Lessons from the MoD data breach
Now and again, an incident occurs which casts a new light on the importance of data security. Data breaches today have become so common that we are now desensitised to stories of malicious attacks and hackers. However, for the 250 Afghan interpreters who fell victim to the UK’s Ministry of Defence (MoD) data incident this week, the impact is immeasurable.
The MoD has fallen into the same human-error shaped hole which thousands of organisations across the globe find themselves in, every year. While humans are at the heart of business, errors will occur; human error, after all, is human nature. However, not every mistake can be treated as a learning experience.
The subject of great outrage, the MoD are currently under investigation for an incident which, given the appropriate security practices, could have been prevented.
Ministry of Defence data leak - what happened?
On 20th September 2021, it was reported that the MoD had failed to protect personally identifiable information (PII) for 250 Afghan interpreters. The story highlights the devastating impact of an entirely avoidable security incident; the email addresses for 250 individuals were incorrectly Cc’d for all to see.
As with the vast majority of reported data incidents today (over 70% in the UK, according to the ICO), the MoD incident is reportedly due to basic human error. 30 minutes after the initial email was sent, the MoD circulated a second email with the subject line “Urgent - Arap case contact”, telling recipients to delete the previous email and warning "your email address may have been compromised".
And now, just days later, the BBC has uncovered a second incident involving an email sent a month earlier which mistakenly displayed the email addresses and names of 55 Afghans.
With the incident under investigation and the story continuing to unfold, the MoD remains the subject of great criticism.
Data protection is people protection
By its very nature, the disastrous fallout of this particular data incident is very rare. However, this is an opportunity to consider the way data is handled today:
“The Afghanistan/MoD data leak news is a stark reality of what can happen when digital communications are not safeguarded. (...) All business leaders need to sit back and review how sensitive information is being shared and what support their workforce has to communicate securely. Commonly, incidents such as this result from human error (...) Organizations need to focus on how they can empower their individuals to be able to share information securely when they need, with confidence and with ease to avoid a potentially damaging situation.”
- Wouter Klinkhamer, CEO at Zivver
Protecting personally identifiable information (PII) is about more than ensuring compliance; it is about respecting an individual’s right to privacy. As Maxine Holt points out, cyber security protects individuals, not just their data:
“This incident is a stark reminder that cybersecurity is not just about protecting computer systems and data that we can't touch. Cybersecurity protects people. The failure to protect the PII of Afghan interpreters by the MoD has implications far beyond a compliance violation.”
Too much emphasis today is placed on isolated aspects of data loss prevention strategies. We cannot rely solely on people when human error remains the leading cause of data loss. Equally, technology is not a cybersecurity silver bullet; IT policies and procedures are good on paper but unlikely to guarantee best practice if the aforementioned areas are lacking.
We’re only as good as our tools
While email remains a powerful tool, it leaves a lot to be desired on the matter of security. Fortunately, technology is evolving to pick up where traditional email clients leave off. By automating manual tasks and alerting users in real time to potential errors, machine learning leaves no room for human error in outbound communications.
Accidentally using Cc in place of Bcc accounts for thousands of data breaches annually in the UK, and was likely the cause of the MoD data incident. That a seemingly small mistake can have such disastrous consequences is an undeniable signal for organisations to harness the power of existing technologies to intervene - not to replace humans, but to empower them in behaving as securely as possible.
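One way a pre-send check for the Cc/Bcc mistake described above could work, as an added example that is not from the original article or from any vendor's product: it holds a message when more than a threshold of external addresses sit in To or Cc, where every recipient can read them. The internal domain, the threshold and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed policy values, not taken from the article.
INTERNAL_DOMAINS = {"example.org"}
MAX_VISIBLE_EXTERNAL = 5


def visible_external_recipients(msg):
    """External addresses in To/Cc, i.e. those disclosed to every recipient."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    exposed = []
    for _name, addr in pairs:
        addr = addr.strip().lower()
        domain = addr.rpartition("@")[2]
        if addr and domain not in INTERNAL_DOMAINS and addr not in exposed:
            exposed.append(addr)
    return exposed


def check_outbound(raw_message):
    """Return ("hold", addresses) for a likely mass disclosure, else ("send", addresses)."""
    msg = message_from_string(raw_message)
    exposed = visible_external_recipients(msg)
    # Bcc is deliberately ignored: those addresses are not shown to other recipients.
    action = "hold" if len(exposed) > MAX_VISIBLE_EXTERNAL else "send"
    return action, exposed


def sample_message(field):
    """Constructed draft with eight external recipients placed in the given header."""
    rcpts = ", ".join(f"person{i}@mail{i}.example" for i in range(8))
    return (
        "From: caseworker@example.org\n"
        "To: team@example.org\n"
        f"{field}: {rcpts}\n"
        "Subject: constructed test message\n\n"
        "Body\n"
    )


if __name__ == "__main__":
    for field in ("Cc", "Bcc"):
        action, exposed = check_outbound(sample_message(field))
        print(f"{field}: {action} ({len(exposed)} external addresses visible)")
```

A held message would be returned to the sender with a prompt to move the listed addresses to Bcc or confirm the disclosure before it leaves the organisation.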
Most standard email clients still lack an effective revoke function. And, beyond informing a recipient that a message includes sensitive information, the sender cannot apply the appropriate controls to protect their communications; in the instance of a data leak, employees are unable to act accordingly. They cannot determine when a message was accessed, by whom, or take the necessary steps to control the situation - all of which are issues likely experienced by the individuals involved in the MoD leak.
Whether accessing platforms on a private network or logging into a mobile banking application, two-factor authentication is a familiar practice to most of us. The same principle applies when sharing PII via email; every precaution must be taken to ensure only authorised individuals can access messages and attachments via the most user-friendly (and familiar) methods possible.
In addition, email encryption is vital in protecting sensitive data. Encrypting the connection between the sender’s and recipient’s servers prevents unauthorised users from intercepting communications whilst in transit. And, if an unauthorised user gains access to encrypted files in a user’s email client or network, they cannot read them.
Turning best practice into standard practice
As stated by Maxine Holt, maintaining data privacy should no longer be considered ‘best practice’ - it should be standard practice.
It is not enough to demand employees ‘act securely’, utilise sub-standard technology, and complete compulsory training. Organisations are obliged to seek out security platforms robust enough to fulfil compliance, and aid their people in safeguarding digital assets.
A combination of people, technology, and policy is needed to ensure truly effective data security today.
Blaming people when technology and policy fail is a good way of turning your most valuable asset into your greatest security risk. Terms such as ‘insider threat’ and ‘weakest link’ are rife. Even ‘human error’ implies malicious intent within the workforce. In place of finger pointing, organisations must position employees as the data protectors they want to be, with the platforms they require to do so with confidence.
Last updated - 11/01/22