Delighted to be able to bring you a post from Advent IM Co-Founder and Director, Julia McCarron.
Does the Automotive Industry need a Minder?
Last month the ICO saw its first ever prosecution to result in a prison sentence, not only for a failure to protect data under the Data Protection Act but also for an offence under the Computer Misuse Act.
Was this a big brand name, high profile legal firm or yet another NHS debacle? Actually no. This time the unlawful access of information was carried out by an employee in the accident repair business.
Imagine if you will a member of staff using a colleague’s log-in details to access personal details from a vehicle repair cost estimation application, and then, when he started a new job at a different car repair organisation, continuing to use the same login and password to access personal data. Whilst the act was criminal in the eyes of the law, I suspect the individual concerned didn’t even think about the repercussions of what he was doing – it was the path of least resistance, a means to an end, a habit even. A means by which to increase commission or sales using data from his previous employer, which was still at his disposal. He didn’t even technically steal it. In the old days someone would have walked out with a cardboard box of records, and today with a less detectable USB stick. His crime was to continue accessing the personal data through a shared application, and annoying previous clients with nuisance calls.
Having got to this point some of you may be thinking I seem to be saying that this is acceptable behaviour. I want to stress that I am not saying that at all. But having spent a good proportion of my life within the automotive sector I have to say that, other than the prerequisite IT system, very little has changed and in many ways the sector continues to operate in a 1970s bubble, especially independents, i.e. those not part of a chain, and it is totally unconscious when it comes to information security.
If we backtrack and look at why this incident happened in the first place, there were clearly systemic problems right from the outset.
1. This industry is not information security savvy. If it was the following would not have occurred:
a. The individual’s colleague would never have shared their password to the application in question because they would have received staff awareness training on the pitfalls of sharing passwords and login details particularly where personal data was concerned.
b. Assuming the sharing of login details was accepted by the business for a legitimate reason, when any member of the team left the department/organisation the password should have been automatically changed as part of a leavers’ process, to prevent unauthorised/unlawful access to the application after employment was terminated.
2. Whilst larger organisations may have IT teams that from a technical standpoint are more security aware, the independents and ‘high-street’ providers are generally very old fashioned in their approach. One of our team has worked in this industry in the past and acknowledges that accident repair in particular is highly pressured, as insurance companies try to push for cheaper rates. So any competitive advantage will probably be explored – lawful or not. This kind of unlawful act is probably more common than we know … it’s just this is the first time someone got caught.
3. The providers of the shared cost estimate application itself are also failing to fully assess the risks, resulting in unlawful access to personal data they host. They cannot legislate for local failures to protect access, but what they could do is introduce mandatory controls such as forcing password changes on a regular basis that require email verification. If that had occurred in this instance, whilst it would not have prevented the breach it would have minimised the impact. The individual would have been unable to change the password using email verification because it would not have been his email address receiving the verification link.
4. Without knowing the ins and outs of exactly how the application data is stored, managed and processed there are also potentially regulatory and legal ramifications on the providers of the shared cost estimate application and other applications like it as a data processor, possibly even controller, and a requirement to ensure that appropriate security controls are in place to protect an individual’s personal data.
As a further example of the complacency in the automotive industry, another member of our team went to test drive a car a couple of months ago at a “really nice family-run dealership” (and to be fair, he says they were nice). It was their policy to take a copy of your driving license (all drivers) and then apparently leave the copies and all the details of the potential financial arrangements as well as all the details pertaining to the car you might or might not be trading in on the side next to the customer coffee machine for all to see and read. What could possibly be wrong, or go wrong, with that? The team member in question had a little word in the ear of the salesman and went elsewhere.
It’s not one thing that caused this particular data breach and ultimately prosecution. But as an industry the severity of the lack of security awareness is clear. Organisations like the Society of Motor Manufacturers and Small Traders (SMMT), for example, are ideally placed to promote initiatives around information security. In writing this blog I did search their website to see if they had stolen a march in this area, but although the term ‘cyber security’ is bandied around, the focus seems mainly on vehicle security and AI, which might reduce car crime but isn’t going to educate or protect its 800 members on how best to protect the personal data within their possession.
In this case, a crime was committed and that is not in question. I throw back to the 70s … the bubble within which this industry resides, and to a classic comedy show called Minder that started in 1979 and was set in this very sector. Arthur Daley, the used car salesman and loveable rogue, with his trusty sidekick Terry, the ex-boxer, there to protect Arthur from the ramifications of his dodgy dealings. (He could write the theme tune and sing the theme tune too, by the way 🙂 ). Terry was the security control to Arthur’s cost evaluation application, always protecting him from harm. If only everyone in the industry had a Minder today, perhaps the risk to personal data within this sector would be minimised. One thing’s for sure: if passwords and login credentials continue to be shared, “The world’s your lobster, my boy”.
- Posted by Ellie Hurst
- On 5th December 2018