Home Office kept schtum on more than 30 data breaches last year

More non-reported incidents; fewer actual reported incidents. Trebles all round!


The Home Office suffered 33 data breaches during the last financial year – and did not report any of them to the Information Commissioner's Office (ICO).

The department's annual report and accounts 2014-15 (PDF) reveals 33 "Personal Data Related Incidents" that took place in the last financial year, but were not formally reported to the ICO.

Personal data is defined as any data that may be used to identify a living individual. Under the Data Protection Act 1998 there are very strict rules on how "data controllers" may use the data they collect and store.

The list of breaches – which does not include "small, localised incidents" – was recorded centrally within the department. The annual report noted:

  • Two incidents in which "inadequately protected electronic equipment, devices, or paper documents" were lost from within "secured government premises"
  • Six incidents in which "inadequately protected electronic equipment, devices, or paper documents" were lost from outside of "secured government premises"
  • Zero incidents of "insecure disposal of inadequately protected electronic equipment, devices or paper documents"
  • 14 incidents of "unauthorised disclosure"
  • 11 incidents filed under "other"

The decision to report the breaches falls to the data controller, which for the Home Office is its permanent secretary, civil servant Mark Sedwill.

While the ICO recognises (PDF) that there is "no legal obligation on data controllers to report breaches of security", the office does encourage such reporting, and provides guidance on what breaches it considers reportable.

The Register understands that Sedwill evaluated whether breaches at the Home Office should be reported to the ICO in accordance with internal guidance, separately from the ICO's own guidance documents, though we cannot confirm whether they contain contradictory information.

The number of incidents has risen sharply since the previous report (PDF), when only five breaches were recorded that were not passed on to the ICO.

Additionally, three unauthorised disclosures were reported in 2013-14 to the ICO, including one in which the Home Office accidentally published the personal details of 1,598 migrants.

The annual report declared that "information assurance and managing information risk are continuing priorities" for the Home Office, and additionally notes that "cyber issues have been added for the first time this year to the enhanced maturity assessment used by the Department to provide comprehensive assurance to our SIRO [Senior Information Risk Owner] and ultimately, the Home Office Board."

An Information Management Assessment of the Home Office began in June 2015, and is being conducted by the National Archives, in order to provide external validation of the maturity assessment work it has undertaken in the last financial year.

The report states: "Delivering the baseline assurance necessary to build a robust IA culture will be an ongoing process, especially as HMPO have been brought into the Home Office since this programme of work was initiated." ®
