Monday 22 April 2013

ICO Breach Statistics 2012

In 2012 the ICO (Information Commissioner's Office) in the UK found 5 websites to be in breach of  data protection act.

The ICO lists the actions that it takes against organizations that it deems to be in breach of the Data Protection act. This also serves as a useful source of statistical information which this blog entry briefly explores. There are a number of different actions that the ICO can take.
  • Monetary Penalty Notices, 
  • Undertakings
  • Enforcement Notices
  • Prosecutions

Overall Statistics

For 2012 here are the overall statistics.

Total for Action
Nr for Web
Monetary Penalty Notices 24 1
Undertakings 29 4
Enforcement Notices 03 0
Prosecutions 06 0
Overall Total 62 5

There were 62 incidents of which 5 relate to websites. Given the number of online applications that process personal information, 5 seems to be a remarkably small number.

Here is a high level overview of the web application incidents.

Monetary Penalty:
  • 6th August: Sensitive personal information relating to 1,373 employees was published on the  website.
  • 1st March: Disclosure of personal information in training materials published on its website
  • 17th April: a web design error that created the potential for unauthorised access to individual’s personal data 
  • 18th April:  Two data security incidents which relate to the unauthorised disclosure of personal data on the data controller’s website.
  • 30th November: A private area on the website was accessible to members of the public

The Rest of the Incidents

The rest of the cases are made up of a mixture of the usual suspects:
  • Information being sent to the wrong recipient. 
  • Paper files left in waste bins. 
  • Unencrypted memory sticks. 
  • Hard drives not securely erased at end of life.
  • etc.

It is worth taking a look at the ICO website taking actions page to get a feel for the kind of problems that exist. There is no real pattern. Website issues are only a small proportion of the overall numbers. It shows how difficult it can be for a security manager to put a comprehensive security program in place.

Useful Links

Social: DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot

1 comment:

  1. In fact your creative writing abilities have inspired me to start my own blog now. Really blogging is spreading its wings rapidly. Your write up is a fine example of it.Software Application Development Company