What do Kate Middleton, Apple and the Ministry of Social Development have in common? Poor information security leading to tragedies. They also show that information security has as much to do with culture as it does with technology.
Recently a pair of Australian radio hosts were able to obtain private information about the Duchess of Cambridge by phoning the hospital and pretending (in a not-believable fashion) to be the Queen and Prince Charles. This would merely have been outrageous, but with the news that one of the nurses involved in the call has committed suicide this farce has become a tragedy. The lessons that I draw from this story are different from most. Firstly, information security is everybody’s business, and, secondly, information security is more about people than about technology.
It seems clear that if the nurses had a better awareness of privacy and information security they would be unlikely to fall for what is a very unsophisticated form of social engineering attack. They should have verified the identity of the callers, and been more careful about releasing private information about a patient. If they had a better grounding in those principles then the tragic consequences could probably have been avoided.
I also note that this “attack” didn’t require any sophisticated technology – just a telephone. Like most social engineering attacks it relied on human fallibility. The same lesson can be learnt from my other two celebrated examples: the journalist who lost everything on his computers when his AppleID was hacked by a social engineering attack on Apple; and the recent privacy breach at the Ministry of Social Development when a journalist accessed confidential files from a public kiosk. The first example involved simple social engineering being used to get Apple to hand over access to an AppleID. The second involved flaws in kiosk security controls. In both cases, while technology was involved, the root cause had more to do with culture and process failings than any technological wizardry on the part of the hackers. While this may be no news to information security professionals, to people like myself involved in the technology side it is a clear warning not to focus on the technology to the exclusion of everything else.