Home Office breaches of GDPR took place 100 times between 30th March and 31st August 2019, a report from the Independent Chief Inspectorate of Borders and Immigration (ICIBI) has found.
The breaches took place in relation to the EU Settlement Scheme, which accepts applications from EU citizens so that they can remain in the UK after Brexit. They included unauthorised disclosure of information, documents being sent to the wrong person, and passports being misplaced.
According to an article from Infosecurity, the breaches also saw “23 documents misplaced by a postal company in July” and an incident in April where “240 email addresses were exposed after a Home Office employee forgot to put them in the BCC field when sending a bulk email”.
The article states the following from the ICIBI report:
“The information provided to inspectors regarding data breaches was concerning, not least the increase in breaches each month between April and July 2019 (with a slight dip in August 2019), albeit most of those to the end of June were due to a postal company rather than EUSS staff or processes,” it concluded.
“Data breaches damage public confidence, and applicants will blame the Home Office, whether or not this is fair. It is therefore important for the Home Office to do everything it can to keep breaches to a minimum.”
The response from the Home Office was that its data protection measures and procedures are improving:
“We are also in discussion with the heads of security, integrity and data protection to ensure our processes are aligned to GDPR compliance,” it replied to the ICIBI. “Bulk email processes have changed so there will be no errors going forward.”
The ICIBI also suggested that the problems it uncovered should be easy enough to fix.
“Most appear to have involved document handling errors and these should be easiest to prevent with clear instructions and good organization,” it said.
You can read the full article from Infosecurity here.
This demonstrates that human error is a big problem when it comes to data protection. As we learned at PrivSecLondon last month, it is responsible for 60% of all breaches.
This can and should be countered with training for all employees, at both the lowest and highest levels. A culture shift is also needed across organisations in order to keep up with evolving legislation.
If you want to make sure your employees are up-to-date and know their obligations under GDPR, check out our Staff Training offers, which are available in both in-person and online formats.
Foreign exchange company Travelex has suffered a severe hack that has forced it to deactivate all computer systems in an attempt to protect data and contain a virus.
News has broken that 81,000 hacked Facebook accounts have had their private messages stolen. The hackers are now attempting to sell this data on, at the price of 10 cents (8p) per account, and are also claiming that they have obtained details from even more accounts – 120 million – although this has not been verified.
Facebook has already faced huge problems regarding data protection. It was fined £500,000 earlier this year for its role in the Cambridge Analytica scandal, and it now looks like it will be facing further penalties from the Information Commissioner’s Office (ICO). Regardless of the scale of this latest breach, things are looking bad for the social media giant.
Whatever happens next, a new fine will tell us something useful. The Cambridge Analytica scandal took place before GDPR came into effect in May, so the fine against Facebook was brought according to the pre-existing data laws. Specifically, it came under the Data Protection Act 1998. A new fine relating to this latest breach, however, will fall under GDPR.
It’s important to note that Facebook have not been able to hide behind being a US company. And as it turns out, they may have been fortunate that the Cambridge Analytica scandal was exposed before May 25th; it’s impossible to say what the fine would have been under GDPR, but it may well have been considerably greater than £500,000.
No matter what, though, the single biggest issue here is the ongoing risk to users. Facebook is a built around people’s personal data, but has so far been unable to provide adequate protection for that data. If the trend continues, there could be even more trouble ahead for the company.
You can find out more about this latest data breach of hacked Facebook accounts here.
And if you want to ensure that your company is GDPR compliant, make us of our GDPR Gap Analysis to make sure that you avoid heavy fines.
GDPR is going to be a big challenge to implement for organisations, but the consequences of breaches and failing to comply to GDPR can be huge. GDPR fines and penalties could potentially cripple an organisation if it fails to adhere to the new regulations.
If there are any breaches of data, such as a hack, the data controller must notify the Supervisory Authority after no more than 72 hours after the becoming aware of the breach, not the breach itself. There is no room for misinterpretation or excuses here – if the Supervisory Authority is not reached within the 72 hours, the notification of the breach must be accompanied by a suitable reason from the controller for the delay. A suitable reason would be something that is out of the controller’s power – a power outage, for example.
“If there are any breaches of data, such as a hack, the data controller must notify the Supervisory Authority after no more than 72 hours after the becoming aware of the breach, not the breach itself.”
Notifying the data subject (i.e. person whose data is being held) is slightly different, though. The data subject must be notified of any potential breach UNLESS the data is anonymised – if the data is not immediately recognisable as the initial data sent by the subject. Pseudonymised or encrypted data hides what the data actually is via a mask or coding, with only a small number of people able to uncover the true meaning. If one doesn’t have the means to do that, the data is essentially useless.
Data can be thought of as raw facts and figures that appear to make no sense. We must put categories and context with the data for them to become information and knowledge. Hence, if a piece of data is hidden behind a mask or code, those who don’t know how to unlock the data, cannot even know what data they obtain.
The consequences for failing to comply to GDPR can be huge, but while you may see big figures bandied about, those are not necessarily the fine you or your organisation will receive. Each case will be considered against a set of conditions to judge whether a fine will be needed, and how much.
These conditions are:
“A worst-case scenario can see a fine of up to 20,000,000 Euros, or up to a 4% of the total worldwide annual turnover of the preceding financial year, whichever is greater.”
A worst-case scenario can see a fine of up to 20,000,000 Euros, or up to a 4% of the total worldwide annual turnover of the preceding financial year, whichever is greater. This is again dependent on a certain set of circumstances (including lack of compliance with the Supervisory Authority) and these figures can be lower (up to 10,000,000 Euros and 2%) because of that. The important phrasing here though is “up to”. It will be unlikely that any organisation will be fined 10,000,000 Euros unless they severely infringe on the regulations and the data affected is of high risk.
Remediation costs will also significantly affect organisations post-breach. Depending on an organisation’s size, how many employees they have and how many data records are affected by a potential breach impacts any remediation costs for the company. Using the supermarket chain Morrisons as a recent example, they lost 100,00 employee records – with current estimations of remediation costs, the minimum cost Morrisons could potentially be looking at is £75 million. This is a huge cost alone to remedy any breach, and this figure will be huge for any organisation.
These consequences still seriously highlight the need to comply with GDPR thoroughly and securely, and it’s vital to get your business or organisation fully compliant before the regulations come into place in May 2018. Ask us now for a Gap Analysis or GDPR project delivery.
The source for much of this information comes from “Guidelines on Data Protection Officers” a comprehensive guide on all things GDPR and a vital read for any Data Protection Officers.
You can also read our take on Equifax’s breach and lack of compliance with GDPR right here: https://activaconsulting.co.uk/activa-consulting-news/equifax-affected-under-gdpr-laws/