ICO reports security failures across all sectors as fines continue to ramp up in 2019

Since May 2018 when GDPR kicked, the ICO has been progressively investigating data breaches identified to them and no-one has been spared in their enforcements.  From local Government officials illegally accessing personal data, to public bodies (including HMRC for data harvesting), to the Metropolitan Police (responding to Subject Access Requests), the NHS (for illegally accessing medical records), to regulated industries and small businesses carrying out unsolicited communications by email or telephone (affecting up to 4.5 million unsuspecting contacts).  Even in one extraordinary case, a Council employee shared unredacted data about alleged gang members profiled on a police intelligence ‘Gang Matrix’ database to other Council staff and external organisations. This ended up on social media and was then used by the gang members themselves.  Unbelievable, but sadly true.

Amicus ITS Director of Technology, Security & Governance, JP Norman commented:  “The ICO are striking a balance between the severity of a breach individually, the volume of data affected and the harm and distress caused by the breach of security and lack of protocol.   We can see from the  enforcement notices published across 2018-19, the huge variety of cases that the ICO have dealt with in the last 18 months and ultimately this illustrates data responsibility is in the hands of every individual, with fallout picked up by the organisation/company directors”.

Big headliner fines this Summer featured the £183.4m fine published to British Airways following the 2018 cyber incident where users logging in to BA’s website were diverted to a fraudulent site where their personal details, payment information and travel plans were harvested.  This represented 1.5% out of a total possible fine of 4% of global turnover.  Plus, the £99.2m fine to Marriott International hotels group for a data breach whereby 339 million guest records globally were exposed over several years following a merger and lack of due diligence and security measures being adopted.  Both organisations are seeking to defend their position. Other big names included: Equifax (£500,000), Uber (£385,000), and Yahoo! (£250,000) for cyber security failures.

Against this backdrop, the ICO Annual Report for March 2018-19 published in July 2019 recognised that 82% of personal data breaches investigated had been closed with no further action, as corrective measures to avoid a repeat had been taken or were being acted upon, which we should take as positive news as organisations learn to manage their data more responsibly.

JP Norman adds:  “All organisations face the same responsibilities around data management and data security.  At the heart of good practice is education and staff training. This can identify what is appropriate when sharing data and that if approved, it is done lawfully and safely.   Organisations, institutions and businesses of any size must have a Data Protection Officer (DPO), who may also be the Data Controller if appropriate. These representatives need ready access to policies and guidance around data security and measures to be taken in the event of any breach, which can be evidenced and practised as part of a smart Business Continuity Plan.  This can be intimidating for businesses of even medium size to get to grips with and act confidently so we often see the DPO function outsourced”.

Amicus ITS recognises the challenges organisations face and earlier this year published our new Virtual Data Protection Officer service on G-Cloud 11 for public sector customers.  Notably, this service is equally available to SMEs.  Any organisation that is unsure if it has the right security policies and security measures in place can contact Amicus ITS in confidence.  If the service is taken up, this security consultancy could not only save you £000s but also help protect against reputational damage which can be priceless.  Call our Sales team today for a free initial discussion on +44 2380 429429.

Amicus ITS’ privacy policy can be found here

Lessons learned from the TalkTalk Cyber Attack


The Background to the cyber breach
• TalkTalk customer base 4 million users
• 21 October 2015 attack resulted in 157,000 individual personal records being compromised, with 16,000 bank and sort codes accessed and 28,000 tokenised credit card numbers.

Who was to blame?
Well obviously from a criminal point of view, there were actually five people known to be involved, four of whom were teenagers who have been arrested by the police.  However in truth, the real culprit is TalkTalk, in their failure to protect the data of their customers and learn the lessons from previous breaches across the preceding 12 month period.

So what are the lessons learned from this high profile cyber attack for all UK businesses and organisations regardless of size?
All businesses should expect to be breached.  TalkTalk failed to plan ahead despite the experiences of each breach:

Action 1:  Arrange for a full security review (pen testing, social engineering checks, dumpster diving (ensuring your confidential waste is disposed of properly), remote access connections, patch management etc..

Talk the Tech Talk
Disconcertingly for a company which reported gross revenue in 2014 of £1.7 billion ($2.65 billion), TalkTalk failed to invest sufficiently firstly in information security specialists and secondly, the technology to help withstand breaches.

Action 1: Ensure that your Board’s PR spokesperson has had media training and uses the right technical terms (“sequel” being mispresented for SQL”

Action 2: Ensure that nothing is revealed by a representative of your organisation going on camera (whether video or still) that discloses anything about your company or your technical infrastructure. A simple look up of the Open Web Application Security Project (OWASP) a not for profit software information sharing website, which would have given TalkTalk the heads up to correcting the latest threats and vulnerabilities

Know your network and understand security
Much of the public distress about this high profile cyber attack was that no-one in the management team could confirm whether the stolen customer data had been encrypted.

Action 1:  Ensure that a member of the Board understands data security, comprehends and can talk about Cloud – and understands the technical infrastructure of the organisation.

Speak the truth
In the TalkTalk scenario, the CEO claimed that they were “head and shoulders better than some of our competitors and some of the media bodies that were throwing those particular stones.”

This fell on ‘stony ground’ for Dido Harding when she said this to The Sunday Times and that under the U.K.’s 1998 Data Protection Act, TalkTalk was “not legally required” to encrypt customer data.   If the customer is a victim of a cyber attack, the deed is done and that bond of trust is forever damaged.

Respect your customer’s data as being your crown jewels
The Data Protection Act 1998 requires a duty of care of the organisation’s data controller to look after everyone’s data – their own and that held by them of their customers.

With the value of data for cyber criminals increasing with every strand of personal detail, criminals can profit from many types of customer data.  This does not have to be actual credit card or bank details, it can be any Personal Identifiable Information (PII), that when pieced together, forms a profile of the individual which the criminal can then sell on to 3rd parties.

Whilst there is no current UK legislation yet to mandate businesses and organisations to encrypt their data irrespective of the type of business, it is an easy preventative software step in order to protect your organisation. This simple move could save your organisation embarrassment and potentially millions of pounds in lost revenue – but critically, lost trust.