Reports about data breaches often focus on the financial impact on businesses. But recent data breaches involving three UK police services and the UK Electoral Commission have highlighted how inadequate data protection can threaten people’s safety—and even their lives.
Responding to a freedom of information request on 8 August, the Police Service of Northern Ireland (PSNI) accidentally released the surname, initial, rank or grade, location, and departments of all current officers and civilian staff.
Providing an update one week after the incident, PSNI Chief Constable Simon Byrne said that the information had likely been obtained by dissident groups that would use it to “generate fear and uncertainty as well as intimidating or targeting officers and staff”.
On 15 August, a similar incident was reported by Suffolk and Norfolk police. The two police services disclosed that they had inadvertently released personal data about 1,230 victims of crime in response to freedom of information requests between April 2021 and March 2022.
On the same day the PSNI’s data breach came to light, the UK Electoral Commission reported that malicious actors had access to its systems between August 2021 and October 2022.
The incident compromised two electoral registers containing data about millions of UK voters. While one register was publicly accessible (under controlled conditions), the other contained details of voters who had opted out of the public register. The attackers also had access to the Electoral Commission’s email systems throughout the period of the attack.
Recent events also underline the importance of good communication and effective mitigation processes following a breach.
Days after the 8 August PSNI breach occurred, the media reported another incident involving a laptop, radio, and some confidential documents being stolen from a PSNI police car on 6 July. But the 200 PSNI employees affected were not notified about the incident for over a month.
And while the Electoral Commission reportedly notified the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of its data breach, many are asking why the organisation did not publicise the breach until around 10 months later.
Mitigating data breaches requires a multi-faceted approach involving strong security measures, employee training, regular audits, incident response plans, and ongoing vigilance.
Large institutions are typically highly complex structures, which can make them particularly vulnerable to data breaches. A team of data protection and security experts is a core component in any such organisation.
Let’s look at some of the ways that large organisations leave themselves open to data breaches and how they can minimise exposure to these threats.
Complex infrastructure enables sophisticated attacks
Large institutions are attractive targets for cyber-criminals due to the potential for valuable data and financial gain.
Attackers often use sophisticated techniques to breach security defences by exploiting vulnerabilities typical of complex IT infrastructures. Novel threats emerge daily, and even well-resourced organisations struggle to keep pace with them.
Inadequate employee training, the use of legacy systems, and out-of-date security controls or patches can also increase an organisation’s vulnerability to attacks.
Perfect storm of high-value data and human error
Even with robust security measures in place, human error remains a significant factor in many data breaches. And, particularly in large institutions processing highly sensitive data, mistakes can be devastating.
Employees might fall victim to phishing scams, misconfigure security settings, or mishandle sensitive information. Each of the data breaches referenced above is being blamed, in part, on human error.
Third-party vendors, suppliers, and partners can create additional points of vulnerability. Supply chain attacks can affect virtually any organisation. In a complex system, even a dedicated cybersecurity team can leave gaps in security oversight and response.
Processes and safeguards can help reduce risk, but they are only effective when implemented by a suitably knowledgeable and well-supported team.
Poor data protection and security create risks: not only to your organisation’s bottom line, but also, in some cases, to people’s lives and safety.
Effective data protection training, robust systems and controls, and rigorous monitoring and reporting processes significantly reduce the likelihood and impact of human error.
As cyber threats continue to evolve, it’s crucial for institutions to stay proactive and adaptive in their cybersecurity efforts.
As a global B Corp Data Protection Officer (DPO), we assist organisations in maintaining compliance with global data protection and privacy regulations. We have Subject Matter Experts who can support you with any queries you may have in relation to safeguarding your cyber security and data privacy.