In mid-October 2016, King's College London (KCL) suffered a catastrophic data outage. It was so severe that it lasted almost four weeks and affected almost all systems run from the university's Strand data centre.
Users across all of KCL's campuses felt the effect of a failed "routine" systems upgrade, which corrupted the storage underpinning virtual environments that hosted, among other things, telephony, the website and payroll. KCL was quick to share updates on the recovery process, stating that it would work with suppliers around the clock until the issue was resolved; its priorities for restoring data were the timetabling systems, SITS (student records) and the finance systems.
Two weeks into the outage, the KCL IT services team posted updates warning that it might not be fully resolved for a further two weeks. They also confirmed that they had begun restoring some disks from incremental backups taken two days before the outage.
KCL, who have a comprehensive guide to backup and data strategy on their website, are yet to release the results of any independent audit that has since taken place, although this could be ongoing.
Ironically, this is not the first time King's has had to deal with the fallout of a data incident. The university was subject to an undertaking from the Information Commissioner's Office (ICO) in 2015 following a data breach involving personal information held on a student database.
Following the outage, it has been claimed that KCL told staff not to take independent backups or copies of their work. Given that individual staff members who had been doing this beforehand may have been able to return to operational capacity more quickly, it could be seen as a strange decision. However, KCL is likely taking a very stringent look at its data security processes and at any possible route to data loss at this point. Ad-hoc, unencrypted copies of data that sit outside the managed backup process are themselves a risk: they can be lost or stolen, and if they are lost, they cause a further breach rather than preventing one.
The Information Commissioner's Office is the data protection regulator in the UK and is responsible for ensuring that organisations adhere to the Data Protection Act 1998 (DPA).
Data loss falls under the DPA, and the ICO is well known for publicly naming and shaming companies that break the law, publishing the enforcement action it has taken, including any fines issued, as in the recent case of Royal & Sun Alliance Insurance.
In 2017 alone the ICO has issued fines totalling more than £500,000, the smallest of which was £20,000.
HCA International is a private hospital company in the UK and although they can boast an impressive record of pioneering specialist treatments, they have recently had to deal with the after effects of a data breach.
Following an investigation into the organisation's data practices dating back as far as 2009, the ICO found that HCA had seriously contravened the seventh data protection principle of the DPA, which requires appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction of or damage to personal data. HCA, as the data controller, had for years made audio recordings of consultations in which patients discussed confidential details with doctors and consultants.
It then used an external organisation, the data processor, to transcribe the sensitive information in these recordings. The transcribed data was stored on insecure storage infrastructure, and HCA had not taken steps to ensure that it would not be unlawfully processed, accidentally lost, destroyed or damaged.
HCA International was fined a total of £200,000 by the Information Commissioner's Office for the contravention.
This case highlights the need for organisations to understand fully which services they are using and which companies provide them. Beyond that, it is important to investigate the processes those companies follow to protect data, and to establish which organisation would be liable if there were a breach. Note that in this case the fine fell on the data controller, not the processor that held the data insecurely.
Paragraph 11 of Part II of Schedule 1 to the DPA states that "Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle – (a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and (b) take reasonable steps to ensure compliance with those measures".
Making sure external organisations are compliant may seem a daunting task, especially if you don't know where to start. A good starting point is to gain a fuller understanding of the services being offered and of how and where they are delivered from. Questions to answer when choosing external providers could include: