There are several things here:
1. Who publishes information matters. You can publish your own sensitive data, you cannot publish someone else's.
2. Sensitive data is different from personally identifiable data. Bank account information may be sensitive as a set of facts (this sort-code, that account number) but is only personally identifiable when associated with a name or address. Only the latter is the domain of the ICO.
3. Further on #2, addresses are not secret and do not need to be protected. Names are not secret and do not need to be protected. Associating a name to an address is now personally identifiable and needs to be protected.
This was written quickly; it's a guide only, but there are subtleties in data protection and PCI stuff.
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record-400-000-fine-for-failing-to-prevent-october-2015-attack/
Is there a difference between customer account numbers / sort codes and a company's?
Because many companies publish their account details online in order to be paid by their customers.
I guess with more information, more possibility exists for social engineering an individual, but why aren't people doing the same to BT or Virgin Media, for example?