Greek Man Accused of Stealing Data of 9 Million Citizens
Greece is in the news again, for all the wrong reasons. This time it is not the ever-failing economy or yet another bailout plan from some country or authority. A Greek man has been arrested on suspicion of having stolen 9 million personal data files, in what is believed to be the biggest breach of private information the country has ever seen. The 35-year-old suspect was found in possession of data files that included identity card details, tax numbers, vehicle licence plate numbers and home addresses.
General legal framework in Greece
Personal data processing and protection in Greece is mainly regulated by Law 2472/1997, known as the Data Protection Act (DPA), which implements Directive 95/46/EC. The DPA regulates the automated or manual processing of data relating to living, identifiable individuals. It sets out the basic terms and conditions for data collection and processing, and imposes fundamental obligations on data controllers across all categories of data-related activity. The Hellenic Data Protection Authority receives complaints and has levied penalties on the data breach complaints it has received.
What abets the crime?
Interestingly, data breaches were observed in increased proportion across the globe during the years of recession and economic slowdown a few years ago. Security experts warn that incidents of crime are likely to increase during challenging economic times, and there is evidence from the large security monitoring networks that cyber crime attacks such as phishing have already risen. With rising uncertainty about employment and falling incomes, disgruntled employees may take sensitive data with them when they leave an organisation. Even for the honest worker there is no guarantee that he will return every asset, such as a USB token, or remember to erase all company data from his personal devices. Further, as incomes fall, companies try to cut every expense, perhaps including spending on information security administration, in order to save a few more pennies.
What can be done?
Organisations should not treat an incident like this as a case of 'data loss' alone; what they should remember is that the company's reputation itself is at stake, and the penalties imposed under the data protection and privacy laws in force come on top of that. Organisations handling potentially sensitive data should not simply buy some data protection tools and take false assurance from them. These tools have a positive role, but they suffer from many of the limitations of early intrusion detection and intrusion prevention systems, such as potentially high numbers of false positives and the associated inconvenience to legitimate business users. Such organisations should instead invest sufficient time and effort in creating policies and practices aimed at preventing data loss, such as access controls on key and critical applications and log management.
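As an added illustration of the log management point (example code written for this page, not part of the original article or any product mentioned in it), the script below reviews application access logs for bulk record retrieval of the kind that precedes a mass data theft. The log format (timestamp, user, action, record count) and the log lines themselves are constructed for the example. It contrasts a naive fixed threshold, which flags every legitimate batch user and produces exactly the false positives the text warns about, with a per-user baseline rule that only fires when a user's retrieval is far outside his own normal volume or above an absolute ceiling.

```python
"""Bulk record-access review over application access logs.

Added example for this article. The log format and the sample lines are
constructed; the thresholds are assumptions to be tuned per organisation.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <user> <action> <records returned>".
# alice and bob are ordinary clerks, dave runs a legitimate nightly batch,
# carol pulls an entire 9-million-record table in one go.
SAMPLE_LOG = """\
2012-11-19T09:01:12 alice lookup 3
2012-11-19T09:05:40 alice lookup 5
2012-11-19T09:22:03 bob lookup 4
2012-11-19T10:14:55 alice lookup 2
2012-11-19T10:30:21 bob lookup 6
2012-11-19T11:02:09 bob export 7
2012-11-19T22:00:03 dave export 2500
2012-11-19T22:00:04 dave export 2600
2012-11-19T22:00:05 dave export 2400
2012-11-19T23:41:37 carol export 9000000
2012-11-19T23:45:10 bob lookup 5
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "count": int(count),
        })
    return events


def naive_flag(events, limit=1000):
    """Fixed threshold: flags every event above `limit`, including the
    legitimate batch job. This is the false-positive-prone behaviour the
    article warns about."""
    return [(e["ts"].isoformat(), e["user"], e["count"])
            for e in events if e["count"] > limit]


def flag_bulk_access(events, absolute_limit=10000, multiplier=20, min_history=3):
    """Two-stage rule.

    - absolute: any single retrieval above `absolute_limit` records is
      flagged regardless of who did it (an obvious mass export).
    - relative: a retrieval is flagged when it exceeds `multiplier` times the
      user's own median volume, so a batch account with consistently high
      counts is not flagged every night. Users with fewer than `min_history`
      events have no usable baseline and fall back to the global median.
    Medians are used rather than means so one huge event does not drag the
    baseline up and hide itself.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e["count"])
    global_median = statistics.median(e["count"] for e in events)

    alerts = []
    for e in events:
        history = by_user[e["user"]]
        baseline = (statistics.median(history)
                    if len(history) >= min_history else global_median)
        reasons = []
        if e["count"] > absolute_limit:
            reasons.append("absolute")
        if e["count"] > multiplier * baseline:
            reasons.append("relative")
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], e["count"],
                           ",".join(reasons)))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("naive threshold:", naive_flag(evs))          # flags dave x3 and carol
    print("baseline rule:  ", flag_bulk_access(evs))    # flags only carol
```

On the constructed log the naive rule raises four alerts, three of them on the legitimate batch account, while the baseline rule raises one, on the 9-million-record export. In practice the per-user history would come from days or weeks of logs rather than a single file, and the thresholds would be set from that history rather than the assumed values above.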
Educating end users about their responsibilities towards the organisation's and its customers' data is more effective than locking down USB ports or banning devices. The problem of data breaches is NOT just one of technology, as is popularly perceived; the solution lies more in policies, processes and education, and the return on investment in these is greater than on investment in technology alone.