Roche Diagnostics – Anatomy of a serious data breach

On Wednesday 9 May 2007, the Roche Diagnostics marketing team must have been very happy. The very first edition of ‘Reach' had been sent to all the people who had registered for the Accu-Chek newsletter. Accu-Chek is a range of diabetic monitoring equipment for the patient's own use, and is well known and well respected, as is Roche Diagnostics. But, as the newsletter hit inboxes, they learned that things had gone very wrong indeed, and that highly confidential medical data about patients was haemorrhaging from their database.

The Data Breach

The details of the marketing disaster are already in the press, and are followed in detail by the blog ‘Marketing by Permission'. The facts are very simple:

  • Data records for random individuals were visible to any recipient who clicked the ‘update my profile' link
  • The data records included details of drug régimes the patient was on, such as warfarin
  • Full personal details, including email and street addresses and phone numbers were revealed

These, especially the medical element, which is sensitive personal data as defined by the UK's Data Protection Act 1998, are required by law to be kept securely and not disclosed to third parties without the explicit consent of the individual whose records they are.

That alone would have been enough to say “This was a total disaster”, but there was more to see that showed a very poor process for the approval of marketing campaigns:

  • The transaction to update one's profile, assuming one could ever see one's own data, was not behind SSL technology. No padlock, no https:, no encryption.
  • There was no login or password process to protect the data from inadvertent release
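
The two failures above, a guessable per-record link with no login and no TLS, and the fix a practitioner would put in their place, are easiest to see in code. What follows is an added illustration, not Roche's system and not code from this page: the subscriber table, the signing key, the hostnames and the clock value are all constructed for the example. The hardened version puts the record id and an expiry inside an HMAC-signed token, refuses plain http, and additionally requires the visitor to present the e-mail address the record belongs to before anything is shown.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample records (fictitious, not Roche data): the table that an
# 'update my profile' link is resolved against.
SUBSCRIBERS = {
    1: {"email": "alice@example.org", "name": "Alice", "regime": "warfarin"},
    2: {"email": "bob@example.net", "name": "Bob", "regime": "metformin"},
}

SECRET = b"constructed-test-secret"   # assumption: a per-deployment signing key
NOW = 1_178_668_800                    # constructed clock value (seconds since epoch)


# --- The pattern the article describes: guessable record id, plain http, no
# --- login. Whoever holds (or edits) the link sees that record.
def vulnerable_profile_link(record_id: int) -> str:
    return f"http://newsletter.example.com/profile?id={record_id}"


def vulnerable_resolve(url: str) -> Optional[dict]:
    record_id = int(parse_qs(urlsplit(url).query)["id"][0])
    return SUBSCRIBERS.get(record_id)     # no check that the caller owns the record


# --- Hardened pattern: https only, the record id travels inside an HMAC-signed,
# --- expiring token, and the caller must also present the record's own e-mail
# --- address (the 'login' the original campaign lacked).
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_profile_link(record_id: int, secret: bytes, now: int,
                      ttl: int = 7 * 24 * 3600) -> str:
    payload = json.dumps({"id": record_id, "exp": now + ttl},
                         separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"https://newsletter.example.com/profile?t={b64url(payload)}.{b64url(tag)}"


def resolve_profile_link(url: str, claimed_email: str, secret: bytes,
                         now: int) -> Optional[dict]:
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None                       # never serve personal data in clear
    token = parse_qs(parts.query).get("t", [""])[0]
    if "." not in token:
        return None
    payload_b64, tag_b64 = token.split(".", 1)
    try:
        payload, tag = unb64url(payload_b64), unb64url(tag_b64)
    except (binascii.Error, ValueError):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                       # tampered or forged token
    claims = json.loads(payload)
    if claims.get("exp", 0) < now:
        return None                       # link has expired
    record = SUBSCRIBERS.get(claims.get("id"))
    if record is None or record["email"].lower() != claimed_email.strip().lower():
        return None                       # token valid, but not for this person
    return record


def demo() -> dict:
    """Exercise both patterns; returns the outcomes so they can be checked."""
    good = make_profile_link(1, SECRET, NOW)
    # Forgery attempt: keep the valid tag but swap in a payload naming record 2.
    forged_payload = b64url(json.dumps({"id": 2, "exp": NOW + 3600},
                                       separators=(",", ":")).encode())
    forged = (f"https://newsletter.example.com/profile?t={forged_payload}."
              + good.rsplit(".", 1)[1])
    return {
        "vuln_any_record": vulnerable_resolve(vulnerable_profile_link(2)),
        "own_record": resolve_profile_link(good, "alice@example.org", SECRET, NOW),
        "wrong_email": resolve_profile_link(good, "bob@example.net", SECRET, NOW),
        "forged": resolve_profile_link(forged, "bob@example.net", SECRET, NOW),
        "expired": resolve_profile_link(good, "alice@example.org", SECRET,
                                        NOW + 8 * 24 * 3600),
        "plain_http": resolve_profile_link(good.replace("https://", "http://", 1),
                                           "alice@example.org", SECRET, NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The signed token only proves that the server issued that link; anyone the mail is forwarded to still holds it, which is why the resolver also demands the record's own address and why a real deployment would prefer an authenticated session. The forged case in demo() shows that swapping the record id inside the token fails the signature check instead of returning a stranger's data, whereas the vulnerable resolver hands over record 2 to anyone who asks.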

Such things are pure naivety, and such carelessness shows a limited understanding of the compliance obligations of any marketing organisation. The final piece of this disastrous jigsaw was the refer-a-friend scheme.

Refer a Friend is a simple area to get right. There is a simple checklist of things to do in order to be both lawful and ethical:

  1. Make the email address (at least) of the referring friend a mandatory field
  2. Use the referring friend's email address in the body of the email sent, plus any other details they have provided
  3. Make the subject “<friend> wants you to see this” (or similar wording)
  4. Open the text with “<friend> has visited our site at <url> and filled out the form there to suggest you visit. If you do not recognise <friend> you may have received this as a mistyped email address. You do not need to take any action. We do not keep your data on any database because of this referral, and you have not been subscribed to anything at all, nor have your details been passed anywhere at all. In fact we keep no records of the matter. We were simply happy to send this on <friend's> behalf.”
  5. Then put your marketing message, call to action or whatever you choose
  6. Then close with “You will hear nothing else from us as a result of this referral. You have not been added to any database and there is no need to ask for removal”
  7. Finally, close with the name of your organisation, the street address, and the generic email address of your Chief Privacy Officer, together with a link to your privacy policy.
  8. Note the self imposed restrictions on data, and stick to them
  9. Send a copy to the referring person. The “cc” field is ideal.
  10. Optionally consider querying the referring person's domain and email address to determine if they are valid prior to sending the referral. Invalidity implies mischief. Do not send a referral from a mischief-maker
  11. If you expect high-volume mischief, deploy a CAPTCHA check as part of the referral process before going live, to minimise the potential for automated abuse
  12. Ensure the page where the friends are to be referred has a correct Fair Processing Notice (statement of what will happen to the data entered) to ensure that the referring friend can make an informed decision about submission or not

Roche Diagnostics has number 1 correct: it pre-fills the email address of the referring party. In fact they pretty much handled 1 to 3. On the remainder they fall short. Why does this matter?

  • Personal data is not to be used willy-nilly. The use of the data must be declared at the point where the data is captured, especially if there is any scope at all for confusion
  • Brand protection is important. Taking immense care in areas like this shows that you value your own brand. And if you as the principal value the brand there is a chance that we, as customers will value it also.

The one very peculiar thing they did was to forward the email that they had sent, with the same ‘Update my Profile' link. Today no-one can say which record that link pointed at. It could have been anything from a blank record for a new subscriber to the record of the person who forwarded it. It was probably the random data that the newsletter allowed access to in this case, and we assume the whole system will be scrapped because of the security breach.

So we should add a 13th rule: Never, ever, forward a link to someone else's data record when referring a friend.
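
As an added example covering the checklist above and the 13th rule, and not code from this page or from any organisation named on it, here is one way to compose a referral message that follows rules 1 to 10 and 13. The organisation details, the addresses and the domain table standing in for a real MX lookup are all constructed for the example; the CAPTCHA of rule 11 and the fair-processing notice of rule 12 belong on the web form itself and are outside this function.

```python
import re
import textwrap
from email.message import EmailMessage
from typing import Callable, Optional
from urllib.parse import urlsplit

# Loose syntactic check; deliverability is established by the domain lookup below.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")

# Constructed stand-in for rule 10's domain check. A real deployment would query
# MX records (for example with dnspython); this table keeps the example offline.
KNOWN_MAIL_DOMAINS = {"example.org", "example.net"}


def domain_accepts_mail(domain: str) -> bool:
    return domain.lower() in KNOWN_MAIL_DOMAINS


def referral_link_is_generic(url: str) -> bool:
    """Rule 13: the link must be a plain landing page over https, never a
    per-record 'update my profile' link. Anything carrying a query string or
    fragment is treated as record-specific and refused."""
    p = urlsplit(url)
    return p.scheme == "https" and bool(p.netloc) and not p.query and not p.fragment


def build_referral(referrer_name: str, referrer_email: str, friend_email: str,
                   landing_url: str, marketing_text: str, org: dict,
                   domain_check: Callable[[str], bool] = domain_accepts_mail
                   ) -> Optional[EmailMessage]:
    """Compose the referral per rules 1-10 and 13; returns None when it must
    not be sent. Nothing is persisted (rule 8): the message is the only output."""
    if not referrer_email or not EMAIL_RE.match(referrer_email):   # rule 1
        return None
    if not EMAIL_RE.match(friend_email):
        return None
    if re.search(r"[\r\n]", referrer_name):          # header injection via the name
        return None
    if not domain_check(referrer_email.rsplit("@", 1)[1]):       # rule 10
        return None
    if not referral_link_is_generic(landing_url):                # rule 13
        return None

    msg = EmailMessage()
    msg["From"] = org["from_address"]
    msg["To"] = friend_email
    msg["Cc"] = referrer_email                                   # rule 9
    msg["Subject"] = f"{referrer_name} wants you to see this"    # rule 3
    intro = (                                                    # rules 2 and 4
        f"{referrer_name} ({referrer_email}) has visited our site at {landing_url} "
        f"and filled out the form there to suggest you visit. If you do not recognise "
        f"{referrer_name} you may have received this as a mistyped email address. "
        "You do not need to take any action. We do not keep your data on any database "
        "because of this referral, and you have not been subscribed to anything at all, "
        "nor have your details been passed anywhere at all. In fact we keep no records "
        f"of the matter. We were simply happy to send this on {referrer_name}'s behalf."
    )
    closing = (                                                  # rule 6
        "You will hear nothing else from us as a result of this referral. You have not "
        "been added to any database and there is no need to ask for removal."
    )
    signature = (                                                # rule 7
        f"{org['name']}\n{org['street_address']}\n"
        f"Chief Privacy Officer: {org['cpo_address']}\nPrivacy policy: {org['privacy_url']}\n"
    )
    paragraphs = [intro, marketing_text, closing]                # rule 5 in the middle
    body = "\n\n".join(textwrap.fill(p, width=72) for p in paragraphs) + "\n\n" + signature
    msg.set_content(body)
    return msg


# Constructed organisation details and inputs for a stand-alone run.
ORG = {
    "name": "Example Diagnostics Ltd",
    "from_address": "newsletter@example.com",
    "street_address": "1 Example Street, Exampletown",
    "cpo_address": "privacy@example.com",
    "privacy_url": "https://www.example.com/privacy",
}
LANDING = "https://www.example.com/newsletter"


def demo_ok() -> Optional[EmailMessage]:
    return build_referral("Alice", "alice@example.org", "friend@example.net",
                          LANDING, "Have a look at the first issue.", ORG)


def demo_refused() -> dict:
    """Cases the checklist says must not go out; every value should be None."""
    return {
        "no_referrer": build_referral("Alice", "", "friend@example.net", LANDING, "x", ORG),
        "bad_domain": build_referral("Alice", "alice@nonexistent.invalid",
                                     "friend@example.net", LANDING, "x", ORG),
        "profile_link": build_referral("Alice", "alice@example.org", "friend@example.net",
                                       "https://newsletter.example.com/profile?t=abc.def",
                                       "x", ORG),
        "header_injection": build_referral("Alice\r\nBcc: everyone@example.net",
                                           "alice@example.org", "friend@example.net",
                                           LANDING, "x", ORG),
    }


if __name__ == "__main__":
    print(demo_ok())
    print({name: result is None for name, result in demo_refused().items()})
```

The function returns the message and nothing else: there is no write to a database, so rule 8 is kept by construction rather than by policy. The profile_link case in demo_refused() is the 13th rule: a landing page with a query string is assumed to be someone's record and is never forwarded.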

Proper Process to avoid embarrassment

The areas that appear to be absent within Roche Diagnostics are the following:

  1. Always involve the Chief Privacy Officer in the planning of all campaigns
  2. The Chief Marketing Officer bears responsibility for all campaigns. The campaign must be inspected and all links tested under the direct authority of the CMO and outside the team that owns the campaign. A physical signature confirming that this has been done is required before the campaign may be issued
  3. The CIO is responsible for the delivery and security of the data supplied to the CMO for all campaigns. The campaign must be checked under the direct authority of the CIO, and a physical signature of approval and fitness for purpose is required before the campaign may be issued
  4. The CPO is responsible for the lawful and ethical use of personal data. Since data protection legislation carries criminal offences as well as civil liability, it is not only embarrassing if data escapes, but potentially an unlawful act. The CPO must be satisfied that the data is properly protected, that it is used only for the purpose for which it was collected and that it cannot escape. A physical signature to this effect is required before the campaign may be issued

Had this process been in place, the probability of such an appalling breach of confidence would have been reduced to infinitesimally small. The campaign would have been a success, not a failure, and Roche would not have received the unwelcome adverse publicity. As it stands, while their brand is substantial enough to resist the damage, and their products are sufficiently distanced from their name to avoid damage by association, this campaign has probably cost them more in firefighting than it has brought them in revenue or loyalty.

RMS Titanic would not have sunk if there had been better attention to detail in the design of the tops of the bulkheads. Roche's newsletter needed better bulkheads.
