On 8 August 2023, both the UK Electoral Commission and the Police Service of Northern Ireland (PSNI), announced serious data breaches. For the Electoral Commission this appears to have been the result of a serious hack of their systems. For PSNI, the breach has been reported as the result of human error. We have also seen a report from 15 August 2023 that a similar data breach was committed by Norfolk and Suffolk police forces, where personal data was included in a Freedom of Information response. A key aspect here was that the data was hidden from anyone opening the files but should not have been included.
As processors of significant amounts of personal data, including highly sensitive or ‘special category’ personal data, both of these breaches represent a serious concern for the organisations, and the persons to whom the data belongs. In both cases the incidents have been reported to the ICO and are being investigated.
Below we will look at what happened to cause the breaches, and what lessons employers can learn from this about processing data and how to protect the information.
The Hack
The Electoral Commission reported that they had been the subject of a “complex cyber-hack” which resulted in reference copies of electoral registers being accessed by the hackers, containing the name and address of anyone in the UK registered to vote between 2014 and 2022.
The Commission was unable to confirm if the data had been downloaded, and could not state conclusively which data had been accessed.
At time of publication, it has not yet been confirmed who was responsible for this hack, however leading experts including David Omand, a former director of GCHQ, has said that Russia is “first on his list of suspects”. This has not yet been verified.
This breach exposed the data of more than 40 million voters.
Human Error
In the PSNI case however, the breach has been reported to have been due to human error. A spreadsheet containing the surname, initial, rank, location and the department of all current PSNI officers and civilian staff members was published online. This did not include private addresses of employees.
PSNI have confirmed that the data was posted in error in response to a freedom of information request, and was publicly accessible for three hours before the error was noted and rectified.
The potential impact of this breach is particularly significant due to the historic safety concerns that employees of the PSNI have had since the Troubles. It is reported that many police officers choose to keep their occupation secret, even from friends and relatives out of safety concerns for themselves and their families.
PSNI Assistant Chief Constable Chris Todd has confirmed that the information leaked was limited to surname and initial, with no other identifiable personal information within the published leak.
What lessons can employers learn?
These examples are severe cases of data breaches, with an increase in the number of data breaches committed, and represent the multifaceted approach that employers need to take to ensure that data is protected.
The learning point from the Electoral Commission case is to ensure that you have extensive security on systems, and that employees are trained on hacking avoidance methods and device security. This includes for example phishing tests, document protection, and physical device security. Without ensuring that adequate training is in place, this leads to organisations be exposed to data breaches.
For PSNI, the learning point has to come down to employee training, and protocols. Foremostly, employees should be trained to password protect sensitive documents, especially those containing a database of personal data. This is a relatively simple layer of protection that can quickly become routine, which can protect this information should it mistakenly fall into the wrong hands.
In addition to this, employers should make sure their employees have sufficient training on how to store and share data, and the importance of compliance with data protection laws. In particular, having regard to the data minimisation principle, which is to ensure that only the most essential data is shared to limited numbers of recipients, rather than the ‘oversharing’ of personal data or sharing this personal data with recipients who do not require access to it.
In both cases, it is clearly important for employers to have detailed policies in place which explain to employees what to do in case of a breach, and protocols to minimise the impact of that breach should it occur.
The biggest learning point from these cases is that unfortunately it is not enough to just train internally, or to just equip extensive security measures against hacking, both methods and more must be used by employers to be able to satisfy themselves that they have fulfilled their obligations and to ultimately reduce the number of data breaches.
If you would like assistance with data protection policies, or training from our data protection team, please do get in touch.