Data breaches: Barclays and Santander most investigated lenders, ICO figures show

23.12.2014
Barclays was flagged as a "concern" by the Information Commisioner's Office (ICO) over data breaches more times than any other UK lender last year, files seen by ComputerworldUK reveal.

The bank, which says it takes data protection "extremely seriously", was highlighted as an organisation of concern to the ICO 21 times in 2013, according to files disclosed under the Freedom of Information (FOI) Act. Barclays was deemed to have been unlikely to have complied with the Data Protection Act (DPA) on each instance - forcing the ICO to take remedial action.

The Information Commissioner's Office (ICO) is the UK's independent body set up to uphold information rights. It will intervene where the DPA has been breached, flagging a firm as a "concern" following a complaint from an individual.

Following an investigation into a "concern", the ICO can serve enforcement notices, fines of up to £500,000, and can prosecute firms or individuals for serious data breaches.

Public sector and private companies are obliged to report a data breach although it is voluntarily. Firms that admit a serious breach have been anonymised by the ICO so as not to deter self-reporting in the future.

Other lenders who incurred repeat security breaches in 2013 included Santander - which was found unlikely to have complied with the act 15 times.

The ICO was made aware of 199 separate concerns within the lender sector throughout the year. Lloyds TSB, which then split into Lloyds Banking, featured on the offender's "concern" list, as well as NatWest, Royal Bank of Scotland, HBOS, Aviva, Nationwide Building Society and Yorkshire Building Society.

Additionally, some 36 further financial services firms self-reported serious data breaches and were issued enforcement orders from the ICO, but were granted anonymity.

Response

A Barclays spokesperson said: "Barclays takes our responsibility to protect our customers extremely seriously. We take every practical measure to prioritise the safety and security of our personal and financial data."

When asked for more details on the breaches within Santander, the bank responded: "Without knowing what breaches you are referring to, we can't comment on specifics, but we know from the cases that have been reported to the ICO, in almost all, the issue was as a result of human error, and for each we have taken the necessary steps to address the problem and any complaints raised."

Government culprits

Central government departments were also listed as "concerns". The Department for Work and Pensions (DWP), for example, was deemed "unlikely" to have complied with data protection law on 20 separate occasions.

Further, the ICO found HMRC was also likely to have breached the act on 15 occasions, the Home Office five times, the Ministry of Defence (MoD) three times and the Ministry of Justice (MoJ) six times.

Government departments were served 37 enforcement notices in total during the year.

The HMRC said that it would not comment on specific cases where it suffered a breach, but said "we take data protection and security issues - including compliance with the requirements of the DPA - very seriously. We are constantly working to improve our performance in this area and work closely with the ICO on any recommendations it makes."

However, local government appears to be the worst offender on the ICO's list - with a total of 297 investigations undertaken during last year. Five local councils were served enforcements, including Aberdeen City council and Glasgow City council when an unencrypted laptop was stolen from a council office.

Some 314 cases amongst local and central government were "resolved informally" and seven further councils were required by court to take action, including Mansfield, Luton Borough Council - on two occasions - and Royal Borough of Windsor and Maidenhead.

There were 12 local government cases were either a court order or enforcement was served. In Central government a court order was served once and 37 enforcements were "informally resolved".

Police departments were tagged as concerns on 33 separate occasions. Potential criminal breaches were discovered on three occasions and enforcement notices served 61 times throughout the year.

Retail and internet firms

Nominet UK suffered a cyber-attack, or "hack" along with Electronic Arts (EA) Games and 11 other companies that were not named. Social network Last.FM and voucher website LivingSocial were also investigated for "unauthorised access" of customer data.

HR Blacklist - a website that detailed employees who were trade union members - was also served an enforcement notice by the watchdog.

Almost 20 internet companies were subject to enforcements or possible criminal investigation following serious breaches.

There were 24 serious breaches in the retail sector, including UK grocery store Asda after it published personal data online and an employee lost a USB with confidential information.

Insurance and utility providers

Almost 40 insurance providers were listed as a concern by the ICO and a further 24 were served enforcements. In five cases this included a potential criminal breach.

Meanwhile, there were seven instances where utility companies were investigated for potential criminal breaches, all of which were informally resolved. One instance included hacking of a database and another included an error in a mail-merge which revealed personal data of its customers.

Data breach files

The files seen by ComputerworldUK include reports of data breaches during 2013 in each industry sector.

While the ICO publishes the names of companies that have been served enforcements on its website, this list, acquired under the FOI Act, reveals the number of anonymised self-reported incidents by sector as well as the number of data breaches that were investigated - information that is not usually in the public domain.

Image: iStock Jimmy Anderson

(www.computerworlduk.com)

Margi Murphy

Zur Startseite