Wednesday, 27 January 2010

Data breaches - reports to ICO - "disclosed in error"?

Just over 800 data security breaches were reported to the Information Commissioner's Office since November 2007, according to the ICO press release of 26 Jan 2010.

Will the ICO's new powers to fine organisations up to £500,000 for serious data protection breaches ("monetary penalty notices" - see ICO guidance), coming in from 6 April 2010, spur them to report breaches more - or to not report, and cross their fingers that the ICO doesn't find out? Hopefully the prospect of higher penalties if they fail to report a breach and are then caught out will incentivise organisations to report breaches, but who knows. At least telecoms companies will be required to report data breaches from May 2011, though again, if they don't, who is to know that it happened?

Here is the ICO "breach table" dated as of 26 Jan 2010 (source link - inexplicably the PDF's filename has "jan09" in it rather than "jan10"; hopefully a mistake in the filename rather than in the period covered).

Thefts and losses (including losses in transit) seem to be the biggest sources of data breaches, but we knew that.

"Disclosed in error" beats even thefts as a cause of private sector data breaches - is that the result of social engineering, or just carelessness? How do you "mistakenly" disclose private data?

David Lacey pointed out a Financial Times article noting that in the recent attack on Google and other US corporations, the attackers had been fairly systematic: they worked out which employees had access to the proprietary data they wanted, found out who those employees' friends were, and hacked into the friends' social network accounts (e.g. on Facebook), so that the targeted employees would be more likely to click on links the attackers sent them while masquerading as those friends. (Although they also could have used backdoors required by the US government.)

And ComputerWeekly recently reported that the UK Ministry of Defence had admitted that military secrets had been leaked on social media sites and forums, including Twitter, 16 times in the last 18 months (text of MoD reply).

Surely these incidents boost the argument made by many, including Bruce Schneier and the EU Article 29 Working Party, that the law should require websites' default user settings to be much more protective of privacy than they are now? (Current defaults are mostly not private: everything, including your list of friends, is visible to everyone by default.)

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.