High-profile data breaches at the Electoral Commission and the Police Service of Northern Ireland (PSNI) have made the headlines this week and perfectly embody the two biggest cyber risks faced by data controllers: a complex cyber attack by an experienced threat actor, and basic human error.

As the extent of these high-profile cases emerges, it is rightly causing organisations who handle large amounts of data to take notice and, if they are not already doing so, think about what protections they can put in place to avoid falling victim to incidents like these.


Electoral Commission

The scale and sophistication of this attack is the stuff of nightmares for a data controller, particularly one which fulfils a vital role in regulating certain elements of the UK’s democratic process. From as early as August 2021, hackers gained access to some of the Electoral Commission’s systems, which contained full copies of electoral registers, as well as the Commission’s email system. This means that the names and addresses of 40 million voters were capable of being accessed by the hackers, though it is not yet known what data was actually compromised.

Perhaps most concerning is the fact that the hackers remained undetected until October 2022, over a year after gaining access.

The matter is currently being investigated by the UK data regulator, the Information Commissioner’s Office (ICO). During the course of that investigation, we expect the ICO will be particularly interested in understanding how the hackers managed to evade detection for this length of time, and whether “appropriate technical and organisational measures” were in place, as required by the UK GDPR. While it will not always be possible to avoid a cyber attack completely, the UK GDPR requires organisations to implement safeguards which are robust, yet proportionate, taking account of the technology available, the cost of that technology, and the level of risk associated with the personal data.

PSNI

In response to a Freedom of Information Request (FOI) from a member of the public, PSNI accidentally provided a spreadsheet containing the personal data of more than 10,000 officers. This personal data included names, rank, unit details and work location. The spreadsheet was published on a legitimate FOI website for around two hours, during which time it was available to the public, before it was removed.

It has since been reported that PSNI was also affected by a cyber incident in July 2023, in which a police laptop and documents were stolen from the private vehicle of a senior PSNI officer. The stolen material included the names of over 200 officers and staff.

The root cause of these incidents will be all-too-familiar to many organisations. “Non-cyber” breaches (i.e. those not perpetrated by an external threat actor) are the most common of all those reported to the ICO, vastly surpassing those committed by hackers. Most data breaches are caused by human error, such as emailing an attachment to the wrong person, or losing paperwork or devices. These incidents serve as a timely reminder to data controllers to tightly control the way in which personal data is handled within the organisation.

The cost of a breach

The financial consequences of a data breach can be significant for the organisation involved. As well as the business interruption cost, there is the risk of a regulatory fine from the ICO. Depending on the severity of the breach and other factors, fines could in theory reach up to £17.5m or 4% of annual global turnover, whichever is higher.

Added to that is the risk that the data subjects mount a civil claim for compensation. Group actions from data subjects affected by cyber breaches are on the rise. There are obvious financial implications of defending, managing, or settling group actions.

Further commentary on data breaches and tips on cyber resilience can be found in our previous blog post here.

We also provide regular commentary on group claims in Scotland. See our latest blog here.

If your organisation is victim to a cyber incident, or you want to take proactive steps to build cyber resilience, our team of experts can assist. Get in touch to find out how we can help.
