5 Ways to Prevent Data Interception and Theft

The GDPR (General Data Protection Regulation) sets out a framework for processing personal data in a respectful and secure way.

Critically, the Regulation tells organisations to take risk-based and proportionate action. It doesn’t provide a prescribed list of dos and don’ts.

Nevertheless, data breaches continue to occur – and make the headlines. Sometimes, they’re caused by human error – a failure to use Bcc when sending emails, for example, for which the ICO (Information Commissioner’s Office) recently fined the Central Young Men’s Christian Association.

Unfortunately, many other data breaches involve a malicious actor, which can lead to data theft and interception.

This blog explains:

  • What data interception and data theft are; and
  • How to protect yourself against data interception and theft.

What are data interception and data theft?

Data interception and data theft are two ways for an unauthorised actor to gain access to an organisation’s sensitive information.

Both terms describe the improper access of information and constitute a data breach. However, ‘data interception’ and ‘data theft’ signify slightly different things:

Data theft

Data theft refers to an unauthorised person obtaining confidential or sensitive information in any way. This can include:

  • Unauthorised access;
  • Unauthorised data transfers; and
  • Physical theft of papers or hardware.

Data interception

Data interception is a specific type of data theft, referring to information captured during transmission.

This can happen via an MITM (man-in-the-middle) attack, for example – a hacking technique that exploits how data is shared between a website and a user’s device.


How to prevent data interception and theft

Here are five ways you can mitigate the risks, and avoid the financial and reputational damage associated with data theft:

1. Understand what data you’re processing, how and why

Again, the GDPR requires a risk-based and proportionate approach, along with “appropriate technical and organisational measures”.

But you can’t know what your risks – or appropriate measures – are until you understand the basics:

  • What personal data are you processing?
  • How are you processing that data?
  • Why are you processing it?

As our head of consultancy Louise Brooks explains:

“If you have a good overview of this context, you can better understand exactly what risks you’re exposing personal data to. Without that knowledge, you can’t protect the data effectively while you’re processing it.

This exercise also tells you where your ‘pinch points’ are [i.e. where those risks might materialise] in your systems and processes.

In turn, that information can inform your broader risk appetite and help focus your efforts on where to deploy further security mechanisms – over and beyond the basic ones most organisations have in place.”

2. Implement appropriate technical and organisational measures

Yes, okay, this is just an extension to our first suggestion. But it’s an important one.

Depending on your processing activities and risks, here’s a list of technical and organisational measures you could consider:

  • Regularly backing up data.
  • Encrypting data at rest and in transit.
  • Data pseudonymisation and anonymisation.
  • Actively assessing and managing vulnerabilities.
  • Restricting access on a need-to-know basis only.
  • For third parties, conducting due diligence and establishing clear contractual agreements on data use, security and privacy.

Note that these measures are suited to ‘traditional’ data processing activities as well as AI-based systems.

However, this list excludes one notable organisational measure:

3. Staff awareness training

As mentioned at the start of this blog, human error can cause data breaches. But this isn’t the only way staff might cause a data security incident.

According to Verizon’s 2024 Data Breach Investigations Report, 68% of data breaches involved a “human element”, which includes both human error and falling for a phishing attack.

Social engineering attacks like phishing are a common attack vector. Threat actors use them to steal sensitive data and install malware, among other things.

The best defence against phishing is staff awareness training. This has the added benefit of being cost-effective, as well as contributing to a positive compliance culture.

As Louise explains:

“A positive compliance culture empowers staff – and the organisation as a whole – to make the right decisions when it comes to data protection.

The right culture ensures that data protection is the foundation upon which all business activities involving personal data are based.”

If you’d like more concrete ideas on engaging staff in data protection, this blog highlights 118 ways to help embed data protection in your workplace culture.

4. Give extra training to staff with data protection responsibilities

Ideally, you should take a ‘layered’ approach to staff training.

So, at the bottom of the ‘pyramid’, you have general awareness training, covering how to avoid data breaches, how to respond to DSARs (data subject access requests), and so on.

For the upper layers, Louise suggests:

“Nuanced training for those responsible for securing, or who regularly handle, personal data. That can range from DPOs to staff in HR, finance and sales.

And specific training for senior management, so they can better understand the risks associated with processing personal data, the organisation’s compliance obligations, and how to make effective decisions with those things in mind.”

5. Plant ‘sleepers’ into your data

As a preventive measure, this one doesn’t help with threat actors. Data seeding does, however, prevent malicious use by employees and contractors.

As our privacy consultant Mark James explains:

Data seeding involves planting synthetic details called ‘sleepers’ or ‘asset seeds’ into a database. These then allow organisations – specifically, data controllers – to monitor how that data is used, and when it might be lost or stolen.

By planting asset seeds, and informing staff and suppliers about them, you’re giving them an extra incentive to stick to their contracts, and not misuse the data – thus preventing data theft.


What if data is stolen anyway?

Unfortunately, data interception or theft – or other types of data breaches – can happen despite your best efforts. A determined attacker, given enough time, effort and resources, will be able to find their way through your defences.

Should that happen, data seeding can – once again – prove invaluable.

Planting sleepers allows you to detect unauthorised use of your data. In other words, data seeding offers a simple yet effective way of detecting data theft or interception.

As Mark explains:

“Even though many people have never heard of data seeding, it’s becoming more common.

In fact, in some industries, such as commercial data providers and recruitment agencies, data seeding, used as a simple data loss identification tool, is already seen as a best practice.

Those organisations recognise that they must protect the data they’re responsible for, and that data seeding offers a useful early detection mechanism. The earlier you become aware of a data breach, the easier and cheaper it’ll be to mitigate the damage.”

To learn more about how data seeding works and its benefits, check out our full interview with Mark:


We first published a version of this blog in April 2022.

Author

  • Kyna Kosling

    Kyna (pronounced “KEE-na”) has worked at GRC International Group since January 2018, and posted on the blog since October 2023. She spends a lot of her time interviewing subject-matter experts and crunching numbers.

