Tuesday, November 12, 2013
Probe determines MNsure data breach was inadvertent
An investigation has now concluded that the MNsure breach was inadvertent, rather than malicious.
Earlier this year, MNsure experienced a data breach when an employee sent an email containing a variety of sensitive information to an insurance broker. In the wake of this discovery, an investigation was launched by the Minnesota Office of the Legislative Auditor. As Minnesota Public Radio reported, this investigation has now concluded that the breach was inadvertent, rather than malicious. While this may be encouraging, the investigation also highlighted the need for higher-grade secure file sharing solutions for organizations that handle sensitive data.
An accident waiting to happen
According to the investigation, while the data breach was an accident, MNsure's policies, or lack thereof, made it very likely that such an incident would occur.
"Our findings demonstrate that what occurred was more than 'an HR issue' involving one employee," the report stated, according to the news source.
"MNsure officials made decisions that contributed directly to the disclosure of private data," the report concluded.
Specifically, the report pointed out that the organization did not make satisfactory secure email solutions available to employees, Minnesota Public Radio noted. For example, workers needed to manually encrypt all emails that were sent to people outside of the state government.
Furthermore, the investigation questioned whether the organization's employees received sufficient data security training.
As this incident and the follow-up investigation made clear, many data breaches are caused not by malicious hackers but by carelessness combined with a lack of safeguards and support. In the majority of cases, better policies and resources can greatly reduce the risk that a data breach will occur.
Perhaps the most significant revelation to be found in this investigation is the reliance on manual encryption. While manual encryption tools may keep encrypted emails safe, they put a serious burden on employees. Almost inevitably, an employee will be forgetful or cut corners and, as a result, send out an unprotected message that contains sensitive information, as happened in this case.
This is why firms should consider embracing secure file sharing solutions that do not rely on manual processes to ensure protection, but instead automatically secure any files sent or received by users. This eliminates the need to remind employees to follow a time-consuming step, thereby increasing both security standards and overall productivity for the organization.