Data Protection Breaches Examples

What is a Data Protection Breach?

A data protection breach is a breach of security which has led to the personal data of an individual, or group of people, being unlawfully or accidentally destroyed, lost, altered, disclosed or accessed by an unauthorised party.

Breaches do not necessarily have to involve a hacker or cyber criminal, and can often include simple clerical errors made by office workers or administrators.

How soon should I be contacted about a Data Protection Breach?

You should be contacted within 72 hours of the breach taking place, although the organisation may contact the ICO first if the breach is considered to be ‘low risk’.

The Information Commissioner’s Office (ICO) has laid down a guideline regarding the reporting of Data Protection Breaches, including how quickly an organisation should report one. Organisations of all sizes are required to report data breaches to the ICO without delay, and no later than 72 hours after becoming aware of them. If they do not give sufficient reasons for any delay, they could be subjected to a fine.

ICO guidelines state that organisations should inform individuals affected by a data breach as soon as possible. Where the breach is considered to be ‘high risk’ (when highly sensitive personal information has been breached), priority should be given to informing the individuals affected. Informing those affected as soon as possible gives them the best chance to protect themselves from the effects of the breach.

Personal data breaches can cover a wide range of scenarios in both the commercial and private sector. Learning what these can encompass and how they might manifest is crucial to preventing future breaches and recovering compensation from situations where you may be due remuneration. Keep reading to find out what a Data Protection Breach is and the many different forms it can take.

Examples of Data Breaches

Database Hacking

Errors accounted for 21% of all data breaches in a study of over 41,686 security incidents conducted by Verizon, which is good evidence that many data protection breaches are not caused intentionally. However, the study also found that 71% of breaches were financially motivated, with 52% of all breaches involving hacking in some form. Hackers are becoming increasingly sophisticated in their attempts to crack valuable data stores, and any organisation which holds some kind of personal data is now considered to be a target.

Examples: Fashion Nexus breach, TalkTalk breach, Lancaster University breach, Marriott Starwood International breach

Local Authorities & Council Breaches

The Information Commissioner’s Office has confirmed that there were 223 data breaches involving local governments in the UK in the final quarter of 2018 alone. The majority of these involved data being posted, faxed or emailed to the wrong recipient, but they also included loss or theft of paperwork from an insecure location.

Local councils often deal with large amounts of highly sensitive data regarding their constituents, so the scope for damage can be considerable. Figures from the ICO highlight a failure to use BCC in emails as being a particular issue for authorities dealing with education and childcare.

Examples: Kent County Council breach, Gateshead Council breach

Card Skimming & Finance Attacks

Unsurprisingly, the majority of breaches that take place involve the loss of financial data, which leads to £190,000 a day being lost by victims around the UK. Whether by sophisticated scams or intelligent hacking of payment systems, cyber criminals have proven themselves more than capable of compromising some of the world’s biggest brands. In some cases, hackers have been able to surreptitiously access booking systems and then skim personal details from users as they make their payments. In this circumstance, those responsible for the system would be at fault for not providing proper protection for their users.

Examples: British Airways breach, Ticketmaster breach

Clerical Errors

Every industry involves some use of administration, which necessitates the storing of personal data. This data could relate to employees of the company, clients or beneficiaries of the organisation. Regardless of whom the data is connected to, those responsible for processing it can often be the ones responsible for accidentally breaching it. Clerical errors can include simple mistakes such as sending an email containing personal data to the wrong recipient, or a letter sent to the wrong address, but can also include verbal disclosure of personal data and incorrect disposal of paperwork.

Examples: Well Pharmacy breach

Loss Or Compromise of Mobile Electronic Devices

In a mobile security report from Verizon, 671 professionals responsible for the management of mobile devices within their organisations admitted to not protecting their assets as well as they would other devices. Whether by theft, loss or malicious attack, mobile electronic devices are vulnerable to more threats than their desktop counterparts and often contain valuable tranches of personal data. The ICO confirmed that there were 112 reports of lost or stolen devices containing personal data in Q4 of 2018.

Examples: Glasgow City Council breach, Heathrow USB Stick breach

If you think that you’ve been affected by a data breach like one of the examples above, let us know and we might be able to help you secure compensation for your loss.