Last week I blogged about a security breach at a major company. The breach was in fact extremely isolated; I am entirely satisfied that it was contractually outside their control, and it will hopefully end in litigation against the company that breached its contract and terms of reference with the originating organisation.
What actually happened is that a tech refresh took place, with equipment being taken offsite under contract by an industry-regulated company specialising in recycling corporate IT hardware, whose job it is to sanitise and, where applicable, destroy or recycle/remarket IT equipment to the "third market", i.e. eBay and the like.
Unfortunately this third party failed utterly to understand its responsibility and remarketed this multi-function laser printer still containing sensitive and potentially compromising information, which is now once more entirely in the hands of the originating customer, the data controller in the eyes of the ICO. Considering they are ISO 27001, 14001 and 9001 certified, they demonstrated a total failure both to their customer and to the demands of data sensitivity. I'd assume they have just lost a customer; I certainly would have major concerns over their capabilities and can't see them remaining a supplier to the organisation concerned.
Having seen first hand the processes this major organisation has in place, having worked with their IT staff since last week, and having met one of their IT managers in person today, I am entirely satisfied that they were badly failed by a supplier.
A word of caution: data has a lifecycle. When you handle something non-specific such as an MFP, a router, a network boundary device, a switch, a firewall or the like, kill it (sanitise or destroy it) before it goes to your third-party recycler. Here's where having a CUPS print server could have saved a world of pain. Don't rely on the manufacturers to assist you: most hardware vendors do not take security seriously and prioritise price point and features over security management capabilities. Here's where Software Defined Networking in the cloud is going to prove invaluable.
My thanks go to the CEO, the IT staff and the public relations person at the company concerned for having jumped on this. They proved that lessons do need to be learnt in organisations of every size, but they have also been able to show me, in writing, and to demonstrate provable thought leadership around IT process management.
Oh, and they replaced the printer, which will go in my soon-to-be massively downsized office up the road in Devizes (a pregnant wife having given me clear instructions to give away hardware and hire a skip) in the next few weeks before the baby arrives.