Lessons from the IPSA breach: Why only the new will do when it comes to security

The data was simply published by mistake. And while the details are still to be revealed, the IPSA breach raises a serious question: with such highly sensitive data on the line, are organisations doing enough to protect it?

At the moment it appears not. Private companies that fail to protect customer data are berated if outdated processes are found. Yet archaic processes seem to be the reason why government departments are struggling to protect confidential information. It’s unlikely the IPSA breach would have happened if the way in which it stored and published data was modernised in line with the private sector.

MPs are high-profile individuals whose information would most certainly be of interest to certain parties. So what should IPSA, and the government in general, do in terms of protection?

Bring storage into the 21st Century

The way in which IPSA stores its data has to be improved. As it stands, IPSA collates and stores data manually in spreadsheets. Not only is this outdated, but it is dangerous, as made evident by the breach.

Rather than spreadsheets, it should look to store its information in a secure, cloud-based programme that has specific processes in place to ensure security and safe storage. Systems exist that mean MPs can capture and submit receipts, for example, digitally without the need for hard copies. These can then be stored and sorted automatically within one centralised platform.

The IPSA breach was an accident, but next time it could be a malicious attacker, and IPSA will want to be sure it’s not offering up its data in unsecured spreadsheets. If all documents are submitted and stored electronically in the cloud, then the chances of a breach, be it intentional or not, are greatly reduced.

Make big bang spreadsheet dumps a thing of the past

Storage is not the be-all and end-all. IPSA was formed following the MP expenses scandal, which revealed to the public the extent of expense abuse that existed within the walls of Whitehall. Its job is to oversee and regulate MPs’ business costs and expenses, so that no more moats or ornamental duck islands slip through the cracks. This means releasing data to the public is just as crucial to IPSA as storing it is. After all, its primary purpose is as a publishing engine to ensure the transparency of MP expenses.

As it stands though, when IPSA releases data, it does so through a spreadsheet. A spreadsheet that in some cases contains tens of thousands of entries. They are difficult to search and they are difficult to analyse. But they are even more difficult to scan for errors. It took IPSA four hours before it realised it had uploaded the wrong document – and it will undoubtedly happen again if it persists with spreadsheets.

IPSA needs to modernise its approach to data publishing. It can still make its data available to the public, which is a vital service, but rather than a data dump, it should provide it through an online portal. This removes the possibility of so-called “fat finger errors” as the risk of uploading one document rather than another is removed. This kind of technology is a core component for a large amount of the private sector, and by fundamentally reforming how data is dealt with, surely many of the issues that arise would be reduced.

Ultimately, IPSA’s data breach should act as a wake-up call to the organisation and to wider government departments in general: modern systems need to be adopted. The private sector is held responsible for its data, and will be even more so when the EU’s new ruling on data privacy – the General Data Protection Regulation – comes into play in 2018. It’s time the government was held to the same standards.

Dafydd Llewellyn is MD of UK SMB at Concur
