UK Gov. Accidentally Releases New Year Honours Addresses Spreadsheet

The risk of spreadsheet-based data breaches – and 3 ways to reduce it.

This week saw another example of an organisation storing sensitive, personal data in an Excel spreadsheet and then sharing it by mistake. This time it was the UK government accidentally publishing the addresses of more than 1,000 New Year Honour recipients in a spreadsheet online. Inexcusable these days given the current focus on data protection – but in reality, it’s easily done. So how can you ensure that you don’t make the same mistake?

Below are my three recommendations for mitigating this spreadsheet-based risk.

1. Don’t save sensitive personal data in spreadsheets

It may seem a pretty obvious thing to say but if you don’t save sensitive personal data in a spreadsheet in the first place then problem solved!

Sensitive data should be recorded and managed in a secure database. If you need to download the data think about which fields you really need and whether you can anonymise the data.

2. Put in place strong policies and procedures around spreadsheet use and distribution

You should give your team clear guidelines for how data is used, stored and distributed in spreadsheets. Putting in place strong spreadsheet policies and procedures that are communicated and understood by all data users helps everyone know what they should and shouldn’t do.

These spreadsheet policies and procedures should be backed up by system controls that control what users can do. As an example most companies who regularly manage very sensitive data (such as banks) have system controls that block the external emailing of any spreadsheets, restrict access to websites that would allow a user to upload a spreadsheet and block external storage devices such as USB sticks.

3. Use Excel’s encryption functionality

My final recommendation for mitigating the risk of storing sensitive data in spreadsheets is using Microsoft Excel’s built in encryption. This involves protecting the spreadsheet with a password so that only people who know the password can open it. This means that if the spreadsheet is shared by mistake no-one will be able to open it.

One quick caveat – Whilst Microsoft have improved their spreadsheet encryption it can still be broken if someone really wants to.

To summarise...

The financial and reputational impact on your business of mistakenly sharing a spreadsheet containing sensitive data can be high. By employing the above three recommendations within your own business you will be able to avoid falling foul of this unfortunately all-too-common pitfall.

How we can help

Full Stack Modeller is a comprehensive training course that has a best practice focus. You will learn how to standardise your approach modelling and mitigate the risks implicit in spreadsheet based modelling.

Full Stack's Financial Modelling Errors Series

See our complete financial modelling error series here.