Capita Fined £14m for GDPR Data Breach 

The Information Commissioner’s Office (ICO) has issued a £14m fine under the UK GDPR to professional and outsourcing services company Capita. This follows a cyber-attack in March 2023 which saw hackers gain access to 6.6 million people’s personal data, from pension and staff records to the details of customers of organisations Capita supports. For some people, this included details of criminal records and financial data.

The ICO said Capita “failed to ensure the security of processing of personal data which left it at significant risk”. Capita plc has been fined £8m and Capita Pension Solutions Limited has been fined £6m, giving a combined total of £14m. The original notice of intent totalled £45m. The ICO and Capita have now agreed to a “voluntary settlement” whereby Capita has admitted liability and agreed to pay the fine without appealing.  

Background 

The cyber-attack began when a malicious file was unintentionally downloaded onto an employee device. Despite a high priority security alert being raised within 10 minutes of the breach and some immediate automated action being taken, Capita did not quarantine the device for 58 hours, during which the attacker was able to exploit its systems. Nearly one terabyte of data was exfiltrated. On 31st March 2023, ransomware was deployed onto Capita systems and the hacker reset all user passwords, preventing Capita staff from accessing their systems and network.

The ICO received at least 93 complaints in relation to this attack. In mitigation, Capita offered 12 months of credit monitoring to affected customers with Experian, as well as setting up a dedicated call centre for those people. It provided weekly updates to the ICO on uptake, with over 260,000 people activating the credit monitoring service.

ICO Findings 

The ICO investigation found that Capita failed to implement appropriate technical and organisational measures to safeguard the data they held. This included: 

  • Failure to prevent privilege escalation and unauthorised lateral movement: 
      • Capita did not implement a tiering model for administrative accounts. This allowed the attacker to escalate privileges, move laterally across multiple domains and compromise critical systems. 
      • These failings were flagged as a vulnerability on at least three separate occasions but were not remedied. 
  • Failure to respond appropriately to security alerts: 
      • A high priority security alert was raised within ten minutes of the breach, but Capita took 58 hours to respond appropriately, against a target response time of one hour. 
      • Capita’s Security Operations Centre was understaffed, and in at least six months before the incident fell well below the target response times for responding to security alerts. 
  • Inadequate penetration testing and risk assessment: 
      • Systems processing millions of records, including some sensitive data, were only subject to a penetration test upon being commissioned and were not subject to any subsequent penetration test. 
      • Findings from penetration tests were siloed within business units. Risks identified that affected the wider Capita network were not universally addressed. 
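The first two failings above (no tiering model for administrative accounts, and a 58-hour response to an alert with a one-hour target) are the kind of thing a defender can check mechanically. The following is an added example, not Capita's or the ICO's own code: it assumes the common three-tier administrative model (tier 0 identity, tier 1 servers, tier 2 workstations), flags logons where a higher-privilege account touches a less-trusted host, and measures alert-to-quarantine delay against the target; all accounts, hosts and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tier numbers follow the common three-tier administrative model (an assumption,
# not Capita's actual design): 0 = identity/domain control, 1 = servers,
# 2 = workstations. A lower number means more privilege.
ACCOUNT_TIER = {
    "da-alice": 0,   # domain admin (constructed)
    "srv-bob": 1,    # server admin (constructed)
    "carol": 2,      # ordinary user (constructed)
}
HOST_TIER = {
    "DC01": 0,
    "FILESRV02": 1,
    "WS-1042": 2,
}

ALERT_RESPONSE_TARGET = timedelta(hours=1)  # the target the ICO cites for Capita


@dataclass(frozen=True)
class Logon:
    when: datetime
    account: str
    host: str


def tier_violations(events):
    """Return logons where an account was used on a host of a less trusted tier
    (higher tier number). A domain admin (tier 0) logging on to a workstation
    (tier 2) leaves credential material on a low-trust machine, which is the
    classic route to privilege escalation and lateral movement. Accounts or
    hosts missing from the inventory are skipped here; in practice an unknown
    asset would be a finding of its own."""
    found = []
    for e in events:
        acct = ACCOUNT_TIER.get(e.account)
        host = HOST_TIER.get(e.host)
        if acct is None or host is None:
            continue
        if acct < host:
            found.append(e)
    return found


def alert_response(alert_raised, device_quarantined, target=ALERT_RESPONSE_TARGET):
    """Return (delay, breached): how long the device stayed live after the
    high-priority alert, and whether that exceeded the response target."""
    delay = device_quarantined - alert_raised
    return delay, delay > target


# Constructed sample data; timestamps are illustrative, not the real incident.
SAMPLE_LOGONS = [
    Logon(datetime(2023, 3, 20, 9, 2), "carol", "WS-1042"),        # normal
    Logon(datetime(2023, 3, 20, 9, 30), "srv-bob", "FILESRV02"),   # normal
    Logon(datetime(2023, 3, 20, 10, 15), "da-alice", "WS-1042"),   # tier 0 on tier 2
    Logon(datetime(2023, 3, 20, 10, 40), "da-alice", "DC01"),      # normal
    Logon(datetime(2023, 3, 20, 11, 5), "srv-bob", "WS-1042"),     # tier 1 on tier 2
]

# Alert raised ten minutes after the malicious download; device quarantined
# 58 hours after the alert, mirroring the timeline the ICO describes.
SAMPLE_COMPROMISE = datetime(2023, 3, 20, 10, 0)
SAMPLE_ALERT = SAMPLE_COMPROMISE + timedelta(minutes=10)
SAMPLE_QUARANTINE = SAMPLE_ALERT + timedelta(hours=58)


if __name__ == "__main__":
    for v in tier_violations(SAMPLE_LOGONS):
        print(f"TIER VIOLATION {v.when:%Y-%m-%d %H:%M} {v.account} -> {v.host}")
    delay, breached = alert_response(SAMPLE_ALERT, SAMPLE_QUARANTINE)
    print(f"quarantine delay {delay}, target {ALERT_RESPONSE_TARGET}, breached={breached}")
```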

The ICO has highlighted key areas where organisations should be taking proactive steps to reduce security risks, such as: 

  • Regularly monitoring for suspicious activity and responding to initial warnings and alerts in a timely manner; 
  • Sharing the findings from penetration testing across the whole organisation so risks can be universally addressed; 
  • Prioritising investment in key security controls to ensure that they are operating effectively; and 
  • Checking agreements and responsibilities between data controllers and data processors. 

Capita Pension Solutions Limited was fined as a data processor. It processes personal data on behalf of over 600 organisations providing pension schemes, with 325 of these organisations also impacted by the data breach. This is only the second time a data processor has been fined by the ICO. In March 2025, Advanced Computer Software Group Ltd, a key IT and software provider for the NHS and other healthcare organisations, was fined £3,076,320. Hackers exploited a vulnerability through a customer account that lacked multi-factor authentication, gaining access to multiple health and care systems operated by Advanced. The ICO investigation found that personal data belonging to 79,404 people was taken. This included phone numbers, medical records, and even details on how to access the homes of 890 individuals receiving at-home care. 

This is the fifth GDPR fine issued by the ICO in 2025; four of these have been in relation to cyber security incidents. In March an NHS IT supplier was fined £3 million, in April a £60,000 fine was issued to a law firm, and in June 23andMe, a US genetic testing company, was fined £2.31 million.

We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about cyber security. See also our Managing Personal Data Breaches Workshop.

Charity Receives £18,000 GDPR Fine

On Monday, a Scottish Charity (Birthlink) received a GDPR Monetary Penalty Notice of £18,000 after it destroyed approximately 4,800 personal records, up to ten percent of which may be irreplaceable. 

Birthlink is a charity specialising in post-adoption support and advice, for people who have been affected by adoption with a Scottish connection.
Since 1984 it has owned and maintained the Adoption Contact Register for Scotland. The Register allows adopted people, birth parents, birth relatives and relatives of an adopted person to register their details with the aim of being linked to and potentially reunited with family members. 

Key findings from the Information Commissioner’s Office (ICO) investigation include: 

  • Handwritten letters and photographs from birth parents amongst items destroyed 
  • Some people’s access to part of their family histories and identities may have been permanently erased due to systematic data protection failures 
  • Poor records management means true extent of actual loss will never fully be known 
  • The charity had limited knowledge of data protection obligations and lacked cost effective and easy-to-implement policies and procedures, which would likely have prevented the destruction. 

Background 

In January 2021, Birthlink reviewed whether they could destroy ‘Linked Records’ as space was running out in the charity’s filing cabinets. ‘Linked Records’ are files of cases where people had already been linked with the person they sought and can include handwritten letters from birth parents, photographs, and copies of birth certificates.  

Following a February 2021 Board meeting, it was agreed no barriers to the destruction of records existed but that retention periods should apply to certain files and only replaceable records could be destroyed. Due to poor record keeping, it is estimated some records were destroyed on 15 April 2021 with a further 40 bags destroyed on 27 May 2021.  

In August 2023, following an inspection by the Care Inspectorate, the Birthlink Board became aware that irreplaceable items had in fact been destroyed as part of the overall record destruction. It reported the incident to the ICO. 

ICO Findings 

The ICO investigation found the following infringements of the UK GDPR: 

  1. Birthlink’s destruction of manual records containing personal data of approximately 4,800 of its service users without authorisation or lawful basis (“Relevant Processing”) occurred as a result of its failure to implement appropriate organisational measures ensuring the security of the personal data contained in the records. In this regard, the ICO found that Birthlink contravened Articles 5(1)(f) and 32(1)-(2) of the UK GDPR (security). 
  2. A significant contributing factor leading to the Relevant Processing was Birthlink’s failure to demonstrate compliance with the data protection principles in accordance with Article 5(2) of the UK GDPR. Birthlink has accepted that there was limited understanding of the UK GDPR at the time of the Relevant Processing until around March 2023 when it introduced data protection training for its staff. 
  3. Despite acknowledging the high risk to affected service users arising from the Relevant Processing, Birthlink did not notify the ICO of the personal data breach until 8 September 2023. A delay of two years and five months represents a marked departure from the obligation to notify the ICO within 72 hours of becoming aware of a personal data breach in accordance with Article 33(1) UK GDPR. 

Why a fine now? 

This fine comes two weeks after the catastrophic data breach involving the Ministry of Defence (MoD) was reported, following the High Court lifting a superinjunction. In February 2022, an MoD official mistakenly emailed a spreadsheet containing personal details of over 18,000 Afghan nationals who had applied to move to the UK under the Afghan Relocations and Assistance Policy (ARAP). The data breach also contained personal details of more than 100 British officials, including those whose identities are most closely guarded: special forces and spies.

Despite the scale and sensitivity of the MoD data breach, the ICO decided not to take any regulatory action; not even a reprimand! In its press release, the ICO praised the MoD’s internal investigation and mitigation efforts, stating that “no further regulatory action is required at this time”.  

The ICO has been heavily criticised for its inaction. The Commons Defence Committee said it would launch its own inquiry, and Dame Chi Onwurah, chair of the Commons Committee for Science, Innovation and Technology, said the committee is writing to the Information Commissioner pushing for an investigation. Following this, the Information Commissioner issued a further statement explaining the ICO approach.

Of course no one is suggesting that the ICO fine for Birthlink is an attempt by the ICO to move on from the MoD non-enforcement but readers may at least be wondering why a relatively small Scottish charity is fined whilst a large government department (which has been fined previously in similar circumstances) has faced no action at all.  

This case shows the importance of good records management in ensuring GDPR compliance. Our forthcoming workshop will help you implement records management best practice and understand how it can help manage the personal data lifecycle. 

ICO Reprimands Law Firm for GDPR Breach 

Last week, the Information Commissioner’s Office (ICO) issued a reprimand to a Hampshire law firm following a data breach that affected over 8,000 individuals. 

Levales Solicitors LLP, a law firm specialising in criminal and military law, was reprimanded after an unknown cyber-attacker gained access to its secure cloud-based server. The attacker used legitimate credentials to infiltrate the system, eventually leaking personal data on the dark web, including:

  • Name, Address, Date of Birth
  • National Insurance Numbers 
  • Criminal data, including allegations, investigations, and prosecutions 
  • Details of complainants, victims (including children), and legally privileged information 
  • Prisoner Numbers, Health Status, and previous convictions 

A total of 8,234 data subjects were affected by the breach, with 863 individuals considered at high risk of harm due to the nature of the sensitive data involved. This included data related to serious offences such as murder, terrorism, sexual offences, and matters involving vulnerable adults or children.

The ICO’s reprimand focuses on the infringement of two key articles of the UK GDPR: 

  • Article 32(1)(b): The need to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems. 
  • Article 32(1)(d): The requirement to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks involved. 

What Went Wrong? 

The ICO found that Levales Solicitors LLP failed to ensure the ongoing confidentiality of its systems, making it vulnerable to the cyberattack (Article 32(1)(b)). Several critical issues were identified by the ICO: 

No Multi-Factor Authentication (MFA): MFA, a basic yet crucial security measure, was not in place for the domain account affected by the breach. This allowed the attacker to access the system using stolen credentials. Despite its simplicity, MFA is considered one of the most effective ways to prevent unauthorised access. 

Weak Password Management: Levales had no clear password policy in place at the time of the breach, relying instead on computer prompts to guide password strength and updates. The lack of a formalised approach to password management further exposed the firm’s systems to risk. 

Unknown Point of Compromise: Levales Solicitors LLP was unable to determine how the attacker obtained the credentials, demonstrating a lack of sufficient oversight into how the breach occurred. 

The ICO also criticised Levales for failing to implement appropriate technical and organisational security measures (Article 32(1)(d)). Notably: 

Outsourced IT Management: Levales had outsourced its IT management but had not reviewed or updated security measures since 2012. The firm was unaware of basic security processes, such as detection, prevention, and monitoring systems in place with their third-party provider. 

Inadequate Contract Reviews: The ICO expects that organisations outsourcing services conduct regular reviews to ensure security measures are up-to-date and appropriate. Levales had not reassessed their IT service contract since signing it, leaving potential vulnerabilities unchecked. 

The National Cyber Security Centre (NCSC) provides a 12-step guide on supply chain security, which advises that vulnerabilities within contracts can be easily exploited if the responsibilities and security measures between the provider and controller are not clearly defined or regularly reviewed. 

Despite these significant failings, the ICO did acknowledge that Levales had taken remedial steps following the breach, including: 

  • Introducing Multi-Factor Authentication (MFA) for all user accounts. 
  • Updating service contracts with third-party providers to ensure better security. 
  • Conducting a comprehensive review of existing systems and prioritising firewall upgrades. 

After taking all factors into consideration, including the remedial steps taken by Levales, the ICO decided to issue a formal reprimand under Article 58(2)(b) of the UK GDPR.  

Key Takeaways  

The decision reflects the seriousness of the firm’s failings in securing sensitive personal data and underscores the importance of robust data security practices for all organisations, particularly those handling highly sensitive information. All businesses are advised to take the following steps to comply with GDPR requirements: 

  • Implement Multi-Factor Authentication (MFA) for all accounts to reduce the risk of credential theft. 
  • Ensure that password policies are robust and regularly reviewed. 
  • Review contracts with third-party service providers to confirm that appropriate security measures are in place and understood by both parties. 
  • Regularly assess and update security systems to ensure they remain effective against evolving cyber threats. 
  • Document and monitor the security measures in place, ensuring that they are tailored to the specific risks associated with the data being processed. 

This is not the first time that a law firm has been found to be in breach of GDPR. In 2022 the ICO fined Tuckers Solicitors LLP £98,000 for a breach of GDPR. The fine followed a ransomware attack on the firm’s IT systems which saw the attacker encrypt 972,191 files, of which 24,712 related to court bundles. 60 of those were exfiltrated by the attacker and released on the dark web. Some of the files included Special Category Data. Tuckers reported the breach to the ICO as well as to affected individuals through various means including social media.

The ICO concluded that there were a number of areas in which Tuckers had failed to comply, and to demonstrate that it complied, with the Security Principle. Its technical and organisational measures were, over the relevant period, inadequate. Amongst other things, the lack of Multi-Factor Authentication was highlighted by the ICO.

Data security is a cornerstone of GDPR compliance, and the reprimand involving Levales Solicitors LLP highlights the potential consequences of not taking proper precautions. Organisations should treat this as a wake-up call to evaluate and strengthen their own data protection measures, particularly in areas where sensitive or high-risk data is involved.

We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about cyber security. See also our Managing Personal Data Breaches Workshop.


London Hospitals Hit By Major Cyber Attack

The Independent reports this afternoon that two major London hospital trusts have had to cancel all non-emergency operations and blood tests due to a significant cyber attack. Both King’s College Hospital Foundation Trust and Guy’s and St Thomas’ Hospitals Foundation Trusts have seen their pathology systems compromised by malware.

Synnovis, the service provider responsible for blood tests, swabs, bowel tests, and other critical services for these hospitals, was targeted in this attack. The impact is widespread, affecting NHS patients across six London boroughs. The affected hospitals include Guy’s Hospital, which operates the Evelina children’s hospital, Harefield Hospital, King’s College Hospital, Princess Royal University Hospital, Royal Brompton Hospital, and St Thomas’ Hospital.

On Monday, Synnovis confirmed the severity of the attack, which has disrupted services for tens of thousands of patients. As the hospitals work to mitigate the damage and restore services, the incident highlights the vulnerability of healthcare systems to cyber threats and the far-reaching consequences such attacks can have on patient care.

The Information Commissioner’s Office is yet to comment. 

We have two workshops coming up in September (Introduction to Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security. See also our Managing Personal Data Breaches Workshop.

Navigating Turbulence: Qantas App Privacy Breach Sparks Concerns 

Today a number of news outlets are reporting that Australian airline Qantas is investigating a privacy breach on its app. Customers discovered that they had access to the personal details of other travellers, including boarding passes and frequent flyer information. This discovery has raised significant concerns about data security and privacy among Qantas app users. 

Qantas responded to the situation, acknowledging the issue and assuring customers that it was under investigation. Within three hours of the breach being detected, the airline claimed to have resolved the problem and issued a public apology for any inconvenience caused. 

Despite initial fears of a cyberattack, Qantas stated that the breach was likely due to a technology glitch, possibly linked to recent system updates. However, the extent of the breach was troubling, with some users reporting the ability to view multiple passengers’ details with just a few clicks. 

Customers shared their experiences on social media platforms, recounting instances where they were confronted with strangers’ personal information upon opening the app. Concerns were further amplified when reports emerged of individuals being able to manipulate flight bookings, raising questions about the app’s security measures. 

In response to the breach, Qantas advised affected users to log out and log back into the app to mitigate the issue. The airline reassured customers that there were no indications of travellers using incorrect boarding passes as a result of the breach. 

Social media channels buzzed with criticism of Qantas, with users sharing screenshots of the glitch and raising awareness of potential phishing attempts. Allegations surfaced of fake Qantas customer care accounts soliciting personal information from users under the guise of assistance. 

Does the UK GDPR apply here? 

In October 2020, the UK Information Commissioner’s Office fined British Airways £20 million, under the GDPR, for a cyber security breach which saw the personal and financial details of more than 400,000 customers being accessed by attackers.

Whilst Qantas has said that this incident was not due to a cyber-attack, it will certainly face questions about its handling of customer data under Australian data protection laws. It is also possible that Qantas, an Australian company, is the subject of a probe by the UK Information Commissioner’s Office under the UK GDPR if, as is likely, UK data subjects are affected by the incident.

Article 3(2) of the UK GDPR gives it an extra territorial effect. It states:  

“This Regulation applies to the relevant processing of personal data of data subjects who are in the United Kingdom by a controller or processor not established in the United Kingdom where the processing activities are related to: 

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the United Kingdom; or 

(b) the monitoring of their behaviour as far as their behaviour takes place within the United Kingdom.” 

Applying this principle, on 4th April 2023 the ICO issued a £12.7 million fine to TikTok, a US company whose parent company is the Beijing-based ByteDance, for a number of breaches of the UK GDPR, including failing to use children’s personal data lawfully.

As Qantas works to address the fallout from this breach and restore trust among its customer base, the incident serves as a stark reminder of the importance of robust data security measures in the digital age. It highlights the vulnerability of personal data in online platforms and underscores the need for companies to prioritise the protection of customer data. 

We have two workshops coming up (How to Increase Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security. We have also just launched our new workshop, Understanding GDPR Accountability and Conducting Data Protection Audits.  

ICO Reprimand for NHS Patient Data Breach

In a concerning revelation of data security lapses, NHS Fife has been formally reprimanded by the Information Commissioner’s Office (ICO) following an incident where an unauthorised individual accessed sensitive patient information. The breach occurred in a hospital ward and highlights key learnings for all organisations regarding security protocols for personal data.

Incident Overview

The case came to light after the ICO discovered that the personal information of 14 patients was compromised. The incident, which took place in February 2023, involved an individual who was able to access secure documents and participate in administering care to a patient, highlighting a lack of identity verification checks at the hospital.

ICO Investigation Findings

The ICO’s investigation unveiled several deficiencies in NHS Fife’s approach to data protection. Notably, staff training on safeguarding personal information was found to be inadequate. The ICO found training rates across the hospital were at only 42% although on the ward it was at 82%. This low rate was attributed to the Covid-19 Pandemic and a three-year training cycle. Additionally, the ICO pointed out that the hospital’s CCTV system had been mistakenly turned off by a staff member before the incident as part of wider energy-saving measures being implemented across the hospital. Although this would not have prevented the incident, it further complicated the recovery of the missing documents as the individual was not able to be identified.

Natasha Longson, ICO Head of Investigations, stressed the importance of stringent data security in healthcare. “Patient data is highly sensitive and needs the highest level of security. Trust in data security is pivotal when accessing healthcare services,” she remarked. 

Echoes of NHS Lanarkshire Incident

This is not the first instance of such a breach within the NHS system. Months earlier, NHS Lanarkshire faced a similar reprimand for unauthorised staff use of WhatsApp to share patient data over the course of two years, leading to data access by a non-staff member.

In the Lanarkshire incident, between April 2020 and April 2022, 26 staff at NHS Lanarkshire had access to a WhatsApp group where patient data was entered on more than 500 occasions, including names, phone numbers and addresses. Images, videos and screenshots, which included clinical information, were also shared. While it was made available for communicating basic information only at the start of the pandemic, WhatsApp was not approved by NHS Lanarkshire for processing patient data and was adopted by these staff without the organisation’s knowledge. A non-staff member was also added to the WhatsApp group in error, resulting in the inappropriate disclosure of personal information to an unauthorised individual. Additionally, it is worth bearing in mind that public sector organisations face the added risk of WhatsApp communications being disclosed to court proceedings after the High Court ruling in July of this year. The consequences of that ruling are currently being played out for us now.

Corrective Measures and Recommendations

In response to this incident, NHS Fife has introduced new procedures, including stringent sign-in and out systems for documents containing patient data and updated ID verification processes. The ICO has also recommended that NHS Fife enhance its data protection strategies by conducting more frequent training for staff and providing clear written security guidelines as well as updating policies and procedures whilst clearly highlighting archived policies. The ICO also requested to be updated on these measures in a six-month follow up. 

Organisations can use these findings to ensure that all the recommendations mentioned above are being implemented within their organisations. The ICO added:

“Every healthcare organisation should look at this case as a lesson learned and consider their own policies when it comes to security checks and authorised access. We are pleased to see that NHS Fife has introduced new measures to prevent similar incidents from occurring in the future.”

Learn more about data breaches with our UK GDPR Practitioner Certificate. Dive into the issues discussed in this blog and secure your spot before spaces run out.

Cyber Security Breaches Survey 2022: What DPOs need to know

Cyber security breaches are on the rise. Virtually every day there is a news story about a high profile organisation being hacked and personal data being lost or stolen. Last week the BBC reported that thousands, if not millions, of people could have lost money in the second largest crypto hack in history. Ronin Network, a key platform powering the popular mobile game Axie Infinity, has had $615m (£467m) stolen. More recently UK retailer, The Works has been forced to shut shops temporarily and suspend new stock deliveries after a cyber-attack.

And it’s not just the private sector. In January we learnt that Gloucester City Council’s website was hacked, affecting online revenue and benefits, planning and customer services. The work of Russian hackers (allegedly) could take up to six months to resolve, and affected servers and systems may need to be rebuilt.

Data Protection Officers need to be aware of the latest incidents and advice when it comes to cyber security breaches. The recently published DCMS Cyber Security Breaches Survey is important reading for all DPOs. It explores the policies, processes, and approaches to cyber security for businesses, charities, and educational institutions. It also considers the different forms of cyber-attack these organisations face, as well as how they are impacted and their response.

Cyber Attacks

The survey results show that in the last 12 months, 39% of UK businesses identified a cyber-attack. Of these, the most common threat vector was phishing attempts (83%). Of the 39%, around one in five (21%) identified a more sophisticated attack type such as a denial of service, malware, or ransomware attack. Despite its low prevalence, organisations cited ransomware as a major threat, with 56% of businesses having a policy not to pay ransoms. Note recently the GDPR fine issued to a firm of solicitors who suffered such an attack. Interestingly they too chose not to pay the hackers. 

Frequency and Impact

Within the group of organisations reporting cyber-attacks, 31% of businesses and 26% of charities estimate they were attacked at least once a week. One in five businesses (20%) and charities (19%) say they experienced a negative outcome as a direct consequence of a cyber-attack, while one third of businesses (35%) and almost four in ten charities (38%) experienced at least one negative impact. It is interesting that the survey focussed on charities too. July 2021 saw the first GDPR fine to a charity. The transgender charity Mermaids was fined £25,000 after the ICO found that it had failed to implement an appropriate level of security to its internal email systems, which resulted in documents or emails containing personal data being searchable and viewable online by third parties through internet search engine results.

Cost of Attacks

The survey found the average estimated cost of all cyber attacks in the last 12 months was £4,200. Considering only medium and large businesses, the figure rises to £19,400. Of course such incidents also mean a loss of reputation and customer trust. In October 2020, the ICO fined British Airways £20 million for a cyber security breach which saw the personal and financial details of more than 400,000 customers being accessed by hackers. British Airways also had to settle legal claims for compensation from affected customers.

Cyber Hygiene

The government guidance ‘10 Steps to Cyber Security’ breaks down the task of protecting an organisation into 10 key components. The survey finds 49% of businesses and 40% of charities have acted in at least five of these 10 areas. In particular, access management surveyed most favourably, while supply chain security was the least favourable.

Board Engagement

Around four in five (82%) of boards or senior management within UK businesses rate cyber security as a ‘very high’ or ‘fairly high’ priority, an increase on 77% in 2021. 72% in charities rate cyber security as a ‘very high’ or ‘fairly high’ priority. Additionally, 50% of businesses and 42% of charities say they update the board on cyber security matters at least quarterly. Our new webinar “GDPR and the Charity Sector Webinar” is ideal for raising awareness amongst charity trustees.

Size Differential

Larger organisations are correlated throughout the survey with enhanced cyber security, likely as a consequence of increased funding and expertise. For large businesses’ cyber security: 80% update the board at least quarterly, 63% conducted a risk assessment, and 61% carried out staff training, compared with 50%, 33% and 17% respectively for all businesses. Our GDPR Essentials e-learning course contains a specific module on keeping data safe which warns of the most common cyber hacking/phishing tactics.

Risk Management

Just over half of businesses surveyed (54%) have acted in the past 12 months to identify cyber security risks, including a range of actions, of which security monitoring tools (35%) were the most common. Qualitative interviews however found that limited board understanding meant the risk was often passed on to outsourced cyber providers, insurance companies, or an internal cyber colleague.

Outsourcing and Supply Chain

Small, medium, and large businesses outsource their IT and cyber security to an external supplier 58%, 55%, and 60% of the time respectively, with organisations citing access to greater expertise, resources, and standards of cyber security. Even so, only 13% of businesses assessed the risks posed by their immediate suppliers, with organisations saying that cyber security was not an important factor in the procurement process.

Incident Management

Incident management policy is limited, with only 19% of businesses having a formal incident response plan, while 39% have assigned roles should an incident occur. In contrast, businesses show a clearly reactive approach when breaches occur, with 84% of businesses saying they would inform the board and 73% saying they would make an assessment of the attack.

External engagement

Outside of working with external cyber security providers, organisations engage most with insurers: 43% of businesses have an insurance policy that covers cyber risks. On the other hand, only 6% of businesses have the Cyber Essentials certification and 1% have Cyber Essentials Plus, which is largely due to relatively low awareness. The importance of this was highlighted in the recent GDPR fine issued to Tuckers Solicitors.

The DCMS Cyber Security Breaches Survey is important reading for all Data Protection Officers and IT staff. Aligned with the National Cyber Strategy, it is used to inform government policy on cyber security. It should also be used to stay abreast of cyber security developments and to formulate your own organisation’s cyber security strategy.

Our Managing Personal Data Breaches workshop will examine the law and best practice in this area, drawing on real-life case studies, to identify how organisations can position themselves to deal appropriately with data security incidents and data breaches, in order to minimise the impact on customers and service users and mitigate reputational damage.

Law Firm Fined For GDPR Breach: What Went Wrong? 

On 10th March the Information Commissioner’s Office (ICO) announced that it had fined Tuckers Solicitors LLP £98,000 for a breach of GDPR.

The fine follows a ransomware attack on the firm’s IT systems in August 2020. The attacker had encrypted 972,191 files, of which 24,712 related to court bundles. 60 of those were exfiltrated by the attacker and released on the dark web. Some of the files included Special Category Data. Clearly this was a personal data breach, not just because data was released on the dark web, but because the unavailability of personal data (through encryption by the attacker) is also covered by the definition in Article 4 GDPR. Tuckers reported the breach to the ICO as well as to affected individuals through various means, including social media.

The ICO found that between 25th May 2018 (the date the GDPR came into force) and 25th August 2020 (the date on which Tuckers reported the personal data breach), Tuckers had contravened Article 5(1)(f) of the GDPR (the sixth Data Protection Principle, Security), as it failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The ICO took as its starting point for calculating the penalty 3.25 per cent of Tuckers’ turnover for 30 June 2020. It could have been worse; the maximum for a breach of the Data Protection Principles is 4% of gross annual turnover.

In reaching its conclusions, the Commissioner gave consideration to Article 32 GDPR, which requires a Data Controller, when implementing appropriate security measures, to consider:

 “…the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”.

What does “state of the art” mean? In this case the ICO considered, in the context of “state of the art”, relevant industry standards of good practice including the ISO 27000 series, the National Institute of Standards and Technology (“NIST”), the various guidance from the ICO itself, the National Cyber Security Centre (“NCSC”), the Solicitors Regulation Authority, Lexcel and NCSC Cyber Essentials.

The ICO concluded that there were a number of areas in which Tuckers had failed to comply, and to demonstrate that it complied, with the Security Principle. Its technical and organisational measures were, over the relevant period, inadequate in the following respects:

Lack of Multi-Factor Authentication (“MFA”)

MFA is an authentication method that requires the user to provide two or more verification factors to gain access to an online resource. Rather than just asking for a username and password, MFA requires one or more additional verification factors, such as a code from a fob or text message, which decreases the likelihood of a successful cyber-attack. Tuckers had not used MFA on its remote access solution, despite its own GDPR policy requiring it to be used where available.

Patch Management 

Tuckers told the ICO that part of the reason for the attack was the late application of a software patch to fix a vulnerability. In January 2020 this patch was rated as “critical” by the NCSC and others. However, Tuckers only installed it 4 months later.

Failure to Encrypt Personal Data

The personal data stored on the archive server that was subject to this attack had not been encrypted. The ICO accepted that encryption may not have prevented the ransomware attack. However, it would have mitigated some of the risks the attack posed to the affected data subjects, especially given the sensitive nature of the data.

Action Points 

Ransomware is on the rise. Organisations need to strengthen their defences and have plans in place, not just to prevent a cyber-attack but also for what to do when one takes place:

  1. Conduct a cyber security risk assessment and consider an external accreditation through Cyber Essentials. The ICO noted that in October 2019, Tuckers was assessed against the Cyber Essentials criteria and found to have failed to meet crucial aspects. The fact that some 10 months later it had still not resolved this issue was, in the Commissioner’s view, sufficient to constitute a negligent approach to data security obligations.
  2. Make sure everyone in your organisation knows the risks of malware/ransomware and follows good security practice. Our GDPR Essentials e-learning solution contains a module on keeping data safe.
  3. Have plans in place for a cyber security breach. See our Managing Personal Data Breaches workshop.

More useful advice can be found in the ICO’s guidance note on ransomware and DP compliance.

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We also have a few places left on our Advanced Certificate in GDPR Practice course starting in April.


GDPR Fine for Charity Email Blunder

A Scottish charity has been issued with a £10,000 monetary penalty notice following the inadvertent disclosure of personal data by email. 

On 18th October, HIV Scotland was found to have breached the security provisions of the UK GDPR, namely Articles 5(1)(f) and 32, when it sent an email to 105 people which included patient advocates representing people living with HIV. All the email addresses were visible to all recipients, and 65 of the addresses identified people by name. From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk. 

The Information Commissioner’s Office (ICO) is urging organisations to revisit their bulk email practices after its investigation found shortcomings in HIV Scotland’s email procedures. These included inadequate staff training, incorrect methods of sending bulk emails by blind carbon copy (bcc) and an inadequate data protection policy. It also found that despite HIV Scotland’s own recognition of the risks in its email distribution and the procurement of a system which enables bulk messages to be sent more securely, it was continuing to use the less secure bcc method seven months after the incident.
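The two sending patterns side by side, as an added example that is not part of the original post or of HIV Scotland’s systems: a single message with every address in one header (the pattern behind the incident) against one message per recipient, with a pre-send check that flags any message exposing another recipient’s address. The addresses and sender are constructed placeholders, and nothing is actually sent.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample distribution list; these are not real addresses.
RECIPIENTS = ["a.reader@example.org", "b.patel@example.net", "c.ng@example.com"]
SENDER = "comms@charity.example"  # constructed placeholder


def build_single_message(sender, recipients, subject, body, header="To"):
    """The pattern behind the incident: one message, every address in one header.

    With "To" or "Cc" every recipient sees the whole list. "Bcc" only helps if
    that header is stripped before the message leaves the sending system.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg[header] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_individual_messages(sender, recipients, subject, body):
    """Safer pattern: one message per recipient, so there is no list to leak."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def exposed_addresses(msg, intended_recipient):
    """Return addresses in To/Cc/Bcc other than the intended one (empty set = safe)."""
    found = set()
    for header in ("To", "Cc", "Bcc"):
        for _, addr in getaddresses(msg.get_all(header, [])):
            if addr and addr.lower() != intended_recipient.lower():
                found.add(addr.lower())
    return found


def safe_to_send(messages, recipients):
    """Pre-send gate: True only if every message is addressed solely to its own recipient."""
    return len(messages) == len(recipients) and all(
        not exposed_addresses(m, r) for m, r in zip(messages, recipients)
    )
```

Running `safe_to_send` before handing the batch to the mail server turns the “did anyone check the recipient line?” step from a matter of staff vigilance into a mechanical control.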

On the point of training, HIV Scotland confirmed to the ICO that employees are expected to complete the “EU GDPR Awareness for All” on an annual basis. The ICO recommended that staff should receive induction training “prior to accessing personal data and within one month of their start date.” Act Now’s e-learning course, GDPR Essentials, is designed to teach employees about the key provisions of GDPR and how to keep personal data safe. The course is interactive, with a quiz at the end, and can be completed in just over 30 minutes. Click here to watch a preview.

HIV Scotland was also criticised for not having a specific policy on the secure handling of personal data within the organisation. It relied on its privacy policy, which was a public-facing statement covering points such as cookie use and data subject access rights; this provided no guidance to staff on the handling of personal data and what they must do to ensure that it is kept secure. The Commissioner expects an organisation handling personal data to maintain policies regarding, amongst other things, confidentiality (see our GDPR policy pack).

This is an interesting case, and one which will not reassure the Labour Relations Agency in Northern Ireland, which had to apologise last week for sharing the email addresses and, in some cases, the names of more than 200 service users. The agency deals confidentially with sensitive labour disputes between employees and employers. It said it had issued an apology to recipients and was currently taking advice from the ICO.

Interestingly, the ICO also referenced in its ruling the fact that HIV Scotland had made a point of commenting on a similar error by another organisation 8 months prior. In June 2019, NHS Highland disclosed the email addresses of 37 people who were HIV positive. It is understood the patients in the Highlands were able to see their own and other people’s addresses in an email from NHS Highland inviting them to a support group run by a sexual health clinic. At the time HIV Scotland described the breach as “unacceptable”.

The HIV Scotland fine is the second one the ICO has issued to a charity in the space of 4 months. On 8th July 2021, the transgender charity Mermaids was fined £25,000 for failing to keep the personal data of its users secure. The ICO found that Mermaids failed to implement an appropriate level of security to its internal email systems, which resulted in documents or emails containing personal data being searchable and viewable online by third parties through internet search engine results.

Charities need to consider these ICO fines very carefully and ensure that they have policies, procedures and training in place to avoid enforcement action by the ICO.

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have a few places left on our Advanced Certificate in GDPR Practice course starting in January.

Labour Relations Agency Data Breach: Ibrahim Hasan’s BBC Interview


The Labour Relations Agency in Northern Ireland has apologised for sharing the email addresses and, in some cases the names, of more than 200 service users.

https://www.bbc.co.uk/news/uk-northern-ireland-58988092

Here is Ibrahim Hasan’s interview with BBC Radio Ulster:

More media interviews by Ibrahim here.