In January of this year, shoe retailer Office was required by the Information Commissioner's Office (ICO), the UK data protection regulator, to sign a formal undertaking to improve its data protection compliance after a member of the public hacked into an Office legacy server. The incident highlights the need for organisations, such as franchisors, to have in place appropriate security measures for all systems holding personal data (whether such systems are live or not), the risks posed by retaining personal data for longer than is needed and the continued threat of unauthorised attacks by outsiders.
An individual managed to access an unencrypted historic Office database on a server that was due to be decommissioned. Office has explained that there were several technical measures in place to minimise the risk of such an attack, but the hacker managed to bypass these, undetected, to gain potential access to the personal data of over a million Office customers, including contact details and website passwords. Financial information, however, was not compromised. The ICO noted that there is no evidence to suggest that the information accessed has been further disclosed or otherwise used.
The Office incident highlights two important areas of data protection compliance for franchisors holding large amounts of personal data: firstly, ensuring that appropriate security measures are in place to protect personal data against unauthorised access across all systems and servers; and secondly, ensuring that personal data is not kept for longer than is necessary.
To resolve the issues with Office's data protection compliance in these two areas in particular, the Chief Executive of Office Holdings Ltd signed an undertaking that the company will:
- subject all of its websites and servers to regular penetration testing;
- implement its new data protection policy documents within three months (including a retention and disposal policy for customer data, the requirements of which should be monitored on an ongoing basis);
- give formal data protection training to staff, including refresher training; and
- implement such other security measures as are appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage, and to ensure that any such information is only retained for as long as necessary in relation to the purposes of the processing.
The ICO has stated that "all data is vulnerable even when in the process of being deleted, and Office should have had stringent measures in place regardless of the server or system used".
This echoes points raised in the ICO's security report published a few weeks before the Office security breach (entitled "Protecting personal data in online services: learning from the mistakes"). The report listed the eight most common IT security failings which have been responsible for data breaches in an online context, and one of the vulnerabilities listed was poor decommissioning of systems, software and services. The ICO has said that the biggest danger with inadequate decommissioning is that because the organisation believes the service has been shut down, it becomes less likely that they will notice or manage the remaining risk.
On the question of what security measures Office should have taken in relation to the legacy server, the ICO specifically calls out penetration testing. Office's hacked legacy system had been the subject of one penetration test, but the results were never finalised or recorded because the system was in the process of being decommissioned. The lack of penetration testing has also been raised as an issue in other, more serious security breaches. In July 2014, Think W3 Limited, an online travel services company, was fined £150,000 by the ICO after a SQL injection attack on its website enabled a hacker to obtain 1.1 million customer credit and debit card records as well as other customer personal data. In addition to the insecure coding of the website, the ICO called attention to the failure to implement vulnerability and penetration tests.
Unnecessary retention of personal data
Office's hacked legacy server held historic customer data that was no longer required and some of the data may have been inaccurate. In relation to Office specifically, the ICO has stated that "the need and purpose for retaining personal data should…be assessed regularly, to ensure the information is not being kept for longer than required".
It is good practice for franchisors to review regularly the personal data they hold and to delete anything no longer required. Where information does not need to be accessed regularly but still needs to be retained, it should be securely archived or taken offline. Regular reviews and deletions of unnecessary data help minimise the impact of a security breach - the less personal data a franchisor holds, the less personal data there is at risk of being accessed by an unauthorised party.
Unauthorised attacks by outsiders - a continuing concern
Finally, the Office security breach serves as a reminder to franchisors that unauthorised attacks by outsiders should continue to be a concern, particularly as the Department for Business, Innovation & Skills' most recent Information Security Breaches Survey found that the proportion of large organisations successfully hacked in 2014 continued to rise, with 24% of large organisations reporting penetration of their networks (up by 4% from 2013).