UK Update: Data Breaches: Human Error vs. Hacker
14/08/2023

High-profile data breaches at the Electoral Commission and the Police Service of Northern Ireland (PSNI) have made the headlines this week and perfectly embody the two biggest cyber risks faced by data controllers: a sophisticated cyber attack by an experienced threat actor, and basic human error.
As the extent of these high-profile cases emerges, it is rightly prompting organisations that handle large amounts of personal data to take notice and, if they are not already doing so, to consider what protections they can put in place to avoid falling victim to similar incidents.
Electoral Commission
The scale and sophistication of this attack are the stuff of nightmares for a data controller, particularly one that fulfils a vital role in regulating elements of the UK’s democratic process. From as early as August 2021, hackers had access to some of the Electoral Commission’s systems, including those holding full copies of the electoral registers and the Commission’s email system. This means that the names and addresses of around 40 million voters could have been accessed by the hackers, although it is not yet known what data was actually taken.
Perhaps most concerning is that the hackers remained undetected until October 2022, more than a year after gaining access.
The matter is currently being investigated by the UK data regulator, the Information Commissioner’s Office (ICO). We expect the ICO will be particularly interested in understanding how the hackers managed to evade detection for this length of time, and whether “appropriate technical and organisational measures” were in place, as required by Article 32 of the UK GDPR. While it will not always be possible to prevent a cyber attack entirely, the UK GDPR requires organisations to implement safeguards that are robust yet proportionate, taking account of the state of the art, the cost of implementation, and the level of risk associated with the personal data being processed. Detecting and responding to an intrusion in a timely manner is part of that obligation, not an optional extra.
PSNI
In response to a Freedom of Information (FOI) request from a member of the public, PSNI accidentally disclosed a spreadsheet containing the personal data of more than 10,000 officers and staff. This personal data included names, rank, unit details and work location. The spreadsheet was published on a legitimate FOI website for around two hours, during which time it was available to the public, before it was removed.
It has since been reported that PSNI also suffered a separate data loss incident in July 2023, in which a police laptop and documents were stolen from the private vehicle of a senior PSNI officer. The stolen material included the names of over 200 officers and staff.
The root cause of these incidents will be all-too-familiar to many organisations. “Non-cyber” breaches (i.e. those not perpetrated by an external threat actor) are the most common of all those reported to the ICO, vastly outnumbering those committed by hackers. Most data breaches are caused by human error, such as emailing an attachment to the wrong person, or losing paperwork or devices. These incidents serve as a timely reminder to data controllers to tightly control the way in which personal data is handled within the organisation: for example, by checking outgoing documents and spreadsheets for hidden sheets, metadata and embedded source data before release, by having a second person review responses to FOI and similar requests, and by ensuring that devices holding personal data are encrypted and are not left unattended.
The cost of a breach
The financial consequences of a data breach can be significant for the organisation involved. As well as the cost of business interruption, there is the risk of a regulatory fine from the ICO. Depending on the severity of the breach and other factors, fines can in theory reach up to £17.5m or 4% of annual global turnover, whichever is higher.
Added to that is the risk that the affected data subjects bring a civil claim for compensation. Group actions by data subjects affected by cyber breaches are on the rise, and defending, managing or settling such actions carries obvious financial implications.
If your organisation is victim to a cyber incident, or you want to take proactive steps to build cyber resilience, our team of experts can assist. Get in touch to find out how we can help.
By Burness Paull LLP, Scotland, a Transatlantic Law International Affiliated Firm.
For further information or for any assistance please contact ukscotland@transatlanticlaw.com
Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.