Every week it seems as if another data breach is reported in the news. With so much of our personal information held online and by private organisations, it’s important to stay clued up on the causes of data breaches and what you can do to mitigate risks.
Some of the common reasons behind data breaches can include:
- Data being posted or emailed to the wrong recipient or address
- Phishing scams and ransomware attacks due to poor cyber security systems
- Loss or theft of paperwork due to poor physical security
Let’s look at this in more detail.
1) Stolen/weak credentials, such as passwords
To avoid cybercriminals gaining access to your personal data, there are some steps you can take. The National Cyber Security Centre (NCSC) supports cybersecurity in the UK. They advise that you use a strong password created using three random words. For example, sunny, work and pie could be combined to create a password.
In addition, you could turn on 2-step verification (2SV). 2SV requires that you provide information beyond your password to prove your identity, such as having a code sent to your phone or another device. This makes it more difficult for cybercriminals to access your account, even if they have your password. You could also use different passwords for different accounts.
2) Application vulnerabilities, back doors
Cybercriminals could gain access to your devices and accounts by exploiting vulnerabilities in apps. These can be thought of as holes in a fence that can give access to your personal data.
Any apps you install should only come from a trusted source. Additionally, you should install the latest security updates when they become available. These often contain patches for vulnerabilities discovered since you installed the app.
3) Malware
Getting infected with malware compromises computer systems and can lead to personal data being accessed without authorisation. Malware is code designed to harm a device, service or network, giving cybercriminals unauthorised access. Ransomware, for example, is a type of malware that encrypts files on the infected computer; the cybercriminals then demand a ransom to restore the data.
To avoid this, any apps should come from a trusted source. In addition, you should have the latest anti-virus updates.
4) Social manipulation
This can occur through ‘phishing’. This is when cybercriminals use scam messages and emails to convince someone to hand over personal data. For example, an email you receive may look like it has come from your bank but when you click on a link it brings you to an imposter page. You may enter personal data, such as your banking details on this page.
Staff with access to personal data should be taught how to recognise scam messages as part of their cybersecurity training. If one staff member clicks on a link, it could compromise the entire system by installing malware.
Additionally, cybercriminals can send out vast amounts of phishing messages using personal data that is publicly available. Individuals should be aware of what information they are putting online.
Cybercriminals may also purchase personal data, including email addresses and phone numbers that were made available during a data breach. If your personal data was compromised in a previous data breach, you should be aware of the increased risks of falling victim to social manipulation tactics.
5) Too many permissions
To be compliant with data protection legislation, staff should only have access to the personal data that they require to carry out their work duties. Each additional individual with access to personal data creates additional vulnerabilities. If an organisation doesn’t know who should have access to personal data, cybercriminals can easily gain access simply by requesting it. There could also be extra checks to confirm an individual’s identity before granting them access, such as a phone call.
6) Threats from the inside
Staff with access to personal data may act with malicious intent. Additionally, if a staff member makes a mistake, they may try to conceal it by altering or deleting personal data.
Organisations should be aware of any staff members, former staff members or contractors with access to personal data. For example, a former staff member could hold a grievance against the organisation, which could lead to them copying or altering personal data. As above, individuals should only be granted access to personal data that they actually require to carry out their work-related duties.
7) Physical attacks
A malicious party could break into an office and steal computers and devices, gaining access to personal data if the devices are not password protected. Theft of a device could also occur if an employee takes it out of the workplace, for example to work from home.
Physical security precautions should be taken, such as identity checks for anyone entering the building and ensuring that secure areas are only accessible by those that need to be in them.
8) User errors, improper configuration
Human error can also cause data breaches. Any member of staff with personal data access needs training in data protection. If this is not done, breaches through human error could occur. For example:
- Failing to use the blind carbon copy (BCC) feature when sending an email. The BCC conceals the email addresses of recipients from each other.
- Verbal disclosure, such as giving away personal data about a subject over the phone.
- Personal data being sent to the wrong recipient, despite having the correct details.
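One way an organisation could catch the BCC mistake listed above before a message leaves. This is an added example, not code from the original page; it assumes the organisation's own domain is example.org and uses constructed sample messages.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed: the organisation's own domain. Staff addresses are not data
# subjects, so exposing them to each other is not a disclosure.
INTERNAL_DOMAINS = {"example.org"}


def visible_external_recipients(raw_message: str) -> list[str]:
    """External addresses every recipient can see: those in To and Cc.
    Bcc is ignored because the sending server strips that header."""
    msg = message_from_string(raw_message)
    seen: list[str] = []
    for header in ("To", "Cc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            addr = addr.strip().lower()
            if "@" not in addr:
                continue
            if addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS and addr not in seen:
                seen.append(addr)
    return seen


def check_before_send(raw_message: str, max_visible: int = 1) -> tuple[bool, str]:
    """Block a message that would reveal more than `max_visible` external
    recipients to each other; such a mailing should use Bcc instead."""
    exposed = visible_external_recipients(raw_message)
    if len(exposed) > max_visible:
        return False, f"{len(exposed)} external recipients visible in To/Cc; move them to Bcc"
    return True, "ok"


# Constructed sample messages (addresses are not real).
HEADERS = "From: clinic@example.org\r\nSubject: Appointment reminder\r\n"
PATIENTS = "a.patient@mail.test, b.patient@mail.test, c.patient@mail.test"
BULK_IN_TO = HEADERS + f"To: {PATIENTS}\r\nCc: records@example.org\r\n\r\nSee attached.\r\n"
BULK_IN_BCC = HEADERS + f"To: clinic@example.org\r\nBcc: {PATIENTS}\r\n\r\nSee attached.\r\n"

if __name__ == "__main__":
    print(check_before_send(BULK_IN_TO))   # blocked: three patients exposed
    print(check_before_send(BULK_IN_BCC))  # ok
```

In practice this check would sit in an outbound mail gateway or a send-button plugin, where it can refuse the message or prompt the sender to move the addresses to Bcc.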
9) Breaches without technology
Data breaches do not always occur online. They may also involve physical items containing personal data, such as paperwork. For example, personal data may be kept in paper files. These should be treated with the same level of security as computer systems, such as keeping paperwork containing personal data in a locked filing cabinet to avoid theft or unauthorised access.
Can I Claim Compensation For A Data Breach?
Central to having a valid claim for data breach compensation is the ability to show the following:
- A controller or processor failed to adhere to data protection legislation.
- Due to their wrongful conduct, your personal data was compromised in a breach.
- You experienced mental harm, or financial loss, or both, as a result.
The Data Protection Act 2018 (DPA) and UK General Data Protection Regulation (UK GDPR) are the laws that outline the data processing obligations for controllers and processors. A controller decides the purpose and means of processing, whilst a processor acts on the controller’s behalf. If either the controller or processor failed in their responsibility to adhere to these pieces of data protection legislation, it could result in a breach of your personal data occurring.
A personal data breach can be broadly defined as any security incident that compromises the confidentiality, integrity or availability of personal data. Personal data is any information that can be used to identify you and could include your name, address, email, contact number and date of birth. It could also include more sensitive information, such as data concerning your health (for example, your medical records) or data revealing your racial or ethnic origin. This is called special category data and requires additional protection.
Get in touch with an advisor to find out whether you could be eligible to claim after your personal data was affected in a breach. They can also provide other examples of common causes of data breaches to help you understand whether you experienced a breach of personal information.
For more information, you can get in touch with an advisor via the following contact details: