The recent media coverage of the Barclays data breach (http://www.computerweekly.com/news/2240214060/Barclays-under-scrutiny-after-leak-of-27000-customer-records) shows that even older customer data from defunct businesses and subsidiaries can have real value if it falls into the wrong hands.
For a well-known brand, a data leak like this is hard to stomach, particularly if its customers have suffered financially. But the bigger consequence is one of trust and reputation, which we all know take a lifetime to build and only a second to lose.
This instance involved a deliberate theft of customer records for criminal purposes, which only came to light because of a whistleblower. And while many data breaches don’t have such catastrophic consequences, how many companies can answer the question ‘how sure are we that we can detect and respond to someone taking sensitive data off the network?’ Probably not that many at all.
Even for a company that can answer that question with confidence, it probably wouldn’t have helped in this case: the data was attached to a company that is no longer trading, so it wouldn’t necessarily have been stored on the network.
The whole lifecycle of data must be considered, from when it is created to when it is disposed of, and everything in between. That includes when devices such as laptops and USB sticks come to the end of their useful lives, and when staff move to different roles or subsidiaries, or exit the business, as they are all too often the cause of data breaches.
The only way to protect business-critical, private or sensitive data is to have policies in place that are rigorously followed by staff, and to control who has access to the data in the first place.