Cyber Security Breaches Survey 2022: What DPOs need to know

Cyber security breaches are on the rise. Virtually every day there is a news story about a high-profile organisation being hacked and personal data being lost or stolen. Last week the BBC reported that thousands, if not millions, of people could have lost money in the second largest crypto hack in history. Ronin Network, a key platform powering the popular mobile game Axie Infinity, has had $615m (£467m) stolen. More recently UK retailer The Works has been forced to shut shops temporarily and suspend new stock deliveries after a cyber-attack.

And it’s not just the private sector. In January we learnt that Gloucester City Council’s website was hacked, affecting online revenue and benefits, planning and customer services. The work of Russian hackers (allegedly) could take up to six months to resolve, and affected servers and systems may need to be rebuilt.

Data Protection Officers need to be aware of the latest incidents and advice when it comes to cyber security breaches. The recently published DCMS Cyber Security Breaches Survey is important reading for all DPOs. It explores the policies, processes, and approaches to cyber security for businesses, charities, and educational institutions. It also considers the different forms of cyber-attack these organisations face, as well as how they are impacted and their response.

Cyber Attacks

The survey results show that in the last 12 months, 39% of UK businesses identified a cyber-attack. Of these, the most common threat vector was phishing attempts (83%). Of the 39%, around one in five (21%) identified a more sophisticated attack type such as a denial of service, malware, or ransomware attack. Despite its low prevalence, organisations cited ransomware as a major threat, with 56% of businesses having a policy not to pay ransoms. Note the recent GDPR fine issued to a firm of solicitors that suffered such an attack. Interestingly, they too chose not to pay the hackers.

Frequency and Impact

Within the group of organisations reporting cyber-attacks, 31% of businesses and 26% of charities estimate they were attacked at least once a week. One in five businesses (20%) and charities (19%) say they experienced a negative outcome as a direct consequence of a cyber-attack, while one third of businesses (35%) and almost four in ten charities (38%) experienced at least one negative impact. It is interesting that the survey focussed on charities too. July 2021 saw the first GDPR fine to a charity. The transgender charity Mermaids was fined £25,000 after the ICO found that it had failed to implement an appropriate level of security to its internal email systems, which resulted in documents or emails containing personal data being searchable and viewable online by third parties through internet search engine results.

Cost of Attacks

The survey found the average estimated cost of all cyber attacks in the last 12 months was £4,200. Considering only medium and large businesses, the figure rises to £19,400. Of course such incidents also mean a loss of reputation and customer trust. In October 2020, the ICO fined British Airways £20 million for a cyber security breach which saw the personal and financial details of more than 400,000 customers being accessed by hackers. British Airways also had to settle legal claims for compensation from affected customers.

Cyber Hygiene

The government guidance ‘10 Steps to Cyber Security’ breaks down the task of protecting an organisation into 10 key components. The survey finds 49% of businesses and 40% of charities have acted in at least five of these 10 areas. In particular, access management scored most favourably, while supply chain security scored least favourably.

Board Engagement

Around four in five (82%) boards or senior management teams within UK businesses rate cyber security as a ‘very high’ or ‘fairly high’ priority, up from 77% in 2021. In charities, 72% rate cyber security as a ‘very high’ or ‘fairly high’ priority. Additionally, 50% of businesses and 42% of charities say they update the board on cyber security matters at least quarterly. Our new webinar “GDPR and the Charity Sector Webinar” is ideal for raising awareness amongst charity trustees.

Size Differential

Larger organisations are correlated throughout the survey with enhanced cyber security, likely as a consequence of increased funding and expertise. Among large businesses, 80% update the board at least quarterly, 63% conducted a risk assessment, and 61% carried out staff training, compared with 50%, 33% and 17% respectively for all businesses. Our GDPR Essentials e-learning course contains a specific module on keeping data safe which warns of the most common cyber hacking/phishing tactics.

Risk Management

Just over half of businesses surveyed (54%) have acted in the past 12 months to identify cyber security risks, through a range of actions, of which deploying security monitoring tools (35%) was the most common. Qualitative interviews, however, found that limited board understanding meant the risk was often passed on to outsourced cyber providers, insurance companies, or an internal cyber colleague.

Outsourcing and Supply Chain

Small, medium, and large businesses outsource their IT and cyber security to an external supplier 58%, 55%, and 60% of the time respectively, citing access to greater expertise, resources, and standards for cyber security. However, only 13% of businesses assessed the risks posed by their immediate suppliers, with organisations saying that cyber security was not an important factor in the procurement process.

Incident Management

Incident management policy is limited with only 19% of businesses having a formal incident response plan, while 39% have assigned roles should an incident occur. In contrast, businesses show a clear reactive approach when breaches occur, with 84% of businesses saying they would inform the board, while 73% would make an assessment of the attack.

External engagement

Outside of working with external cyber security providers, organisations most keenly engage with insurers: 43% of businesses have an insurance policy that covers cyber risks. On the other hand, only 6% of businesses have the Cyber Essentials certification and 1% have Cyber Essentials Plus, which is largely due to relatively low awareness. The importance of this was highlighted in the recent GDPR fine issued to Tuckers solicitors.

The DCMS Cyber Security Breaches Survey is important reading for all Data Protection Officers and IT staff. Aligning with the National Cyber Strategy, it is used to inform government policy on cyber security. It should also be used to stay abreast of cyber security developments and formulate your own organisation’s cyber security strategy.

Our Managing Personal Data Breaches workshop will examine the law and best practice in this area, drawing on real-life case studies, to identify how organisations can position themselves to deal appropriately with data security incidents and data breaches, in order to minimise the impact on customers and service users and mitigate reputational damage.

The EasyJet Data Breach: GDPR Fine Arriving?


On 19th May 2020 it was reported that in January 2020 EasyJet was subject to what they describe as a “highly sophisticated” cyber-attack, resulting in the personal data of over 9 million customers being “hacked”. Detailed information about the attack is sparse, with most media sources repeating the same bare facts. Some of the information below is based on the media reports and emails sent to EasyJet customers. At the time of writing there was no information about this on the Information Commissioner’s Office website.
What little information is available points to a number of breaches of the General Data Protection Regulation (GDPR) which could result in the Information Commissioner’s Office (ICO) imposing a monetary penalty.

However, in view of the ICO’s reassessment of its regulatory approach during the current Coronavirus pandemic and reports that it has further delayed the imposition of its £183 million fine against British Airways, readers may be forgiven for thinking that EasyJet will not be on the receiving end of a fine any time soon. In any event, it seems likely that the ICO will be forced to consider the fact that EasyJet, along with the whole airline industry, has been very severely affected by the Coronavirus and faces huge financial pressures.
The consequences for EasyJet in respect of this breach will remain unclear for many months and may disappoint customers whose personal information has been stolen.

Breach of Security

All Data Controllers must comply with the data protection principles set out in Article 5 of GDPR. In particular, Article 5 (1) (f) (the security principle) requires Data Controllers to process personal data in a manner that “ensures appropriate security” of the personal data that they process. That includes protecting against “unauthorised or unlawful processing and against accidental loss, destruction or damage.” This obligation to process personal data securely is further developed in GDPR Article 32, which requires Data Controllers to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. The steps that a Data Controller has to take will vary, based upon “the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”. In other words, Data Controllers must implement security measures that are “appropriate to the risks” presented by their processing, which reflects the GDPR’s risk-based approach. So, for example, a village hairdresser will not be expected to take the same security precautions as an international airline handling personal data (and often Special Category Data) about millions of people. We do not know what cyber security precautions EasyJet had in place to prevent this attack; however, it is arguable that it should have reviewed its security arrangements (which it may well have done) in the wake of the British Airways attack that was widely reported in September 2018.

There is no doubt that the incident amounts to a “personal data breach” under GDPR Article 4 (12) since it involves a breach of security leading to the unauthorised access of the personal data of about 9 million people. Of the 9 million people affected, 2,208 had their credit card details stolen.

Breach Notification

When a Data Controller becomes aware of a “personal data breach” it must notify the ICO “without undue delay, and where feasible not later than 72 hours after becoming aware of it” (GDPR Article 33). The controller is relieved from this duty where the breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. That does not appear to be the case here given both the scale of the attack and the fact that the hackers gained access to customers’ credit card details and travel plans. The media reports indicate that the ICO was informed about the attacks that took place in January 2020, but there is no indication exactly when it was informed. If EasyJet did not notify the ICO within the time frames of Article 33, then this constitutes a further breach of the GDPR.
Phased notification is allowed, though, when a Data Controller does not have the full details of the data breach within the 72 hours. This is likely to be the case for EasyJet, which instructed an immediate forensic investigation to establish the nature and extent of the breach, but the initial notification should still have been made within the 72-hour period set out in Article 33.

Notifying Easy Jet Customers

GDPR Article 34 requires a Data Controller to notify any Data Subjects when the personal data breach is “likely to result in a high risk to the[ir] rights and freedoms”. The threshold for communicating a data breach to Data Subjects is higher than for notifying the ICO, and therefore it will not always be necessary to communicate with affected Data Subjects.
Data Controllers must assess the risk on a case-by-case basis. However, the Article 29 Working Party Guidelines on Breach Notification suggest that a high risk exists when the breach may lead to identity theft, fraud or financial loss. This would appear to be the case in the EasyJet breach. The GDPR does not state any specific deadline for notification, but it does say that it should be “without undue delay”.

Media reports suggest that EasyJet customers were notified in two separate tranches.
The first notification to customers, whose credit details were stolen, was sent by email in early April. The second tranche, to all other customers, was sent by 26th May.
Customers who received emails at the end of May were advised that their name, email address and travel details were accessed (but not their credit card or passport details).
The purpose of notifying customers is to enable them to take steps to protect themselves against any negative consequences of the breach. The email suggested that customers take extra care to avoid falling victim to phishing attacks.

It remains to be seen whether EasyJet customers were notified “without undue delay”, given that the airline became aware of the breach in January but the first notification to customers whose credit card details were stolen was not until the end of April. It is plausible that this may have been too late for some customers. If this is the case then not only would this result in a further breach of the GDPR, but it could expose EasyJet to claims for compensation under GDPR Article 82. Indeed, according to SC Magazine, a law firm has already issued a class action claim in the High Court. Note that according to Google v Lloyd (and now under GDPR) claimants do not now have to show direct material damage to claim compensation.

Will Easy Jet Be Fined?

The details available to date certainly suggest a breach of Article 5 (1) (f) and possibly Article 32. In addition, it may be the case that EasyJet failed to notify their customers without undue delay and have breached Article 34. Breaches of these provisions could theoretically result in the ICO imposing a monetary penalty of up to 4% of EasyJet’s total worldwide annual turnover in respect of a breach of Article 5 and up to 2% of its total worldwide annual turnover for breaches of Articles 32 and 34.

It is too early to compare the circumstances of the EasyJet breach with the British Airways breach. The number of Data Subjects whose credit card details were involved in the BA attack was reported to be half a million (compared to 9 million with the EasyJet attack). However, the number of people whose credit card details were stolen in the BA attack was much greater (about 380,000 booking transactions), although British Airways notified its customers immediately. Therefore the scale and gravity of the two breaches are not identical. The ICO will need to take these factors into account in deciding on the level of any fine. The maximum that the Commissioner could impose is (as stated above) up to 4% of EasyJet’s annual turnover. It is not clear what this figure is, but the EasyJet Annual Report for 2019 states that the company’s total revenue in 2019 was £6,385 million. In contrast, BA’s total revenue was £12.2 billion. The fine will almost certainly be smaller than that imposed on British Airways, but it really remains to be seen how the ICO will react to the financial pressure that EasyJet is clearly under as a result of the Coronavirus pandemic. All we can do is watch this space.

This and other GDPR developments will be covered in our new online GDPR update workshop. Our next online GDPR Practitioner Certificate course is fully booked. A few places are left on the course starting on 2nd July.


Who’s afraid of the big bad cloud?


By Frank Rankin

For when you first begin to undertake it, all that you find is a darkness, a sort of cloud of unknowing; you cannot tell what it is…

The Cloude of Unknowynge, Anonymous, 14th Century

When it comes to IT, “Cloud” is still a scary word for many organisations. The language doesn’t help: “Cloud” suggests an arrangement that is (literally) nebulous rather than the mature industry expected to be worth almost 200 billion dollars per year by the end of the decade[i]. The apprehension is largely expressed in terms of concerns around the robustness of security (let’s call those Principle 7 concerns) and the suspicion that cloud providers will store data willy-nilly on servers in far-off, non-European lands (we’ll call those Principle 8 concerns). But often these concerns are raised without any real attempt to explore what the risks actually are or to look at the solutions and controls offered by cloud providers and others.

To be clear of our terms, let’s borrow from the US government definition: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” [ii]

In other words, computing capacity is purchased as a commodity from the supplier, in contrast to an organisation purchasing and managing its own servers or software. And that means a transfer of controls.

Models of cloud computing range from Software as a Service (SaaS) such as Office 365 and Google Docs, through Platform as a Service (PaaS) to Infrastructure as a Service (IaaS) where the purchaser buys virtualized capacity and runs its own software.

Depending on the flavour of Cloud service being used, the scale of that transfer of controls varies as the diagram below illustrates.

(Diagram: from Cloud Security and Privacy by Mather and Kumaraswamy)

And it is that transfer that is a source of nervousness for organisations. But it needn’t be. The cloud providers have invested heavily in information security and see good security as a market differentiator. Vendors such as Microsoft and Amazon Web Services advertise their certification to ISO27001:2013 and other national and international standards, and provide (within reason) detailed descriptions of their security arrangements. It is up to us, as purchasers of cloud services, to make our own risk assessment with regard to our information assets, and to assess the adequacy of the offerings of the cloud vendors.

While using cloud does involve the transfer of controls, we should be honest enough to recognise whether this is likely to offer an improvement in the efficacy of those controls. To take one example, your own IT colleagues may be good and conscientious at applying software patches and updates, but it is unlikely that they can respond as timeously and consistently as the big cloud providers.

In making our assessments, we can be guided by resources such as the UK Government Cloud Security Principles against which suppliers listed on the G-Cloud are expected to self-assess.

Where the purchaser sees a need for further security controls in addition to the out-of-the-box cloud offerings, there is an extensive ecosystem of third-party vendors who specialise in add-on solutions for security, records management and other governance challenges around the cloud.

As long as the transfer of control is done transparently, and an organisation has clearly mapped out the locus for each required security control (on premise, core cloud offering or third-party solution) then you should be in a good position to assure yourself of the ongoing robustness of your information security on the cloud.

So much for Principle 7 of the Data Protection Act 1998.

The data protection concerns relate to the globalised nature of cloud provision. Perhaps in the early stages, the big cloud players in the USA didn’t always “get” European privacy concerns.

But the cloud providers have matured in their understanding of these issues. That is why, for example, Microsoft offer European customers guarantees that their Office 365 or Azure solutions will be hosted within Europe (Dublin and Amsterdam at the moment, with a UK data centre due to open shortly). The larger vendors, such as Amazon, are happy to provide European customers with data processing agreements which incorporate the Model Clauses, and in some cases have received Article 29 Working Party approval of their contractual terms.

Think of the relationship between cloud customer and vendor as just like any of your existing relationships between data controller and data processor – only on a larger scope and scale.

And the shift in the EU General Data Protection Regulation (GDPR) (I am not going into Brexit here, but our GDPR expert has explained here, GDPR is still relevant post-Brexit) where data processors will be liable for data processing actions they take which go against or beyond the instructions of the data controller should only increase the level of assurance for European cloud purchasers. (More on the security requirements of GDPR here.)

A risk-based approach to assess the offerings of a cloud vendor should give assurance that the requirements of Principle 8 of the Data Protection Act 1998 are met.

Act Now is not in the business of promoting cloud providers – they do a good enough job of that themselves. But concerns around data protection and information security need not be a barrier to adopting cloud-based technology. Colleagues or stakeholders who argue that these issues are show-stoppers may have an incomplete understanding of the current state of play, or may have another agenda in mind.

So, in considering transferring information assets to the cloud, information governance practitioners should:

  • Carry out an information risk assessment, including a realistic understanding of threats and identifying the possible risks arising from keeping the data on the premises.
  • Make sure that information governance and security issues are “front-loaded” and made central to the procurement process: Many of the key controls and protection for the organisation have to be in the terms of the contract.
  • Understand the geographical location of the provider’s data centres and, where relevant, include contractual terms stating where your data must be held.
  • Survey the available third-party security and governance add-on tools for cloud, but be wary of the vendors’ claims and measure the value of their offerings against a realistic understanding of your specific risks.

Ultimately, whether to move to the cloud or not will be a decision for the wider business, but privacy and information security professionals can help to make that decision an informed one.

Frank Rankin is an information security, FOI and records management expert. Amongst other courses he is currently delivering our Practitioner Certificate in Freedom of Information (Scotland).


[i] http://www.bloomberg.com/news/articles/2014-04-24/cloud-spending-by-companies-outpaces-predictions-forrester-says

[ii] http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf
