How the JD Wetherspoon breach could have been prevented
Pat Clawson, CEO at Blancco Technology Group looks at the potential causes of the JD Wetherspoon breach and the measures that could have been taken to prevent it.
How could this have been prevented? Is there any valid reason for this database not to have been securely erased when JD Wetherspoon moved to a new provider?
One thing that’s interesting about this data breach is that the leaked information was housed on a database related to an old version of JD Wetherspoon’s website that’s since been replaced. When a company decides to replace old websites and launch ones, it’s not a decision that’s made quickly and months of planning go into it. So when that decision was made, JD Wetherspoon should have also created a plan to remove all data completely and permanently from the old database. This would have required identifying a technology solution that could do this, as well as establishing clear processes, documentation and training/communications to all internal departments.
Who do you think is most responsible for this breach? Is it the third party who failed to protect/destroy this sensitive data or JD Wetherspoon for failing to ensure their supplier took the appropriate actions?
Whenever something goes wrong, people often get lost on focusing on the wrong things – pointing fingers, placing blame and evading responsibility. It’s not about saying one party is 100% to blame. When JD Wetherspoon chose to sign a contract with an third-party vendor to host its (old) website, it immediately took on the responsibility for managing that relationship and doing due diligence on the vendor’s systems and processes being used to house its website. To blame the vendor for the delay in discovering the breach is just irresponsible and it points to a major weakness in how JD Wetherspoon’s internal IT and technology teams managed the relationship with the vendor.
There’s no justifiable reason for JD Wetherspoon to not have taken these precautionary data security measures. But it’s also a very common and frequent oversight made by many companies. Even though things like ‘breach notification’ are being pushed heavily with new legislation like the General Data Protection Regulation that’s close to being finalized in Europe, the true definition of secure data removal – or data erasure – just isn’t known enough or discussed enough. And a lot of the times, companies mistakenly presume ‘deleting’ data is the same thing as ‘erasing’ data. But it’s not and that’s where you see companies like JD Wetherspoon and Ashley Madison getting into serious trouble.
But that doesn’t mean the third-party vendor who accepted the contractual responsibility and fees to host JD Wetherspoon’s old website isn’t responsible either. The vendor should have been forthcoming and transparent in giving JD Wetherspoon’s IT teams access to view their internal data security processes, data removal methods, tools and technology implemented, documentation and most importantly, communication that the breach had occurred at the time that it did, not months later after the fact.
Does this point to a wider issue within data lifecycle management and what happens to information that no longer needs to be stored?
The breach itself and the tone of JD Wetherspoon’s response point to a wider issue. All too often, companies think about data security in terms of physical assets and devices. Instead, organizations need to plan for the entire data lifecycle – from creation to storage to finally, secure and permanent removal. Here’s why.
There are a lot of different deletion methodologies that exist. The approach you choose depends on your risk tolerance, security posture, your policies and the specific types of data being stored. And one of the biggest lessons from last year’s data breach at Sony is that there’s really no such thing as ‘unimportant’ data. Although most data protection laws and regulations are focused on protecting customer and employee data (and possibly financial data if you’re a public organization), and most organizations are extremely sensitive and vigilant about protecting their intellectual property (from product designs and manufacturing processes to customer lists and go-to-market strategies), few think about the skads of supposedly mundane data contained in everyday emails or employee spreadsheets. But even seemingly unimportant data could cause serious damage to the customers in question and to the companies who failed to stop the breach from occurring.