ICO reports security failures across all sectors as fines continue to ramp up in 2019

Since May 2018, when GDPR kicked in, the ICO has been progressively investigating data breaches identified to it, and no one has been spared in its enforcement action. Cases range from local government officials illegally accessing personal data, to public bodies (including HMRC for data harvesting), the Metropolitan Police (responding to Subject Access Requests), the NHS (for illegally accessing medical records), and regulated industries and small businesses carrying out unsolicited communications by email or telephone (affecting up to 4.5 million unsuspecting contacts). In one extraordinary case, a Council employee even shared unredacted data about alleged gang members profiled on a police intelligence ‘Gang Matrix’ database with other Council staff and external organisations. This ended up on social media and was then used by the gang members themselves. Unbelievable, but sadly true.

Amicus ITS Director of Technology, Security & Governance, JP Norman commented:  “The ICO are striking a balance between the severity of a breach individually, the volume of data affected and the harm and distress caused by the breach of security and lack of protocol.   We can see from the  enforcement notices published across 2018-19, the huge variety of cases that the ICO have dealt with in the last 18 months and ultimately this illustrates data responsibility is in the hands of every individual, with fallout picked up by the organisation/company directors”.

Big headline fines this summer included the £183.4m fine published to British Airways following the 2018 cyber incident in which users logging in to BA’s website were diverted to a fraudulent site where their personal details, payment information and travel plans were harvested. This represented 1.5% out of a total possible fine of 4% of global turnover. There was also the £99.2m fine to Marriott International hotels group for a data breach in which 339 million guest records globally were exposed over several years, following a merger and a lack of due diligence and security measures. Both organisations are seeking to defend their position. Other big names included Equifax (£500,000), Uber (£385,000) and Yahoo! (£250,000), for cyber security failures.

Against this backdrop, the ICO Annual Report for March 2018-19 published in July 2019 recognised that 82% of personal data breaches investigated had been closed with no further action, as corrective measures to avoid a repeat had been taken or were being acted upon, which we should take as positive news as organisations learn to manage their data more responsibly.

JP Norman adds:  “All organisations face the same responsibilities around data management and data security.  At the heart of good practice is education and staff training. This can identify what is appropriate when sharing data and that if approved, it is done lawfully and safely.   Organisations, institutions and businesses of any size must have a Data Protection Officer (DPO), who may also be the Data Controller if appropriate. These representatives need ready access to policies and guidance around data security and measures to be taken in the event of any breach, which can be evidenced and practised as part of a smart Business Continuity Plan.  This can be intimidating for businesses of even medium size to get to grips with and act confidently so we often see the DPO function outsourced”.

Amicus ITS recognises the challenges organisations face and earlier this year published our new Virtual Data Protection Officer service on G-Cloud 11 for public sector customers.  Notably, this service is equally available to SMEs.  Any organisation that is unsure if it has the right security policies and security measures in place can contact Amicus ITS in confidence.  If the service is taken up, this security consultancy could not only save you £000s but also help protect against reputational damage which can be priceless.  Call our Sales team today for a free initial discussion on +44 2380 429429.


The Panama Papers, an expensive lesson in having unsecured data

The ‘Panama Papers’ data breach of Panamanian legal, trust and accounting firm Mossack Fonseca, revealed on 3 April 2016, consisted of a whopping 2.6TB of data covering over 11.5 million scanned and electronic files dating back to the 1970s. The fallout has been substantial globally and continues to grow day by day.

The data from the hack of an email server, which occurred at the start of 2015, was taken to German newspaper Süddeutsche Zeitung (“SZ”). Due to the immense scale of data for analysis, however, SZ brought the US-based International Consortium of Investigative Journalists (ICIJ) on board. 400 journalists from 107 news organisations have pored over the documents, using OCR (Optical Character Recognition) software and new graph database technology, including Neo4j, to help index and analyse the content. The journalists then drew out connections, such as people who share the same address but are not formally married and who have material connections to suspicious bank accounts used for money laundering or other financial crimes and misdemeanours.

Whilst the announcement related to a mere 149 files out of the 11.5 million, the revelation that Mossack Fonseca was creating shell corporations in tax havens around the world for a substantial list of politicians and world figures has increased the distrust of those in public positions who have either accessed and abused public purse funds or sought tax avoidance for personal gain.

Who’s Who in the world spotlight? In a swift snapshot from this initial reveal, Iceland’s Prime Minister Sigmundur Davíð Gunnlaugsson had to step down sharply following the news, whilst Argentinian President Macri and Ukrainian President Petro Poroshenko await their fate. Friends of Syrian President Bashar Assad and associates of Putin are facing scrutiny, whilst a number of FIFA officials have been implicated, along with soccer star Lionel Messi. Celebrity producers include Hollywood’s David Geffen and Simon Cowell, plus singer Tina Turner and actor Jackie Chan. Meanwhile, in UK politics, PM David Cameron (through the tax affairs of his late stockbroker father and estate family gifts) has been forced to fend off accusations of immorality and lack of transparency by publishing personal tax returns.

So what for these people?
There will be massive consequences for any individual whose private financial affairs have been made public.  Their confidential business structures are now public, reputations will be damaged, no doubt lawsuits will be an end result and policy is likely to change.

So what for data controllers?
The breach highlights once again, this time on a massive scale, that organisations holding any personal data have no choice but to sit up and take acute note, and to re-review their own security perimeters, policies, up-to-date licences, patch management and backup arrangements.


Local authorities committing 4 data breaches every day


A new study by privacy campaign group Big Brother Watch has identified an alarming number of recorded data breaches by local authorities. Over a 3 year period there were 4,236 data breaches. The authorities with the largest number of recorded breaches are listed below:

1. Brighton and Hove City Council – 190
2. Sandwell Council – 187
3. Telford and Wrekin Council – 175
4. Peterborough City Council – 160
5. Herefordshire Council – 157
6. Glasgow City Council – 128
7. Doncaster Council – 106
8. Essex County Council – 106
9. Lincolnshire County Council – 103
10. Wolverhampton City Council – 100

In addition to the number of breaches, the attitude towards protecting data shown by local authorities is seen as alarming by Big Brother Watch’s director Emma Carr, who stated that the findings showed “shockingly lax attitudes to protecting confidential information”.

The study findings are based on responses to Freedom of Information requests sent to all UK local authorities and include: data lost over 400 times, 5000 letters sent to the wrong address, sensitive or confidential information compromised in 260 cases, and breaches involving personal data linked to children on 658 occasions. With regard to the data loss, despite more than 400 instances of loss or theft (including 197 mobile phones, computers, tablets and USBs) and 600 cases where information was inappropriately shared, just a single person has faced criminal sanctions and only 50 have been dismissed. Southampton City Council recorded 50 data breaches.

The Information Commissioner’s Office, the Justice Select Committee and the Home Affairs Select Committee have all given their widespread support for imposing tougher penalties for the most serious of data breaches. However, with only a fraction of employees disciplined or dismissed, one questions how seriously councils are taking protecting the privacy of the public. A spokesman for the Local Government Association said: “Councils take data protection extremely seriously and staff are given ongoing training in handling confidential data.” But on the face of the latest findings, this does not, by all accounts, seem to be the case. Local authorities will need to prove that they can be trusted with digital security and that our personal data is safe with them, addressing both the security measures in place and policies around handling breaches once they have been found.

Friction in The White House over data authority lapse

US security services are facing a tricky period, following the lapse of The White House’s legal authority this week to gather all US citizens’ data through the Patriot Act, as the NSA and other agencies seek to defend national security.

The extension of the Patriot Act failed to reach a deal in the Senate this week. In its place, congressmen voted to back the White House’s new Freedom Act, and this new form of data collection is likely to be approved in the near future. The Freedom Act retains most of the Patriot Act provisions, but requires that records must be held by telecoms companies and that judicial warrants have to be obtained if the NSA needs to access specific information. It also explicitly prohibits the bulk collection of metadata.

Senate protagonist for change Rand Paul tweeted “It is officially a new day in America.  A day with more liberty and freedom”. However, many of his Republican colleagues left the chamber in protest when he made his valedictory speech. Mr Paul is also a Presidential candidate, and this position may lose him votes down the line if it is seen, by those like experienced Senator John McCain, that he is putting “ambition before the security of the nation”.

This follows the revelations of former NSA whistleblower Edward Snowden in 2013 and the ensuing public outcry which demanded increased transparency in Government and organisations to declare what data they collect, how it is stored and how it is used.


This week’s technology news from Amicus ITS – Friday 26th April 2013

On the beat – BYOD lawsuit to change commercial habits?
Lack of clear policy and forward-thinking governance for mobile devices will be the highlight of a court case reaching Chicago shortly. The case relates to 200 police officers filing a claim for overtime after being pressurised into answering work-related calls on department-issued Blackberries. This should be of interest to MDM providers and all businesses. The flexibility of BYOD, and the easy approach thus far to consumer technology at work, is increasingly a topic that needs addressing by business. Thoughts of cost savings and a casual approach to mobile device management may end up having a very costly sting in the tail which businesses must start to address, and soon.

Once more unto the breach
Verizon’s recent Data Breach Report identified hacking as the cause in 52% of breaches in 2012. 80% of these came from authentication-based attacks. Using the same password on different accounts is all too common, but getting people to change their habits has proven difficult and organisations are too slow to roll out more complex barriers to security breaches. Two-factor authentication is a good start (where a phone device delivers a unique password to accompany the primary access on a computer) and is available on Microsoft accounts. Sadly it seems that only large scale attacks felt personally are currently getting any habits changed. How important is your information to you and what extra measures are you taking to keep it secure?

Head technology
No longer limited to just science fiction, Samsung and other researchers at the University of Texas are creating the technology to control tablets with just your brain. Researchers are using an EEG cap to monitor brain waves, which lets testers launch apps, choose music and perform basic menu control by thinking of the item’s name. The process sounds similar to how voice activation tasks are currently handled. However, instead of saying the phrase aloud, you think it. So far the system is said to have an accuracy rate between 80 and 95% and is still quite slow to use. However, as tablets and other devices become more accessible, the benefits, particularly to disabled users, will be substantial once fully developed.

No longer taking the scenic route
Smartphone technology “Fit4KidsCare” has been used to great effect at the Miami Children’s hospital in the States. This has centred on using triangulated Wi-Fi signals (vs satellite GPS) to bounce off WiFi access points situated around the hospital. It has enabled patients and their families to navigate quickly to their destinations, even whilst using lifts. With delays in patients reaching their hospital appointments and unfamiliarity with hospital environments, it is an interesting development that could have useful ramifications for the healthcare industry in the UK.

This week’s round-up from Amicus ITS

£250,000 penalty for Sony
The Information Commissioner’s Office (ICO) has fined Sony Computer Entertainment Europe £250,000 for breaching the Data Protection Act. The data breach penalty relates to the hacking of the Sony PlayStation Network Platform in April 2011, which compromised the personal information of over 77 million customers. At the time, Sony took down their PlayStation network for over 3 weeks to rebuild a more secure online platform. With over 77 million affected worldwide, this was one of the biggest security breaches in history. Who will be next?

Office 365 Home Premium launched
Microsoft takes Office into the cloud and for the first time lets consumers pay via monthly subscription. As well as the ‘modern’ look, users also get perks such as extra SkyDrive storage and free worldwide Skype calls to landlines. This is a unique way of marketing the Office package: it makes Office very accessible through a price point that everyone can afford and, in addition, the ‘always connected’ features of the Cloud help Microsoft fight software piracy. A win-win for all, I feel!

Blackberry 10
RIM, who recently changed their name to ‘Blackberry’, launched their latest and long-awaited new platform, Blackberry 10, in the UK on 31/01/13. They decided to launch in the UK first as Blackberry’s UK market is one of their strongest; this launch is fundamental for the future of Blackberry. The Z10 and Q10 both look good and take the Blackberry style into truly modern phones. We believe it is unlikely to be enough to truly gain significant market share, but if there’s one market they will crack it will be the UK, so this is definitely one to watch.