Data security incidents (breaches of the seventh data protection principle and personal data breaches reported under the Privacy and Electronic Communications Regulations) are a major concern for those affected and a key area of action for the ICO. We have published this information to help organisations understand what we’re seeing, and take appropriate action.
In Q1 2016/17 (April to June 2016) we:
- Issued four monetary penalties, to:
  - Chief Constable of Kent Police for £80,000;
  - Blackpool Teaching Hospitals NHS Foundation Trust for £185,000;
  - Chelsea and Westminster Hospital NHS Foundation Trust (56 Dean Street clinic) for £180,000; and
  - Chief Constable of Dyfed Powys Police for £150,000.
- Issued two undertakings, to:
  - Health and Social Care Information Centre (HSCIC); and
  - Wolverhampton City Council.
- Followed up on undertakings signed by:
  - Flybe Limited;
  - Brunel University Limited;
  - Croydon Health Services NHS Trust;
  - Doncaster Metropolitan Borough Council;
  - Martin & Company;
  - Sirona Care and Health; and
  - Leeds Community Healthcare NHS Trust,
  to check those organisations had appropriately addressed the actions agreed; and
- Received 545 new cases – approximately a 22% increase on the number of cases received in the previous quarter (448). We are continually working to analyse the reasons behind any fluctuations we observe.
Other data security activity
- In April we hosted a half-day data protection conference for Small and Medium Enterprise (SME) representatives at Birmingham’s NEC. The event featured an address by the Federation of Small Businesses as well as a choice of workshops including records management, information security and subject access requests.
- In June we welcomed 100 delegates to the Scottish data protection practitioner’s conference in Inverness. The theme focused on the General Data Protection Regulation (GDPR) and highlighted key aspects relating to individuals’ rights, transparency, enforcement and compliance.
- The ICO’s Annual Report was published in June, including figures showing that health, local government and education accounted for 64% of self-reported incidents for the 2015/16 financial year, and were the sectors reporting the most incidents.
Data security incident statistics and trends
The graphs below show statistics and trends about the data security incidents under consideration. The data is for Q1 of 2016/17 unless otherwise stated. Information about security incidents comes to us from a variety of sources, including self-reports from data controllers, media reports, whistle-blowers and reports from data subjects.
[Chart: Data security incidents by sector]
[Chart: Health sector data security incidents over time]
[Chart: Data security incidents by sector over time]
The health sector continued to account for the most data security incidents. This is due to the combination of the NHS making it mandatory to report incidents, the size of the health sector, and the sensitivity of the data processed.
There was a 26% increase in the number of data security incidents in the health sector compared to the previous quarter (from 184 in Q4 2015/16 to 232 in Q1 2016/17). However, because there was an increase in incidents overall (i.e. in all sectors), the proportion of all data security incidents represented by the sector only increased slightly, from 41% during January-March to 43% during April-June.
The health sector handles some of the most sensitive personal data. Data security incidents can lead to extensive detriment and high levels of distress for the data subjects affected.
Two of the civil monetary penalties issued between April and June 2016 related to NHS Trusts. One incident involved the personal information of staff (including National Insurance number, date of birth, religious belief and sexual orientation) being published online in error (Blackpool Teaching Hospitals NHS Foundation Trust). The Trust is required to publish equality and diversity metrics annually on its external website, and the error occurred during this process. Once the metrics had been uploaded, the personal data in question could be accessed via a pivot table. It is important that care is taken when providing data in the form of pivot tables: although the underlying data is not immediately visible on screen, it can still be accessed. A double-click on a pivot table cell signals to the software to extract the source data used to calculate that cell and display it in a new worksheet.
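As an added illustration (not from the ICO report or the Trust), a pre-publication check in Python that opens an .xlsx as the zip package it is and counts the source rows stored in each pivot cache; the part names follow the OOXML package layout, and the sample workbook builder is a constructed stand-in rather than a real Excel export.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML main namespace; pivot cache records are written in it.
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
# Package parts that hold the cached source rows behind each pivot table.
PIVOT_RECORDS = re.compile(r"^xl/pivotCache/pivotCacheRecords\d+\.xml$")


def pivot_cache_rows(xlsx_bytes):
    """Map each pivot cache records part to the number of source rows it stores.

    A non-zero count means the rows that fed the pivot table travel inside the
    file even though no worksheet displays them; the drill-down (double-click)
    rebuilds them into a new sheet from exactly this part.
    """
    counts = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if PIVOT_RECORDS.match(name):
                root = ET.fromstring(zf.read(name))
                counts[name] = len(root.findall("m:r", NS))
    return counts


def safe_to_publish(xlsx_bytes):
    """True only if no pivot cache in the workbook carries source rows."""
    return all(n == 0 for n in pivot_cache_rows(xlsx_bytes).values())


def build_sample_workbook(cached_rows):
    """Constructed stand-in for an .xlsx (hypothetical, not a real Excel export):
    a zip holding only the parts the check reads, with `cached_rows` records."""
    records = "".join('<r><n v="%d"/><x v="0"/></r>' % i for i in range(cached_rows))
    xml = ('<pivotCacheRecords xmlns="%s" count="%d">%s</pivotCacheRecords>'
           % (NS["m"], cached_rows, records))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/pivotCache/pivotCacheRecords1.xml", xml)
    return buf.getvalue()


if __name__ == "__main__":
    workbook = build_sample_workbook(250)  # e.g. 250 staff records behind a summary table
    print(pivot_cache_rows(workbook))      # {'xl/pivotCache/pivotCacheRecords1.xml': 250}
    print(safe_to_publish(workbook))       # False
```

The manual counterpart in Excel is to turn off the PivotTable option that saves source data with the file, or to publish a values-only copy of the summary.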
The other incident involved a newsletter being sent to patients of an HIV clinic; the sender failed to use the ‘bcc’ function, disclosing the identities of the recipients and implying their HIV status (Chelsea and Westminster Hospital NHS Foundation Trust). The Trust had experienced a similar incident in 2010, yet failed to replace the email account it was using with one that could send a separate email to each service user on the distribution list. It also failed to implement specific training to remind staff to double-check that group email addresses were entered into the correct field.
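As an added example (not code from the ICO or the Trust), the two controls the paragraph describes in Python: a pre-send gate that refuses any message whose visible recipients would reveal the distribution list, and a builder that produces one message per service user instead. The sender address and recipient list are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample distribution list (placeholder addresses, not real patients).
SAMPLE_RECIPIENTS = ["patient1@example.org", "patient2@example.org", "patient3@example.org"]


def visible_recipients(msg):
    """Addresses every recipient can see: To and Cc. Bcc is removed at send time."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses([str(f) for f in fields]) if addr]


def discloses_recipients(msg):
    """Gate to apply before sending to a sensitive list: more than one visible
    recipient means each recipient learns who else is on the list."""
    return len(visible_recipients(msg)) > 1


def build_bulk_message(sender, subject, body, recipients):
    """The failure mode in the incident: one message with the whole list in 'To'."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_individual_messages(sender, subject, body, recipients):
    """The control the Trust lacked: a separate message per service user, so no
    copy carries any other recipient's address."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


if __name__ == "__main__":
    bulk = build_bulk_message("clinic@example.org", "Newsletter", "Hello", SAMPLE_RECIPIENTS)
    print(discloses_recipients(bulk))  # True: this send should be blocked
    for m in build_individual_messages("clinic@example.org", "Newsletter", "Hello", SAMPLE_RECIPIENTS):
        print(visible_recipients(m), discloses_recipients(m))  # one address each, False
```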
Since 1 February 2015, the ICO has been able to subject public healthcare organisations to compulsory audits to review their compliance with the Data Protection Act. Our Good Practice department has a number of NHS audits planned for the coming months.
Our civil investigation team will also be speaking at an NHS conference in November on the subject of how to deal with data breaches in the NHS.
Similarly to the previous quarter, the second most prevalent sector for data security incidents in Q1 2016/17 was local government. The number of data security incidents in this sector increased by 44% compared to the previous quarter (from 43 in Q4 to 62 in Q1). This is the second successive increase in incidents for this sector, following a sharp decline in incidents in Q3 2015/16. However, coupled with the overall increase in data security incidents during Q4, this means the percentage of total incidents represented by the local government sector has increased only slightly, from 10% in Q4 2015/16 to 11% in Q1 2016/17.
Local governments handle a large volume of information, much of which is sensitive; if the security of this data is compromised, this could potentially be distressing for any affected individuals. For example, in Q1 2016/17, 31% of local government incidents (19 incidents) affected health or clinical data.
In 2015/16, we ran a number of workshops within the local government sector, aimed primarily at improving compliance within adult and children services departments. The workshops were attended by delegates from 171 different local authorities. We continue to work closely with this sector and our Good Practice department has a number of planned audits for local authorities in the coming months. We are also in the process of analysing reports and complaints in this sector to look for trends and opportunities to improve compliance. In particular, we have seen a rise in the number of incidents reported concerning adoption and we are working to understand the reasons for this, with the aim of preventing further incidents.
The number of incidents in the general business sector increased by 47% since the previous quarter (from 36 in Q4 2015/16 to 53 in Q1 2016/17), and now represents 10% of all incidents (up slightly from 8% in Q4 2015/16). An upswing in cyber-attacks may account for the overall increase in incidents for this sector throughout the past four quarters.
In April 2016, the ICO hosted a conference specifically targeted at SMEs. The conference covered various key aspects of compliance, including security and subject access rights. Delegates were invited to take part in a desk-top exercise designed to simulate how a company might respond to a cyber incident. Attendees were encouraged to share experiences and to develop strategies for the identification, containment and recovery from such incidents. The conference provided an opportunity for attendees to learn more about the ICO’s work in this area and to assess how they could reduce the impact of a cyber-attack by preparing a breach management plan in advance.
Finance, insurance and credit saw incidents increase by 36% since the previous quarter (from 25 in Q4 2015/16 to 34 in Q1 2016/17); however it is still at a lower level than Q2 2015/16. The proportion of incidents represented by this sector remained at 6%. Data security incidents within this sector could lead to loss of customers’ financial details, which in some cases could potentially lead to fraudulent activity and financial detriment. Between April and June 2016, almost half (16 incidents) affected more than 100 data subjects. We continue to liaise closely with the Financial Conduct Authority, to discuss trends, specific incidents and ways to address the issues we are observing.
During Q1, our Performance Improvement Department met with stakeholders in the lenders sector to discuss their compliance with the Act and continue to provide lenders with quarterly reports to assist them in monitoring their own performance.
The number of incidents in the education sector fell slightly, from 36 incidents between January and March to 34 incidents between April and June. This is the second consecutive quarterly decrease in this sector and incident volumes are at their lowest level since Q1 2015/16, when there were 19 incidents. Incidents within the education sector accounted for 6% of all data security incidents brought to the ICO’s attention during Q1 2016/17 (down from 8% in Q4 2015/16).
Data security incidents in the education sector can affect the personal data of young children, which can be particularly distressing for the parents/guardians of affected pupils. Given the type of data often handled by nurseries/schools/colleges/universities, incidents can also involve sensitive data, for example medical information about pupils/students, disciplinary records, as well as financial information.
The charitable and voluntary sector was the sixth most prevalent sector for data security incidents between April and June 2016, and saw 29 incidents during this period; an increase from the 24 incidents reported between January and March 2016. The proportion of total incidents represented by the sector has decreased from 6% in Q4 2015/16 to 4% in Q1 2016/17. The ICO is currently undertaking a large amount of work in relation to charities, particularly in relation to direct marketing. In April, we ran a webinar offering non-profit organisations and charities advice about direct marketing.
[Chart: Data security incidents by type]
'Other principle 7 failures' are security incidents that cannot be categorised as one of the other types. Examples include failure to password protect emails containing personal information and processing personal data relating to work on a non-business computer.
[Chart: Cyber incidents by type]
[Chart: Data security incidents by type over time]
The most prevalent incident type between April and June (excluding the “other principle 7 failure” category) was data being posted or faxed to an incorrect recipient, with 97 incidents falling into this category in Q1 2016/17. This equates to 18% of all data security incidents in this period (up from 16% in Q4 2015/16). The number of incidents in this category increased by 31% since the previous quarter, and this is the highest volume of such incidents since Q2 2015/16.
The second most prevalent incident type was loss or theft of paperwork, which had 81 incidents during Q1 2016/17. The number of incidents in this category increased by 9% since the previous quarter (from 74 in Q4 2015/16 to 81 in Q1 2016/17), however due to the overall increase in total incidents, as a proportion of incidents, those in this category fell from 17% in Q4 2015/16 to 15% in Q1 2016/17.
Incidents involving data being sent by email to an incorrect recipient increased by 60% between Q4 2015/16 and Q1 2016/17 (from 42 incidents to 67 incidents). The proportion of all incidents in this category was 12% (up from 9% in Q4 2015/16). A particular risk factor for incidents within this category is the use of “autocomplete” rather than typing in an individual’s full name into the “to” field. Often, the sender of the email will not realise their error until alerted to it by the recipient. Disabling “autocomplete” may reduce the likelihood of such an error occurring.
The number of incidents involving failure to redact data continued to rise steadily, increasing by 64% since the previous quarter (from 28 in Q4 2015/16 to 46 in Q1 2016/17).
It is important that when providing information to customers, organisations ensure that they do not include personal information about other individuals. In some cases this could cause both emotional and financial detriment.
There was a 20% increase in incidents involving loss or theft of unencrypted devices since the previous quarter (from 20 in Q4 2015/16 to 24 in Q1 2016/17).
Laptops, USBs and CDs/DVDs have the potential to carry large volumes of (potentially sensitive) personal information, which, if lost, could result in substantial detriment. For example, the Nursing and Midwifery Council was issued with a £150,000 civil monetary penalty after the council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. The ICO investigation found the information was not encrypted.
Data controllers should have a policy governing the use of encryption, including guidelines that enable staff to understand when they should and should not use it.
We have recently changed the way in which we categorise cyber incidents, to provide a more detailed and useful summary of the different types of issue we are seeing. Overall, there were 50 cyber incidents between April and June 2016. The most common incident type involved cyber security misconfiguration. This issue arises when people who do not have authorisation to access particular personal information are able to view it, or even extract it, due to incorrect or inadequate security settings.
The second most common cyber incident between April and June involved exfiltration; this accounted for 26% of cyber incidents. Exfiltration involves the unauthorised transfer of data from a data controller’s systems to another location, controlled by the hacker.
The third most common cyber incident seen by the ICO between April and June involved phishing, which accounted for 18% of cyber incidents. Phishing is a method of tricking people into revealing valuable personal details, such as usernames and passwords. It can involve sending malicious attachments or website links in an effort to infect computers or mobile devices. Criminals send messages (via email or other services) which often appear to be authentic communications from legitimate organisations. Embedded links within the message can direct you to a hoax website where your login or personal details may be requested. You may also run the risk of your computer or smartphone being infected by viruses. In their recently published annual report, the UK National Computer Emergency Response Team (CERT-UK) report that phishing emails were the number one root cause of cyber incidents during 2015/16. In their predictions for the 2016/17 financial year, they warn about the potential for phishing campaigns to affect corporate networks.
In one case we investigated, an attacker utilised a Cross-Site Scripting (XSS) vulnerability in the code of the organisation’s website in order to ultimately obtain login credentials which allowed them access to members’ details.
Organisations writing their own code, as this organisation chose to, need to take responsibility for its security as problems and fixes are much less likely to be identified for them. However, in this case, appropriate measures were not taken to check for vulnerabilities in the code, even as the code grew older and the organisation grew larger. And even after fixing a vulnerability that led to one successful attack on its website, very little was done to ensure that it was adequately protected against other attacks. The result was that the website was subject to another successful attack, this time via an XSS flaw which had remained unfixed.
As no single measure is likely to provide sufficient protection, our advice is that the best form of defence is to employ various measures, such as writing code using industry standard secure coding practices (e.g. OWASP guidance), code reviews, security testing (e.g. vulnerability scanning and / or penetration testing), and appropriate maintenance and updating / patching processes. Only after the second successful attack did the organisation take such measures.
Thankfully in this case the personal data accessed and the detriment to those affected was relatively minor and we decided that regulatory action was not appropriate. However, organisations can benefit from learning from the mistakes of others, as the consequences of a successful attack for organisations, and the people whose personal data they hold, could be much more serious.
Five incidents between April and June 2016 involved distributed denial of service (DDoS) attacks. DDoS attacks are a method of stopping a website or service from running and involve overloading the site so that the host cannot handle the volume of traffic. DDoS is increasingly being used as an extortion technique and can also be used as a distraction tactic in order to execute other attacks. CERT-UK advises that DDoS attacks are a particular problem for the financial sector, and predicts that 2016/17 will see the biggest DDoS attack ever.
Three incidents between April and June 2016 involved cryptographic flaws, and these accounted for 6% of cyber incidents during this period. Incidents falling within this category include failing to use HTTPS secure encryption on websites which involve the collection and transfer of personal data.
We are in the process of recruiting technical specialists to better understand the causes of breaches of the DPA that relate to technology (e.g. attacks on data controllers’ websites).
[Chart: Health sector data security incident types]
[Chart: Health sector cyber incident types]
[Chart: Breakdown of data security incident types by sector]
Key data security issues for each sector in Q1 2016/17
The main data security issues within the health sector were:
- Data being posted or faxed to an incorrect recipient – 19% of incidents.
- Loss or theft of paperwork – 19% of incidents.
The main issues for local government were:
- Data being posted or faxed to an incorrect recipient – 27% of incidents.
- Failure to redact data – 26% of incidents.
The main issues in education were:
- Data being sent by email to an incorrect recipient – 18% of incidents.
- Cyber incidents – 18% of incidents.
- Loss or theft of unencrypted devices – 18% of incidents.
- Data being posted or faxed to an incorrect recipient – 12% of incidents.
The main issues in general business were:
- Data being posted or faxed to an incorrect recipient – 15% of incidents.
- Data being sent by email to an incorrect recipient – 13% of incidents.
- Cyber incidents – 13% of incidents.
The main issues for finance, insurance and credit were:
- Data being posted or faxed to an incorrect recipient – 38% of incidents.
- Cyber incidents – 15% of incidents.
The main issues for the charitable and voluntary sector were:
- Cyber incidents – 31% of incidents.
- Loss or theft of paperwork – 21% of incidents.
Privacy and Electronic Communication Regulations (PECR) – mandatory breach reporting
Under the Privacy and Electronic Communications Regulations, communications service providers have a specific obligation to notify the Information Commissioner – and in some cases their own customers – about a ‘personal data breach’.
Between April and June 2016, service providers notified the ICO of 235 separate breaches. The number of incidents reported to the ICO has increased steadily throughout the past four financial quarters. This is likely due to the ICO continually reminding service providers of their obligation to report information security issues to the ICO within a 24-hour timeframe.
The most commonly reported incident types in Q1 2016/17 involved:
- Unauthorised disclosure of customer data (e.g. customer A having access to customer B’s account, or being sent incorrect billing information through the post).
- Fraudulent activity on customer accounts (e.g. call diverts being put in place without staff following the correct security procedures).