FOI requests reveal "thousands" of government data breaches
Government departments reported scores of breaches and made numerous notifications to the ICO between 2019 and 2020
According to annual reports, as well as Freedom of Information (FOI) requests made by USB drive manufacturer Apricorn, 17 government departments experienced thousands of personal breaches between them during the 12-month period and made numerous notifications to the Information Commissioner’s Office (ICO).
Between 1 August 2019 and 31 July 2020, the Office of the data protection officer (DPO) received 1,291 Data Incident Reports in relation to the HM Passport Office (HMPO), of which all but 11 were ruled to be personal data breaches.
NHS Digital experienced 38 personal data breaches during the timeframe, according to its 2019-2020 annual report and account, with 17 relating to employee data and 21 concerning patient data. However, only four of the incidents were deemed significant enough to be reported to the ICO.
The Driver and Vehicle Licensing Agency (DVLA) sumitted a higher number of incidents to ICO, with a total of 181 notifications made in the last year along, according to data from its annual report.
Apricorn's EMEA managing director Jon Fielding said that “it may be that these departments are dealing with thousands, even millions, of records containing personal data or sensitive information”.
“Given this, and the fact these are public bodies, we should certainly be concerned. Whether these are minor breaches that required no further action or not, it is clear that more needs to be done and departments need to be considering the tools necessary to bring this number down in years to come,” he added.
Commenting on the findings, Fielding said that “the large number of data incidents being reported may be in part due to the increased awareness and changes in processes when identifying and managing data breaches”.
“The change in requirements in line with the GDPR will of course see a rise in the numbers now being reported to the ICO. The increase in remote working through Covid will also have introduced more security concerns with an upsurge of information on the move.
2020 cyber security outlook report
Behaviours in the battle between modern attacker and defenderDownload now
“Needless to say, if the data is secure in the first instance, the number of breaches, and the need to report them, would obviously decline. Public sector bodies should follow the same process as any business would when it comes to mitigating risk. At the very least, data should be encrypted in transit and at rest so that, in the event defences are compromised, the data remains inaccessible,” he added.
The study's findings come as Hackney Borough Council battles a "serious" cyber attack. The incident has knocked its online services and IT systems offline, although little has yet been disclosed about the nature of the attack.