It takes more than just software and hardware protections to keep personal data secure. As with any cybersecurity measure, the best protection is an informed and educated workforce that knows exactly what pitfalls to look out for.
Sprint Education, a marketing firm for the education sector, provides an excellent example with their most recent slip-up. Though the fallout from this error is unlikely to be drastic, it does demonstrate how easy it is to overlook common security practices. It’s also memorable for its somewhat ironic circumstances.
Sprint recently sent a mass mailing to members of its mailing list, made up mostly of teachers and education sector workers, asking them to update their communications preferences in line with GDPR.
Unfortunately, one eagle-eyed recipient noticed that the email directed them to a URL made up of a long string of numbers, and by editing the string they discovered they could access the company’s entire mailing list. That’s probably not the GDPR preference the recipients had in mind.
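The kind of flaw described above, where editing a number in a link exposes other people's data, is what a signed link is designed to stop. The sketch below is an added example, not Sprint Education's code: it assumes the numbers in the URL identified a record, and the recipient IDs, records, key and function names are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data: hypothetical recipient records keyed by numeric ID.
RECORDS = {
    1001: {"email": "teacher.a@example.org", "newsletter": True},
    1002: {"email": "teacher.b@example.org", "newsletter": False},
}
LINK_KEY = secrets.token_bytes(32)  # server-side secret, never sent to recipients


def lookup_weak(url_value: str) -> Optional[dict]:
    """Weak pattern: the number in the URL is the only thing checked."""
    if not (url_value.isascii() and url_value.isdigit()):
        return None
    return RECORDS.get(int(url_value))


def _tag(recipient_id: str, key: bytes) -> str:
    mac = hmac.new(key, recipient_id.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def make_token(recipient_id: int, key: bytes = LINK_KEY) -> str:
    """Build the URL value: the ID plus an HMAC that binds the link to it."""
    rid = str(recipient_id)
    return f"{rid}.{_tag(rid, key)}"


def verify_token(token: str, key: bytes = LINK_KEY) -> Optional[int]:
    """Return the recipient ID only if the tag matches; otherwise None."""
    rid, sep, tag = token.partition(".")
    if not sep or not (rid.isascii() and rid.isdigit()):
        return None
    if not hmac.compare_digest(tag.encode(), _tag(rid, key).encode()):
        return None
    return int(rid)


def lookup_signed(token: str) -> Optional[dict]:
    """Hardened pattern: an edited ID no longer matches its tag."""
    rid = verify_token(token)
    return RECORDS.get(rid) if rid is not None else None
```

A signed link only stops tampering with the identifier; the page it opens still has to return that one recipient's record and nothing else.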
In a response to The Register, Guy Lewis of Sprint Education’s Board of Directors claimed that fewer than 250 of the intended recipients will have received the email, and that the send was halted as soon as the mistake was noticed. Tech lawyer Neil Brown, also responding to The Register, praised the company’s response to the incident, noting that they had informed those affected using simple English and that the data protection procedures were adequate, as much of the data was already available in the public domain. Nonetheless, Neil hasn’t ruled out the possibility of a breach of Article 32 of the GDPR, so while this simple mistake is unlikely to have grave consequences, the same couldn’t be said if the data had been something more sensitive.
This incident demonstrates that some breaches can’t be prevented with technology alone; true GDPR security requires training and vigilance wherever any data is handled.
As you can see, it isn’t just hacks or intrusions that count as a data breach, but anything that compromises data or takes away your access to it.