Around 11 GB of personal data belonging to US Special Operations Command Staff was accidentally leaked by an admin error recently.
The names, locations, salaries and the US version of National Insurance numbers were leaked in this embarrassing mistake that could literally be a serious issue of national security.
Concerns are that the staff may be targeted by enemies of the US who may use the information to find them and gain military intelligence. It’s believed that several of the staff are Special Forces analysts with top level government clearances, but this remains to be confirmed. The staff who were affected by the leak are employed by Potomac Healthcare; many of them doctors, nurses, and mental health support staff.
An accidental discovery
The data leak was discovered by Chris Vickery, a researcher who works for a security company called Mackeeper. When he found the leak, he immediately notified Potomac Healthcare, highlighting the risk the leak had on national security. However, it wasn’t until he warned other governmental authorities that action was taken to remove the leak.
Not uncommon
This type of leak is not uncommon. Quite often, there is no malicious intent; just an administrative error like failing to hide email recipients’ identities from each other, or an overzealous worker working on confidential files at home on a non-secure device. In any event, malicious or not, data leaks can have a huge impact on victims and, in this case, the national security of a nation. In a world where almost everything is digitalised for ease of use and access, it’s all too easy to make a mistake and inadvertently put thousands or millions of people at risk with a single click of a button.
Duty to prevent data leaks and hacks
Companies and organisations have a legal duty to make sure that the personal information they hold and/or have access to is safe and secure at all times. Personal information belongs to its owner, and they have the right to share it with whomever they like – so anyone with access to it must respect the owner’s privacy, and only use it in a specified way that the owner has consented to. In some cases, personal information may be kept or accessed on behalf of the owner, like the government keeping their citizens names and addresses for tax reasons, or hospitals keeping medical records for when they next pay a visit. Regardless of who keeps that information, they still have that legal duty to keep it safe.
Here, Potomac Healthcare kept their employee’s personal information to keep a record of who their staff were, and financial details so that they could pay them. However, the company failed in their legal duty to protect that information, and it’s likely that they will be heavily criticised for not having implemented necessary security measures to prevent such an error occurring.
We can only hope that Mr Vickers was the only one who saw the leak and that none of the private information was accessed.