Alteration of personal data – when personal data has been unlawfully changed. This could be, for example, data that is incorrectly updated on a system accidentally or deliberately.
Brute force attack – when an attacker tries a large number of possible key or password combinations to gain unauthorised access to a system or file.
Cryptographic flaw – a weakness in the security of a system that would allow a hacker to access sensitive information.
Data emailed to incorrect recipient – where an email containing personal data is sent to the wrong email address. This could be data about one person or multiple individuals.
Data of wrong data subject shown in client portal – where personal information about one or more individuals is shown within the Online service area belonging to another person.
Data posted or faxed to incorrect recipient – where a fax or piece of post containing personal data is sent to the wrong fax number or postal address. This could be data about one person or multiple individuals.
Denial of service – when a network or server, such as a website, is maliciously flooded with manufactured traffic (typically using botnets) to either cause it to fail or flood it with so much traffic that legitimate users can't access it.
Failure to redact – when personal data was disclosed without the appropriate redaction, or if the redactions made were inadequate.
Failure to use bcc – when personal data was disclosed due to an organisation not using blind carbon copy (bcc) recipients in an email. Usually bcc is used to ensure personal email addresses are not shared inappropriately with other customers, clients or organisations.
Hardware/software misconfiguration – any hardware or software misconfiguration leading to a disclosure of information. For example, permissions on a folder set incorrectly, or failing to use a robots.txt file (noting that robots.txt only asks well-behaved crawlers not to index a location; it does not prevent access to it).
Incorrect disposal of hardware – computers, laptops or other devices are disposed of without the personal data they contain being fully erased, or otherwise anonymised or encrypted.
Incorrect disposal of paperwork – paperwork containing personal data has been disposed of without it being shredded or otherwise destroyed. Personal information should not be identifiable once paper files have been disposed of.
Loss/theft of device containing personal data – an electronic device (for example laptop, phone or tablet) containing personal information of others has been misplaced or stolen. This may be of particular concern if the data is not sufficiently secure, for example the device has not been encrypted.
Loss/theft of paperwork or data left in insecure location – papers containing personal data are not secured, for example by locking the paperwork in a cabinet or similar; or papers are misplaced or stolen.
Malware – a general term used to refer to a variety of forms of hostile or intrusive software including computer viruses, worms, Trojan horses, spyware, adware, scareware, and other malicious programs. Malware is short for ‘malicious software’.
Phishing – an attempt to obtain information by posing as a trustworthy entity, deceiving recipients into sharing sensitive information (such as usernames, passwords, or credit card details) or by encouraging them to visit a fake website.
Ransomware – a type of malware that unlawfully encrypts a user’s files and demands a ransom, usually in the form of cryptocurrency, to decrypt them.
Unauthorised access – an unauthorised individual has gained access to personal data. This can include unauthorised disclosures. This incident type is used both in instances where an individual has unlawfully accessed or disclosed information and where a third party has forcibly accessed a system.
Verbal disclosure of personal data – when personal data is shared or disclosed verbally to an inappropriate party.