Tag: Information Commissioner’s Office

1
ICO issues record £20 million fine to British Airways
2
Cyber Criminals “King of the (Data Breach) Jungle”: 61% of all Data Breaches caused by Malicious or Criminal Attacks, according to OAIC Report
3
OAIC and UK ICO announce joint investigation into Clearview AI
4
You’ve got mail…and lots of it according to the latest OAIC report!
5
Human error accounts for 34% of Notifiable Data Breaches – 3 key take outs from the latest OAIC report
6
PwC’s Enforcement Tracker finds a large increase in fines for privacy breaches in the UK
7
UK telecoms company handed record fine for data breach

ICO issues record £20 million fine to British Airways

By Cameron Abbott and Rebecca Gill

The UK Information Commissioner’s Office (ICO) has fined British Airways £20 million, the ICO’s largest fine to date, for failing to protect the personal and financial details of more than 400,000 of its customers.

In a statement published online on 16 October 2020, the ICO stated that its investigation had found that British Airways was “processing a significant amount of personal data without adequate security measures in place”. This failure is said to have breached data protection laws and, subsequently, the airline was the subject of a cyberattack in 2018, which was not detected for more than two months.

Read More

Cyber Criminals “King of the (Data Breach) Jungle”: 61% of all Data Breaches caused by Malicious or Criminal Attacks, according to OAIC Report

By Cameron Abbott, Keely O’Dowd and Max Evans

The Office of the Australian Information Commissioner (OAIC) has released its report on notifications received under the Notifiable Data Breaches scheme for period January to June 2020.

The OAIC reported 518 breaches were notified to it in the relevant period. The OAIC noted a 3% decrease from the 532 breaches notified in the period July 2019 to December 2019. However, there was a 16% increase on the 447 notifications received during January to June 2019.

Read More

OAIC and UK ICO announce joint investigation into Clearview AI

By Cameron Abbott, Warwick Andersen, Rob Pulham and Keely O’Dowd

On 9 July 2020, the Office of the Australian Information Commissioner (OAIC) and the UK Information Commissioner’s Office (ICO) announced they have opened a joint investigation into the personal information handling practices of Clearview AI Inc.

The OAIC has stated the investigation will focus on ClearView AI’s use of “scraped” data and biometrics of individuals.

Read More

You’ve got mail…and lots of it according to the latest OAIC report!

By Cameron Abbott and Michelle Aggromito

With email being one of the most common forms of communication, it’s not surprising that inboxes these days accumulate thousands of emails that, perhaps, aren’t always electronically filed or deleted (not ours of course).

As the Office of the Australian Information Commissioner (OAIC) has indicated in its most recent report on notifications received under the Notifiable Data Breach (NBD) scheme, email accounts are frequently being used for storage, and this raises inherent risk. Yes it’s convenient, but using email to send personal information, such as copies of passports, bank account details and credit card information, can very quickly lose its appeal. If the email account is accessed by a malicious actor through a phishing attack or a rogue employee, the end result can be exploitation of that information for criminal gain.

Read More

Human error accounts for 34% of Notifiable Data Breaches – 3 key take outs from the latest OAIC report

By Cameron Abbott and Karla Hodgson

The Office of the Australian Information Commissioner has released its Q2 statistics on notifications received under the Notifiable Data Breach (NDB) scheme. The 245 breach notifications in Q2 are on par with each other quarter since the scheme was introduced in July 2018 and while the majority of NDBs (62%) are attributed to malicious or criminal attacks, we noted with interest that a staggering 34% are due to human error – that is, mostly avoidable errors made by staff. A consistent theme of our blogs is reinforcing the message that employees are the front line of defence for organisations.

There are 3 key statistics we took away from these human error NDBs.

Read More

PwC’s Enforcement Tracker finds a large increase in fines for privacy breaches in the UK

By Cameron Abbott and Rebecca Gill

PwC’s UK Privacy & Security Enforcement Tracker has found that fines in the UK over data protection law violations totalled £6.5 million in 2018, a £2 million increase from 2017.

The Tracker analysed data protection enforcement actions by the UK Information Commissioner’s Office (ICO), including monetary fines, prosecutions and undertakings. The Tracker shows that the total sum of fines increased from 2017, but the number of ICO enforcements fell to 67 in 2018 from 91 in 2017.

Read More

UK telecoms company handed record fine for data breach

By Cameron Abbott and Rebecca Murray

Major UK telecoms company, TalkTalk has been fined £400,000 for failing to adequately safeguard personal data when they were hacked in October 2015. The Information Commissioner’s Office’s (ICO) investigation revealed that hackers obtained the details of 156,959 customers, including names, addresses, birthdates, phone numbers and email addresses. In over 15,000 cases, hackers even gained access to bank account details and sort codes. The cyber-attack triggered the launch of a committee inquiry into protection of personal data online. You can read the inquiry report here.

After in depth investigation, the ICO found that TalkTalk’s failure to implement even the most basic cyber security measures allowed hackers to easily penetrate its systems causing substantial damage and distress to its customers. See how the investigation unfolded here and read the ICO’s penalty notice here. The ICO identified TalkTalk’s principal errors as failing to actively monitor its own activities and allowing vulnerabilities to go unnoticed, failing to update its database to protect from bugs, failing to respond to two previous attacks on the same webpages and failing to fix a bug in the software for which a fix was readily available.

It would seem regulators are losing patience with organizations that don’t take their security obligations seriously.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.