NUI Galway Data Breach – Lessons learned?

nui galway data breachThe NUI Galway data breach that was revealed this week is concerning. Particularly the initial reports about the breach, which weren’t very clear. If you hadn’t already heard, a USB memory stick was mislaid. This memory stick may have had personal data on 5% of the student population. This 5% of an 18,000 student population gives us approximately 900 individuals being impacted by this breach. That personal data may have included exam results, as reported by the Irish Independent.

While the University is unclear on the contents of the portable device, it may have held a file containing names of approximately 5% of the student body, their student number and exam results.

It’s the uncertainty that is most worrying to me. Also their claim that they have strict policies in place relating to portable devices is a bit disingenuous. I’ve been through the policies and also looked at their data protection section and found some conflicting direction with regard to data handling and USB memory sticks.

The Data Handling Policy states the following about “NUI Galway Highly Restricted” data:

Storage of this data outside of the source system, for example on a laptop or memory stick; must be approved by the data owner. Where data is held outside the source system it must be encrypted.

That seems quite sensible, as approval would mean that somebody would know exactly what data is on there and it would then be encrypted. However their Encryption policy, has something else to say on USB memory sticks:

Portable storage capability such as DVD’s, CD’s and USB flash drives should not be utilised for classified data storage or transfer, even in an encrypted format.

So the handling policy says it’s fine, but the encryption policy says no. It’s obvious that the data handling policy wasn’t followed with this data breach.

I thought it interesting that they have plenty on their site for how to use USB memory sticks and the protections they have in place.

ISS have disabled Autorun on the all computers in the PC Suites as a precautionary measure to prevent the spread of viruses.  When autorun is disabled, a USB memory stick or software on a CD or DVD will no longer automatically start when inserted.

So that’s great … lots of protection there … or maybe not. What if the USB device impersonated a keyboard? It could inject keystrokes that open up a command line, execute a command to download dodgy software and execute it. I’m not making this up. The USB stick could also fry the electronics on your computer. Again this is something that happens.

These USB memory sticks are such a problem from a data breach perspective that I always recommend companies and organisations to either block them completely or put in place a solution that automatically encrypts all data on them. My friend and colleague Philipa Jane Farley has a somewhat more, “robust” view on how they should be handled ?.

I did dedicate an entire commandment to USB memory sticks. So you can get my deeply held views in there.

The NUI Galway data breach was an embarrassment for the University. I don’t think the exam results could be classified as sensitive personal data (special category). But I’m sure students wouldn’t like these been released publicly. As long as the powers that be learn a lesson from this sorry situation and implement more rigorous technical solutions, then it will hopefully prevent future, larger and more sanction-worthy breaches.

Lets be careful out there.

#SecuritySimplified #GDPR #SimpleGDPR