The consequences of poor data security.
Another day, another development in the Facebook story. On May 1, WhatsApp co-founder and CEO Jan Koum said he was leaving the company and its new parent, Facebook. The Washington Post reported that Koum has walked away after clashing with Facebook over its “attempts to use its personal data and weaken its encryption”.
Koum’s departure comes hot on the heels of that of his fellow WhatsApp co-founder Brian Acton, who resigned earlier this year, and shortly afterwards tweeted the hashtag #deletefacebook. Koum and Acton were almost evangelical about data privacy on the app they created, and Facebook’s alleged plan to undermine this was apparently behind the falling-out.
Koum and Acton, it should be said, are rare examples of executives who resigned from their company over concerns about how data privacy might be compromised. The now all-too-familiar pattern is a huge media story about an organisation suffering a damaging data breach, and then – days or weeks later – the accountable executive is fired, or in most cases, allowed to resign. To date the most notable exception is Facebook: despite its recent drama stacking up to be the most controversial data breach ever, founder Mark Zuckerberg has neither resigned nor been sacked. This is despite his being savaged by politicians at Congressional hearings and growing calls for his head.
It is possible that Zuckerberg may be forced to leave the company he started – “in his dorm room at Harvard” as he is fond of repeating – in order to save it. He may find himself the newest, but by no means the last, member of a club no one aspires to join: people who have lost their jobs due to a data breach. It is also likely that Australia will soon add to their ranks now that it is mandatory to disclose data breaches following the introduction of the Notifiable Data Breaches scheme in February this year.
The following examples illustrate the severe consequences to senior leaders when their organisations fall victim to the three main causes of data breaches – system failure, human error and malicious attack.
- Joe Sullivan, Chief Security Officer, UBER
Sullivan was fired after the 2016 data breach when the records of 57 million customers and 600,000 drivers were held for ransom by hackers. Another three senior managers also left the company in the wake of Sullivan’s sacking. UBER hasn’t released chapter and verse on the hack, but some experts reckon that ‘carelessness’ opened the door to the hackers, who then demanded a $100,000 ransom to delete the information.
- Ranga Jayaraman, chief digital officer, Stanford University Graduate Business School
One of the world’s most prestigious business schools, Stanford was forced to admit that it had left confidential student and staff data exposed on three separate occasions over the past two years after files were saved onto a shared server. The server allowed public access to the personal information of nearly 10,000 non-teaching staff members, as well as confidential financial aid information for MBA students, reports of sexual violence and student disciplinary records. The business school’s IT team was made aware of the breach in February 2017 but reportedly failed to report the problem to the dean of the business school. Ultimately it cost chief digital officer Ranga Jayaraman his job.
- Amy Pascal, Sony Entertainment
The former boss of one of Hollywood’s powerhouses made a number of indiscreet comments about well-known actors and President Obama in private emails that were hacked. Not long after the news hit the press she was sacked, but the gossip around her salacious views on people in the movie industry drowned out news that the hack had also compromised the private and confidential data of Sony employees. The hack was perpetrated by Guardians of Peace, a group linked by the US government to North Korea, supposedly in response to the movie satire The Interview that spoofed the North Korean leader.
- Anders Ygeman and Anna Johansson, Swedish Government
Politicians are not safe from the fallout of data breaches. In mid-2017, Anders Ygeman, Sweden’s home affairs minister, and Anna Johansson, the infrastructure minister, resigned after a breach that may have led to large-scale disclosure of citizens’ sensitive personal information. The data breach was one of the largest ever in Sweden, and led to calls for Prime Minister Stefan Löfven to call an early election.
The question always asked after these alarmingly frequent events is what could be done to prevent them. Data security is a huge field and no longer the sole domain of the chief information/technology/digital officer in any organisation. It is increasingly seen by regulators and shareholders as the responsibility of the entire leadership team and a governance function of the board of any organisation.
As a chief risk officer, CEO, or even chairman, how do you prepare and protect your company against a breach? You can start by asking yourself the following questions:
- Is data management and security a standing item at leadership team meetings?
- How is your data used? Do you share your data with other organisations to help you refine your business strategies?
- If you do share your data, how do you retain control of the data and ensure it is protected?
- What guarantees do you have that your partner organisations have solid protocols and systems for handling data? Data sharing is only as strong as its weakest link.
- Do you know how to fix a data breach? The Global Advanced Threat Landscape Report 2018 said more than half of the business leaders surveyed did not know how to respond to a cyber security incident.
One of the ways that the leaders of any organisation – whether it is a company or Government – can start mitigating cyber risks is to move away from old models of data sharing, and adopt secure data collaboration.
IXUP is a pioneer in this field. Our patented software environment uniquely encrypts every cell of information and matches commonalities across multiple databases in near real time. This means that two or more organisations can work together to obtain meaningful insights without any of the parties involved seeing each other’s data, and without compromising any of the confidentiality guarantees made to customers or citizens.
Moving to secure data collaboration means that you can provide greater comfort to your customers, shareholders and regulators about how you manage your cyber security. It could also help you keep your job.