organisation name was mentioned), so I modified my search to see what other files were hosted on the same FTP server to try to establish who was responsible and who to contact about the incident. To my horror, I found literally thousands of documents containing highly sensitive information that had been hosted on a public FTP server that was accessible via two different IP addresses. It didn't take much detective work to figure out that this data belonged to the Newcastle branch of the Citizens Advice Bureau.
Citizens Advice Bureaux nationwide provide a valuable source of assistance to vulnerable people and great importance is placed on the confidentiality of their advice. It was troubling to discover that something had gone so horribly wrong at this particular branch of the CAB that meant that client files were not only publicly available on the internet to those who knew where to look, but had also been indexed, cached and made fully searchable. The potential for harm and distress to be caused to individuals who have had the most intimate details of their lives made available to all who cared to look for them should not be underestimated.
In total, Google showed that over 12,000 files from 55 directories had been indexed whilst the FTP server was publicly accessible. These appear to date from 2004 up until the first half of 2013. As well as the obvious risks associated with bank details and other financial information being published online, the files contained, amongst other things, information about suicide attempts, domestic violence, criminal activity, drug use, distressing family breakdowns, detailed medical reports from doctors for benefits appeals hearings and a list of sufferers of post-traumatic stress disorder who had been referred from the Royal British Legion – information that couldn't be more sensitive or more private.
The files themselves show that this was not even the first data loss incident by Newcastle CAB. In 2010 client files that had been taken out of their office were left in a shop. It is unclear whether they notified the ICO about that incident.
After an initial attempt to get in touch with the CAB on 17 September, I finally managed to alert the CAB and the ICO early on 18 September. You would think that the first priority of Newcastle CAB, in conjunction with the ICO, would be to ensure that this information was removed from the internet as soon as possible. In my email to the CAB I included a link to Google's help pages on how to remove personal data that had been included in the cache. This process is automatic and usually takes 24 hours to complete. I personally submitted the URLs of several hundred of the most sensitive files for removal from the cache that day and by the next day they were gone, so it is clear that the process works. Astonishingly, cached copies of these files were still accessible as late as yesterday (30 September), close to a fortnight after the breach was initially reported. I cannot understand why there has been such a delay in acting, a delay that I believe may have put the victims of this breach at greater risk. As others have already written, an explanation as to why this information has taken so long to be taken offline has yet to be forthcoming, but I believe that one is certainly owed to those affected by the breach.
Sadly, this breach by Newcastle CAB is not the only breach that has occurred by the means of confidential files being uploaded to an open FTP server. On the same day as this breach came to light, I also contacted the ICO about a small company who had made confidential information available via an open FTP server in the same way. This time, the sensitive personal data of current and former employees was exposed, including their bank account details and passport numbers. As yet, neither the company concerned nor the ICO has acknowledged this incident, and the data (contained in over 5,000 files) remains online today.
There are other companies/organisations that currently have or have previously had client and employee data exposed online, including a law firm, a haulage firm, a photographer, a firm of lobbyists, a clothing company, an engineering firm, a vet's, an investment fund, several charities, a medical database provider to the NHS, a recruitment agent, a parish council and even a data protection trainer. It currently takes less than 5 minutes to find copies of bank account information, credit card details, scans of driving licences and passports and other information of use to fraudsters that UK organisations have leaked online. I even found a copy of the unedited electoral roll listing postal and proxy voters in Epsom West that had been uploaded to the public FTP server of a local firm.
The risk doesn't only come from insecure company servers themselves, but also from automatic file backups to personal cloud servers by individual employees who have taken their work home with them. Whilst there may be benefits to having a copy of all your files backed up online in case of system failure, it may be wise to make sure that you know exactly what data you are putting online and who has access to it. Whilst a lot of the ICO's enforcement activity has thus far concentrated on hard copy breaches from public sector organisations, online breaches such as this by private sector organisations could, if properly investigated, keep them busy in the years to come.
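One practical way to act on that last piece of advice is to scan a folder before it is synced or uploaded anywhere, flagging files that contain the kinds of values this post describes being leaked. The script below is an added example written for this post, not code from the author or from any organisation mentioned; the regex patterns (UK sort code plus account number, Luhn-valid card numbers, National Insurance numbers) and the sample documents are constructed here and should be widened to match your own data.

```python
import os
import re
from collections import Counter

# Narrow patterns for data the post says was exposed; tune them for your own files.
SORT_CODE_ACCOUNT = re.compile(r"\b\d{2}[- ]?\d{2}[- ]?\d{2}\b.{0,30}?\b\d{8}\b", re.S)
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
NI_NUMBER = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text: str) -> Counter:
    """Count each category of sensitive value found in one document's text."""
    hits = Counter()
    hits["bank_account"] += len(SORT_CODE_ACCOUNT.findall(text))
    hits["ni_number"] += len(NI_NUMBER.findall(text))
    for m in CARD_CANDIDATE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            hits["card_number"] += 1
    return +hits                # unary plus drops zero-count categories

def scan_directory(root: str) -> dict:
    """Walk a folder that is about to be published; return {path: hits} for files that must not go."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[path] = dict(hits)
    return report

# Constructed sample documents (not real client data) so the scan can be run offline.
SAMPLE_DOCS = {
    "benefits_appeal.txt": "Client sort code 12-34-56, account 12345678. NI number AB123456C.",
    "card_dispute.txt": "Disputed card 4111 1111 1111 1111, merchant ref 1234 5678 9012 3456.",
    "newsletter.txt": "Drop-in sessions run Tuesday 10am to 4pm; call 0191 000 0000.",
}

def scan_samples() -> dict:
    """Scan the constructed documents; only the first two should be flagged."""
    return {name: dict(scan_text(text)) for name, text in SAMPLE_DOCS.items() if scan_text(text)}

if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"DO NOT PUBLISH {name}: {hits}")
```

Run it over a staging copy of any folder bound for an FTP share or cloud backup; a non-empty report is a reason to stop and review before uploading.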