The Future of Unstructured Data: Lessons from the Pegasus Airlines Data Breach

Recently, in a webinar panel discussion moderated by Juha Sallinen, the colossal data breach at Pegasus Airlines in 2022 came under the spotlight. Panel members included Nina Barzey, a lawyer and advocate, and Petri Aalto, a modern workplace and security solution architect.

The data breach at Turkey's Pegasus Airlines in 2022 reignited discussions around unstructured data and the nuances surrounding its security, especially in cloud environments. With the breach compromising about 6.5TB of data, in this case equivalent to a whopping 23 million files, the experts are pushing for better strategies and policies for handling such vast amounts of information. The exposed data was stored in an AWS S3 bucket, a cloud storage solution.

The discussion gravitated towards several vital questions: What measures should organizations adopt to avoid such breaches? Is cloud storage of personal information safe? Who holds the responsibility when such breaches occur?

Data Breach: The Case of Pegasus Airlines

Pegasus Airlines’ breach exposed approximately 23 million files, all stored in an AWS S3 bucket. The fact that such a large dataset sat in a cloud environment improperly secured and without any password prompts crucial questions:

  • Is it safe to store personal data in the cloud?
  • How can breaches like this be prevented?
  • What are the implications for individuals whose data has been leaked?

Architectural Challenges and Design Solutions

Petri Aalto, an expert on the panel, identified potential root causes of such breaches. He pointed out that many organizations opt for cloud storage simply because it’s economical. Other times, mergers, acquisitions, or data migrations drive the shift. Regardless of the reasons, if there’s no proper architectural design and risk assessment, such breaches are bound to occur. Another concern he raised was the possible absence of proper security processes when business units use personal credit cards to make cloud purchases.

Moreover, as businesses look to automate their operations, ensuring that security protocols are maintained and updated becomes paramount. Otherwise, the ease of cloud storage could be offset by the vulnerability it presents.

Legal Ramifications and International Data Transfers

While the advantages of cloud storage are evident, the legal complications cannot be ignored. Nina Barzey, another panellist, points out that businesses often overlook GDPR guidelines. For example, where data is stored becomes irrelevant if the organization isn’t clear about the nature of the data they possess. Barzey emphasized the importance of educating staff about data privacy rules. According to Barzey, even if top management is familiar with regulations like GDPR, it’s often the case that the general staff isn’t.

Barzey also pointed out that storing data in the cloud, especially sensitive information, poses severe challenges. These challenges range from the legal implications of international data transfers to ensuring proper oversight over sub-suppliers or IT suppliers. Furthermore, the transfer of data from one country to another, as in the Pegasus case where a Turkish company stored data on an American-based cloud, brings in complexities related to data privacy laws.

Recognizing and Addressing the Data Breach

One of the more pressing issues highlighted during the conversation was the responsibility that comes with data control. If a company, as a data controller, collects data from subjects, they must be accountable for how their IT suppliers manage that data, especially in a cloud environment. Without this insight, there’s a clear breach of data protection laws like GDPR.

“If you are a data controller who owns and collects data from data subjects, it’s imperative that you maintain oversight over any sub-suppliers, including IT providers. This is a primary reason why public authorities in Sweden often opt out of storing sensitive or integrity-sensitive data in the cloud; they can’t conduct a thorough legal analysis of all the data. Many major IT and cloud service providers don’t permit scrutiny of their internal operations. A breach occurs when an organization, such as one using a cloud, doesn’t maintain proper insight and control over stored data, violating GDPR guidelines. If you can’t oversee your sub-suppliers, it’s advisable not to engage them. However, the level of oversight might vary based on the data’s sensitivity, whether it’s highly confidential or basic details like contact information. Ultimately, the onus of responsibility rests with the data controller,” Barzey notes.

Such large-scale data breaches are alarming, especially when they involve personal details. Barzey emphasizes the importance of notifying affected individuals, particularly when sensitive data, such as health-related information, is involved.

The Cloud Dilemma: Public vs. Private

Different cloud types bring various security measures. The debate between public and private clouds often centres on the kind of data being stored. Aalto suggests that the nature of the data should dictate the choice. For instance, sensitive data might be best placed in private clouds, while less critical data can reside in public clouds. Public clouds, private clouds, and on-premises services all have their pros and cons. The decision on which one to opt for should be rooted in an organization’s data strategy, considering the kind of data to be stored.

“The nature of the data largely dictates the choices we make. When considering the private or public cloud, decisions hinge on specific requirements. What do you expect from your service provider? There are ongoing debates regarding the security of public cloud services compared to in-house solutions. For instance, while we might consider using our own HSM module to encrypt data, we must also ensure that our encryption mechanisms and processes align with those in a public cloud environment,” Aalto summarized.

The Way Forward

In conclusion, the Pegasus Airlines breach serves as a potent reminder of the challenges and responsibilities tied to unstructured data. Summarizing the discussion, Juha Sallinen asserted that organizations must prioritize understanding their data and need a robust data strategy. This strategy should define the type of data to be stored and the preferred storage mediums. Monitoring and ensuring adherence to this strategy is just as crucial.

An approach backed by legal compliance and accountability would likely yield a resilient data protection framework, minimizing the risks of breaches in the future. From a legal standpoint, Nina advocates continuous training. Ensuring staff understand the nature and importance of the data they handle is crucial for maintaining data integrity and security. Encrypting sensitive data and deploying techniques like data loss prevention can further enhance security.


Meet the Webinar Panellists

Juha Sallinen: Founder and manager of GDPR Tech, Juha brings to the table a deep understanding of data protection and its real-world applications.

Nina Barzey: Hailing from Sweden, Nina is a seasoned lawyer who spearheads her own advocate bureau. A specialist in data privacy law, she’ll be shedding light on the legal intricacies of our discussion.

Petri Aalto: Based in Finland, Petri is a solution architect with a rich history of crafting and implementing global architectural designs. His vast experience with various global organizations offers a unique perspective on today’s topics.

Unstructured Data Threats and How Top Experts Say You Can Handle It

In the realm of data management, the term “unstructured data” has increasingly become a buzzword. While the data-driven future beckons us with promise, it’s essential to manage the vast amounts of unstructured data effectively and securely. In the latest webinar presented by Juha Sallinen, the founder and manager of GDPR Tech, the complex world of unstructured data took centre stage. Juha was joined by a distinguished panel of Nina Barzey and Petri Aalto who brought different perspectives to the conversation. The webinar discussion was not just about understanding what unstructured data means but also about identifying the potential risks associated with it and how to manage them effectively. Let’s decode the message the panel shared.

Defining Unstructured Data

According to an IDC whitepaper from 2019, it’s anticipated that by 2025, most of the data will be considered unstructured. But what exactly is unstructured data? Unlike structured data, which is organized in rows, columns, and databases, and is easily searchable and protected, unstructured data is quite the opposite. Examples of structured data might be a customer list in a CRM or a well-maintained database of transactions. Unstructured data, on the other hand, can be files, spreadsheets, emails, or even IoT-generated data. It’s not stored in a specific format or location, making it hard to track, manage, and protect.

The Growth and Challenges of Unstructured Data

Each year sees an exponential growth in data, especially with the shift towards cloud storage. However, despite the growth and the evolution of storage mechanisms, much of this data remains unstructured. Alarmingly, it’s estimated that 80-90% of organizational data is unstructured, and about 60% of that is either cold or dark data. This refers to data that’s outdated and should be deleted, archived, or purged.

Yet, the challenges don’t end there. Many organizations lack clarity on data ownership. The question of “Who owns this piece of data?” often goes unanswered. Without clear ownership, it becomes a challenge to make decisions regarding data retention or protection. And, many a time, sensitive data finds its way into inappropriate storage spaces like public file servers or unprotected SharePoint sites. Compounding these challenges are inconsistent access management processes and the ever-evolving landscape of technology, which often leaves users confused about the correct protocols for storing and sharing data.


Risks of Mismanaged Unstructured Data

In the webinar, Sallinen and the panel pointed out a few glaring issues that arise from mishandling unstructured data:

  • Lack of Data Ownership: Without clear ownership, decision-making becomes a challenge.
  • Inadequate Data Protection: Often, unstructured data isn’t adequately secured, making it accessible to anyone within an organization.
  • Sensitive Data in the Wrong Places: Health data, for instance, might be found in unprotected servers or shared sites.
  • Issues with Identity Access Management: Even if processes are in place, they’re not always followed.

These mishandlings can lead to significant data breaches, with vast amounts of data being lost to third parties. From ACER reporting a loss of 160GB of data to Panasonic admitting a breach due to unauthorized access, the examples are numerous and alarming.

Gaining Control Over Unstructured Data

Addressing these challenges requires a holistic approach. Organizations need to re-examine their security and privacy strategies, map out their data architecture, and have a clear retention policy. The data access strategy also needs revisiting to ensure that only authorized personnel have access to sensitive data.

One of the primary recommendations from Sallinen is to conduct a data assessment. Understanding where the data resides, its format, ownership, relevance, and legal base is crucial. The age-old data privacy acronym of CIA – Confidentiality, Integrity, and Availability – was reiterated. Data should be confidential, unchanged (maintaining its integrity), and available only to those authorized to access it.

Five-Step Approach to Unstructured Data Management

Based on the studies and GDPR Tech data assessments, approximately 15% of the data has been actively used within the last year. Sallinen’s approach towards addressing the unstructured data challenge can be summarized in a few steps:

  1. End-User Communication: Engage with the end-users, inform them about data assessments, and motivate them for data cleaning.
  2. Fix Access Issues: Remove any blanket access rights, ensuring data is only accessible to relevant users.
  3. Data Governance: Ensure your data governance plans align with the reality on the ground.
  4. Archive or Delete Old Data: Regularly purge outdated data.
  5. Classify Data Content: Understand the nature of data, ensuring compliance with data privacy laws at all levels.

One of the tools Sallinen also mentions is data mapping. By classifying data based on its content and relevance, organizations can pinpoint potential issues and act accordingly. It’s about finding the proverbial “needle in the haystack.”

Effective Management of Unstructured Data for Tomorrow’s Growth

The world of data is vast and constantly evolving. While unstructured data presents significant challenges, with the right strategies and practices in place, organizations can mitigate risks. As Sallinen and the panel put it, it’s about planning, acting, checking, and then repeating the cycle. With diligent management and consistent reviews, unstructured data doesn’t have to be an enigma. Instead, it can be an asset that, when harnessed correctly, can drive value and growth.

The future might be data-driven, but it’s up to organizations today to ensure that this data is managed effectively and securely.

