It has been a particularly busy period for CRIBB, with an increase in requests for information regarding our DPO services. This year, as many of you will have noticed, there has been a spate of very high-profile cyber-attacks and data breaches. Read more on those below, plus we include some startling statistics on cyber security incidents for the year to date. We end with a data protection service update from our resident expert, Patrick Carolan.
Cyber-Attacks, Hacking & Data Breaches
What a year 2023 has been, with cyber-attacks, hacking incidents and breaches galore! On a serious note, some of those organisations affected rank amongst the most recognisable brands of the 21st century. The following are just a handful of examples:
Twitter
On January 5th, the social media giant suffered one of the most significant leaks ever witnessed. Email addresses linked to over 235 million accounts were posted to an online hacking forum. To put that into more context, almost half of Twitter’s user base was affected. As a result, users were warned that due to the hack, they could themselves become the victims of hacking, targeted phishing or more.
NHS
Earlier this summer, Barts Health NHS Trust confirmed that it was investigating a ransomware incident. The United Kingdom’s largest NHS trust, serving more than 2.5 million patients, was reported to have lost 70 terabytes of sensitive data to the ALPHV / BlackCat ransomware gang. The gang claimed it to be the biggest breach of healthcare data in the UK. The data included employee identification documents such as passports and driver’s licenses.
Police Service of Northern Ireland
Earlier this month, every police officer working in Northern Ireland had their data compromised in a huge data breach. The service was responding to a Freedom of Information request when an error occurred, leading to the data being leaked. It was then mistakenly published and included surnames, initials, ranks, work locations and more.
Cyber Security Incidents in 2023
There have been so many incidents this year already that a 10-page article could easily be written on them. We prefer a more succinct approach, so here are some incredible stats instead*:
- Total number of data breaches: 694
- Breached records: 612,368,642 (compared to 408 million in the whole of 2022)
- Biggest data breach (so far): Twitter (220 million breached records)
- The UK’s biggest data breach (so far): JD Sports (10 million breached records)
- Most breached sectors: Healthcare (199), education (119), public (88)
*Data taken from IT Governance’s list of data breaches and cyber-attacks in 2023.
Data Protection Officer (DPO) & DPO as a Service (DPOaaS)
For those readers unaware of these terms, here is a quick reminder:
- DPO: The person responsible for monitoring an organisation’s internal compliance. The DPO advises on all data protection obligations and must also act as a contact for data subjects and governing bodies
- DPOaaS: This is a service whereby a company provides a DPO to another organisation or organisations on a contractual basis (more on CRIBB’s DPOaaS offering below)
You will need to appoint a DPO if your organisation is a public authority or body. It is also necessary for organisations processing sensitive data on a very large scale, including racial or ethnic origin, religious or philosophical beliefs, political opinions, genetic data, biometric data and health-related data.
If your organisation does not fall into either of these categories, the ICO nevertheless recommends appointing a DPO. This ensures compliance with data protection regulations such as DPA 2018 and GDPR.
CRIBB DPOaaS & A Data Protection Service Update
Our DPOaaS offering has seen a tremendous uptake in 2023. Here we speak with Patrick Carolan about his findings in recent months. Due to the sensitive nature of the information involved, we cannot be specific. However, we believe the points made are still of great value.
Q. Patrick, are more clients reaching out to you in the wake of the widespread news on cyber-attacks?
A. Very much so. Some of the data breaches that are taking place are affecting government entities, and that is really making companies sit up and take notice. When the police can be successfully targeted, it just goes to show that no organisation is safe. I’ve had a lot of calls from concerned individuals but none of those have been existing clients, I’m delighted to say. That is due to the fact that I keep our clients regularly updated on the cyber security landscape and where they sit within that.
Top Tip for DPOs: Give regular updates on the cyber security landscape
Q. Is that part of your DPOaaS duties?
A. Yes it is, we have revamped the service this year to be even more proactive. What that means is that I’m compiling more reports and scheduling more update calls. There is a lot more work involved than that of course, but keeping our clients fully aware of their cyber security status is my main objective.
Q. Finally, what would you say to those people who still do not believe in having a DPO?
A. Much like our friends at the ICO, I believe that all organisations should appoint a DPO. Not only does it demonstrate a commitment to security but it is also vital in managing data protection.
This data protection service update is intended to highlight the worth of having measures in place to mitigate data loss risk. If your organisation has a DPO in place, then that is a great position to be in. Is your DPO being as proactive as possible, though? If you do not have one, then perhaps we can help.