Category: Data Breach

How to Report a Data Breach to the Information Commissioner

Not all organisation data breaches need to be reported to the Information Commissioner’s Office (ICO).

The ICO recommends that any serious breach is reported to it, but reporting isn’t mandatory and ‘serious breaches’ are not defined. However, the following should assist data controllers in considering whether breaches should be reported:

  1. The potential detriment to individuals is the overriding consideration in deciding whether a breach of data security should be reported to the ICO. Detriment includes emotional distress as well as both physical and financial damage.

Ways in which detriment can occur include:

  1. exposure to identity theft through the release of non-public identifiers, e.g. passport number
  2. information about the private aspects of a person’s life becoming known to others, e.g. financial circumstances

The extent of detriment likely to occur is dependent on both the volume of personal data involved and the sensitivity of the data where there is significant actual or potential detriment as a result of the breach.

Where there is little risk that individuals would suffer significant detriment, for example because a stolen laptop is properly encrypted or the information that is the subject of the breach is publicly-available information, there is no need to report.

  2. The volume of personal data lost / released / corrupted: There should be a presumption to report to the ICO where a large volume of personal data is concerned and there is a real risk of individuals suffering some harm.
  3. The sensitivity of the data lost / released / corrupted:

How to Report a Breach

Serious breaches should be reported to the ICO using the DPA security breach helpline on 0303 123 1113 (open Monday to Friday, 9am to 5pm). Select option 3 to speak to staff who will record the breach and advise you on what to do next. Alternatively, report in writing using the DPA security breach notification form, which should be sent to the email address [email protected] or by post to the office address at: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

When a breach is reported, the nature and seriousness of the breach and the adequacy of any remedial action taken will be assessed and a course of action determined.

ICO may:

  • Record the breach and take no further action, or
  • Investigate the circumstances of the breach and any remedial action, which could lead to further action;
  • Set a requirement on the data controller to undertake a course of action to prevent further breaches;
  • Start formal enforcement action which could lead to a fine of up to £500,000

For further information see https://ico.org.uk


Fightback Ninja Signature

Are Data Breaches Common?

The Proportion of Businesses That Have Had Breaches in One Year

| | Overall | Micro Firms | Small Firms | Medium Firms | Large Firms | Admin/Real Estate |
|---|---|---|---|---|---|---|
| % experiencing a cyber security breach or attack | 24 | 17 | 33 | 51 | 65 | 39 |

Businesses that invest more in cyber security have more breaches than businesses that invest less. This may seem counter-intuitive, but it is partly because businesses that realise they are more at risk, such as financial companies, then invest more, whereas businesses with a minimal online presence feel less at risk and invest less.

There is also the assumption that businesses that invest more in cyber security will be better at identifying such breaches.

Types of Breaches/Attacks

  • Viruses, spyware or malware: 68%
  • Others impersonating organisation in emails or online: 32%
  • Denial of service attacks: 15%
  • Hacking: 13%
  • Money stolen electronically: 13%
  • Breaches from personally owned devices: 8%
  • Personal information stolen: 8%
  • Breaches from externally hosted web services: 8%
  • Unlicensed or stolen software downloaded: 8%
  • Money stolen via fraud emails or websites: 6%
  • Software damaged or stolen: 5%
  • Breaches on social media: 3%
  • Intellectual property theft: 1%

You can see that attacks of various kinds are very common. All businesses must take steps to protect against data breaches and all common forms of cyber-attack.


Data Breaches Facts

Hackers break into company computer systems and steal confidential information, i.e. they make copies of it for their own purposes.

The hackers might then ransom the data back to the owner, sell it to a competitor, sell it to other scammers or make use of it in phishing scams, i.e. to get more confidential information which they can then sell to fraudsters.

This is big business and usually it’s the customers of the hacked business that suffer.

We give our private and financial information to companies to do business with them but we expect they will do everything necessary to keep that data secure.

Many companies do have excellent data security but some fall short.

The cost to a company of a data breach can include:-

  1. Creation of contact databases
  2. Regulatory requirements
  3. External experts
  4. Postal costs
  5. Communications set-ups
  6. Audit services
  7. Helpdesk
  8. Legal expenditures
  9. Reimbursement for customers
  10. Cost of cleaning up data

Besides the material costs, there may be reputation damage.

Recent research shows:-

  • The average cost of a data breach is $3.86 million
  • The average global total cost per record stolen is $141 but there is huge variance across incidents.
  • Companies in South Africa and India have the highest chance of data breaches whereas companies in Germany and Canada have the lowest.
  • The mean time to identify and contain a breach is 280 days
  • The faster the breach is recognised, then generally the lower the total cost
  • The increasing use of mobile platforms is increasing the chances of data breaches.

For information on how to recognise a cyber-attack see

https://fightbackonline.org/index.php/business/102-do-you-know-if-your-business-has-been-cyber-attacked

[facts taken from 2020 Cost of Data Breach Study]


How to Deal With a Data Breach

If your business suffers a data breach, i.e. hackers access your system and steal confidential information, then you have a lot to do: deal with the breach, communicate with all affected parties and put in place better security to prevent another breach.

How well you deal with the breach often affects the total cost and the level of damage to your business reputation.

These four steps can help:-

1. Investigate the Breach

  1. How did it happen?
  2. What was stolen?
  3. Can the hackers regain entry to your systems?
  4. Have the hackers left any malware on your systems?

You’ll need to know exactly what information was lost in the data breach.

Less sensitive information includes name, address, phone number etc. This can be used by scammers and cold callers, but that information is readily available for most people through the phone directory, social media and the Electoral Register.

More sensitive information includes date of birth, name, financial details, payment card details etc. Combined with the less sensitive information, this can be used for identity fraud.

If the stolen data includes names with logins and passwords then you need to act fast to warn people to change their passwords.

2. Determine the Possible Damage

Once you know what data has been stolen, you need to understand how this can affect people, i.e. how this data can be used by criminals. Are they likely to sell the information to a competitor or to other scammers, or ransom it back to you?

3. Communicate with All Interested Parties

You need to inform all affected parties ASAP. This may be customers, partners, staff, suppliers etc. If the breach is serious then you should inform the Information Commissioner’s Office. If relevant, inform the police.

4. Increase Your Security

Unless you have security experts, you may need to hire experts to assess your systems and see how security can be improved. Start enacting those improvements straight away and, of course, close off whatever method the hackers used to get into your systems.

A data breach can be very serious and must be dealt with quickly and efficiently to minimise damage to your reputation.


The GoDaddy Data Breach

GoDaddy is a strange name for an American Internet company, but they are well known in the US and UK as they provide Internet domain names and web hosting for more than 20 million customers worldwide.

However, the email addresses of up to 1.2 million active and inactive Managed WordPress customers were exposed in a data breach.

The company say they identified suspicious activity in the Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement.

They notified the potentially affected customers that their web hosting account credentials had been compromised by an “unauthorized individual” who had gained access to login credentials that meant they could “connect to SSH” on the affected hosting accounts. SSH is an acronym for secure shell, a network protocol used by system administrators to access remote computers. SSH is, as you might imagine then, quite a useful attack vector for hackers.

Which Accounts Are Affected

The GoDaddy email said that the breach is limited only to hosting accounts and did not involve customer accounts or their personal information. It noted that no evidence was found to suggest that any files were modified or added to the affected accounts but fell short of mentioning if files had been viewed or copied. However, all impacted hosting account logins have been reset, and the email contained the procedure customers need to follow in order to regain access to the hosting accounts concerned. GoDaddy has also recommended, “out of an abundance of caution,” that users audit their hosting accounts.

GoDaddy said it will provide security services to those affected for a year at no charge.

“On April 23, 2020, we identified SSH usernames and passwords had been compromised by an unauthorized individual in our hosting environment. This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed an authorized SSH file from our platform, and have no indication the individual used our customers’ credentials or modified any customer hosting accounts. The individual did not have access to customers’ main GoDaddy accounts.”


Compensation for a Data Breach

A data breach is where confidential information is copied and either released in public, e.g. on a web site, or stolen by criminals for identity theft, online blackmail or similar.

Many well-known organisations have suffered from data breaches, revealing confidential information such as logins and passwords, payment card details, dates of birth etc. of their customers.

When this happens, the company has a legal obligation to inform the authorities and all users who may be affected by this.

If your data is lost and it causes you financial damage or distress, you may be able to make a claim for compensation from the organisation that was breached.

The criteria for a compensation claim for a data breach include:

  1. Financial losses.
  2. Loss of privacy.

The GDPR gives you a right to claim compensation from an organisation if you have suffered damage as a result of it breaking data protection law. This includes both financial loss and other types of loss.

The Citizens Advice Bureau provides information on taking legal action in England and Wales, Scotland and Northern Ireland.

To Complain and Claim Compensation

  1. Complain to the company that lost your data

Explain any problems you believe have been caused by the data breach and include any distress you have suffered. It’s also useful to specify what compensation you want.

  2. Complain to the Information Commissioner’s Office

You can take your issues with how the organisation dealt with your confidential information to the Information Commissioner, but it’s better for this to be after you have given the company a chance to review your claim first.

  3. Use the Small Claims Court

This is a cheap and simple process if you cannot reach agreement with the company.
