
Do organisations with poor data protection lack respect for their customers or employees?

Do organisations which enable their customer or employee data to be accessed by unauthorised parties disrespect their customers or employees? I would argue that they do, whether the cause is poor practice, lack of training, ineffective data (or online) security or they just don’t give a damn. Indeed, you could forgive the affected customers or employees for thinking that even if it's one of the first three, the last is the case.

Customers trust you to look after them, not only through the quality of the products and service you provide, but also behind the scenes. I’d say that not revealing or leaking (or whatever you want to call it) their financial or personal details to anybody else figures very strongly in that trust.

The same goes for employees. If anybody came to work in your business in the knowledge that their date of birth, National Insurance number, salary and who knows what other information wasn’t safe, it’s doubtful that they’d decide to work for you. Do you issue employee handbooks and employment contracts that stipulate that your workforce can’t reveal details of your business to others, either inside or outside of the business? And in turn, do you undertake to keep their personal information safe?

Maybe you should.

I’d like to mention a couple of recent data hacks to illustrate the different consequences of poor data protection, caused by different circumstances.

In November, Sony Pictures Entertainment suffered what many are calling the highest-profile hack of all time. Highly confidential employee data including records of salaries and bonuses, dates of birth, social security numbers, performance reviews, criminal background checks, termination records and details of medical conditions were all stolen and posted on the internet for all to see. Confidential emails – including some highly sensitive ones from Hollywood stars – and film scripts were also leaked.

Apparently, much of the data was stored in unencrypted, plainly labelled Excel and Word files, enabling anyone scanning them to guess the contents. Some files were password-protected, but these were usually accompanied by a folder containing the passwords.

So what did they expect?

Closer to home, I see that footwear retailer Office has been rapped over the knuckles by the Information Commissioner’s Office after the personal data of over a million of its customers was left exposed last year. A hacker gained the ability to access contact details and website passwords (but not card details) because they were held in an unencrypted database, due for decommissioning, stored on a legacy server outside the core infrastructure of the current website. Only one penetration test had been completed on the old system, but the results hadn’t been concluded or recorded because of the impending decommissioning.

Another case of poor practice.

Incidentally we do offer advice on both software decommissioning and unnecessary services on the Get Safe Online site.

And, of course, the Office hack highlights the time-worn advice that, if followed by internet users everywhere, would save so much fraud, ID theft and general grief. Don’t use the same login details on more than one website, because if cybercriminals get their hands on them from one hack, they’ll be able to use them on all your other accounts. Check out our passwords page for more info.
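The Office case turned on website passwords sitting in a database in a form an intruder could read directly. The following is an added example, not code from this article or from Get Safe Online, showing the weak design (a table that stores passwords verbatim) beside the hardened one (a table that stores only salted, stretched PBKDF2 digests, so a copy of the table does not hand over the passwords themselves). The user names and passwords are constructed sample values, and the iteration count is an assumed work factor rather than a figure from the article.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed work factor (the article gives none); raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per user means two users (or the same user on two
    sites) holding the same password end up with different records, so one
    stolen record cannot simply be matched against another table."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time, so a login check never needs the plaintext."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_plaintext_table(credentials: Dict[str, str]) -> Dict[str, str]:
    """The weak design: the table holds exactly what an intruder wants."""
    return dict(credentials)


def build_hashed_table(credentials: Dict[str, str]) -> Dict[str, str]:
    """The hardened design: the table holds only salted, stretched digests."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


def passwords_exposed(table: Dict[str, str], credentials: Dict[str, str]) -> int:
    """Count how many real passwords someone reading the table sees directly."""
    return sum(1 for user, pw in credentials.items() if table.get(user) == pw)


# Constructed sample data standing in for a customer database.
SAMPLE_CREDENTIALS = {
    "alice@example.invalid": "Tr0ub4dor&3",
    "bob@example.invalid": "correct horse battery staple",
    "carol@example.invalid": "Tr0ub4dor&3",  # same password as alice
}

if __name__ == "__main__":
    weak = build_plaintext_table(SAMPLE_CREDENTIALS)
    strong = build_hashed_table(SAMPLE_CREDENTIALS)
    print("plaintext table exposes", passwords_exposed(weak, SAMPLE_CREDENTIALS), "passwords")
    print("hashed table exposes", passwords_exposed(strong, SAMPLE_CREDENTIALS), "passwords")
    print("alice and carol share a password but their records differ:",
          strong["alice@example.invalid"] != strong["carol@example.invalid"])
    print("login still works:",
          verify_password("Tr0ub4dor&3", strong["alice@example.invalid"]))
```

Hashing does not make a leaked table harmless: a determined attacker can still run guesses against each record, which is why the article’s advice to use a different password on every site still applies. It does mean that the database itself no longer contains the customers’ passwords in a form that can be read off and reused immediately.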
