Home Office breaches of GDPR took place 100 times between 30th March and 31st August 2019, a report from the Independent Chief Inspectorate of Borders and Immigration (ICIBI) has found.
The breaches took place in relation to the EU Settlement Scheme, which accepts applications from EU citizens so that they can remain in the UK after Brexit. They included unauthorised disclosure of information, documents being sent to the wrong person, and passports being misplaced.
According to an article from Infosecurity, the breaches also saw “23 documents misplaced by a postal company in July” and an incident in April where “240 email addresses were exposed after a Home Office employee forgot to put them in the BCC field when sending a bulk email”.
The article states the following from the ICIBI report:
“The information provided to inspectors regarding data breaches was concerning, not least the increase in breaches each month between April and July 2019 (with a slight dip in August 2019), albeit most of those to the end of June were due to a postal company rather than EUSS staff or processes,” it concluded.
“Data breaches damage public confidence, and applicants will blame the Home Office, whether or not this is fair. It is therefore important for the Home Office to do everything it can to keep breaches to a minimum.”
The response from the Home Office was that its data protection measures and procedures are improving:
“We are also in discussion with the heads of security, integrity and data protection to ensure our processes are aligned to GDPR compliance,” it replied to the ICIBI. “Bulk email processes have changed so there will be no errors going forward.”
The ICIBI also suggested that the problems it uncovered should be easy enough to fix.
“Most appear to have involved document handling errors and these should be easiest to prevent with clear instructions and good organization,” it said.
You can read the full article from Infosecurity here.
This demonstrates that human error is a big problem when it comes to data protection. As we learned at PrivSecLondon last month, it is responsible for 60% of all breaches.
This can and should be countered with training for all employees, at both the lowest and highest levels. A culture shift is also needed across organisations in order to keep up with evolving legislation.
If you want to make sure your employees are up-to-date and know their obligations under GDPR, check out our Staff Training offers, which are available in both in-person and online formats.
At the PrivSec London conference on the 4th and 5th February, we enjoyed hearing how leading professionals in our field are tackling the many shared challenges of doing business under the changing needs of the 2020s.
Here are some final thoughts from the event’s keynote speaker, Baroness Neville-Rolfe, and from ourselves…
Baroness Neville-Rolfe (Member, European Union Committee, and a former minister under David Cameron, who was heavily involved in negotiating GDPR) said that data is the “oil equivalent” of an extraordinary digital revolution.
This revolution is now affecting almost everything on the planet. The effects are impossible to predict, but like other revolutions, this one started slowly and is now picking up speed.
There were some interesting official statements made by government, EU, or other regulators which indicate:
Overall, PrivSec London 2020 was an extremely informative conference. The key things that we learned are:
What we can do for you about all this – check out our offers to find out how we can help you with your data protection programme:
Our thanks to the following guest speakers at PrivSec London 2020:
At the PrivSec London conference last week, we heard from Sheila Fitzpatrick, a global expert in privacy and compliance. Here’s our pick of what she had to say and her advice about GDPR, the culture shift it has already brought about, and data privacy and security.
Anonymising data doesn’t truly make data safe, because someone in the organisation still has access to the original data. You need to really think about why your company is getting and using data – achieving an ‘improved user experience’ is not a good enough excuse. Companies often think that security is the same thing as privacy, and point enquiries about privacy to security protocols – but this is an ‘instant fail’ in Fitzpatrick’s book.
Companies in many other countries don’t realise they’re still subject to other countries’ Data Protection laws such as GDPR – and many countries are also planning laws that will exceed its requirements. GDPR created an awareness of changing legal focus from data security to the lawful bases for processing data, which in turn became the impetus for new laws across the world – as well as adding new technologies which also created privacy issues.
GDPR became the biggest revenue generator since Y2K – and there are a lot of solutions in the market. Companies often like to believe that they can buy ‘compliance in a box’, which is impossible and shows a lack of understanding of privacy; they often throw technology at the problem and assume that innovation will provide a better user experience.
They think that privacy will become irrelevant as a result of this approach; that it can be addressed through a simple checkbox, or that they have a “legitimate interest” in processing personal data. However, this probably isn’t true if the basis can’t be explained on a page clearly. It also shouldn’t be forgotten that if consent is ambiguous, it’s invalid under GDPR.
Big Data is problematic for GDPR compliance on many fronts, and so are AI and Smart Cities: it’s difficult to meet consumer rights demands for example, and to maintain anonymity where necessary.
Fitzpatrick noted that to access public Wi-Fi from a major telecommunications company recently, she had to wade through 5 pages of Privacy Policy and still couldn’t find out how to turn cookies off – which is not compliant with GDPR requirements.
You need to always be honest about what you’re doing; if you can’t, you’ve got a problem. Be upfront about your use of third parties who receive data from you, and don’t let vendors dictate terms to you as their terms can put you in breach. Privacy improvements give a competitive advantage and failing to comply can damage reputations badly.
Our thanks to Sheila Fitzpatrick for these insights and for giving an engaging and thought-provoking talk.
From what we heard at the PrivSec London conference this week, it was clear that a culture shift is needed in many – maybe most – companies coming into the new decade. Our thanks go to the guest speakers who provided these insights – you can see a full list of those whose talks we attended at the end of this article.
Here are some culture shifts that companies need to be making in order to keep up with changing legislation and guidelines:
CULTURE SHIFT #1: Have a plan for privacy and cybersecurity, with people and budgets allocated to it.
CULTURE SHIFT #2: Don’t assume that privacy = cybersecurity, you’ll fail if you assume it’s a tech matter. Do a dummy run of a data breach at your organisation – it’ll probably throw up some significant issues.
CULTURE SHIFT #3: To get buy-in across the organisation, explain Privacy and Cybersecurity matters in the business terms of each department or stakeholder group’s business goals, such as making money, reputation protection, and so on.
CULTURE SHIFT #4: Getting your data into one place (e.g. the cloud) makes it more controllable in one place with a lot of access but is also where the biggest risk lies. Work out what you’ve got and what you are moving to the cloud – delete as much as you can of your data set defensively, use the infrastructure and systems there to look after every piece of information in one system and apply policies across everything.
CULTURE SHIFT #5: Get tighter on checking, stating and enabling opt-outs for all the cookies working on your website(s), such as trackers: many of these may be coming from your third-party hosting provider rather than your own web developers and plugins! ‘Continued browsing’ or browser settings aren’t adequate to demonstrate consents anymore under the latest government guidances.
CULTURE SHIFT #6: For businesses, ethics ARE sustainability. They’re about only using data for transparent, legitimate reasons that genuinely improve the user experience and give users control over the data held about them and how it is used. They’re about not ruining trust or making customers uneasy about using your business or website or platform.
Our thanks to the following guest speakers at PrivSec London 2020:
A Microsoft data breach left a customer database exposed online last month, with 250 million entries involved. Microsoft revealed that the database, which stored anonymised user analytics, was left without protection between 5th December and 31st December.
The information on the database included email addresses, IP addresses, and details of support cases. While Microsoft stated that the majority these records didn’t contain personal user information, these details could still be used maliciously.
According to a report from ZDNet.com:
The database was spotted and reported to Microsoft by Bob Diachenko, a security researcher with Security Discovery.
The leaky customer support database consisted of a cluster of five Elasticsearch servers, a technology used to simplify search operations, Diachenko told ZDNet today. All five servers stored the same data, appearing to be mirrors of each other.
Diachenko said Microsoft secured the exposed database on the same day he reported the issue to the OS maker, despite being New Year’s Eve.
“I have been in touch with the Microsoft team helping and supporting them to properly investigate it,” Diachenko told ZDNet.
You can read the full article from ZDNet by clicking here.
While this is a worrying security breach, the positive news is that Microsoft have responded it well – and reports that it “found no malicious use” of the data.
The company not only worked immediately to plug the breach on New Year’s Eve, but has also already begun notifying users who had been affected by it. This hopefully means that the impact should be minimal.
Unsure how your organisation ought to respond to a data breach? Our GDPR Consultants can help – get in touch with us today for our professional expertise!
Regus, an office-space provider, has seen the data of 900 employees exposed by accident. This Regus data breach took place following a staff review, and involved staff details being posted publicly online.
According to BBC News, the review involved sales staff showing researchers around an office space, while the researchers pretended to be clients interested in renting the space.
However, subsequent to the review, a spreadsheet of staff data was published on the task-management website Trello. The details published included names, addresses, and job performance data.
Furthermore, the names and addresses of researchers from Applause, a company contracted by Regus parent company IWG, were also published.
According to the report from the BBC:
“Team members are aware they are recorded for training purposes and each recording is shared with the individual team member and their coach to help them become even more successful in their roles,” IWG said.
“We are extremely concerned to learn that an external third-party provider, who implemented the exercise, inadvertently published online the outcomes of an internal training and development exercise.
“As our primary concern we took immediate action and the external provider has now removed the content.”
How this Regus data breach happened is unclear. According to the co-founder of Trello, Michael Pryor:
“Trello boards are set to private by default and must be manually changed to public by the user.
“We strive to make sure public boards are being created intentionally and have built in safeguards to confirm the intention of a user before they make a board publicly visible.”
You can read the full article from BBC News by clicking here.
Given these measures on Trello, it appears that the breach has taken place due to human error. This demonstrates why data protection staff training is so important: any employee can be responsible for a data breach which results in significant fines.
Worryingly it appears that this data breach has not been reported to the Information Commissioner’s Office (ICO). This is despite it being a requirement under GDPR that data breaches are reported within 72 hours if it constitutes a risk to people.
However, it remains to be seen whether it has been reported to a data commissioner in another country; the BBC has made enquiries to Luxembourg’s official body to see if the breach has been reported there instead.
Are you uncertain what to do if you suffer a data breach? Or are you worried about the security of data at your organisation? Get in touch with us today to get expert help from our GDPR Consultants!