ICO investigates FIFA over world cup ticket data loss

According to newspaper reports, as many as 35 000 fans' details were sold by a FIFA commercial operation, although the ICO is quoted by Computer Weekly as saying that the agency's initial enquiries "suggest the information in question consists of the name, date of birth and passport number of approximately 7200 individuals" were sold on.

Data security specialist Imperva's CTO Amichai Shulman said that the reports question the internal security practices within football's international governing body whose IT managers who really should know better.

"It confirms something we've been saying for some time, namely that most organisations defend their digital assets against external attack, but they ignore the internal threat at their peril", he said.

According to Shulman, this serious breach of trust could have been avoided if FIFA had monitored – and secured – the access to football fans personal data by their staff, as well as the association's files and databases.

By allowing only carefully controlled access to data, the rogue member of staff would have realised s/he could not get away with accessing the information in the first place, he said.

Shulman added that the employees did not hack into the database - it was an internal attack where they abused normal functionality and privileges granted to them.

"This was probably a case of over privileged users as these low level employees probably should not have been granted access to that data in the first place", he said.

Imperva's CTO says that the data leak begs the question why four-year-old data was lurking on FIFA's databases, which, in itself, he says, suggests that controls on the database were completely inadequate.

Over at fellow IT security vendor Safend, meanwhile, Edy Almer, the firm's vice president of marketing, said that the case highlights the need for companies to broaden their attitude towards data loss.

Risk management, he explained, is crucial and cases such as this demand the need for effective management processes and education surrounding data loss protection.

A DLP system, he went on to say, would have likely detected the leak and protected stakeholders from the consequences.

"Companies should make certain that data has been encrypted, and securely audited/logged. In doing this, misplaced data can be accessed and tracked by IT departments and in due course; can be destroyed to avoid the information landing in the wrong hands", he said.

"Organisations need to ensure that data is properly stored, secured and encrypted to prevent a loss of this kind", he added.

 

 

 

What’s Hot on Infosecurity Magazine?