As I reached into my bag, I knew something was wrong

As I reached into my bag, I knew something was wrong

"We can't make it more fun, but we can make it easier" - sounds a well-known slogan of the Dutch tax authorities. When it comes to working securely, that 'easier' sometimes seems to be missing. We have to do more and more: use more passwords, more two-factor authentication, take more actions. Yet we know that securing our data - just like locking our bike on the street - is just a thing you need to do. UU Teacher Irma also experienced this when she lost her keychain -- with her USB stick still on it.

It was a Friday morning, early October, in the city centre of Utrecht. Outside, the first leaves were falling from the trees heralding autumn. Irma: "The moments when - as a cyclist - you start thinking about bicycle lights again, because it gets dark earlier. I immediately thought about my safety there. Funny how that works: when it relates to yourself, it is something very natural. You naturally want to eliminate risks." Irma had supervised a study group with students that morning, as she had done the previous weeks. Their study involved a group of young adults with various psychiatric conditions.

You only clean up after cooking, right?

Irma continues her story. "We were totally absorbed in the research. Sometimes you get so excited about something, especially if you work together intensively, that you are 'in the zone'. We were not at all concerned with how to store data from our research." When asked if she had then never been taught anything about the safe storage of data, Irma replies: "Well, of course we knew that we had to store it in a good way at the end, but not so much during the research. For us, I think it felt a bit like a kitchen that you only start cleaning up after cooking. During the 'cooking process', we didn't bother about any technical stuff at all, but just enjoying ourselves with kitchenware and cutting boards."

It will be fine -- I thought

Irma walked out the building after the work for the research was done for that day. She would continue working at the Uithof that afternoon. At the end of the day, she went home. "When I arrived at home, I realized I was missing my keychain when I wanted to open the door. I searched in vain in my bag for my keychain. Fortunately, my husband was at home with the children, so I was not in front of a closed door". "Forgot your keys?" he asked laughing and loudly, in an attempt to raise his voice above the sound of the playing children. I almost began to doubt whether I had brought them at all. But it was weekend for know: I would look for them later, it will be fine".

Suddenly you realize: it's a data breach

While dining, Irma suddenly realized something. The keys themselves suddenly became a lot less important. She had a USB stick attached to her key ring with her research and student data on it. Irma: "At first I tried to justify it to myself. Those keys could be somewhere on my desk at work, or maybe in my safe. Or they might have been stolen, but in that case I couldn't help it if the USB stick was still attached, could I? These were all thoughts running through my head. I could even picture it being in the newspaper: Data research UU on the streets because of careless lecturer". After the weekend, Irma went back to her workplace. However, the keys were nowhere to be found.

The redeeming email with double feeling

Moments later, Irma received an email in her mailbox. A colleague (unknown to her but also working in the city centre) had found her keychain. He indicated that he had found her keys in a corridor of the building where she had been. He had been able to retrieve her name and email address in a Word file on her USB stick. Irma: "I was immensely relieved that my keychain was found. But it also felt a bit strange that someone had been snooping around on my USB stick. I could understand that he was doing that to find out who the keychain belonged to, but what else had he seen? All the details of the young adults and their psychiatric conditions? The pictures of them? It almost had to be". Irma picked up the keychain the same day. Out of discomfort, she did not dare ask what else this person had seen on the USB stick.

Test your knowledge

Irma's story (which is not her real name due to privacy reasons) is no exception. In the news, we read things like this regularly. Also, from such an incident, you are obliged to report a data breach. How to prevent this? Transport data securely. You can do this online via SURFfilesender or check the Data Storage Finder; a guide through the range of IT solutions for storing and managing data. Or, If you have no other options, via a secure USB stick with an access code. Employees and students can use SURFfilesender free of charge at any time. And please take a look at our phishing quiz. A great way of brushing up on your knowledge of phishing!

Questions?

Do you have questions about information security, or want advice on handling data? If so, please contact informatiebeveiliging@uu.nl by e-mail.