FOI requests reveal "thousands" of government data breaches

Government departments reported scores of breaches and made numerous notifications to the ICO between 2019 and 2020

UK government departments experienced "thousands" of data breaches between 2019 and 2020, raising concerns about the quality of security implemented by the institutions.

According to annual reports, as well as Freedom of Information (FOI) requests made by USB drive manufacturer Apricorn, 17 government departments experienced thousands of personal breaches between them during the 12-month period and made numerous notifications to the Information Commissioner’s Office (ICO)

Between 1 August 2019 and 31 July 2020, the Office of the data protection officer (DPO) received 1,291 Data Incident Reports in relation to the HM Passport Office (HMPO), of which all but 11 were ruled to be personal data breaches.  

NHS Digital experienced 38 personal data breaches during the timeframe, according to its 2019-2020 annual report and account, with 17 relating to employee data and 21 concerning patient data. However, only four of the incidents were deemed significant enough to be reported to the ICO.

The Driver and Vehicle Licensing Agency (DVLA) sumitted a higher number of incidents to ICO, with a total of 181 notifications made in the last year along, according to data from its annual report.

Apricorn's EMEA managing director Jon Fielding said that “it may be that these departments are dealing with thousands, even millions, of records containing personal data or sensitive information”.

“Given this, and the fact these are public bodies, we should certainly be concerned. Whether these are minor breaches that required no further action or not, it is clear that more needs to be done and departments need to be considering the tools necessary to bring this number down in years to come,” he added.

Commenting on the findings, Fielding said that “the large number of data incidents being reported may be in part due to the increased awareness and changes in processes when identifying and managing data breaches”. 

“The change in requirements in line with the GDPR will of course see a rise in the numbers now being reported to the ICO. The increase in remote working through Covid will also have introduced more security concerns with an upsurge of information on the move. 

Related Resource

2020 cyber security outlook report

Behaviours in the battle between modern attacker and defender

Download now

“Needless to say, if the data is secure in the first instance, the number of breaches, and the need to report them, would obviously decline. Public sector bodies should follow the same process as any business would when it comes to mitigating risk. At the very least, data should be encrypted in transit and at rest so that, in the event defences are compromised, the data remains inaccessible,” he added. 

The study's findings come as Hackney Borough Council battles a "serious" cyber attack. The incident has knocked its online services and IT systems offline, although little has yet been disclosed about the nature of the attack. 

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Acer Taiwan falls victim to cyber attack
hacking

Acer Taiwan falls victim to cyber attack

18 Oct 2021
Marsh McLennan reveals its cyber risk analytics center
risk management

Marsh McLennan reveals its cyber risk analytics center

15 Oct 2021
£100 contactless payment limit could place shoppers at risk, warn industry experts
Policy & legislation

£100 contactless payment limit could place shoppers at risk, warn industry experts

15 Oct 2021
Hackers used MSHTML exploit a week before patches were ready
zero-day exploit

Hackers used MSHTML exploit a week before patches were ready

14 Oct 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021
What is cyber warfare?
Security

What is cyber warfare?

15 Oct 2021