HR data exposures are becoming a major target for automated crawlers like Eagle Eye, from the Office of the Personal Data Protection Committee (PDPC). Last week, the PDPC launched “Eagle Eye,” a 24/7 automated crawler designed to scan the internet for exposed personal data.
Unlike traditional data protection systems that passively wait for complaints or reports, Eagle Eye is a proactive tool. It tirelessly searches for errors and vulnerabilities in your systems, working around the clock to identify where personal data—especially sensitive HR information—is being exposed. The stakes are high: data breaches can be costly, damaging not only a company’s reputation but also leading to substantial fines and legal consequences.
At the end of the day, building strong collaboration between HR and IT is crucial. We can’t write your cybersecurity policies, but we can help you build a team that communicates effectively and keeps data secure.
From embarrassing data leaks in packaging (like hospital patient records becoming snack bag wrappers) to forgotten Excel files, HR departments are among the top targets. Here are 5 critical vulnerabilities that Eagle Eye is actively searching for right now.

The Risk:
Many organizations mistakenly believe that their data is safe because it’s stored on a private server or behind a firewall. However, public data indexing through search engines like Google is a major vulnerability that many overlook. Eagle Eye can detect files that have inadvertently been indexed by Google or other search engines, exposing them to anyone searching the web.
A common example is when sensitive files, such as employee salary spreadsheets, are accidentally left in publicly accessible folders or shared in a way that allows them to be indexed by search engines. Once indexed, these documents are accessible to anyone with a search engine.
Example:
A payroll Excel file containing employee salary data might be uploaded to a shared company server without proper restrictions. If Google or another search engine indexes that file, anyone can search for terms like “salary” and find the file, exposing sensitive HR data to unauthorized parties.
The Fix:
Regularly perform a Google search for sensitive data on your company website or server to identify any documents that may have been indexed. You can use the following search operator to specifically look for potentially exposed files: site:yourcompany.com filetype:xls "salary"
If any files show up in the search results, immediately remove them from public access or tighten their access restrictions. Also, ensure that search engines cannot index sensitive documents by using proper meta tags to block them from being crawled.
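A search operator only shows what one search engine has already indexed. As an added example (not part of the original article), the sketch below checks your own web server access log for documents that were successfully served to crawlers; the log lines are constructed, the Combined Log Format is assumed, and the crawler markers are a generic assumption rather than Eagle Eye's actual user agent.

```python
import re
from urllib.parse import urlsplit, unquote

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
DOC_EXTENSIONS = (".xls", ".xlsx", ".csv", ".pdf", ".doc", ".docx")
# Assumption: crawlers identify themselves; user agents can be spoofed or omitted.
CRAWLER_MARKERS = ("bot", "crawler", "spider")

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2025:02:11:09 +0700] "GET /hr/payroll/salary-2025.xlsx HTTP/1.1" 200 48211 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.8 - - [10/Mar/2025:02:14:30 +0700] "GET /hr/payroll/salary%202024.xls?dl=1 HTTP/1.1" 200 39120 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"',
    '198.51.100.20 - alice [10/Mar/2025:09:02:11 +0700] "GET /hr/payroll/salary-2025.xlsx HTTP/1.1" 200 48211 "https://intranet.example/hr" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '203.0.113.7 - - [10/Mar/2025:02:15:01 +0700] "GET /hr/contracts/offer.pdf HTTP/1.1" 401 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.7 - - [10/Mar/2025:02:15:40 +0700] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]

def crawler_document_hits(lines):
    """Return {path: sorted crawler user agents} for documents served with 200/206."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a Combined Log Format line
        if m["method"] not in ("GET", "HEAD") or m["status"] not in ("200", "206"):
            continue  # 401/403/404 mean the crawler did not get the file
        path = unquote(urlsplit(m["target"]).path)  # drop query string, decode %20
        if not path.lower().endswith(DOC_EXTENSIONS):
            continue
        if any(marker in m["ua"].lower() for marker in CRAWLER_MARKERS):
            hits.setdefault(path, set()).add(m["ua"])
    return {path: sorted(agents) for path, agents in hits.items()}

if __name__ == "__main__":
    for path, agents in crawler_document_hits(SAMPLE_LOG).items():
        print(path, "<-", "; ".join(agents))
```

Any path this reports was readable without authentication at the time of the request. Robots meta tags exist only in HTML pages; for spreadsheets and PDFs the equivalent is the `X-Robots-Tag` response header, and neither replaces access control on the file itself.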
The Risk:
Cloud-based document sharing solutions, like Google Drive or Dropbox, are incredibly useful but can easily become a source of leaks if not properly configured. When documents are shared with the setting “Anyone with the link,” they can be accessed by anyone—inside or outside your organization. This includes automated bots like Eagle Eye that are specifically designed to find publicly accessible documents.
Example:
Imagine a Google Drive link containing employee contracts or personal health information being shared within the company. If the document’s sharing settings are left as “Anyone with the link,” it can be accessed by anyone, including external bots. Once a bot accesses the file, it can easily be indexed by Eagle Eye, making it discoverable by anyone on the internet.
The Fix:
Audit your team’s cloud storage practices. Ensure that no HR-related documents are shared with the setting “Anyone with the link.” Instead, change the sharing settings to “Restricted” or “Company Only” for all sensitive documents. Implement a policy that requires employees to always check document permissions before sharing, ensuring only authorized personnel have access to HR data.
The Risk:
In many organizations, employee accounts remain active long after they have left the company. This is a significant security risk. These “ghost” accounts are often overlooked by IT departments, and they serve as easy entry points for unauthorized access. Eagle Eye can identify these dormant accounts, particularly if they still have access to sensitive HR systems or data.
Example:
When an employee leaves, their email and login credentials should be deactivated immediately. However, in many cases, these accounts remain active in the company’s system. A former employee’s account can be exploited by unauthorized users to gain access to HR systems, potentially leading to the exposure of confidential data.
The Fix:
Work with your IT department to create a process for regularly reviewing all active accounts. Ensure that any former employee’s accounts are promptly closed or deactivated. It’s also advisable to conduct an audit of permissions periodically to ensure that only current employees have access to sensitive HR data.
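One way to run the account review described above, as an added example that is not from the original article: reconcile an HR roster export against an IT account export and list enabled accounts whose owner has left or is unknown to HR. The CSV data is constructed, and the column names and group names are hypothetical.

```python
import csv
import io
from datetime import date

# Constructed sample exports; column names are assumptions, not a real product's schema.
HR_ROSTER_CSV = """employee_id,email,status,last_day
E001,anong@example.com,active,
E002,Somchai@example.com,terminated,2025-01-31
E003,malee@example.com,terminated,2025-03-10
"""
IT_ACCOUNTS_CSV = """username,email,enabled,groups
anong,anong@example.com,true,staff;hr-payroll
somchai,somchai@example.com,true,staff;hr-payroll
malee,malee@example.com,false,staff
temp-intern,intern7@example.com,true,staff
"""
SENSITIVE_GROUPS = {"hr-payroll", "hr-records"}  # hypothetical group names

def find_ghost_accounts(hr_csv, it_csv, today):
    """Return enabled accounts with a departed or unknown owner, HR access first."""
    # Index the roster by lower-cased email so case differences do not hide a match.
    roster = {r["email"].strip().lower(): r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(it_csv)):
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled
        person = roster.get(acct["email"].strip().lower())
        if person is None:
            reason, days = "no HR record", None  # orphan: contractor, shared or test account
        elif person["status"].strip().lower() == "terminated":
            last = person["last_day"].strip()
            reason = "terminated"
            days = (today - date.fromisoformat(last)).days if last else None
        else:
            continue  # current employee
        hr_groups = sorted(set(acct["groups"].split(";")) & SENSITIVE_GROUPS)
        findings.append({"username": acct["username"], "reason": reason,
                         "days_since_exit": days, "sensitive_groups": hr_groups})
    # Accounts that still hold HR group membership are listed first.
    findings.sort(key=lambda f: (not f["sensitive_groups"], f["username"]))
    return findings

if __name__ == "__main__":
    for finding in find_ghost_accounts(HR_ROSTER_CSV, IT_ACCOUNTS_CSV, date(2025, 3, 20)):
        print(finding)
```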
The Risk:
Not all data breaches are digital. Physical records, such as printed payroll slips or employee medical records, can also be exposed if not handled properly. A case in point: a Thai hospital was fined 1.2 million THB because confidential patient data was sold to street vendors, who used it as packaging for snack foods. This type of leak highlights the risks associated with physical document disposal.
Example:
Imagine that a printed report containing confidential payroll information is discarded improperly. If the document is not shredded and is instead thrown in the trash, it could easily fall into the wrong hands, leading to exposure of sensitive employee data.
The Fix:
Educate employees about the importance of securely disposing of confidential physical documents. Implement a strict policy requiring all sensitive documents to be shredded, not thrown away. Set up secure shredding stations in every department where sensitive HR data is handled to ensure proper disposal.
The Risk:
When you outsource services like payroll processing, recruitment, or benefits management, your company still holds responsibility for the data being handled. If a third-party vendor mishandles your data, your organization could be liable. Eagle Eye doesn’t just scan your internal systems—it also looks at how your third-party vendors manage data.
Example:
If a third-party payroll company is storing employee payroll information on unsecured servers, Eagle Eye might find it during its scan, leading to a breach. Even if the vendor is responsible for the breach, your company may still be held accountable for failing to ensure proper security measures were in place.
The Fix:
Send a Data Security Confirmation email to all your third-party vendors asking them to outline their data protection practices, including how they store, encrypt, and delete sensitive data. Include data protection clauses in your vendor contracts to ensure that they meet your security standards. Regularly audit your third-party vendors to ensure compliance with your data protection policies.
Communication Between HR and IT is Key
Many of the risks listed above arise because HR and IT departments often work in silos, without sufficient communication. HR teams might not be aware of the technicalities behind data security measures, and IT teams might not understand the HR-specific risks involved with personal data. Regular communication between the two departments is essential to maintaining a robust data protection system.
The Benefits of Building Cross-Departmental Collaboration
Proactive communication between departments will ensure that HR data is properly protected. Regular cross-department meetings, clear data security policies, and well-defined roles can help ensure that both HR and IT teams are aligned on data protection goals.
Whether it’s Eagle Eye or new labor laws, modern HR managers need to be proactive about data security. Reactive measures, like responding to breaches after they’ve happened, are no longer enough. Eagle Eye is just one of many tools designed to ensure the privacy of personal data, and it’s imperative that HR departments take proactive steps to secure sensitive information.
If you want to ensure your HR data is secure and your organization is prepared for any data protection challenges, book a free consultation today. We’ll help you bridge the gap between your HR and IT teams, ensuring collaboration, communication, and strong data security practices across your organization.