Lock up your data
From addresses and birthdays to relationships and credit card details, huge parts of all our lives are now stored online, and we trust agencies and corporations to keep them safe. But a series of recent data leaks should have us questioning just how safe the brave new digital world really is and how security can be improved.
Recent online privacy breaches should put data security at the top of Flanders’ digital agenda
Around mid-December, news reports surfaced that the personal information of hundreds of solar panel owners in Flanders had been briefly accessible to anyone with a login and password to the website of the Flemish energy regulator, VREG.
Just before Christmas, an online data leak at the railway operator NMBS Europe exposed the names, addresses and birthdates of 700,000 international customers.
Two weeks later, the job-search website Jobat involuntarily dumped the salary details of 4,000 users online.
These were just the latest in a string of data leaks that have raised tricky questions about consumer rights, privacy and accountability in a brave new digital world that is moving increasingly quickly.
The data breaches have played an important role in alerting businesses, government agencies and consumers in Flanders to the importance of keeping personal information safe online. In a recent blog post, Ulrich Seldeslachts, CEO of the non-profit IT security industry association LSEC, which is supported by the Flemish Agency for Innovation by Science and Technology (IWT), pronounced 2013 “the year of the major data breaches and the data protection regulation”.
Data leaks are being recognised as a global, socio-economic problem, says Christian Van Heurck from the Federal Cyber Emergency Team, the government agency that helps companies and organisations improve their internet and network security. “Much, if not all, of our personal data that would before have been stored in hard copy is now being saved electronically somewhere,” he says. “And people are beginning to realise that if those data fall into the wrong hands, that can have consequences for companies’ reputations, for government administrations and for consumers.”
The agency received 3,866 reports about security incidents last year, a 48% increase from 2011. “We are seeing a growing awareness; that is very obvious,” says Van Heurck. It’s not clear whether that is because the agency has gained visibility, because cybercrime is growing or because companies are increasingly lax with sensitive data.
Tip of the iceberg
In February, an answer to a parliamentary question revealed that Flemish government agencies experienced seven data leaks in the past three years. It’s much more difficult to gauge how widespread data breaches are at privately held companies and businesses. But experts think we are only seeing the tip of the iceberg and that many companies are skimping on basic protection of online customer information.
“Companies have no legal obligation to tell us about data breaches,” says Eva Wiertz, communications officer at the federal Privacy Commission. “So they just don’t.”
Seldeslachts understands that IT security management can seem a complex and daunting task but claims that’s no excuse for companies to just not deal with it. By way of illustration, he often asks people if they sometimes leave their front door open or hand strangers their house keys. “People typically say: ‘No, no, we don’t.’ So then I ask them: ‘So why do you do that on a computer system where you store some of your most valuable assets, namely data?’”
Companies that fail to safeguard personal information risk doing harm to more than just their own reputation. The European Commission has pointed out that by damaging online consumer confidence, frequent data breaches risk slowing down online developments in general.
“Personal data is the currency of today’s digital market,” EU justice commissioner Viviane Reding said when presenting a proposal to overhaul European data regulations last year. “And like any currency, it needs stability and trust. Only if consumers can trust that their data is well protected will they continue to entrust businesses and authorities with it, buy online and accept new services.”
A study last year by the federal economy ministry revealed that 41% of all Belgians worried about disclosing personal data online. It’s not yet clear how the latest leaks have affected those levels of concern.
A watchful eye
Back in 2008, IT experts from academic institutions and professional organisations warned that the state of IT security in Belgium was worse than in some Eastern European countries. Things have improved since then, says Guy Kindermans, a veteran reporter at the trade publication Datanews. “A lot of companies have really adapted to modern times and have done their homework,” he says.
Still, experts say that Belgium lacks a comprehensive national – or regional – approach to IT security. According to Seldeslachts, businesses and corporations will never self-regulate. “If you want to make sure that companies take IT security more seriously, then you have to have somebody or something leading the way.”
The Federal Cyber Emergency Team would be the most logical partner to take up that task. But, says co-ordinator Van Heurck, constant finger-wagging and policing make no sense as an awareness-raising strategy. He doesn’t want companies to hold back from reporting cyber security incidents because they fear sanctions. “Trust, I think, is important,” he says. “Our role is to help and to prevent. So sometimes we don’t report incidents because it’s more important for us to make sure that information and understanding of such-and-such an incident can be shared with other companies.”
Xavier Damman is the Belgian CEO and co-founder of Storify, a social media storytelling platform that Time rated one the 50 best websites of 2011. Having lived and worked in San Francisco since 2009, he says that businesses in Flanders still need to wake up to the significance of technology. “They don’t recognise technology as being so primary, really, to every single aspect of every single business nowadays,” he says. “That’s really the problem.”
So how did these leaks happen? Experts say that it wasn’t a lack of expertise or knowhow. Flemish engineers have long worked at major corporations like Microsoft and HP, and a number of cutting-edge IT solutions in the fields of encryption and authentication technology have come out of Flanders in recent years. Nor were these leaks the result of hacking attempts. Instead, they sprang from human errors that weren’t caught in time because of an outdated management approach to IT.
According to Kindermans, companies ought to take a step back and determine what standards, procedures and risk assessment strategies they can introduce to safeguard their own and their customers’ data. Because data leaks can have such far-reaching consequences for a company, IT security should get commensurate attention from management, shareholders and board members.
“That awareness is completely lacking in most companies,” he says. All too often, CEOs still brush aside IT security as a problem for IT staff. Or they shell out on expensive software licences and antivirus software and think they’re set, while the truth is that there are no quick-fix solutions. “Security isn’t about software; it’s about people,” says Kindermans. “People make mistakes; people carry out procedures, and so on and so forth. And a security expert can’t go looking over every single employee’s shoulder.”
Lack of time and money
The leaks have also drawn attention to the legal dimension of online data breaches. Last Christmas, Frederic Jacobs was one of 700,000 customers whose data were exposed in the NMBS leak. A 20-year-old Brusselsborn student at the Swiss Federal Institute of Technology and a parttime software engineer, Jacobs did what most tech whiz-kids would do. He built a website.
On sncb.fredericjacobs.com, customers could verify if their own data had been compromised with a simple search query. What Jacobs didn’t realise was that, in spite of his noble intentions, he was effectively breaking the law. “It’s crazy,” he says. “The internet laws were made before I was born, which makes no sense to me.”
Belgium’s privacy law puts the burden on individuals and companies to ensure appropriate protection of personal data against misuse and theft. In the past five years, the Privacy Commission has launched a handful of inquiries into major data breaches. That’s a reflection not of the severity of the problem but of a scant budget.
“We have the legal ability to be more proactive, to go to court for inspection, to see if this or that controller complies with the rules,” says Wiertz. “But we don’t have the time or the staff or the resources to do so.”
It also appears that both companies and government agencies are waiting for pending European legislation, which is almost certain to affect the existing Belgian privacy act. Among the most notable proposed changes is the data breach notification act, which will require companies and organisations to notify affected individuals of data leaks within 24 hours.