author photo
By Bruce Sussman
Tue | May 4, 2021 | 10:34 AM PDT

Will your organization someday lose a multi-million dollar contract because of a shadow IT-related data breach?

That scenario is playing out in Pennsylvania right now. The Pennsylvania Department of Health says it will not renew its contract with the vendor conducting the state's contact tracing efforts.

This comes after the company, Insight Global, announced a data breach impacting more than 70,000 Pennsylvania residents and their diagnosis or exposure to COVID-19.

Employee use of shadow IT led to the data breach. This unfortunate situation is a crucial reminder for every organization.

What happened in this case of a shadow IT data breach?

At the start of the coronavirus pandemic, there was a lot of concern about contact tracing programs. Were the programs an invasion of privacy? Could they lead to discrimination against those who were diagnosed with a virus the world was trying to avoid? How would all of this health data be kept private and secure? 

That last question is being answered right now in Pennsylvania. You hope your personal information is private and secure, but you never really know.

Especially when employees handling your personal data workaround the official ways of sharing it. In the case of the Pennsylvania contact tracing effort, shadow IT and Google won the day.

Insight Global explains in its contact tracing data breach notification:

"Although Insight Global has robust security on its inhouse platforms, as part of an unauthorized collaboration channel, certain employees set up and used several Google accounts for sharing information. Documents related to contact-tracing collection were included among the information that may have been vulnerable to access."

What kind of information was being shared in these employee created Google accounts? This is what the breach notification spells out:

"At this time, we believe the impacted information consisted of names of individuals who may have been exposed to COVID-19, whether they were positive or negative for COVID-19, if they experienced symptoms, information about number of members in household, and for certain individuals, email and telephone numbers and information to address any needs for specific social support services."

Additionally, Health Department spokesman Barry Ciccocioppo told the Associated Press that sexual orientation and gender were also exposed through this use of shadow IT.

Reaction to this shadow IT data breach

According to the AP, the State of Pennsylvania paid Insight Global more than $28 million since March 2020. But not for much longer: "The Health Department plans to drop Insight Global once its contract expires in three months."

SecureWorld News reached out to two experts in privacy and security for reaction and ideas on how to avoid what happened in this case.

Rebecca Herold, CEO of The Privacy Professor and host of a popular privacy podcast, says she was not surprised to hear this shadow IT story:

"While many organizations have policies that prohibit storing or otherwise using personal cloud services, personal devices, etc., for business activities, most of the organizations have not provided training to employees about this, and very few include checking for the storage of business data in employee-controlled/owned/used cloud and computing devices as part of their risk assessment or other risk management practices.

I see way too many folks using personal Google drives, not to mention personal Dropbox, Box, iCloud, Slack, and other services, for business data and communications."

And Herold, who recently co-founded Privacy and Security Brainiacs, says the pandemic increased the risk organizations face because of shadow IT,  even if you think you have this area covered:

"Add to this the fact that too few organizations, when they were forced to accommodate work-from-home (WFH) employees upon sudden notice, did not take the much different type of home environment into consideration when establishing their WFH security and privacy policies, procedures, and oversight. As a result, they did not address the use of personal cloud services, apps, or devices within their WFH policies, procedures, and guidelines—much less provide any specific training for how to securely and appropriately (to meet legal compliance requirements) use such services and devices, along with what not to use.

In fact, over the past year, I've heard and seen many CISOs/security pros say that they have VPNs in place, so they 'really don't need to worry about very many other risks within the home and remote environments.' That is wrong."

Risk management relating to shadow IT

So what kind of steps can you take to mitigate your organizational risk from unauthorized technology use? Rebecca Herold sums it up like this:

"All organizations need to reevaluate their risk management programs and include employee/contractor/vendor-used cloud services, apps, and devices into the scope of their risk management programs and risk assessments, as appropriate to the purpose of each assessment."

And Jordan Fischer, Global Data Privacy Practice Group Leader at Beckage Law, says it can help to think of the challenges and solutions in these three ways:

  • "This event highlights one of the most challenging aspects of a security program: training and educating employees to understand why certain services are and are not used. So often, employees think it is harmful to find a workaround, but it can result in incidents like the one here."
  • "Creating a culture of transparency and communication is key: if, instead of finding their own solutions, employees have a regular channel to communicate and ask questions, shadow IT can be avoided (or at least minimized)."
  • "Get your employees involved, across all departments, in creating and implementing security solutions. If they are part of the process, they are less likely to go outside of the regular IT environment because they will better understand the trade-offs."

Perhaps this will help your organization avoid the pain and cost that Insight Global is feeling right now over the shadow IT incident in Pennsylvania:

"We deeply regret this happened and are committed to restoring the trust of any residents of Pennsylvania who may have been impacted. All necessary steps are being taken to secure any personal information, and we intend to learn and grow from this."

Comments