Data Privacy

A financial services company wanted to understand whether the pandemic, and the resulting shift to staff home working in 2020-21, had led to personally identifiable information (PII) being recorded and accessible in its service desk system, contrary to its data privacy policy and GDPR. Aim was asked to undertake a discovery and cleansing assignment using dataBelt® to find out.


Situation


This international financial services company comprises a number of business units offering a range of financial services and products. 

Like most organisations in March 2020, the company asked all its staff to work from home as much as they could. The IT support team and staff adapted quickly to the new situation and carried on as near to normal as possible.

But after 14 months of largely remote support, and following discussions internally with the company’s Data Protection Office, the head of IT services suggested it might be prudent to check whether remote support had in fact led to personally identifiable information (PII) being recorded in closed support tickets in the service desk system. If so, there was a risk of GDPR non-compliance and possibly a data breach that would have to be reported to the Information Commissioner’s Office (ICO), with a fine to follow.

Aim was invited to check the data, establish whether there was a non-compliance issue and how large it was, and remediate it.


Solution


The Aim data team deployed its data governance and management software platform dataBelt® to undertake the due diligence review of the data in the service desk system. After connecting to the service desk system database through dataBelt®’s open API and connector architecture, the initial scan was planned for closed tickets. Given that the driver was PII, the data most likely to have been captured during remote support was identity data such as home addresses and personal telephone numbers, recorded when equipment had to be shipped to home locations, and possibly details of health conditions that required non-standard IT equipment to be delivered.


Because dataBelt® would be searching text strings, the platform was configured with search criteria drawn from its extensive library of regex (regular expression) patterns for personal identity data and health conditions. In the initial scan, dataBelt® ingested 500,000 tickets, and as many again ticket histories and other objects, in minutes, and the regex patterns produced a large number of hits. It also became clear that PII beyond identity and health data was being uncovered: references to customers in financial difficulties, bank account and credit card details, and even system user IDs and passwords had found their way into the service desk system, a clear case of privacy data leakage. Further scans were then run to ensure that PII of every type had been discovered and tagged by dataBelt®.


Results


The final scan proved that there were over 850,000 PII data references spread across 35% of the tickets, going back almost 5 years.

Not only was PII data discovered that was relevant to remote support during the pandemic, but financial and health PII data had been entering the system from other business units well before 2020. Furthermore, business units and corporate IT systems had been auto-creating user IDs and passwords and recording them in service desk tickets. 

The dataBelt® analysis was able to show the company not only the PII data volumes by type, but also their lineage by business unit, by year and by IT system.

The scale of the PII leakage was alarming, but it was remedied: the Aim data team was authorised to use dataBelt® to redact the PII, leaving a redaction message in place of each item, and to commit the redacted, clean data back to the service desk system database.
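The scan-and-redact workflow described in the Solution and Results sections, as an added illustration that is not dataBelt® code or Aim’s: a small Python pass that applies a library of regex patterns to ticket text, adds a Luhn check so that ticket and serial numbers are not mistaken for card numbers, replaces each hit with a redaction message, and summarises the volumes by PII type and by business unit and year, the lineage view the text describes. The pattern set, ticket records, names, numbers and business units are all constructed for the example (the 07700 900xxx phone range is reserved by Ofcom for fictional use).

```python
"""Illustrative PII discovery and redaction over service desk tickets.

Constructed example: patterns are simplified, UK-flavoured regexes and the
tickets are made up. Not the dataBelt(R) implementation.
"""
import re
from collections import Counter, defaultdict

# Assumed pattern library keyed by PII type. Real libraries are far larger;
# these are deliberately narrow so that the matches are easy to reason about.
PII_PATTERNS = {
    "uk_phone": re.compile(r"\b(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b"),
    # 13-19 digits, optionally separated by spaces or hyphens; ends on a digit
    "card_number": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
    "credential": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "health": re.compile(r"(?i)\b(?:diabetes|epilepsy|asthma|wheelchair|dyslexia)\b"),
}

REDACTION = "[REDACTED {kind}]"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters 13-19 digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_ticket(text: str):
    """Return (redacted_text, {pii_type: hit_count}) for one ticket body."""
    hits = Counter()
    for kind, pattern in PII_PATTERNS.items():
        def replace(m, kind=kind):
            if kind == "card_number" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                return m.group(0)   # long digit run that fails Luhn: leave it
            hits[kind] += 1
            return REDACTION.format(kind=kind)
        text = pattern.sub(replace, text)
    return text, dict(hits)


def run_discovery(tickets):
    """Scan every ticket; return redacted copies and lineage summaries."""
    redacted, by_type, by_unit_year, affected = [], Counter(), defaultdict(Counter), 0
    for t in tickets:
        clean, hits = scan_ticket(t["text"])
        affected += bool(hits)
        by_type.update(hits)
        by_unit_year[(t["unit"], t["year"])].update(hits)
        redacted.append({**t, "text": clean, "hits": hits})
    summary = {
        "tickets": len(tickets),
        "affected": affected,
        "affected_pct": round(100 * affected / len(tickets), 1),
        "by_type": dict(by_type),
        "by_unit_year": {f"{u}/{y}": dict(c) for (u, y), c in by_unit_year.items()},
    }
    return redacted, summary


# Constructed sample tickets (ids, people, numbers and units are invented).
TICKETS = [
    {"id": "T-1001", "unit": "Retail", "year": 2020,
     "text": "Ship replacement laptop to 14 Elm Road, Leeds LS1 4AB. "
             "Call user on 07700 900123 before dispatch."},
    {"id": "T-1002", "unit": "Wealth", "year": 2019,
     "text": "Customer in arrears; card 4111 1111 1111 1111 declined. "
             "Email jane.doe@example.com."},
    {"id": "T-1003", "unit": "Corporate IT", "year": 2021,
     "text": "New batch account svc_report created, password: Winter2021! Please rotate."},
    {"id": "T-1004", "unit": "Retail", "year": 2018,
     "text": "Printer serial 1234567890123 needs toner. No personal data here."},
    {"id": "T-1005", "unit": "HR", "year": 2020,
     "text": "User has epilepsy and needs a flicker-free monitor shipped home."},
]

if __name__ == "__main__":
    cleaned, report = run_discovery(TICKETS)
    for t in cleaned:
        print(t["id"], t["hits"], "->", t["text"])
    print(report)
```

The redaction marker carries the PII type so that the cleaned ticket still tells an analyst what kind of data was removed, and the per-unit, per-year counters give the lineage breakdown used to decide where controls need tightening. The Luhn step is the kind of false-positive filter a regex-only scan needs: the printer serial in T-1004 has 13 digits but is correctly left untouched.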

This was a vitally important result. It mitigated what had been a significant and ongoing risk to the company for some years and prevented a possible major data breach, GDPR non-compliance and a considerable fine from the ICO, as well as damage to the company’s reputation for data security. It also allowed the company to pinpoint the areas where security controls and processes needed to be improved.

For the company to have completed such an exercise manually using spreadsheets would have taken a team of analysts 6-12 months, rather than the 3 weeks’ use of dataBelt®’s heavy-lifting technology. The success of the assignment has meant that the company has signed up to use dataBelt® on a regular basis to ensure compliance of the data in its service desk system, and it is planning to extend dataBelt®’s remit for data discovery and cleansing across the whole enterprise.
