Back in November 2013, telecomms company Orange signed a data protection charter.
Point one of the charter committed to protect the “security of customers’ personal data through its reliable processing and secure storage.”
And it seems it’s happened all over again, this time excluding the hashed passwords, but including customers’ dates of birth.
Current reports put the size of the latest breach at 1,300,000 records.
It seems that the data wasn’t stolen from one of Orange’s primary databases, but from an ancillary system used for sending promotional emails and text messages.
This highlights the problem that companies have when trying to vouch for security right through the business.
They have to make their promises on behalf of every programmer, of every IT staffer, of every server.
In fact, they have to make their promises on behalf of every user, and of every device.
Indeed, they pretty much have to make their promises transitively on behalf of every contractor, service provider, marketing team, PR consultant, penetration tester, or other third party who might be entrusted with some or all of that data at any future time.
And channelling off data from core company databases for use by third parties – including other departments in your own company – always increases risk, because each time data is extracted and saved elsewhere, you have one more copy of that data to worry about.
Simply put, you need to be able to answer the questions, “Do you know where your data is? Do you know who can get at it?”
Not knowing the answer to those questions could come back to haunt you, as happened twice over to Orange.