UK data protection regulator says ‘no excuse’ for breaches

ICO warns firms it investigates entirely avoidable cyberattacks

The UK’s data protection regulator has warned it will take enforcement action against organisations that fail to protect personal data, urging firms to “do more” to mitigate the growing threat of cyberattacks.

The Information Commissioner’s Office (ICO) said an increase in the number and scale of cyberattacks is “no excuse” for exposing personal data to hackers.

Stephen Bonner, deputy commissioner, regulatory supervision, at the ICO, called on organisations to increase cybersecurity measures to protect personal data: “While cyberattacks are growing more sophisticated, we find that many organisations are not responding accordingly and are still neglecting the very foundations of cybersecurity.”

He added: “While there is no single solution to prevent cyberattacks, there is absolutely no excuse for not having the foundational controls in place.”

The ICO said it investigates cyber-related data breaches, which are “often entirely avoidable”.

Bonner warned that the ICO will issue fines against organisations that do not heed its warning.

“More organisations than ever are experiencing cybersecurity breaches that put people’s personal information at risk,” the ICO said, recording more than 3,000 cyber breaches in 2023, with the most incidents for organisations in finance (22%), retail (18%) and education (11%).

Analysing data breach reports, the ICO identified several common security failures from recent incidents, including malware installed on 5,000 payment terminals operated by a retailer that gave cyberattackers access to customer card details, and a phishing email to a construction company that compromised the personal data of more than 100,000 individuals.

It said sufficient guidance is already in place for ransomware, which remains the main type of cyberattack, concentrating its new report on phishing, brute force attacks, denial of service, errors and supply chain attacks.

The ICO said 56% of businesses and 62% of charities that reported data breaches in the past 12 months said phishing was the most disruptive type of attack, with such attacks on the rise and affecting 79% of businesses across the past year.

It urged firms to put in place multiple layers of protection to mitigate damage from phishing attacks, and to train staff to identify and report phishing emails and other types of attack. It also advised firms to put in place clear contracts and service level agreements with IT providers, setting out the expected security measures.

Cyber gangs are increasingly using large language models, such as ChatGPT, which allow them to mount larger-scale cyberattacks at a faster pace and make those attacks harder to identify, the ICO said.

“The use of AI makes it less likely phishing emails will have poor grammar, bad spelling or requests that don’t make sense. This makes it virtually impossible for people to distinguish between malicious social engineering attempts and legitimate messages,” it said.

The ICO said vulnerabilities in supply chains are an attractive target for cybercriminals, urging firms to ensure cybersecurity controls are in place across their vendors and to conduct risk assessments throughout their supply chain.

Detecting supply chain attacks is increasingly difficult, the ICO recognised, and companies are exposed through website or software suppliers, development and testing platforms, and information storage solutions. But it said that to reduce risks, organisations should have a robust supply chain risk management programme in place to monitor, manage, and review systems and processes throughout the supply chain. Organisations should also document, mitigate and review risks in the supply chain, conduct due diligence before undertaking a contract, and carry out tests on systems developed by third parties.

“You should demonstrate you understand all your third-party connections and, with the use of appropriate tools, be able to detect unexpected actions, discover malicious code, and deny access to possible threats,” it said.
