Law & Policy

Customer data abuse rife among UK companies

Nearly half of businesses breaching DPA, study finds

Tags: customer data, dpa, data breach, data

By Miya Knights

Published: 4 July 2006 08:10 GMT

Nearly half of UK companies could be breaching the Data Protection Act (DPA) through the misuse of customer data, according to research published on Monday.

The study involved 100 UK IT directors and found that 44 per cent use genuine customer data when developing and testing applications. This is a breach of the second principle of the DPA, which states that data should not be used for purposes other than those for which it was collected.

The research, conducted by Vanson Bourne, also found 48 per cent are only "vaguely familiar" with the detail of the Act itself.

Clarke said: "Lots of companies have taken stringent measures around the protection of customer data in the live production environment. But the numbers of people with no security clearance who can be exposed to that data can quadruple in the test environment."

Compuware said it was also concerned that 86 per cent of those surveyed admitted sending live customer data offshore, often for development and test purposes, with nothing more than a non-disclosure agreement (NDA).

The DPA is enforced by the Information Commissioner, which warned that organisations need to take effective security precautions at all times, including when testing new systems.

A spokeswoman for the Office of the Information Commissioner said: "The use of live customer data for test purposes runs the real risk that personal details can be corrupted or fall into the wrong hands. Organisations are well advised to avoid using live customer details for test purposes to help ensure that they treat people's personal details properly and in compliance with the DPA."

Clarke said problems often arise with artificial data because "masking out parts of the data means you can't test some fields". This means many companies have resorted to using live data samples to make sure the test environment will mirror the processes that will inevitably link the live environment with other mission-critical applications.

Mike Thompson, principal research analyst for Butler Group, said Compuware's findings aren't unreasonable but added that he doubted companies would have to make major investments to address the issue.

Thompson said: "Purely using data to test throughput is alright. It's the ability to identify the customer from the data used for testing that's the problem.

"There are tools out there that are valid for randomising the data so it doesn't refer back to customers' details but using a simple SQL statement to achieve this should equally solve any issue."

He added: "There is greater risk from offshoring, simply because you lose any internal controls you may have in place. There was a case only recently in the US where credit card details were stolen from a live environment."

Both Clarke and Thompson advised companies which send data offshore to ensure both they and their partners enforce strict controls.

Miya Knights writes for ZDNet UK
