Human error the number one problem in data privacy


Privacy Awareness Week 2014 (4-10 May) is now well underway. The week aims to highlight to businesses where the critical risks lie and how to stay protected.

The Office of the Australian Information Commissioner (OAIC) is the body behind the awareness week, and has a number of resources available to help businesses spread the privacy message throughout their networks.

Privacy laws changed significantly on 12 March 2014. The changes include a new set of Australian Privacy Principles (APPs) which set out how many private sector organisations and federal Australian Government agencies covered by the Privacy Act 1988 must handle people’s personal information.

Professor John McMillan, Australian Information Commissioner, commented that privacy is often associated with secrecy. “However, the new APPs aim to build organisational cultures that respect privacy while ensuring greater openness about the handling of personal information.”

Entities covered by the Privacy Act must now have a clearly expressed and up-to-date privacy policy explaining what they are going to do with people’s personal information. “The challenge for organisations and agencies is to develop privacy policies that allow individuals to make informed decisions about their privacy,” Prof McMillan added.

Michelle Dennedy, chief privacy officer at McAfee, part of Intel Security, is visiting Australia during Privacy Awareness Week. Dennedy, who is also the author of The Privacy Engineer’s Manifesto, says even the most comprehensive security systems have flaws – and they’re often human errors.

“We live and work in a digital, IP-connected world where privacy and security vulnerabilities cannot be completely programmed out. That being said, the best course of action is to plan for the eventuality of errors by building a privacy infrastructure that places protecting customer data at its heart,” Dennedy said.

External attacks

The retail sector in particular has seen a spike in attacks on point of sale (POS) systems as cyber criminals recognised an opportunity to exploit an area where there has been little effort to secure customer data.

“We’ve found that retailers are falling into a ‘security by obscurity’ trap – they mistakenly believe that their POS system is so customised to their particular business requirements that it would be too difficult for hackers to bypass the controls and access the system,” says Dennedy.

“In fact, most use fairly standard systems and processes and it is relatively easy for criminals to gain access to customer account and credit card details; many hackers are using fairly unsophisticated off-the-shelf malware to perpetrate a successful attack,” she says.

Coding glitches

The Heartbleed vulnerability in OpenSSL poses one of the most formidable security and privacy concerns in recent memory, given that attackers exploiting it could have eavesdropped on communications, stolen data directly from services and users, or impersonated services and users.

“What we’ve seen is a human error in the coding of the software, but as this particular technology standard is not very user- or administrator-friendly, the OpenSSL has been implemented poorly in many cases, creating an even broader problem for businesses,” says Dennedy.

“Technology developers must go further by building privacy controls into their products at their genesis, rather than attempt to bolt it on to technology as an expensive afterthought with risk-liability implications,” she says.

Internal risks

Cyber risks are not only external to the business. A key threat to data security comes from employees, suppliers and third parties who either maliciously or accidentally misuse sensitive customer data, or who have an inappropriate level of access to it.

“What we are aiming for is privacy by design, where businesses think about what their customers would expect from them and use that as a starting point for building a privacy framework. We call this ‘privacy engineering’ where customer privacy protection practices are embedded into every aspect of the business and at every level of employee, and that means all staff – current and past.”