Rising cyber threats but data breaches aren’t always obvious

The UK Government and National Cyber Security Centre have issued warnings about significant and growing cyber threats, with the expectation of increased ransomware attacks, state-sponsored cyber activity and sophisticated cybercrime. Do take heed: the retail sector has already seen a number of damaging attacks.

Sometimes, it’s obvious a data breach has taken place. However, this isn’t always the case, especially when cyber criminals take steps to cover their tracks. A recent example illustrates the consequences for organisations who fail to fully appreciate the significance of a malicious attack.

The ICO has issued a £60k fine to law firm DPP, following a 2022 cyber-attack. The attack led to highly sensitive and confidential personal information being published on the dark web. The ICO investigation discovered lapses in IT security practices, leaving information vulnerable to unauthorised access. Hackers were able to exploit a user account which did not have Multi-Factor Authentication (MFA), enabling them to move laterally across the firm’s systems.

Let’s be clear: MFA is now a must-have on all relevant data systems.

Announcing the fine, the ICO said: “DPP only became aware of when the National Crime Agency contacted the firm to advise information relating to their clients had been posted on the dark web. DPP did not consider that the loss of access to personal information constituted a personal data breach, so did not report the incident to us until 43 days after they became aware of it.”

A personal data breach is defined as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.’ That’s a broad scope.

The ICO enforcement notice accepts that actions taken by the attackers made DPP’s response to the incident difficult. Unfortunately, DPP’s initial assessment indicated no personal data had been exfiltrated, and the firm didn’t consider loss of access to personal data to be a breach – therefore it didn’t report the incident.

You can check out the full enforcement notice, but bear in mind it’s reported that DPP disputes some of the ICO’s conclusions and may appeal.

Any organisation suffering a cyber-attack has my sympathy. Attacks are becoming more frequent, more sophisticated and harder to track. They can severely disrupt day-to-day operations. Ascertaining the cause and consequences of an attack can be difficult; indeed, in some cases the consequences might never be clearly established. And once an attack becomes public knowledge, the organisation needs to act decisively, not just to get operations back up and running and mitigate any harm to those affected, but also to manage PR.

As I write, we’re witnessing M&S battle a significant ransomware attack, which has left store shelves empty. Cyber criminals have also reportedly told the BBC their attack on the Co-op is more serious than the company had previously admitted.

Organisations are legally required to report personal data breaches to the ICO (or another relevant Data Protection Authority) within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals. When it comes to ransomware attacks, it may be best to assume that (more likely than not) personal information is affected. The ICO states in a research paper: ‘If you become a victim of ransomware, you should assume the information has been exfiltrated (extracted).’

In other words, it would be wise to submit an initial data breach report. It’s understood you won’t know all the facts immediately and you may need to bring in digital forensics expertise. In this situation, you can submit an initial report and update the Regulator when more facts become known. The risk can subsequently be upgraded or downgraded as you continue your investigations. We’ve written more about how to assess the risks posed by a data breach here.

It’s important, even for small-to-medium sized businesses, to have sufficient knowledge about what constitutes a personal data breach, and the threats we all face. Here’s a refresher of some common ways a personal data breach can occur.

Cyber security incidents

We often hear about ransomware attacks, where hackers gain unauthorised access to databases, exfiltrate or alter personal information, and demand payment. There are also other forms of malicious attack, such as:

■ Brute force – this is where hackers use algorithms to ‘guess’ username and password credentials, testing multiple combinations to try to gain access to user accounts. It’s understood this is how hackers initially got into DPP Law’s systems. Clearly, these attacks are more successful when passwords are easy to guess and when MFA is not in place.

■ Denial of Service (DoS) – this works by overloading a computer network or website and can result in degraded performance, or render the system completely inaccessible. DoS attacks may result in full or partial loss of access (availability) to personal data records. And as we said above, that’s classed as a data breach.

■ Supply chain attacks – these attacks target vulnerabilities in third-party services your organisation is using. In 2023 the BBC, British Airways and Boots were among many organisations impacted by the well-publicised MOVEit supply chain breach. More recently the ICO issued a £3 million fine to an IT software company which provided services to many UK organisations including the NHS.

■ Phishing – this is when criminals use scam emails to trick people into clicking on a malicious link. Phishing attacks can trick people into sharing sensitive information, such as payment card details or login credentials. As well as email, phishing can be spread via text messages or over the phone.
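The brute force point above is worth seeing from the defender’s side. The following is an added example (not code from the original post or from the ICO): it runs a simple detection rule over a few constructed authentication log lines, flagging any source address that racks up a burst of failed logins across one or more accounts, and then flagging any successful login from that source after the burst, which is the event that, without MFA, turns guessing into a breach. The log format, field names, threshold and time window are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (assumed format, not from any real system):
# one source hammers several accounts, then succeeds against one of them.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth result=FAIL user=alice src=203.0.113.5
2024-05-01T10:00:02Z auth result=FAIL user=alice src=203.0.113.5
2024-05-01T10:00:02Z auth result=FAIL user=bob src=203.0.113.5
2024-05-01T10:00:03Z auth result=FAIL user=carol src=203.0.113.5
2024-05-01T10:00:04Z auth result=FAIL user=alice src=203.0.113.5
2024-05-01T10:00:05Z auth result=OK user=alice src=203.0.113.5
2024-05-01T10:00:07Z auth result=FAIL user=dave src=198.51.100.9
2024-05-01T10:05:00Z auth result=OK user=dave src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it doesn't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed logins inside a sliding window,
    and any successful login from a flagged source (possible compromise).

    Counting failures per source rather than per account also catches
    password spraying, where each account sees only one or two attempts.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent_failures = defaultdict(list)  # src -> timestamps of failures in window
    flagged_sources = set()
    logins_after_burst = []
    for e in events:
        recent = recent_failures[e["src"]]
        # Discard failures that have aged out of the window.
        while recent and e["ts"] - recent[0] > window:
            recent.pop(0)
        if e["result"] == "FAIL":
            recent.append(e["ts"])
            if len(recent) >= threshold:
                flagged_sources.add(e["src"])
        elif e["src"] in flagged_sources:
            # Success from a source that was already guessing: investigate.
            logins_after_burst.append((e["user"], e["src"], e["ts"]))
    return {"sources": sorted(flagged_sources), "logins_after_burst": logins_after_burst}


if __name__ == "__main__":
    findings = detect_bruteforce(SAMPLE_LOG)
    print("bursting sources:", findings["sources"])
    for user, src, ts in findings["logins_after_burst"]:
        print(f"success after burst: user={user} src={src} at {ts.isoformat()}")
```

Run against the sample, the rule reports 203.0.113.5 as a bursting source and alice’s login from it as a success after the burst; 198.51.100.9, with a single failure, is not reported. The threshold and window are the knobs to tune per system; the rule is a backstop for detection, not a substitute for MFA.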

I’d urge you to read the ICO’s Learning from the Mistakes, which provides detailed information on the types of cyber-attack organisations can suffer and ways to mitigate the risk.

Loss or theft of devices or hard copy documents

This is pretty self-explanatory: a smartphone, laptop or other device containing personal data is lost or stolen. When devices are not encrypted, this can lead to the exposure of potentially sensitive personal information. Alternatively, a data breach can occur when physical documents are lost or stolen.

Disclosure of personal information

This type of incident can occur in a number of different ways, for example:

■ An email sent to the wrong recipient(s).

■ Accidentally using the CC field in emails for multiple recipients, thereby revealing every recipient’s email address to all the others. In some cases this is merely embarrassing, but in others, like the Central YMCA breach, it is much more serious.

■ Information is posted to the wrong person, such as a hospital sending medical records by post to the wrong recipient.

■ Publishing confidential information on a public website.

■ Sharing personal data with unauthorised third parties.
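The CC-field incident in the list above is one of the few disclosure errors that can be caught before the message leaves. As an added example (not code from the original post), here is a simple outbound check: it counts the addresses that will be visible to every recipient (To and Cc), ignores the organisation’s own domain, and refuses a message that exposes more than one external address, suggesting Bcc instead. The internal domain, the sample messages and the threshold are assumptions constructed for the example.

```python
import email
from email.utils import getaddresses

# Assumed: the organisation's own mail domains. Internal colleagues seeing
# each other's addresses is not a disclosure, so these are not counted.
INTERNAL_DOMAINS = {"example.org"}

# Constructed sample messages. The first puts the whole mailing list in Cc,
# the second uses Bcc so recipients cannot see one another.
RAW_CC = """\
From: comms@example.org
To: comms@example.org
Cc: a.member@mail.example, b.member@mail.example, c.member@mail.example
Subject: Newsletter

Hello all
"""

RAW_BCC = """\
From: comms@example.org
To: comms@example.org
Bcc: a.member@mail.example, b.member@mail.example, c.member@mail.example
Subject: Newsletter

Hello all
"""


def visible_external_recipients(msg):
    """Addresses in To/Cc (seen by every recipient) outside the internal domains."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    addresses = [addr for _, addr in getaddresses(headers) if addr]
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def check_mass_mailing(msg, max_visible_external=1):
    """Return (ok, reason, exposed). ok is False when more than
    max_visible_external external addresses would be exposed to each other."""
    exposed = visible_external_recipients(msg)
    if len(exposed) > max_visible_external:
        reason = f"{len(exposed)} external addresses visible in To/Cc; move them to Bcc"
        return False, reason, exposed
    return True, "", exposed


def check_raw_message(raw):
    """Convenience wrapper: parse an RFC 822 string and run the check."""
    return check_mass_mailing(email.message_from_string(raw))


if __name__ == "__main__":
    for label, raw in (("cc", RAW_CC), ("bcc", RAW_BCC)):
        ok, reason, exposed = check_raw_message(raw)
        print(f"{label}: ok={ok} {reason} {exposed}")
```

A rule like this belongs at the mail gateway or in a send-time plugin rather than in a training slide: the Cc message is blocked with three exposed addresses named, while the Bcc version passes because the Bcc header is never shown to recipients.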

Unauthorised Disclosure

This type of incident may occur due to a malicious attack such as ransomware, or it may be an insider breach, as illustrated by these cases:

■ In 2023 two former Tesla employees leaked confidential and personal information relating to employees and customers.

■ Back in 2014 a Morrison’s employee leaked his colleagues’ payroll details in what was seen as an act of revenge after being given a verbal warning. The case resulted in years of legal wrangling over whether Morrison’s was liable for the actions of a rogue employee.

This type of incident also includes ‘employee snooping.’ For example, a member of staff with access to a customer database browses the personal data of others without a legitimate business purpose. Or a police officer or council official looks up and discloses information without authority.

Improper disposal of records

Insecure disposal of electronic or paper records can lead to a data breach. For example, a company disposes of old paper files containing customer details without shredding them, and a third party finds them.

The above is by no means an exhaustive list, but provides those less experienced in data breaches with a steer on what risks to be aware of.

Not all security incidents will be personal data breaches; they could involve commercially sensitive information but no personal data. While these don’t need to be reported unless they meet a certain threshold, they still have the potential to cause considerable fallout.

Privacy violations

In other circumstances there may be a violation of data protection law which is not a data breach. As an example, I’ve been asked before whether an email marketing campaign accidentally sent to customers who’ve unsubscribed needs to be reported as a breach. While a clear violation of the right to object to direct marketing, this doesn’t represent a breach of security: there’s been no destruction, loss, alteration, unauthorised disclosure of, or access to personal data. The individuals’ personal data remains secure. Efforts therefore need to focus on minimising the risk of complaints escalating, and making sure this never happens again.

To conclude, the DPP Law case is instructive: it’s not a big company, employing fewer than 250 people, but it handles highly sensitive information relating to its clients. The attack it suffered sends a clear message: any business can fall victim to a cyber-attack or personal data breach. The more sensitive the data your organisation handles, the more damaging a breach could be. Not only must cyber security be treated as a priority, but so must robust data breach procedures to guide your team through any potential attack.