You are currently viewing Sensitive data should not go by fax!
Fax Machines - Dont use for sensitive data

Sensitive data should not go by fax!

You may want to check your calendars again. Even though we are now well into the 21st century, it seems that some organisations are still sending sensitive data by fax machine – and not just the NHS (who were fined £55,000 for the inevitable breach). It seems banks, who really should know better, cant help themselves.

Fax Machines - out of date and insecure - do not use for sensitive data
Fax Machines – Dont use for sensitive data

This month (August 2013), the ICO has issued a Civil Monetary Penalty (fine) of £75,000 to Bank of Scotland for repeatedly faxing customer’s sensitive data to incorrect fax numbers.

In the press release about the fine, the ICO notes that Bank of Scotland were even notified about the problem in 2009 but failed to take any corrective action. As a result, over 30 faxes were sent incorrectly. The faxes themselves included pay statements, bank account details, names, addresses etc. In all, an ideal haul for anyone looking to commit identity theft.

In light of this, the fine itself seems pretty trivial compared to what the ICO is able to issue. To emphasise this point, this is what Stephen Eckersley, Head of Enforcement at the ICO said:

To send a person’s financial records to the wrong fax number once is careless. To do so continually over a four year period, despite being aware of the problem, is unforgivable and in clear breach of the Data Protection Act.

It is unforgivable.

Protecting sensitive data – lessons learned

The first point we want to hammer home is that you should not use fax machines for sensitive data. You really shouldn’t. If you are doing this, then stop now.

However, if you really must, and you have it on your risk register, then learn to do it properly.

  • If you send sensitive data use pre-programmed numbers. Do not rely on busy staff hitting the correct buttons.
  • Manage the process. Have a way in which errors can be rectified when you discover them.
  • Keep records of what you are sending and who it is going to.
  • Work to eliminate the use of fax machines for your processes.

The last point is worth looking at in more detail.

If you use fax machines for sensitive data you absolutely must be looking at a way to remove them. Sending data by fax is only slightly better than a totally unencrypted email and, in some respects, has more room for error. Remember, your fax goes unencrypted over what is now likely to be an IP switched network. At least with email you can put controls on your exchange server and firewall.

If you are capturing sensitive data from your customers, you owe it to them and your business to do it properly. It is even more cost effective to do it properly.

Continuing to send sensitive data by fax is begging for an ICO sanction.

Take this opportunity to review your processes. Determine what sensitive data you are collecting and how you move it around your organisation.

In this example, Bank of Scotland were collecting application forms physically from customers and faxing them to a central processing unit. It is hard to think of a reason why this wouldn’t have been better sent over internal email. Most modern business copiers have an option to copy to internal email, so this would have even been possible from the branches themselves.

Banks, and the NHS, aren’t alone here. US-based organisations (e.g. the EC-Council, who should know better) seem to frequently ask for customers to fax credit card & bank details, which is crying out for problems. There are numerous online payment processors which reduce the need to have a member of staff collect the faxes and manually process the payment, as well as provide security to the customer. While US companies might not fear the ICO, the fact is they are risking their customers security, and this is rarely good for business.

Whatever  your situation, wherever you are based, stop using fax machines to send sensitive data. There really is a better way.

Taz Wake - Halkyn Security

Certified Information Systems Security Professional with over 19 years experience providing in-depth security risk management advice to government and private sector organisations. Experienced in assessing risks, and producing mitigation plans, worldwide in both peaceful areas and war zones. Additionally, direct experience carrying out investigations into security lapses, producing evidential standard reports and conducting detailed interviews to ascertain the details of the incident. Has a detailed understanding of the Security Policy Framework (SPF) and JSP440, as well as in depth expertise in producing cost-effective solutions in accordance with legislative and regulatory guidelines. Experienced in accrediting establishments and networks as well as project managing the development of secure, compliant, workable business processes.