Data Protection News Digest: in the headlines this month

With the 2020s being described by some commentators as the ‘decade of data’, it seems strangely appropriate that the year started with a data breach, when 1000 addresses of those included in the New Year Honours list were accidentally published online.
Here, we outline the top data privacy stories that have caught our attention this month, and the key learnings to take from each of them.
1. Educational data used by betting firms
For us, the biggest story in January was that betting firms had been able to access the Learning Records Service (LRS) - a database of around 28 million children aged 14 and above, including names, addresses and ages. The story broke in The Sunday Times, which said that the LRS had been accessed by data intelligence firm GB Group – whose clients include gambling companies. According to the report, one betting firm was able to use the data to increase the number of young people passing data checks by 15 percent.
This happened despite privacy rules stating the database should only be used for educational reasons.
According to the Department for Education - which immediately suspended access to the LRS when it became aware of the breach and referred it to the ICO - the “education training provider” which “wrongly provided access” to the LRS was a company called Trustopia.
According to FE Week, the DfE said the company had access to the LRS because it had registered with a UK Provider Reference Number on the UK Register of Learning Providers as an apprenticeship provider. The Education and Skills Funding Agency has now launched a full investigation.
Our view
This is an example of data governance going very badly wrong, and – given the sensitive nature of the data in question – requires a strong response from the ICO, as millions of parents will be wondering who else has had access to their children’s details. The investigation will have to look thoroughly at the criteria the DfE uses to grant access to the data, as well as audit the identities of organisations which already have access.
For other organisations, it raises the issue of thoroughly vetting the third parties they allow to access customers’ data – and ensuring these vetting processes are reviewed regularly, not only at onboarding.
2. New Year, oh dear!
Following the New Year Honours List breach – where the personal data (mainly correspondence addresses) of high-profile celebrities, senior politicians and police officers was made available as a downloadable file – we wrote at the time that it highlighted lapses of data protection we see all too commonly, specifically when it comes to handling sensitive data.
Immediately after the breach hit the headlines, the Cabinet Office stated that the file had been available for an hour. However, it subsequently admitted that it had actually taken three hours to remove the data from the website. An investigation was launched, and it remains to be seen whether the Cabinet Office will receive any compensation claims from those affected.
Our view
While it was positive that the Cabinet Office removed the file and reported the incident to the ICO – key actions when responding to any personal data breach – it opened itself up to further scrutiny by miscommunicating the extent of the breach in the first place. In addition, the cause was attributed to ‘human error’, which again highlights the need for ongoing training and awareness on data protection, whatever the size of the organisation.
3. Travelex hit by major cyber attack
Foreign currency company Travelex experienced a major cyber security incident this month, resulting in its computer systems being taken down after hackers reportedly demanded $6m (£4.6m) in return for customer data. While Travelex was quick to reassure customers that there was no evidence that personal data had been compromised, the incident has had a major operational and reputational impact on the company.
It announced on 28 January that its money transfer and wire services were fully operational again – almost a month after all systems were taken offline. During this time, staff had to use pen and paper to calculate foreign currency exchanges. The attack was reported around the world, and caused huge disruption to Travelex’s partners, including banks and other currency channels, as well as to holidaymakers and business travellers. While the true financial impact is not yet known, insurance industry experts said that its losses will be at least partly covered by a cyber insurance policy.
Our view
With an incident of this size – with global reach and multiple stakeholders to communicate with, from retail bank partners to consumers – having a robust cyber security incident response plan is critical. There were some reports that internal communication had been confusing, with some employees criticising the way the incident had been handled. Given the scale of the attack, this was perhaps unsurprising, but it highlights that strong leadership, consistent management and regular communication are crucial.
For more information on The Compliance Space, or to book a demo, contact us at https://www.thecompliancespace.com/book-a-demo