In mid-October 2016, King's College London (KCL) suffered a catastrophic data outage. The outage was so severe that it lasted almost 4 weeks and affected almost all systems being run from their Strand data centre.
Users across all of KCL's campuses felt the effect of a "routine" systems upgrade failure, which corrupted the storage systems running virtual environments, including telephony, website and payroll systems. KCL were quick to share updates regarding the recovery process, stating that they would work with suppliers 24/7 until the issue was resolved; their main priorities for restoring data were the timetabling systems, SITS (student records) and the finance systems.
Two weeks into the outage, the KCL IT services team posted updates warning that the outage might not be fully resolved for a further two weeks. They also confirmed that they had begun to restore some disks from incremental backups taken two days prior to the outage.
The fallout
KCL, who have a comprehensive guide to backup and data strategy on their website, are yet to release the results of any independent audit that has since taken place, although this could be ongoing.
Ironically, this is not the first time that King's has had to deal with the fallout of a data breach. They were subject to an undertaking by the Information Commissioner's Office (ICO) in 2015, for a data breach involving personal information on a student database.
Following the incident, it has been claimed that KCL have told staff not to take independent backups or copies of work. Given that individual staff members may have been able to get back to operational capacity more quickly had they been doing this beforehand, it could be seen as a strange decision. However, KCL are likely taking a very stringent look at data security processes and any possible routes to data loss at this point in time: improper, unencrypted backups could increase the risk of data loss or further breaches.
The Information Commissioner's Office is the data regulatory body in the UK and is responsible for ensuring that organisations in the UK adhere to the Data Protection Act (DPA).
Data loss falls under the DPA, and the ICO are well known for publicly naming and shaming companies that break these laws, publishing the actions they have taken, including any fines issued, such as in the recent case of Royal & Sun Alliance Insurance.
In 2017 alone the ICO has issued fines totalling more than £500,000, the smallest of these being for £20,000.
Private health organisation fined
HCA International is a private hospital company in the UK and, although they can boast an impressive record of pioneering specialist treatments, they have recently had to deal with the after-effects of a data breach.
Following an investigation into the organisation's data practices going back as far as 2009, it was deemed that HCA were seriously contravening the seventh data protection principle under the DPA. HCA (the data controller) had, for years, used audio recordings to gather confidential details of patients and their meetings with doctors and consultants.
They then used an external organisation (the data processor) to transcribe the sensitive information within these audio clips. The data, however, was then stored on insecure storage infrastructure, and HCA had not taken steps to ensure that the data would not be unlawfully processed, accidentally lost, destroyed or damaged.
HCA International were fined a total of £200,000 by the Information Commissioner's Office for the offence.
This case highlights the need for organisations to understand fully what services they are using and the companies that provide them. Further to this, it is important to investigate fully the processes companies take around the protection of data and which organisation could be liable if there is a breach.
- Data controller – A person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data is to be processed.
- Data processor – Any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Paragraph 11 of Part II of Schedule 1 to the DPA states that "Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle – (a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and (b) take reasonable steps to ensure compliance with those measures."
How can I check that an external organisation is compliant?
Making sure external organisations are compliant may seem a daunting task, especially if you don’t know where to start. A good starting point is to gain a further understanding of the services being offered and how and where they are delivered from. Questions to answer when choosing external providers could include:
- Where do they store data?
- Will my data leave the country?
- What data am I sharing with them?
- What level of access do they have to my data?
- Who will have permission to access it?
- Is it a reputable organisation and do they have references?
- Are they ISO 27001 certified for information security?
- Who has access to their data centre locations?