Joseph J. Lazzarotti of JacksonLewis writes: When Royal Cornwall Hospital responded to a routine Freedom of Information request in 2023, they had no idea they were about to expose sensitive staff data to the public. The hospital recently apologized after discovering that a spreadsheet published on their website contained hidden sickness absence data for 8,100 current and...
Analysis Summary
# Incident Report: Accidental Disclosure via FOI Request Metadata
## Executive Summary
In 2023, Royal Cornwall Hospital inadvertently exposed sensitive sickness absence data for 8,100 current and former staff members while fulfilling a routine Freedom of Information (FOI) request. The breach occurred because the data was present in hidden fields/cells within a published spreadsheet, which remained public until a user reported the exposed data. This incident highlights the significant risks posed by metadata and unpublished information within electronic documents released under compliance obligations.
## Incident Details
- Discovery Date: Sometime after publication in 2023, upon notification by an accessing user.
- Incident Date: 2023 (Date of FOI fulfillment and publication).
- Affected Organization: Royal Cornwall Hospital.
- Sector: Healthcare.
- Geography: Cornwall, UK (Implied from organization name).
## Timeline of Events
### Initial Access
- Date/Time: 2023 (Date of FOI fulfillment).
- Vector: Intentional, legitimate public disclosure process (Freedom of Information fulfillment).
- Details: A spreadsheet containing sickness absence data for 8,100 employees spanning three years was published on the hospital's website as a response to an FOI request.
### Lateral Movement
- Not applicable. This was a data disclosure incident, not a network intrusion.
### Data Exfiltration/Impact
- The data was made publicly available on the hospital website. The information included hidden sickness absence data residing in the spreadsheet.
### Detection & Response
- Detection: An individual accessing the published file noticed the hidden/recoverable content and reported it to the hospital.
- Response actions taken: The hospital apologized for the incident upon confirming the exposure.
## Attack Methodology
- Initial Access: **Procedural Error/Misconfiguration.** No external attacker was involved; the access vector was the organization's own public disclosure mechanism (FOI response).
- Persistence: Not applicable.
- Privilege Escalation: Not applicable.
- Defense Evasion: Not applicable.
- Credential Access: Not applicable.
- Discovery: Not applicable (Internal data was prepared for release).
- Lateral Movement: Not applicable.
- Collection: **Metadata/Hidden Data Exposure.** The mechanism of compromise was the failure to scrub or properly flatten the document content, leaving sensitive data recoverable with ordinary spreadsheet tools from non-visible content (e.g., hidden columns, tracked changes, or deleted content).
- Exfiltration: Not applicable (Data was published, not exfiltrated by an adversary).
- Impact: **Accidental Information Disclosure.**
## Impact Assessment
- Financial: Not disclosed in the source.
- Data Breach: Sensitive staff sickness absence data (identifying current and former employees, volume: 8,100 individuals, time frame: three years).
- Operational: Minimal immediate operational disruption, but significant time spent remediating and apologizing.
- Reputational: Negative impact stemming from the public apology and exposure of staff information.
## Indicators of Compromise
- Network indicators: None relevant (Data published via standard web server).
- File indicators: Spreadsheet file containing hidden data fields/columns.
- Behavioral indicators: Failure by the entity preparing the document to utilize proper Information Asset Management or document sanitization procedures prior to publishing.
## Response Actions
- Containment measures: Identification and removal of the compromised spreadsheet from the public website after discovery.
- Eradication steps: Likely included an internal review of the sanitization process.
- Recovery actions: Issuing an apology to the affected staff members.
## Lessons Learned
- **Metadata Risks are Real:** Hidden information (metadata, hidden cells, tracked changes, comments) in electronic documents poses a significant risk, even when preparing compliant disclosures.
- **Compliance Requires Rigor:** Routine compliance actions, such as fulfilling FOI requests, must be treated with the same level of security scrutiny as targeted access attempts.
- **Time Exposure:** The confidential information sat publicly available for an "extended period" until manually discovered by a member of the public.
## Recommendations
- **Mandatory Document Sanitization:** Implement and enforce strict procedures for scrubbing all non-visible data (metadata, hidden sheets/columns, tracked changes) from *all* documents intended for public release.
- **Verification Layer:** Establish a mandatory secondary review process by an independent party (ideally one not involved in the initial population of the data) specifically focused on confirming the document's visible state matches the required scope *before* publication.
- **Training Focus:** Increase training for staff responsible for document preparation and release on the specific risks associated with digital document formats (e.g., Excel, Word) and "Inspect Document" tools.
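
A pre-publication check along the lines of the sanitization and verification recommendations above, as an added example that is not from the source article or the hospital. It reads an `.xlsx` file as the zip of XML parts it is and reports hidden sheets, hidden columns, hidden rows that contain cells, and comment parts; the function names and the sample workbook are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
TRUE = ("1", "true")  # OOXML booleans appear in either form

def find_hidden_content(xlsx_bytes):
    """Return findings for non-visible content in an .xlsx (a zip of XML parts)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        workbook = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in workbook.findall("m:sheets/m:sheet", NS):
            if sheet.get("state", "visible") != "visible":  # hidden / veryHidden
                findings.append(f"sheet '{sheet.get('name')}' is {sheet.get('state')}")
        for part in sorted(z.namelist()):
            if part.startswith("xl/comments"):
                findings.append(f"{part}: cell comments present")
            if not (part.startswith("xl/worksheets/") and part.endswith(".xml")):
                continue
            root = ET.fromstring(z.read(part))
            for col in root.findall("m:cols/m:col", NS):
                if col.get("hidden") in TRUE:
                    findings.append(f"{part}: hidden columns {col.get('min')}-{col.get('max')}")
            for row in root.findall("m:sheetData/m:row", NS):
                if row.get("hidden") in TRUE and len(row):
                    findings.append(f"{part}: hidden row {row.get('r')} contains cells")
    return findings

def build_sample_xlsx():  # constructed sample: hidden column plus a hidden sheet
    ns = NS["m"]
    parts = {
        "xl/workbook.xml": f'<workbook xmlns="{ns}"><sheets>'
        '<sheet name="Summary" sheetId="1"/>'
        '<sheet name="RawData" sheetId="2" state="hidden"/></sheets></workbook>',
        "xl/worksheets/sheet1.xml": f'<worksheet xmlns="{ns}">'
        '<cols><col min="3" max="3" hidden="1"/></cols>'
        '<sheetData><row r="1"><c r="A1"><v>1</v></c></row></sheetData></worksheet>',
        "xl/worksheets/sheet2.xml": f'<worksheet xmlns="{ns}"><sheetData>'
        '<row r="2" hidden="1"><c r="A2"><v>7</v></c></row></sheetData></worksheet>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

if __name__ == "__main__":
    print("\n".join(find_hidden_content(build_sample_xlsx())))
```

An empty result does not prove a file is safe to publish: pivot caches, defined names and embedded objects are not inspected here, so this check complements the independent review rather than replacing it.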