This week, we’ve been speaking to the media about an incident at the Passport Office: a person using their online application form found that they could access others’ personal documents by changing one variable in the URL displayed in their browser. The Globe and Mail and Slashdot report that this was likely the result of an error in the code behind the web page – or an omission in the code.
We’re still looking into the incident, but thought it was valuable to point out that not all data breaches are caused by fraud or theft. In some cases, personal information is left exposed because employees and organizations have left their data management systems unsecured.
They may not have updated their systems to the latest encryption standard, they may not require their employees to think up robust passwords, or they may have made a decision to wait for a more stable version of the software.
In the end, however, these organizations and their employees are making decisions about the security of their clients’, customers’ and colleagues’ personal information.
And sometimes that personal information leaks out.
At that point, a software or hardware issue becomes a matter of personal concern. The appropriate reaction from an organization is contrition and an expressed dedication to resolving the breach quickly and fully.
Oh, and a commitment to reforming the personal or organizational habits that led to the lax security in the first place.