Ouest-France, a French media outlet, recently reported on a revealing case of data leak management. The leak affected the local city council of Laval and was due to a system misconfiguration. The case shares some similarities with recent headlines about AWS S3 cloud storage security misconfigurations in Australia, where confidential data from both private and public organisations was directly exposed.
The case also illustrates the challenges faced by many small and medium-sized organisations in managing the protection of their data, such as:
- Applying the necessary access control configurations. Where is the data located? How valuable is it? Who has access to it? How well is it protected and by whom?
- Detecting access control misconfigurations, data exposures and unauthorised data accesses. Data leaks are often detected and revealed by third-parties instead of the impacted organisations themselves. In the case of the French city council report, it was detected and reported by a curious citizen.
- Reporting data leaks efficiently. In the case of the French city council, the well-intentioned citizen reported the case to a journalist specialising in cyber security; it seems the citizen did not know where else to go. The journalist reportedly first raised the case with the council, but it went unacknowledged. 11 days later, the journalist reported the case to the French data protection authority (CNIL), which acknowledged the case and managed it with the council.
- Taking accountability for data protection. Ouest-France's report suggests that data protection is at risk because of city councils' IT budget constraints and their reliance on the security mindset of third-party IT service providers. To me, the case suggests a lack of accountability and governance for data protection, which is disappointing.
- Improving cyber security education, which is lacking and is the biggest opportunity for improvement. I agree with Eric Filiol.
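The first two challenges above (knowing who can access the data, and detecting exposures before a third party does) are concrete enough to check mechanically. As an added example, not from the Ouest-France report or any of the organisations it names, the Python script below inspects two documents that together decide who can read an S3-style storage bucket: the bucket policy and the bucket ACL grant list. It flags any `Allow` statement whose principal is anonymous (`"*"`) and any ACL grant to the AWS `AllUsers` or `AuthenticatedUsers` groups. The policy and ACL documents are constructed samples; the bucket name, role name and account id in them are placeholders.

```python
"""Offline checker for public-exposure misconfigurations in S3-style bucket
policies and ACLs. Added example; the sample documents are constructed."""
import json
from typing import Any, Dict, List

# Constructed sample: a bucket policy that lets anyone read every object.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-council-archive/*",
    }],
})

# Constructed sample: the same bucket restricted to one IAM role (placeholder ARN).
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowArchiveRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ArchiveReader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-council-archive",
                     "arn:aws:s3:::example-council-archive/*"],
    }],
})

# Constructed sample: anonymous principal, but gated by a source-IP condition.
CONDITIONAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RestrictedByIp",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-council-archive/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
})

# Constructed sample ACL: owner has full control, and the world can READ.
SAMPLE_GRANTS: List[Dict[str, Any]] = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "placeholder-owner-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

# Real AWS predefined group URIs that mean "anyone" / "any AWS account".
ANONYMOUS_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value: Any) -> list:
    """Policy fields may be a single item or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(policy_json: str) -> List[str]:
    """Return the Sid (or index) of every Allow statement open to anyone.
    Statements that are anonymous but carry a Condition are reported for
    review rather than assumed safe, because conditions vary in strength."""
    doc = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        label = str(stmt.get("Sid", f"statement[{i}]"))
        if stmt.get("Condition"):
            label += " (conditional, review)"
        findings.append(label)
    return findings


def public_acl_grants(grants: List[Dict[str, Any]]) -> List[str]:
    """Return "Group:Permission" for every grant to a world-readable group."""
    out = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI", "")
        if grantee.get("Type") == "Group" and uri in ANONYMOUS_GROUP_URIS:
            out.append(f"{uri.rsplit('/', 1)[-1]}:{grant.get('Permission')}")
    return out


def assess(policy_json: str, grants: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Combine both checks; 'exposed' is True if either path is open."""
    policy_hits = public_statements(policy_json)
    acl_hits = public_acl_grants(grants)
    return {"policy": policy_hits, "acl": acl_hits,
            "exposed": bool(policy_hits or acl_hits)}


if __name__ == "__main__":
    for name, pol in [("public", PUBLIC_POLICY), ("private", PRIVATE_POLICY),
                      ("conditional", CONDITIONAL_POLICY)]:
        print(name, assess(pol, SAMPLE_GRANTS[:1]))
    print("acl-only", assess(PRIVATE_POLICY, SAMPLE_GRANTS))
```

The document shapes match what the AWS SDK returns from `get_bucket_policy` (the `Policy` string) and `get_bucket_acl` (the `Grants` list), so the same functions can be pointed at live output; the checker deliberately reads documents only and makes no API calls. Note that it answers "does this configuration grant anonymous access", not "is the bucket reachable": an account-level Block Public Access setting can override both documents, so a finding here should be confirmed against that setting before being treated as an exposure, and the absence of a finding is not proof of safety when other principals are over-broad.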