Data breaches: when Office attacks
It was a hectic Friday in the office. A few people were away, so it fell to Ed to finish off some tasks relating to the new product launch. The Chief Exec wanted a summary for that afternoon’s Board Meeting, there was some impressive customer feedback to send to a retail chain thinking of stocking it and a trade magazine had requested some product photos. On top of all that, there was the outcome of a disciplinary hearing to send to the Director of HR.
So, Ed finished off the draft summary that Dave had written in Word and emailed it to the Chief Exec. He found the customer feedback Excel spreadsheet and – having had a look to make sure there was no personal information on it – emailed it to the retailer. He found the PowerPoint file used in the internal presentation about the product and forwarded it to the magazine, telling them to use the images in it. And, finally, he found the Word document from the head of the Disciplinary Panel and sent it to Samira in HR.
Job done! He went home at 5pm feeling achieved.
On Monday morning, Ed walked into a war zone. Dave was clearing his desk; Sales were panicking because the retailer was having second thoughts (something about data protection standards); the legal team was dealing with a complaint about a breach of privacy and apparently the Chief Information Officer was having an awkward phone conversation with the Information Commissioner’s Office.
Then Ed got called into his manager’s office. For a chat that was very much without biscuits.
Yes, all those problems were down to Ed, to some extent. What did he do wrong?
Well, in turn:
The setting he was using to edit the Word summary for the Chief Exec meant he didn’t spot Dave’s comment that read “Better keep this to words of one syllable or the idiot won’t understand any of it” (OK, Dave must share the blame for that one…).
Ed’s quick visual check of the customer feedback spreadsheet wasn’t enough to spot a slew of hidden data – some of which was personal.
The photos in the PowerPoint file LOOKED ok, but if Ed had known how to check, he would have discovered that they had not been cropped properly – the images of identifiable people who had not given their consent to be photographed were still there, hidden.
The disciplinary hearing document was sent to the wrong Samira – unfortunately, one that took delight in blowing the whistle on this error. Even with the wrong email address, this could have been avoided if the document had been encrypted – but it wasn’t.
In his defence, Ed could argue that all these errors were down to features of the Microsoft Office suite that he didn’t know about. But it’s a pretty flimsy defence.
Microsoft Office isn’t full of deliberate data privacy traps – the litany of problems above was caused by features that, used correctly, can be very useful. You wouldn’t want to be without them.
However, if you don’t understand them, don’t approach applications like Excel or Outlook from a data protection viewpoint and don’t know how to check for hidden dangers, there’s a real risk that these applications could land you in trouble. Something that has, time and again, been brought home to me when investigating data breaches in a number of organisations.
The majority of data breaches are down to error, and many of these errors stem from not fully understanding how business apps work. I’m not singling out Microsoft Office here: it’s true of all such suites of apps. However, Microsoft Office is so ubiquitous that it will inevitably feature in a large number of data breaches.
For this reason, I’ve been working with Lara Mellor to develop a training module that gives organisations insights into how to reap the benefits of using Microsoft Office while avoiding the potential data protection pitfalls. Lara has been delivering Microsoft Office training for some time now through her company, Lara Mellor Training & Consultancy. It was a pleasure to work with her and I’m really pleased with the course we have put together.
Why not take a quick look? If your business uses Microsoft Office, this course could save you a lot of grief (and ticks the box for showing you are complying with Article 32 of the GDPR and applying ongoing organisational controls to your data processing).
To find out more, click here.