Data Breach Trends October 2015
Introduction

In October 2015 the Information Commissioner's Office (ICO) published the latest data breach trends, including incidents by quarter, type of incident and incidents by sector. We wanted to take the data available and turn it into an easy-to-read report, as we felt that the information is something anyone with an interest in security should have read.

Typically, data security is managed by the IT team, but the impact reaches further. It is not outside the realms of possibility that an enforcement action from the ICO could involve a financial penalty (which would have to be dealt with by the finance team), additional training to be carried out (IT and HR), more than likely a disciplinary process for the person who caused the data breach (HR), and press control measures that may need to be put in place too (marketing and PR functions).

The point? Leaving data security up to one person (or a small team of people) is wholly unacceptable. Whilst it is easy to say that everyone is responsible for managing data security, this is also not the right answer. Unfortunately, we don't have the solution; that is down to you and your business. What we can do is give you some of the key information that the ICO has made available, so that you are better prepared for the consequences and aware of the types of breaches that have occurred recently.
About the data

Key information is readily available from the Information Commissioner's website, www.ico.org.uk

Data breach trends data can be found at https://ico.org.uk/action-weve-taken/data-breachtrends/

Notices of enforcement can be found at https://ico.org.uk/action-weve-taken/enforcement/

The most recent data was published on the 11th March 2015; the comparison data was published on the 3rd November 2014.

Zylpha do not have any relationship with the ICO, and the information is provided for information and illustrative purposes only.

About the ICO

The Information Commissioner's Office (ICO) is "The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals."

ICO Key Facts

Total staff headcount: 383
Calls to the ICO helplines: 259,903
Public prompted awareness of data protection rights: 87%
Data Protection cases received: 14,738
Data Protection cases closed in 30 days or less: 58%
Privacy and Electronic Communications Regulations concerns reported: 161,720

About Zylpha

Headquartered in Southampton, Zylpha is an innovative specialist offering tools for the legal profession, including secure electronic document production and delivery. The company, which was founded by CEO Tim Long, has won widespread acclaim in both the legal and local government sectors for its systems, which transform secure communications for court and case management bundles.

South Wales Police

The ICO has issued South Wales Police with a £160,000 fine for losing a video recording which formed part of the evidence in a sexual abuse case. The DVDs contained film of an interview with a victim, who had been sexually abused as a child. Despite the DVDs containing a graphic and disturbing account, the discs were unencrypted and left in a desk drawer.
Data Breach Incidents

[Chart: number of data breach incidents by sector (scale 0 to 250). Sectors shown: Other, Local Government, Legal, Justice, Health, General Business, Finance, insurance & credit, Education, Charitable & voluntary, Central Government.]

Ministry of Justice

A monetary penalty notice has been served on the Ministry of Justice for £180,000 over serious failings in the way prisons in England and Wales have been handling people's information. On 24 May 2013, a portable hard drive stored in a prison's Security Department and used to back up the prisoner intelligence database was discovered to be missing. The hard drive had not been password protected and was left unencrypted. The information on the hard drive related to 2,935 prisoners and included confidential and highly sensitive personal data such as their name, date of birth, length of sentence, offence(s), physical description including details of any distinguishing marks, intelligence information such as links to other prisoners or organised crime, involvement with drug use, prison discipline, establishment location and some victim and/or visitor details.
Incident Type

[Chart: number of incidents by incident type (scale 0 to 100). Types shown: Insecure webpage (inc hacking), Information uploaded to webpage, Data sent by email to incorrect recipient, Verbal disclosure, Data posted/faxed to incorrect recipient, Loss/theft of unencrypted device, Loss/theft of paperwork, Insecure disposal of hardware, Insecure disposal of paperwork, Failure to redact, Other principle 7 data failure.]

Serious Fraud Office

The Information Commissioner's Office (ICO) has fined the Serious Fraud Office £180,000 after a witness in a serious fraud, bribery and corruption investigation was mistakenly sent evidence relating to 64 other people involved in the case.

Aberdeen City Council

A monetary penalty notice has been served on Aberdeen City Council after inadequate homeworking arrangements led to 39 pages of personal data being uploaded onto the internet by a Council employee.
Incidents by Sector

[Chart: incidents by sector and incident type (scale 0 to 18). Sectors shown: Charitable & Voluntary, Finance, insurance & credit, Education, General Business, Local Government. Incident types shown: Insecure disposal of hardware, Verbal disclosure, Information uploaded to webpage, Insecure disposal of paperwork, Insecure webpage (inc hacking), Failure to redact data, Loss or theft of unencrypted device, Other principle 7 failure, Data sent by email to incorrect recipient, Data posted or faxed to incorrect recipient, Loss or theft of paperwork.]

Direct Assist Ltd

A personal injuries claims management company, Direct Assist Ltd, has been issued with a monetary penalty by the ICO for making direct marketing calls to people without their consent. Between January 2013 and July 2014, the ICO and the Telephone Preference Service (TPS) registered 801 concerns about the Bolton-based company, which offered access to solicitors for personal injury insurance claims.

Wolverhampton City Council

The ICO has issued an enforcement notice against Wolverhampton City Council, following an investigation into a data breach at the council that occurred in January 2012. The breach was caused when a social worker, who had not received data protection training, sent out a report to a former service user detailing their time in care. However, the social worker failed to remove highly sensitive information about the recipient's sister that should not have been included.
Department of Justice Northern Ireland

A monetary penalty notice has been served on the Department of Justice Northern Ireland after a filing cabinet containing details of a terrorist incident was sold at auction.

North East Lincolnshire Council

A monetary penalty notice has been served on North East Lincolnshire Council after the loss of an unencrypted memory device containing personal data and sensitive personal data relating to 286 children.

NHS Surrey

A monetary penalty notice has been served on NHS Surrey following the discovery of sensitive personal data belonging to thousands of patients on hard drives sold on an online auction site.
For more information contact Zylpha:
T: 01962 658 881
E: sales@zylpha.com
www.zylpha.com