Data Spill Management Guide
JANUARY 2019

Introduction
A data spill is the accidental or deliberate exposure of information into an uncontrolled or unauthorised environment,
or to persons without a need-to-know. A data spill is sometimes referred to as information disclosure or a data leak.
Data spills usually fall into one of two categories:


• The transfer of information to a system which is not authorised to handle the information. Such a transfer may be
  performed via email or digital media.

• The unauthorised disclosure of information on the Internet, including via web forums, social media and other
  types of cloud-based storage.

Data spills are considered cyber security incidents and should be reported using the Australian Cyber Security Centre’s
(ACSC’s) Cyber Security Incident Reporting scheme.
Organisations should refer to the Australian Government Information Security Manual (ISM) for sanitisation
guidance for specific media following a data spill.

Data spill management overview
Educating users about system and web usage policies, as well as how to appropriately identify and handle information,
can greatly assist in preventing data spills. However, in the event of a data spill, organisations should use the
following five-step process:


1. Identify. Recognise that a data spill has taken place.

2. Contain. Determine the breadth of the data spill.

3. Assess. Decide on the most appropriate course of action to address the data spill.

4. Remediate. Remediate the data spill based on the course of action chosen.

5. Prevent. Implement prevention measures to stop similar incidents from occurring in the future.

Step 1: Identify
Data spills are usually identified by users. Standard procedures for all users should require them to notify an
appropriate security contact of any suspected data spill, or of any access to information that they are not authorised
to access.




Data spills can also be identified through monitoring, auditing and logging. For example:


• Preventing non-protectively marked emails from being sent or received by an organisation’s email server or email
  client.

• Using data loss prevention tools that can warn users and alert administrators of possible security violations.

An immediate assessment should be performed to:


• Track data flow, movement and storage locations of the spilled data to assist in determining what devices and
  systems are affected.

• Identify affected system users, including any external to the organisation.

• Determine the length of time between the data spill and the identification of the data spill.

Step 2: Contain
Containment may involve physically isolating or logically separating affected systems from a network. Logical
separation can be achieved by temporarily removing software functionality or applying access controls to systems to
prevent further exposure.
For example, the containment process taken for a data spill involving an internal email may include:


• Identifying the sender and recipients of the email, contacting them and directing them not to forward or access
  the email.

• Determining if it is necessary to retain a copy of the email so that the sensitivity of the information can be verified
  by the information owner for a damage assessment.

• Determining if it is necessary to delete the email from affected users’ inboxes as quickly as possible to prevent
  further dissemination of the email.

• Proceeding to the assessment phase to determine what further actions are required, including potential
  sanitisation of the email server and workstations.
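
The scoping questions in Step 1 (where the data went, who holds it, how long it was exposed) and the sender and
recipient identification in Step 2 can be answered from mail transfer logs. The following Python is an added example,
not part of the ACSC guide; the log format, the agency.example domain and all addresses are constructed for illustration.

```python
from datetime import datetime

INTERNAL_DOMAIN = "agency.example"  # assumption: the organisation's own mail domain

# Constructed mail-transfer log (hypothetical format): time, message id,
# id of the message it forwards ("-" if none), sender, recipients.
SAMPLE_LOG = """\
2019-01-14T09:02:11 id=m1 ref=- from=alice@agency.example to=bob@agency.example,carol@agency.example
2019-01-14T09:05:40 id=m2 ref=- from=dave@agency.example to=erin@agency.example
2019-01-14T09:17:03 id=m3 ref=m1 from=bob@agency.example to=heidi@agency.example
2019-01-14T10:44:29 id=m4 ref=m3 from=heidi@agency.example to=frank@partner.example
"""

def parse(line):
    """Split one log line into a record dict."""
    stamp, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["time"] = datetime.fromisoformat(stamp)
    rec["to"] = rec["to"].split(",")
    return rec

def scope_spill(log_text, spilled_id, identified_at):
    """Follow the spilled message and every forward of it through the log."""
    records = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["time"])
    tainted = {spilled_id}   # message ids that carry the spilled content
    holders = set()          # every mailbox that sent or received a copy
    first_seen = None
    for rec in records:      # time order, so a forward follows its parent
        if rec["id"] in tainted or rec["ref"] in tainted:
            tainted.add(rec["id"])
            holders.add(rec["from"])
            holders.update(rec["to"])
            first_seen = first_seen or rec["time"]
    external = sorted(h for h in holders if not h.endswith("@" + INTERNAL_DOMAIN))
    return {
        "messages": sorted(tainted),
        "holders": sorted(holders),
        "external": external,  # recipients outside the organisation
        "exposure": identified_at - first_seen if first_seen else None,
    }

if __name__ == "__main__":
    report = scope_spill(SAMPLE_LOG, "m1", datetime(2019, 1, 14, 13, 30))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The holders list gives the mailboxes to contact and the systems to carry into the Step 3 assessment; any entry under
external means containment cannot be completed inside the organisation alone.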

Step 3: Assess
After containment, to prevent further access and exposure of spilled data, a thorough assessment should be
performed. This includes:


• Identifying affected system users, systems and devices. While the identification process highlights the systems
  and users that are initially affected, a more thorough assessment should be performed after the containment
  process. This should include devices such as workstations, backup storage, printers, print servers, network shares,
  email inbox and servers, content filtering appliances, webmail and external systems. Organisations should involve
  their system and network administrators in this process.

• Contacting the information owner. The information owner should be contacted and notified of the data spill. The
  information owner should be able to provide guidance on any specific handling requirements for the data, if
  applicable, to minimise its exposure.

• Contacting relevant authorities. Data spills should be reported using the ACSC’s Cyber Security Incident Reporting
  scheme.

• Performing a damage assessment. Organisations should perform a damage assessment to determine what harm
  was caused by the data spill. Organisations should assume that the spilled data is compromised and base
  remediation procedures or risk management on a worst-case scenario.


Step 4: Remediate
Organisations should work in collaboration with information owners to determine a satisfactory remediation of any
data spill, noting that remediation is usually achieved through a balance of technical controls and risk management
activities.
For each system identified during the assessment stage, a remediation strategy should be developed that covers:


• access controls to the data and the systems that hold the data

• utilisation rate of memory storage (i.e. ability for the system to naturally overwrite free space through data
  attrition and growth)

• criticality of the system to the business (e.g. mission critical Storage Area Network or a user workstation)

• the exposure duration of data (i.e. is it a recent exposure or has the data been exposed for a long period of time)

• sanitisation options available for the media (e.g. raw disk overwrite, file overwrite or physical destruction)

• disposal consideration of the asset at end of life (i.e. will the asset be resold or physically destroyed)

• balancing the risk of drawing attention to the data versus accepting the damage

• resources, impacts and financial costs to replace or sanitise affected systems.

All remediation actions, including their outcomes, should be appropriately documented.

Step 5: Prevent
Actions that cause data spills should be reviewed to determine why they occurred (e.g. non-adherence to policy, gaps in
existing procedures or absence of a technical control).
The review should result in the implementation of preventative measures to reduce the likelihood of future data spills
occurring. This may include additional user training or improved technical controls.

Further information
The Australian Government Information Security Manual (ISM) assists in the protection of information that is
processed, stored or communicated by organisations’ systems. This publication can be found at
https://www.acsc.gov.au/infosec/ism/.
The Strategies to Mitigate Cyber Security Incidents complements the advice in the ISM. The complete list of
mitigation strategies and supporting publications can be found at
https://www.acsc.gov.au/infosec/mitigationstrategies.htm.
Further information on the ACSC’s Cyber Security Incident Reporting scheme can be found at
https://www.acsc.gov.au/incident.html.

Contact details
Organisations or individuals with questions regarding this advice can contact the ACSC by emailing
asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).
