As always, Dan wanted to understand the reason for change. He was speaking to a prospective client about why they were engaging with us to take over the hosting of a complex and busy site. The recent supplier had gone out of business; it later transpired that this was partly due to an information security breach.
My ears pricked up.
I did a little investigation and found that the site collected personal data and had been through a rebrand: nothing technical, just changing how it looked. It had been moved to its new hosting location. It is a common process to have old and new running in tandem until everybody is ready to change the origin and launch the new site to the world.
It was launched.
Together with a database dump of all the existing personal details in a publicly accessible file. Gigabytes of personal data.
Eventually, this was found and downloaded, and this contributed to the demise of the firm. If the ICO get involved then hefty fines can be imposed, but you can't actually quantify reputational damage to yourself and your client. I was alarmed. This, in part, had happened to us. It brought the idea of a catastrophic data breach very much into scope. How had we managed to protect our client's data, our reputation, and, well, everything? ISO 27001 and 9001, of course.
I spoke with our Infrastructure Manager Dylan and Service Desk Manager Matt about our experience. During our 9001 process to onboard a new system into live service, we came across a database dump in the web directory tree.
Matt remembers, "It's not something we come across with our developers because they follow a process to prevent this and to keep track of data stores. Also, live service is my domain; any change going live comes to my team and we know what to look for." Matt continued, "However, during the onboarding process we spotted database dumps in the website folder structure. We removed the data and I spoke with you, Barry, about what we found and the possible risks." Dylan added, "Once in live service, we have controls in place to prevent live data being made available like this; if you recall, we discussed all this during the ISO 27001 and 9001 design phase." So, it could have happened. The same ingredients were there. What did we do differently?
We decided to add a step in our onboarding process to scan for this sort of occurrence. We also decided to scan all our existing systems in live service; we found one more affected system, although that system didn't hold any personal information. We now scan during the onboarding process and at frequent intervals during the contract. With access to live service restricted to only our trained professional staff, we're comfortable that our processes are robust.
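One way such a scan of a web directory tree could look, as an added example that is not code from the original post or the team's own tooling. The extension list, the dump-header signatures and the names `find_dumps` and `read_head` are assumptions chosen for illustration.

```python
import gzip
import os
import sys
import zlib

# Assumed indicators; extend for the database engines and backup tools in use.
DUMP_EXTENSIONS = (".sql", ".sql.gz", ".dump", ".bak", ".sqlite", ".sqlite3", ".db")
DUMP_HEADERS = {
    b"-- MySQL dump": "content:mysqldump",
    b"-- MariaDB dump": "content:mariadb-dump",
    b"-- PostgreSQL database dump": "content:pg_dump",
    b"SQLite format 3\x00": "content:sqlite",
}
SNIFF_BYTES = 64 * 1024  # only the head of each file is read

def read_head(path):
    """Return the first SNIFF_BYTES of a file, gunzipping if it is gzip."""
    with open(path, "rb") as fh:
        head = fh.read(SNIFF_BYTES)
    if head[:2] == b"\x1f\x8b":  # gzip magic number
        try:
            with gzip.open(path, "rb") as gz:
                return gz.read(SNIFF_BYTES)
        except (OSError, EOFError, zlib.error):
            pass  # corrupt or truncated archive: fall back to the raw bytes
    return head

def find_dumps(web_root):
    """Walk web_root; return sorted (relative_path, reason, size_bytes) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size, head = os.path.getsize(path), read_head(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            # Content match first, so a renamed dump (e.g. notes.txt) is still caught.
            reason = next((r for sig, r in DUMP_HEADERS.items() if sig in head), None)
            if reason is None and name.lower().endswith(DUMP_EXTENSIONS):
                reason = "extension"
            if reason:
                findings.append((os.path.relpath(path, web_root), reason, size))
    return sorted(findings)

if __name__ == "__main__":
    for rel, reason, size in find_dumps(sys.argv[1]):
        print(f"{size:>12}  {reason:<22}  {rel}")
```

A hit on extension alone still needs a manual look, and a dump inside an archive format other than gzip is not opened by this sketch.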
As if that wasn't enough, I personally remember being challenged by the auditors from ISOQAR about this very topic - quite a few "...what if..." questions were posed. We passed the audit and retained our ISO 27001 and 9001 certification. The process to identify, report, plan and implement is fundamental to the ISO standards, and this continually improves the management systems in place for Information Security and Quality. We spotted a potential vulnerability, the process allowed us to manage this, and we changed.
Process 1 - 0 Data Breach
If you're worried about your customer's personal data, our team are able to advise on your best options which may include a website health check.