Aivar Hundimägi: Painful lessons of a sweeping data leak

Data leaks require maximally open communication to let the owners of the wayward information know exactly which details were leaked and what the associated risks may be, Aivar Hundimägi writes.
Several painful conclusions can be drawn from last week's data leak and its unprecedented scope. Hopefully, the case will become a useful lesson for everyone involved in processing personal data.
One such conclusion regards how the incident was communicated. It seems to me that Allium UPI and the Prosecutor's Office forgot about the owners of the data. The data was stolen in mid-January, and the database owner learned of it a month later, which is when it notified the police, while the public only learned of the leak in April.
I'm sure there are reasons for holding off on going public. It is likely that the thieves approached businessman Margus Linnamäe's company with a ransom demand, promising to return the data upon receiving the money. As long as there was a chance of getting the data back, it was not sensible from the company's point of view to go public.
When the leak was finally disclosed last week, it was recommended that journalists keep a part of the information to themselves. I believe that we should be maximally open in the case of such data leaks to let the owners of the information know exactly which details were leaked and what may be the associated risks.
Suggesting that openness could give the thieves ideas of how to use the data for blackmail or that it may lead to panic is hardly convincing. Rather, it is sensible to presume that the criminals will not lack creativity and that people need to be warned of dangers post haste.
The other lesson for entrepreneurs is that they need to be prepared for such leaks. Of course, it is important to bet on prevention and avoid such cases of data theft in the first place. But even the most secure locks can still be picked.
That is why it is important to have a communication plan and guidelines for when customer or other sensitive business data does end up stolen. Companies could also have a policy on how to handle attempts to sell the info back to them.
The third lesson concerns how you handle the data you collect. For example, the question is raised why the data of the customers of the Apotheka pharmacy chain was in the hands of Allium UPI to start with, as well as why the data was kept for so long and whether it really was absolutely necessary for providing the service.
Lesson number four has to do with data protection, since the leak is evidence that Allium UPI did not keep the data safe. I've heard the case compared to a bank robbery where employees simply left a bag of cash on the stairs behind the door.
It is crucial for the watchdog, or the Data Protection Inspectorate (AKI) in this case, to explain how the leak happened, what Allium UPI should have done but didn't, as well as how much would need to be invested to rule out such incidents. The background of a client data leak and a company's relevant omissions cannot really be filed under business secrets.
Wayward data cannot just be picked up again like so many spilled potatoes. But to minimize such data leaks in the future, it is necessary to talk about them openly because cybercriminals are already on the lookout for the next Estonian company that doesn't care about cybersecurity.
--
Editor: Marcus Turovski