Australia’s biggest data leak wasn’t a clever hack or the result of a system failure. It occurred because someone who should have known better fumbled, missed an important detail, and had no processes in place to check for errors.
This is not something that should happen at an organisation like the Red Cross Blood Service, which is responsible for taking care of very sensitive, personally identifiable data.
The ramifications of the spill of donor data range from identity theft to possible blackmail. Worse still, people could be dissuaded from donating blood if they fear their details won’t be kept safe.
There was a serious lack of judgment at Precedent, the digital agency that built the blood service’s website, and a serious lack of oversight at the Red Cross Blood Service itself.
Leaving sensitive data on a publicly exposed web server is as bad as it gets when it comes to security fumbles.
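One practical check against exactly this kind of fumble is an audit, run before every deployment, of the directory the web server actually serves. The script below is an added example written for this article, not code from Precedent or the Red Cross Blood Service: it walks a document root and reports any file whose name looks like a database dump, backup, archive or secrets file, since anything under that directory is reachable by anyone who guesses the URL. The file-name patterns and the sample web root are assumptions constructed for the demonstration.

```python
"""Audit a web document root for files that should never be publicly reachable.

Added example for this article, not the blood service's or Precedent's code.
The name patterns below are assumptions about the kinds of leftover artefacts
(database exports, backups, archives, environment files) that commonly end up
in a served directory by accident.
"""
import os
import re
import tempfile

# Assumed patterns: anything matching these has no business in a served tree.
SENSITIVE_PATTERNS = [
    # Database exports, backups and archives by extension.
    re.compile(r"\.(sql|sql\.gz|dump|bak|old|orig|tar|tar\.gz|tgz|gz|zip|7z)$", re.I),
    # Environment / secrets files such as .env or .env.production.
    re.compile(r"^\.env($|\.)", re.I),
    # Files explicitly named as backups or dumps, e.g. backup-2016.csv.
    re.compile(r"^(backup|dump|database)[-_.]", re.I),
]


def is_sensitive_name(filename):
    """Return True if the bare file name matches any sensitive pattern."""
    return any(p.search(filename) for p in SENSITIVE_PATTERNS)


def audit_webroot(webroot):
    """Walk the served directory and return sorted relative paths of findings.

    The web server serves everything under `webroot`, so a match here means
    the file is already one URL away from being public.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for name in filenames:
            if is_sensitive_name(name):
                full = os.path.join(dirpath, name)
                findings.append(os.path.relpath(full, webroot).replace(os.sep, "/"))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed sample document root in a temp directory.

    It mixes ordinary site files with three files that should never be
    served: a database export, a site archive and an environment file.
    """
    root = tempfile.mkdtemp(prefix="webroot_")
    layout = {
        "index.html": "<html><body>Donate blood</body></html>",
        "README.txt": "site notes",
        "assets/site.css": "body { margin: 0 }",
        "assets/logo.png": "not really a png",
        "uploads/donors_backup.sql": "INSERT INTO donors VALUES (...);",  # constructed
        "uploads/site-2016-09.tar.gz": "archive bytes",                    # constructed
        ".env": "DB_PASSWORD=example-placeholder",                          # constructed
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for hit in audit_webroot(sample):
        print("publicly reachable sensitive file:", hit)
    # A deployment pipeline would fail the build if the list is non-empty.
```

Wired into a deployment pipeline, a non-empty result should fail the build rather than print a warning; the point is that the check runs every time, not that someone remembers to look.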
It should go without saying that if you’re using contractors to develop sites and services, it’s imperative that you conduct due diligence to explore the security capabilities and processes they have in place to mitigate risk and human errors.
It’s better to take one step too many than miss a small detail that could lead to a catastrophe.
And there’s little excuse for cases like Precedent and the blood service given the plethora of advice documents provided by government agencies, intelligence bodies and the infosec industry on best practices for securing websites and the information stored within.
Yet these are ignored, not understood, or both.
It’s clear a change in mindset is urgently needed. But how do you drum in the message that people’s sensitive data is not to be taken for granted?
Sites that need to retain data - and don’t forget one of the best security measures against data breaches is to delete information once you no longer need it - should be required to prove they are competent when it comes to security before they are allowed to ask users for sensitive details.
This is where the current Australian data breach notification bill falls short. Penalties for operators that try to hide data breaches are great, but to further drive the point home there should also be a financial clout around the ears for incompetence.
Other industries such as automotive, aviation, food and toys are expected to be competent producers of safe goods and services. When they mess up, the official hammer comes down hard. There’s no reason IT should be any different.
How else will operators be encouraged to actually take proper steps to avoid data breaches, rather than just saying sorry when they happen?
Data like that contained in the Red Cross Blood Service leak - which, thankfully, as far as we know has spread no further than the source who discovered it - has the potential to devastate should it fall into the wrong hands.
It’s time for custodians of data to take their responsibilities seriously and stop playing around with people’s lives.