The Information Commissioner’s Office (ICO) has published a security report, “Protecting personal data in online services: learning from the mistakes of others”, providing best practice on how to avoid eight common IT security vulnerabilities that most frequently lead to data security breaches. The flaws include poor password storage, poorly designed networks in inappropriate locations, a lack of protection from structured query language (SQL) injection, poor decommissioning of old software and failing to update software. The report makes a number of recommendations including hashing and salting passwords, creating a well-designed security architecture, being aware of all of the components of a service to ensure that they are fully decommissioned and implementing a software updates policy.
Updating software has become even more urgent since Microsoft stopped supporting its Windows XP operating system and since the Heartbleed security flaw was uncovered. The ICO says that all organisations should have a basic understanding of these types of threats and that, while the report is aimed at data protection officers and senior managers, IT security professionals may also find it of use.
Anyone who processes personal information must comply with eight principles of the Data Protection Act. The seventh data protection principle imposes data security obligations on organisations and the ICO can issue fines of up to £500,000 for serious breaches of the Data Protection Act.
Recent fines include the £200,000 penalty issued to the British Pregnancy Advice Service after the details of service users were compromised due to the insecure collection and storage of the information on its website. They also include the £250,000 fine issued to Sony Computer Entertainment Europe after the company failed to keep its software up to date, leading to the details of millions of customers being compromised during a targeted attack on the Sony PlayStation Network Platform.