Charities reported more than 140 data breaches to the Information Commissioner’s Office (ICO) between 2017 and 2018, according to a recent study by corporate investigations firm Kroll.
It has been revealed that a 2016 cyber attack on the British and Foreign Bible Society, which exploited an unrepaired weakness in the Society’s IT network, exposed personal data on 417,000 of its donors. The ICO fined the Society £100,000 in 2018.
Other charities that have been fined for data breaches include Oxfam (£6,000), Great Ormond Street Hospital for Children (£11,000) and the University of Greenwich (£120,000).
The Information Commissioner Elizabeth Denham said: “Millions of people will have been affected by these charities’ contravention of the law.
“No charity wants to alienate their donors…but charities must follow the law.”
Across all sectors, the number of reported data breaches rose by 75% over two years, with the most reports coming from education, childcare and general business.
Breaches caused by human error were three times as numerous as those resulting from deliberate cyber attacks.
The most common causes of personal data breaches were emails sent to the wrong recipient (447 incidents), loss or theft of paperwork (430) and data left unsecured (164).
Kroll said the rise in reports strongly indicated the need for organisations to be transparent about breaches.
“Reporting data breaches wasn’t mandatory for most organisations before the GDPR came into force, so while the data is revealing, it only gives a snapshot into the true picture of breaches suffered by organisations in the UK,” said Andrew Beckett, Managing Director and EMEA Leader for Kroll’s Cyber Risk Practice.
“The recent rise in the number of reports is probably due to organisations gearing up for the GDPR as much as an increase in incidents.
“We would also expect to see an increase in the value of penalties issued as the maximum possible fine has risen from £500,000… or 4 per cent of annual turnover, whichever is higher.
“The ultimate impact is that businesses face not only a much greater financial risk around personal data but also a heightened reputational risk.”
Malware (53 incidents), phishing attacks (51) and ransomware (33) were the major attack vectors that led to breaches.
“Effective cyber security is not just about technology,” Beckett stated.
“Often companies buy the latest software to protect themselves from hackers, but fail to instigate the data management processes and education of employees required to mitigate the risks.
“The majority of data breaches and even many cyber attacks could be prevented by human vigilance or the implementation of relatively simple security procedures.”
Sarah Armstrong-Smith, Head of Continuity & Resilience at Fujitsu UK & Ireland, spoke of a need for automation:
“There also needs to be mechanisms in place to identify and prevent internal data leakages from occurring. Automation is helping organisations to detect and respond to changes and…can help organisations react quicker and respond to a breach should it happen… Security alone cannot stop a breach, it requires a cultural shift to embed data governance throughout an organisation.”
The ICO has posted five tips to help small and medium-sized charities handle personal data properly and transparently.
The tips were to tell the public what the charity is doing with their data, train staff properly, use stronger passwords, encrypt devices and only keep information for as long as it is needed.
In the days leading up to the GDPR coming into force, the ICO reminded organisations that a personal data breach likely to put people at risk must be reported to the ICO within 72 hours of the organisation becoming aware of it, so that appropriate action can be taken.