ICO Issues Reprimand Following Cyber Attack

Bethany Paliga

Published: August 4th, 2023


Background

The Information Commissioner (ICO) has recently published details of a reprimand to "My Media World Limited t/a Brand New Tube" (BNT) following an incident where BNT's systems were subject to a cyber-attack.

Case facts

The reprimand states that on 14th August 2022, an unauthorised third party gained access to BNT's systems and extracted the personal data of 345,000 individuals. The data accessed comprised the names, email addresses and passwords of 345,000 website users. BNT have not been able to identify the specific cause of the incident.

Reprimand

The ICO has provisionally decided to issue BNT with a reprimand in respect of the following breaches of the UK GDPR:

Article 32 (1) UK GDPR - "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk."

Article 32 (1) (d) UK GDPR states that this includes:

"a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing".

Provisional Findings

The reprimand states that the ICO has made the following provisional findings:

  • BNT were unable to provide evidence of regular penetration testing or vulnerability scanning. BNT advised that a third-party provider was responsible for performing this service but was unable to confirm the date of the last scan or the methodology that was used.
  • BNT did not have in place appropriate organisational measures to ensure the confidentiality of their systems. BNT relied on assurances from third parties but there was a lack of contractual evidence or oversight.

Recommendations

The ICO has recommended that BNT should take the appropriate steps to ensure that it adheres to the UK GDPR and, more specifically, to Article 32 (1) and 32 (1) (d) of the UK GDPR. The ICO has made the following recommendations:

  • In order for BNT to be compliant with Article 32 (1), BNT should ensure that appropriate contracts are put in place with any third-party providers, clearly setting out the roles and responsibilities of each party.
  • BNT should ensure that they are keeping accurate records of their processing activities and security measures which they are implementing.
  • BNT should ensure they are carrying out regular scans and testing of their systems and addressing any issues promptly.

Consequences of a Reprimand

A reprimand is issued by the ICO under Article 58(2) UK GDPR following an investigation where the ICO considers an organisation has not complied with the UK GDPR. Reprimands may be issued where the ICO has found a breach of the UK GDPR but the breach is not serious enough to attract a fine. They are also commonly issued against public sector organisations as an alternative to a fine, which would have to be paid out of public funds.

From December 2022, the ICO announced it would publish details of reprimands on its website. Therefore, despite avoiding a fine, organisations may now face additional scrutiny and reputational damage as a result of a reprimand being issued. An organisation may also find the reprimand being used as evidence in claims for compensation for a data breach.

Conclusion

This reprimand highlights the importance of data security and demonstrates that data security is not simply a matter for the IT team or a third-party provider alone. In order to demonstrate accountability, organisations must have systems in place that provide sufficient oversight of data security, so that the board is not simply relying on assurances provided by one party.

A full copy of the reprimand is available to view here.

Our Data Protection team can assist organisations with the handling of personal data. We can help with producing a Data Protection Impact Assessment (DPIA), which assists organisations in identifying data risks and minimising the potential for data protection issues, among various other services to help your organisation ensure that it is adhering to the UK GDPR.
