ICO Issues Reprimand Following Cyber Attack


Article

04 August, 2023

Bethany Paliga
Senior Associate

Background

The Information Commissioner's Office (ICO) has recently published details of a reprimand issued to "My Media World Limited t/a Brand New Tube" (BNT) following a cyber-attack on BNT's systems.

Case facts

The reprimand states that on 14 August 2022 an unauthorised third party gained access to BNT's systems and extracted the personal data of 345,000 individuals. The data accessed comprised the names, email addresses and passwords of 345,000 website users; the published summary does not state whether those passwords were stored in plaintext or hashed. BNT has not been able to identify the specific cause of the incident.

Reprimand

The ICO has provisionally decided to issue BNT with a reprimand in respect of the following breaches of the UK GDPR:

Article 32 (1) UK GDPR: "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk."

Article 32 (1) (d) UK GDPR states that this includes:

"a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing".

Provisional Findings

The reprimand states that the ICO has made the following provisional findings:

  • BNT was unable to provide evidence of regular penetration testing or vulnerability scanning. BNT advised that a third-party provider was responsible for performing this service but could not confirm the date of the last scan or the methodology used.
  • BNT did not have appropriate organisational measures in place to ensure the confidentiality of its systems. BNT relied on assurances from third parties, but there was a lack of contractual evidence or oversight of those parties.

Recommendations

The ICO has recommended that BNT take appropriate steps to ensure that it adheres to the UK GDPR, and specifically to Article 32 (1) and Article 32 (1) (d). The ICO has made the following recommendations:

  • In order to comply with Article 32 (1), BNT should ensure that appropriate contracts are put in place with any third-party providers, clearly setting out the roles and responsibilities of each party.
  • BNT should keep accurate records of its processing activities and of the security measures it has implemented.
  • BNT should carry out regular scanning and testing of its systems and address any issues found promptly.

Consequences of a Reprimand

A reprimand is issued by the ICO under Article 58(2) UK GDPR following an investigation in which the ICO concludes that an organisation has not complied with the UK GDPR. Reprimands may be issued where the ICO has found a breach of the UK GDPR that is not serious enough to attract a fine. They are also commonly issued to public sector organisations as an alternative to a fine, which would otherwise have to be paid out of public funds.

From December 2022 the ICO has published details of reprimands on its website. Therefore, despite avoiding a fine, an organisation may face additional scrutiny and reputational damage as a result of a reprimand being issued. A published reprimand may also be relied on as evidence in claims for compensation arising from a data breach.

Conclusion

This reprimand highlights the importance of data security and demonstrates that data security is not simply a matter for the IT team or a third-party provider alone. In order to demonstrate accountability, organisations must have systems in place that give sufficient oversight of data security, so that the board is not simply relying on assurances from one party. In BNT's case, the findings turned not on the attack itself, for which no specific cause was identified, but on the inability to evidence regular testing and the absence of contractual arrangements with the provider said to be responsible for it.

A full copy of the reprimand is available to view here.

Our Data Protection team can assist organisations with the handling of personal data. Among other services, we can help produce a Data Protection Impact Assessment (DPIA), which assists organisations in identifying data protection risks and minimising them, and support your organisation in ensuring that it adheres to the UK GDPR.

For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.
