Data Leak
A data leak is when data is accidentally or intentionally disclosed to unauthorised people.
Behaviours

SB014: Asks security professionals for help with security issues
Asking for help can help people learn. Security professionals can advise on how best to approach and resolve ...

SB015: Completes assigned security awareness training successfully
Security Awareness training is an important part of organisational security. Completing awareness training ensures ...

SB045: Informs organisation about unnecessary access to data or systems
Having access to more data or systems than is needed to carry out a role creates unnecessary risk. Notifying a ...

SB048: Uses a privacy screen when working with sensitive information in shared spaces
Privacy screens prevent opportunistic onlookers from viewing sensitive information. They should be used when ...

SB050: Does not allow sensitive work-related matters to be overheard in shared spaces
Sensitive topics should not be discussed in shared spaces. This includes public spaces and workspaces frequented ...

SB051: Updates a document's classification if its sensitivity changes
A document's classification may change over time as information is removed or added. Updating its classification ...

SB055: Reads organisational security policy
Security policies help reduce risk by increasing the chance that people will understand what to do to keep their ...

SB056: Highlights security controls that prevent or disrupt ability to work sensibly
Sometimes security controls can prevent or disrupt job activity. In these instances controls may be ignored to ...

SB060: Correctly categorises information
Many organisations categorise information and documents according to their level of sensitivity (e.g. Top Secret, ...

SB067: Securely disposes documents containing sensitive data once no longer needed
Documents containing sensitive data should be disposed of securely after use, for example by shredding or using ...

SB068: Leaves vacant desks clear of sensitive information
Sensitive information left on a vacant desk presents a security risk. Documents should be securely stored or ...

SB091: Does not forward work information to personal email addresses
Does not forward any work-related emails to their personal email addresses. This ensures that sensitive ...

SB094: Does not use personal devices for work unless authorised to do so
Has separate work and personal devices. Only uses personal devices for work if authorised by the employer, using ...

SB095: Does not share film recordings or photos from work locations
Sharing photos, videos or posting descriptive information about your workplace through your personal online ...

SB096: Does not carry sensitive work information or unauthorised devices to countries with high security risks
Does not carry sensitive work information or unauthorised devices to countries with high security risks. Carrying ...

SB100: Takes additional measures to prevent eavesdropping when working outside the office
Ensures smart devices are turned off or not in the vicinity when discussing sensitive workplace information.

SB151: Does not use weak passwords
Using a weak password puts an account at risk of data breaches, takeovers, and various cyberattacks. Some sites ...

SB156: Discloses credentials to a phishing site
Disclosing credentials to a phishing site places the individual and their organisation at risk of account ...

SB156a: Discloses credentials to a simulated phishing site
Disclosing credentials to a phishing site places the individual and their organisation at risk of account ...

SB159: Does not click a phishing link
Clicking on a phishing link could lead you to a fake website that asks for private credentials, or tricks you into ...

SB161: Reports a suspected phishing email
Reporting phishing emails notifies IT or security teams that employees are being targeted by cyber attackers. ...

SB161b: Reports a simulated phishing email
Reporting phishing emails notifies IT or security teams that employees are being targeted by cyber attackers. ...

SB163a: Does not open a simulated phishing email
Opening a simulated phishing email informs the IT or security team that employees might be at risk of taking ...

SB164: Does not open an attachment in a phishing email
Opening attachments on phishing emails could lead to malware infections and cyberattacks.

SB164a: Does not open an attachment in a simulated phishing email
Opening an attachment in a simulated phishing email informs the IT or security team that employees might be at ...

SB177: Does not lose device through theft or negligence
Losing devices containing sensitive information through theft or negligence increases the likelihood of cyber ...

SB177a: Does not lose mobile device through theft or negligence
Losing a mobile phone or tablet containing sensitive information through theft or negligence increases the ...

SB177b: Does not lose laptop/desktop through theft or negligence
Losing laptops/desktops containing sensitive information through theft or negligence increases the likelihood of ...

SB182: Does not send sensitive information out of the business (email or otherwise)
Sending sensitive information out of the business increases the risk that it might fall into the hands of people not ...

SB183: Does not send emails to unintended recipient(s)
Sending emails to the incorrect recipient increases the chance of sensitive company or personal information being ...

SB184: Does not share a file containing confidential information
Sharing files containing confidential information might increase the risk that unauthorised individuals see or ...

SB185: Does not post confidential information in a public messaging channel
Confidential information posted in a public messaging channel can be viewed by anyone and could be leaked ...

SB186: Does not post PII in a public channel
Posting personally identifiable information (PII) in a public channel allows anyone to view the information and ...

SB187: Does not share a file containing PII
Sharing files containing personally identifiable information (PII) could expose PII to someone other than the ...

SB188: Does not share sensitive information with unauthorised recipients
Sharing sensitive information with unauthorised recipients is harmful for the company and places the integrity of ...
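
The checks behind SB182, SB183, SB186 and SB187 are the kind a data loss prevention (DLP) control runs before a message leaves the organisation. The following is an added example for this page, not code from the behaviour catalogue: an outbound-message gate that flags recipients outside the organisation, lookalike domains that usually mean a mistyped recipient, and PII (Luhn-valid card numbers and UK National Insurance numbers) in the message body, then blocks the message when PII would leave the organisation or when a recipient domain looks like a typo. The organisation domain example.com, the approved partner domain partner.example.org, the edit-distance threshold for lookalikes, the simplified National Insurance number pattern and the sample messages are all assumptions made for the example.

```python
# Added example (not code from the behaviour catalogue). Assumptions:
# example.com is the organisation's own domain, partner.example.org is an
# approved external domain, the lookalike threshold and the National
# Insurance number pattern are simplified, and all sample data is constructed.
import re
from dataclasses import dataclass

CORPORATE_DOMAIN = "example.com"             # assumption
APPROVED_EXTERNAL = {"partner.example.org"}  # assumption
LOOKALIKE_DISTANCE = 2                        # assumption: edits that still look like a typo

# 13-19 digits, optionally separated by spaces or hyphens (payment card candidates)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Simplified UK National Insurance number: two letters, six digits, suffix A-D
NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z] ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b")


@dataclass
class Finding:
    kind: str   # external_recipient | lookalike_recipient | card_number | nino
    value: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from order/reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot mistyped or lookalike recipient domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_recipients(recipients):
    """Flag recipients outside the organisation and domains that look like typos."""
    findings = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain == CORPORATE_DOMAIN or domain in APPROVED_EXTERNAL:
            continue
        if levenshtein(domain, CORPORATE_DOMAIN) <= LOOKALIKE_DISTANCE:
            findings.append(Finding("lookalike_recipient", addr))
        else:
            findings.append(Finding("external_recipient", addr))
    return findings


def find_pii(text):
    """Report card numbers that pass Luhn and National Insurance numbers in text."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("card_number", m.group()))
    for m in NINO_RE.finditer(text):
        findings.append(Finding("nino", m.group()))
    return findings


def gate_message(recipients, body, public_channel=False):
    """Return (allowed, findings).

    Blocked when a recipient domain looks like a mistyped address, or when PII
    would leave the organisation (external recipient or public channel). PII
    sent internally is allowed but reported so the sender can reconsider.
    """
    findings = check_recipients(recipients) + find_pii(body)
    lookalike = any(f.kind == "lookalike_recipient" for f in findings)
    leaves_org = public_channel or any(f.kind == "external_recipient" for f in findings)
    has_pii = any(f.kind in ("card_number", "nino") for f in findings)
    return (not lookalike and not (leaves_org and has_pii)), findings


# Constructed sample messages (recipients, body, posted to a public channel?)
SAMPLES = [
    (["alice@example.com"], "Card 4111 1111 1111 1111 for the expense claim", False),
    (["bob@gmail.com"], "Please check NI number AB123456C", False),
    (["bob@examp1e.com"], "Slides attached for the 3pm meeting", False),
    (["carol@partner.example.org"], "Order ORD-4111111111111112 has shipped", False),
    ([], "Applicant AB123456C is on the shortlist", True),
]

if __name__ == "__main__":
    for recipients, body, public in SAMPLES:
        allowed, findings = gate_message(recipients, body, public)
        print("ALLOW" if allowed else "BLOCK", recipients or "#public-channel",
              [(f.kind, f.value) for f in findings])
```

The Luhn check matters in practice: without it, order and reference numbers of the right length would be reported as card numbers and the control would be switched off for getting in the way (the situation SB056 describes). The lookalike rule catches the common autocomplete mistake behind SB183, a recipient at a domain one character away from the organisation's own.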

SB195: Completes policy attestation
Most organisations today have multiple compliance requirements and contractual obligations that require all ...

SB198: Does not use unapproved device for work purposes
Using unapproved devices for work purposes increases security risks. This could be for a variety of reasons ...

SB198a: Does not use unapproved mobile device for work purposes
Using unapproved mobile devices for work purposes increases security risks. This could be for a variety of reasons ...

SB202: Stores documents appropriately for their level of sensitivity
Documents should be stored in a manner that is appropriate for their level of sensitivity. Organisations are ...
Case study
UK Software Company, 2020
In 2020, a UK-based software company exposed information belonging to 193 individual law firms. The company hosted the information in an unsecured online database.
When the owner of the database could not be identified, whistle-blowers alerted the National Cyber Security Centre (NCSC). It was later discovered that the database, which contained hashed passwords, legal documents and passport numbers, could be accessed by anybody with a browser and an internet connection. Worse still, over 10,000 of the database's files had been available online for years.
The software company involved claimed the files were part of public records. Since the owner of the database could not be traced, much of the information is still available online.
To prevent such breaches, the NCSC recommends organisations complete cyber security awareness training, monitor information access and report security incidents immediately.
BlueLeaks
In June 2020, amidst the outrage surrounding George Floyd’s death and increased concerns about police misconduct and brutality, thousands of sensitive files from police departments across the United States were leaked online.
The collection of leaked files, dubbed "BlueLeaks", was made searchable online. The attackers obtained the files by breaching a Texas web design and hosting company that maintained state law enforcement data-sharing portals.
The 270 gigabytes of files contained data from 200 police departments, fusion centers, and other law enforcement training and support resources. The files ranged from FBI reports to police bulletins, and their dates spanned nearly 24 years.
The hacker collective Anonymous claimed responsibility for the breach, and the information was made public by the activist group Distributed Denial of Secrets. US authorities are attempting to shut down the servers which continue to host the leaked information.
Marriott, 2018
In 2018, hotel chain Marriott discovered its reservation system had been breached, leaking the data of millions of customers.
The breach was discovered when an internal security tool flagged an attempt to access the guest reservation database. A forensics team later found that the reservation system had been compromised since 2014, four years before the intrusion was detected.
While it is still unclear how the attackers first got in, the security analysis found Trojan malware on the system; malware of this kind is most commonly delivered through phishing emails.
Expenses related to the breach and its aftermath cost Marriott $28 million. Further, in 2019, the UK's Information Commissioner's Office announced its intention to fine Marriott £99 million for violating privacy rights. Marriott is also obligated to cover any fraud-related expenses which the victims of the leak may experience.
Speaking about the incident, the UK’s National Cyber Security Centre said that many lessons can be learned from Marriott’s errors. These include encrypting data, checking emails for signs of deception, and verifying messages from unknown contacts.