The Story of Why – Root Cause Analysis in Information Quality & Data Protection
A leading Irish newspaper markets itself with the tagline “The Story of Why”. In many respects this highlights a similarity between plucky investigative journalism and dogged application of Quality Management principles. A classic quality management technique is the “5 Whys” method for Root Cause analysis – look at the symptom and then ask why 5 times (or more) until you drill down to the candidate root causes that need to be addressed. When, for example, you are presented with a river of dead fish you would ask “Why” and gather evidence where possible to support the answers that support or reject your “Why” hypotheses. Why do we have dead fish? –> because of toxins in the water –> why do we have toxins in the water? –> because of a chemical plant up river — why would the chemical plant release toxins? —
A company based in Ireland called LoyaltyBuild recently had a data security breach which resulted in the personal data and credit card information for over a million EU citizens snaffled by nefarious elements who are suspected to be based in Eastern Europe. When presented with the Data Protection equivalent of a fishkill in a river, the Irish media largely opted to start exploring the sensationalist aspects of this story: the “sophisticated external threat”, the unidentified boogeyman of hackers, and to give air to the downplaying of the threat of credit card fraud. “Most of those cards will have expired and unauthorised use will be refunded to the customer” was the paraphrased refrain from the Irish Payment Standards Organisation, which is less reassuring than one might think given that the entirety of data obtained goes beyond just credit cards and the costs to banks and retailers of unauthorised use of credit cards inevitably finds its way to consumers through higher prices or bank charges.
But the “Story of Why” behind this breach is not about the malicious attack and the unauthorised access. Looking back up river from the data fish kill that is the breach, we need to ask Why a few more times.
1. Why were the attackers able to get so much personal data?
The answer to this one is easy: It was there. It was retained on the databases of LoyaltyBuild after the transaction had been processed for the discounted holiday.
2. Why was there so much old data taken?
Again, the answer to this is because it was there. It appears LoyaltyBuild was retaining data from campaigns going back a number of years. There appears to have been no “housekeeping” done on data that there was no purpose for LoyaltyBuild to retain. Whether there was a purpose or not may hinge on the terms of the individual agreements with each of the brands on whose behalf LoyaltyBuild was acting. However retaining credit card details used for transactions would be, at best, questionable.
3 Why was there no data housekeeping done?
At this point we can’t answer specifically for LoyaltyBuild. But in general there are four main reasons:
- No one decided to make sure that it was done
- No one realised it neeeded to be done
- Someone decided not to do it
- Someone thought someone else was doing it
- Nobody asked for it to be done
Data Housekeeping comes at a cost. There is a loss of perceived value of the information asset (it is smaller, but if you are a Data Processor it’s not yours), you need to pay to have the deletion processes built, and it goes against our psychological nature as hoarders. But it is basically good data Feng Shui.
If no one decided to make sure it was done (and I’m not saying who that should have been) then there was a failure of controls and governance which is as much a contributor to the breach as the external attack. If no one realised it needed to be done then there was a failure to meet minimum standards under the Data Protection Acts (which actually require training) which is as much a contributor to the breach as the external attack.
More pointedly: If someone decided not to do it or thought someone else was doing it there is a clear breakdown in management control and governance of the data, which in itself could constitute a breach of the Data Protection Acts.
Finally, if nobody asked for it to be done it would suggest that the Brand owners who contracted with LoyaltyBuild missed the point about outsourcing data processing activities: you can’t outsource your responsibilities as a Data Controller and one of those is to ensure that data is not retained for any longer than is necessary for your purposes.
4 Why was the obligations Data Protection Acts ignored?
This we cannot answer. However lack of awareness, lack of understanding, lack of management commitment, and a lack of effective audit, control, and enforcement by internal auditors or external Regulators, coupled with low penalties that make minor breaches of the legislation part of the “cost of doing business” would all be factors based on my experience in other organisations
Military strategy and security has the concept of “Defence in Depth”. Look at any medieval castle and you will see layers of defence protecting the castle’s valuables. One of the layers of defence for personal data and financial data is to make sure you don’t have it in the first place for any longer than you need to have it. And another layer of defence in society is ensuring that every person building a castle knows what the minimum standards for castle building needs to be and that those standards are complied with.
That is the chemical plant that sits up stream from the LoyaltyBuild data breach fish kill.