Sucker punch: sensitive data breaches in document registries are commonplace

by Nortal HQ

Several municipalities in Estonia received a rude awakening recently, when they realized their public document registers contained very sensitive personal information about people’s disabilities, social benefits decisions or addresses, all easily accessible for anybody who took an interest.

Without Nortal’s new document scanner, it would have taken them hours, if not days, of manual labor to find the breaches.

This spring, Nortal’s team participated in the largest hackathon in the Baltic countries, Baltic Open & Big Data 2017. During the hackathon, the team created a technical solution that scans and identifies personal data from public registers. In the course of analyzing different public document registers and more than 10,000 documents, the team was able to identify both ordinary personal data (such as names and personal identification codes of individuals) and sensitive personal data.


The new tool consumes documents in various formats and determines whether each one contains personal data, considerably reducing the amount of manual work required and making breaches easier and quicker to identify. The results of the scan were reported to the Estonian Data Protection Inspectorate, which then had a chance to test the tool itself. During its additional scans, more sensitive personal data was found in registries that are publicly accessible online.
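As an added illustration of the kind of check such a scanner performs (example code written for this page, not Nortal’s tool, whose implementation the article does not describe), the following Python finds Estonian personal identification codes in document text, validates them with the standard mod-11 checksum so that invoice and reference numbers are not reported, and flags the sensitive categories the article mentions via a constructed keyword map. The sample document and the keyword map are assumptions constructed for the example.

```python
import re

# Constructed keyword map for the categories the article names; a real classifier would be far broader.
SENSITIVE_TERMS = {"disability": "health", "social benefit": "social benefits",
                   "subsistence benefit": "social benefits"}
WEIGHTS_1 = (1, 2, 3, 4, 5, 6, 7, 8, 9, 1)
WEIGHTS_2 = (3, 4, 5, 6, 7, 8, 9, 1, 2, 3)

def isikukood_valid(code: str) -> bool:
    """Validate an Estonian personal identification code (11 digits, mod-11 checksum)."""
    if not re.fullmatch(r"[1-8]\d{10}", code):
        return False
    digits = [int(c) for c in code]
    month, day = int(code[3:5]), int(code[5:7])  # layout: G YY MM DD SSS C
    if not (1 <= month <= 12 and 1 <= day <= 31):
        return False
    check = sum(d * w for d, w in zip(digits, WEIGHTS_1)) % 11
    if check == 10:  # remainder 10: recompute with the second weight set
        check = sum(d * w for d, w in zip(digits, WEIGHTS_2)) % 11
        if check == 10:
            check = 0
    return check == digits[10]

def scan_document(text: str) -> dict:
    """Report checksum-valid personal codes (redacted) and sensitive-category hits."""
    codes, categories = [], set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for candidate in re.findall(r"(?<!\d)\d{11}(?!\d)", line):
            if isikukood_valid(candidate):  # drops look-alike reference numbers
                codes.append((line_no, candidate[:3] + "*" * 8))
        lowered = line.lower()
        categories.update(cat for term, cat in SENSITIVE_TERMS.items() if term in lowered)
    return {"contains_personal_data": bool(codes), "codes": codes,
            "sensitive_categories": sorted(categories)}

# Constructed sample document; the codes are checksum-valid test values, not real people.
SAMPLE_DOC = """\
Decision no. 12/2017 on subsistence benefit (constructed sample)
Applicant: Mari Maasikas, personal code 49002010976
The applicant's disability was confirmed by the expert committee.
Invoice reference 37605030298 (looks like a code but the checksum fails)
Contact: applicant 37605030316, case officer 37605030299
"""

if __name__ == "__main__":
    print(scan_document(SAMPLE_DOC))
```

The redacted report is what a registry owner would hand to the data protection officer: which lines need review, without copying the codes themselves into yet another document.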

According to the Inspectorate, public document registries are an important part of assuring the transparency of the government, but at the same time an effort has to be made to make sure there is no sensitive personal data freely accessible online for whoever knows the right search words.

A spring clean of organizations’ records has become even more essential in light of the European Union’s new General Data Protection Regulation (GDPR). On 25 May 2018, life becomes significantly more complicated for all companies and public institutions that process any kind of personal data belonging to residents of the EU. GDPR makes people the effective owners of their personal data, giving them the right to an overview of what kinds of data have been collected and what has been done with it.


Anyone who processes personal data in the EU will be subject to tighter regulation than has been the norm so far. Personal data – names, identification numbers, location data, online identifiers such as e-mail addresses, information about a person’s beliefs, health, cultural or social identity, etc. – needs to be protected from data breaches. Aside from the legal issues and fines arising from the GDPR, the

“Institutions are faced with the challenge of pinpointing where personal data is stored and processed in their organization, which business processes require processing of personal data, and why,” explained Artur Assor, Head of Data Protection at Nortal. “Therefore, having an overview of the documents that contain personal data is a prerequisite for knowing which data to protect, and allows organizations to focus compliance efforts where they are needed most.”

Assor assured that although becoming compliant with GDPR may sound like a spine-chilling task, it does have significant benefits. “It really forces you to get your house in order,” Assor said, pointing out that many organizations don’t even know what kinds of data they have, how it’s stored or how to use it to their advantage. “If allocated smartly, the funds you have to invest into GDPR compliance can actually help you find new business models. Nortal has the know-how to do that.”