The Information Commissioner’s Office (ICO) has disclosed that reported non-cyber incidents outweighed cyber-incidents in Q4 of 2019.
In its report on incident trends, the ICO said there were 2629 incidents reported to it in Q4 2019, of which 337 were due to “data emailed to incorrect recipient,” 265 were due to “data posted or faxed to incorrect recipient” and 213 due to “loss/theft of paperwork or data left in insecure location.” Meanwhile, the main cyber-incidents were 280 as a result of phishing and 175 regarding unauthorized access.
As a result, the ICO issued two fines. The first was £500,000 to DSG Retail Limited in January after a point of sale computer system was compromised as a result of a cyber-attack, affecting at least 14 million people. Also, in March, the ICO fined Cathay Pacific Airways Limited £500,000 for failing to protect the security of its customers’ personal data. Between October 2014 and May 2018 Cathay Pacific’s computer systems lacked appropriate security measures which led to customers’ personal details being exposed.
ZIVVER’s CEO and founder Rick Goud pointed out the number of reported data leaks decreases every quarter in the UK, while other countries like Germany, the Netherlands, Denmark and Sweden have shown more than 50% increases. “Per inhabitant, the UK was already reporting about 10-times less data leaks than the 'top'-countries,” he said. “This is not due to less data leaks, but – instead – due to a decrease in reporting culture, possibly prompted by the lack of action shown by the ICO since GDPR came into force.”
In an email to Infosecurity, BH Consulting CEO Brian Honan said the report reinforces the fact that most security breaches are not due to “sophisticated attackers” but are the result of failings in basic security controls.
He added: “Accidental data leakage is one of the key sources for breaches and these can result from the lack of appropriate training to staff on how to handle and process data, from weak security controls that don’t prevent or alert to breaches, or a combination of both.
“Ensuring staff are properly trained in the handling and processing of personal data, the technologies they use as part of their daily work and have effective security awareness training is crucial to preventing these type of errors.”
Honan also pointed out that the blame cannot be solely put down to human error, and we need to ensure our systems and platforms provide staff with a safety net in the event they make a mistake. “This means security professionals also need to ensure the basics are covered and that systems are properly patched, effective email security to protect against phishing attacks and data leakage are in place, and that data is encrypted at rest and in transit,” he said.
“It is also important to remember that no matter what controls are in place a breach can still happen and that staff and the company need to be prepared on how to deal with it and know when and how to report breaches to the ICO, or any other relevant Data Protection Supervisory Authorities or other regulatory bodies.”