Data Breaches and Cyber Threats: learning from the ICO
22/07/24
There has been a lot of recent discussion around data breaches and cyber threats, most notably the recent cyber-attack on London hospitals’ pathology services, and the recent Netflix documentary that has resurfaced the illicit Ashley Madison data breach from back in 2015.
The Information Commissioner's Office (ICO) has recently published their “Learning from the mistakes of others” report which provides a useful reference guide to issues of concern to the regulator. In this insight, we summarise the key points around security incidents and include some tips on how to tackle them. The UK GDPR defines a ‘personal data breach’ as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Data breaches and cyber-attacks affect many organisations, both in the public and private sector.
With developing technologies and a criminal industry of extorting organisations whose data has been maliciously obtained, there has been a rise in the number of incidents reported to the ICO. In a recent report published by the ICO, it explained that over 3,000 cyber security breaches had been reported in 2023. Such incidents range from harvesting customer data on payment platforms through the installation of malware, to sending out phishing emails on the off chance an employee will click on a compromising link.
Damage to individuals, disruption, or legal and regulatory enforcement action can flow from security incidents. Where the ICO has ‘flagged’ issues previously in its guidance, it seems more likely that enforcement action will be taken where a similar incident occurs in the future. The ICO flags that it has taken enforcement action in the past in relation to:
- external connections without security controls, such as multi-factor authentication (MFA)
- failure to log and monitor systems, and act when there is unexpected exfiltration or there are unexpected RDP connections from the internet
- failure to act on alerts from endpoint protection, such as anti-malware or anti-virus. This includes when there has been successful removal of malware, as the possibility of an advanced persistent threat (APT) exists
- weak or no passwords on internal accounts or failure to use unique passwords across multiple accounts, particularly for privileged, administrator or service accounts
- failure to mitigate known vulnerabilities by applying critical patches promptly, where possible. Enforcement action has been taken where organisations have failed to address known vulnerabilities for more than a year, and in some cases, many years.
Key Points
The ICO’s recent learning report explains that the leading causes of reported security incidents are:
- Phishing – this is very common in the workplace, and is typically done through sending scam emails to individuals, with the intention of tricking them into downloading malware or accidentally sharing account details and passwords.
- Brute force attacks – this is a term that refers to criminals using trial-and-error techniques, whereby they guess username and password credentials, in the hope of obtaining access.
- Denial of service – this is where criminals attempt to overload a network or website, in an attempt to cripple the system, rendering it useless.
- Errors – this refers to incidents where security settings have not been correctly configured, which creates a weakness in the system.
- Supply chain attacks – this is where a supplier’s systems are infiltrated, and then used to infiltrate your own local systems. The London-based NHS hospitals that have recently been affected by a cyber-attack were infiltrated via the supplier Synnovis.
This list is not exhaustive, and one of the big contributory factors in security incidents is human error.
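Two of the patterns above, password guessing and unexpected RDP connections from the internet, are exactly the kind of thing the ICO expects an organisation to be logging, monitoring and acting on. The script below is an added illustration of what that monitoring can look like in practice; it is not from the ICO report or from Capsticks. The log format, the sample events, the five-failures-in-five-minutes threshold and the list of "internal" address ranges are all assumptions made for the example.

```python
"""Minimal detector for two patterns the ICO flags: password guessing
(brute force) and RDP logins reaching the estate from the internet.
Log format and sample lines are constructed for this example."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from any real incident). Assumed format:
# "<ISO timestamp> <EVENT> user=<name> src=<ip> svc=<service>"
SAMPLE_LOG = """\
2024-06-03T08:00:01 LOGIN_FAIL user=admin src=203.0.113.7 svc=rdp
2024-06-03T08:00:09 LOGIN_FAIL user=admin src=203.0.113.7 svc=rdp
2024-06-03T08:00:17 LOGIN_FAIL user=administrator src=203.0.113.7 svc=rdp
2024-06-03T08:00:26 LOGIN_FAIL user=admin src=203.0.113.7 svc=rdp
2024-06-03T08:00:34 LOGIN_FAIL user=backup src=203.0.113.7 svc=rdp
2024-06-03T08:00:41 LOGIN_OK user=backup src=203.0.113.7 svc=rdp
2024-06-03T08:15:00 LOGIN_OK user=jsmith src=10.20.30.40 svc=rdp
2024-06-03T08:20:00 LOGIN_FAIL user=jsmith src=10.20.30.40 svc=vpn
2024-06-03T09:00:00 LOGIN_FAIL user=jsmith src=10.20.30.40 svc=vpn
"""

# Assumptions: five failures from one source within five minutes counts as
# guessing, and any source outside these ranges is treated as "the internet".
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=5)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
)]


def parse_line(line):
    """Turn one log line into a dict; returns None for lines that do not match."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        event = {"time": datetime.fromisoformat(parts[0]), "event": parts[1]}
        for field in parts[2:]:
            key, value = field.split("=", 1)
            event[key] = value
    except ValueError:
        return None
    return event if all(k in event for k in ("user", "src", "svc")) else None


def is_internet_address(ip_text):
    """True when the source address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip_text)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(log_text):
    """Return a list of findings {kind, src, detail} from raw log text."""
    findings = []
    flagged = set()                 # (kind, src) pairs already reported once
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]

        # RDP reachable from the internet: any RDP attempt from a non-internal source.
        if ev["svc"] == "rdp" and is_internet_address(src) and ("rdp_from_internet", src) not in flagged:
            flagged.add(("rdp_from_internet", src))
            findings.append({"kind": "rdp_from_internet", "src": src,
                             "detail": f"RDP {ev['event']} for user {ev['user']}"})

        # Brute force: sliding window of failures per source address.
        if ev["event"] == "LOGIN_FAIL":
            window = failures[src]
            window.append(ev["time"])
            while window and ev["time"] - window[0] > BRUTE_FORCE_WINDOW:
                window.popleft()
            if len(window) >= BRUTE_FORCE_THRESHOLD and ("brute_force", src) not in flagged:
                flagged.add(("brute_force", src))
                findings.append({"kind": "brute_force", "src": src,
                                 "detail": f"{len(window)} failures within {BRUTE_FORCE_WINDOW}"})

        # A success from a source already guessing passwords is the finding to act on first.
        if ev["event"] == "LOGIN_OK" and ("brute_force", src) in flagged \
                and ("success_after_brute_force", src) not in flagged:
            flagged.add(("success_after_brute_force", src))
            findings.append({"kind": "success_after_brute_force", "src": src,
                             "detail": f"user {ev['user']} logged in after guessing"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['kind']:26} src={f['src']:15} {f['detail']}")
```

Run against the sample events, the script reports three findings for the one external source: an RDP attempt from the internet, a burst of failed logins, and then a successful login from that same source. The last of these is the one that needs an immediate response rather than a ticket in a queue, which is the point the ICO makes about acting on alerts rather than merely collecting them. The internal user's two VPN failures forty minutes apart fall outside the window and are correctly ignored.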
Our top tips
Whilst organisations cannot eliminate the risk of a security incident happening entirely, the steps below help reduce the likelihood of an event occurring and mitigate its impact:
- Implementing rigorous security measures – strong passwords, multi-factor authentication, and the use of encryption can reduce the risk of unauthorised access. This sits hand in hand with access limitation, where limiting access to sensitive information to only those who require it could be an influential factor in mitigating the impact of a data breach. Industry standards should be followed.
- Regularly updating systems, patch-testing, and backing systems up – regular updates allow for bug fixes, and ensure systems are running on the latest version of software.
- Training – teaching employees about incidents, what to look for, and how to prevent them reduces the likelihood of human error.
- Employment contracts – these should include restrictions to stop employees from soliciting or taking sensitive information, or any other information of significant value.
- Robust policies – having in place the correct policies and procedures, keeping them under review, and auditing compliance can be influential in tackling any kind of business continuity event, such as a reportable data breach. Many security incidents occur without warning, and are typically time sensitive. Ensuring employees know what to do, and when to do it, is essential when a quick response is needed. This is important from a compliance perspective as there are statutory timescales in which some incidents need to be reported. In addition to a strong incident response plan, other policies for consideration include bring your own device, clear desk, and remote working policies.
Ensuring there is an organisation-wide understanding of what an incident looks like, the common causes, the impact, and the proactive steps needed to respond is essential for enhancing good information security practices. Further useful resources can also be found on the National Cyber Security Centre website (www.ncsc.gov.uk), which is the technical authority for cyber security in the UK.
How Capsticks can help
Capsticks supports organisations in meeting their legal requirements, including navigating the intricacies of responding to security incidents, and reporting matters appropriately under Articles 33 and 34 of the UK GDPR.
We can support organisations in a number of ways, including:
- drafting robust policies and procedures
- helping assess the severity of an incident, and whether it meets the threshold to report to the ICO, and those affected
- advising on the different options available in response to an incident, and the risks and benefits of each course of action
- recovery of sensitive material including delivery-up injunctions
- liaising with the ICO on behalf of organisations and supporting with responses to investigations or proposed enforcement action
- liaison with data subjects, including in responding to subject access requests, which may be more common after an incident occurs
- handling and responding to data breach claims.
If you have any queries around what's discussed in this article, or would like to discuss how we may be able to help with any other information law issue, please contact Andrew Latham, Emma Godding, Lauren Danks, Tana Dryden-Strong or Charlotte Bolt.