How to Identify a Data Breach, and What Needs to Happen Next
Data breaches are a serious problem in the digital age, and can have far-reaching implications for both individuals and businesses. A data breach is one of the most severe forms of security threat and can lead to information theft, financial damage, and reputational damage. Identifying when you’ve suffered a data breach is essential for taking action to protect your assets, reputation, and customers. But how exactly do you know when you’ve suffered from one?
In this article we cover:
- What is a data breach?
- Different types of data breaches
- Problems caused by data breaches
- When does a data breach need to be reported, and who do you need to report it to?
- Examples of some high profile data breaches in 2023
- How to identify when you’ve suffered a data breach
- What needs to happen following a breach
- How long do you have to report a data breach?
- Will you be fined by the ICO for a data breach?
- Who is liable for a data breach?
- Can data subjects request compensation following a breach?
- How to prevent data breaches
When most people think about a data breach, they instantly think of illegal access to systems by hackers. However, the ICO defines a data breach as “the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”
Therefore, it’s important to realise that data breaches can occur in far more circumstances than by external threats alone, and can in some cases occur accidentally due to the actions of your own staff. Let’s take a look at the different ways in which data breaches can happen.
As touched on above, not all breaches are as a direct result of illegal activities by external sources; some can happen accidentally. However, regardless of how they happen, it’s important to understand the different types of breaches that can occur:
- Man-in-the-Middle (MitM) & eavesdropping attacks
- Business Email Compromise (BEC)
- Password guessing
- Keystroke Loggers
- Physical theft or break-ins
- Human error
- Coding/development issues which have resulted in corrupted or cross-contaminated user data
- Disgruntled employees or malicious insiders
- Incorrect system or data access permissions
The key thing is to understand that the causes of data breaches are not solely down to malicious actors such as hackers, and don’t just affect high-value or high-profile organisations.
A data breach not only has an immediate impact, it can also leave its mark for years to come.
For organisations (who are often the Data Controller or Data Processor) this impact could include:
- Damage to brand reputation and trust levels
- Operational downtime, and increased operational demands - especially ensuring correct handling of the initial breach
- Financial costs as a result of:
  - Compensation claims
  - Increased hardware and/or software costs - both in terms of resolving the initial issue, or introducing new safeguards
  - Increased labour costs - especially if you need to bring in external support to resolve the initial issue, grow your support team to combat future issues, seek external support via consultants, staff training, and so on
- Loss of sales/reduced income as a result of reduced customer confidence
- Damage to share values
- Increased insurance premiums, or having to purchase dedicated cyber security insurance
- Legal ramifications
- Damaged staff morale
- Queries over integrity of remaining data
However, it’s not just the organisation that suffers. If the goal was to obtain personal data, then the Data Subjects (whether that be an individual, or organisation) can also be significantly impacted, for example through:
- Identity theft
- Financial loss
- Emotional distress
If you are in the UK, you must report a notifiable data breach to the ICO within 72 hours after becoming aware of it.
So that raises two follow up questions:
- What classes as a “notifiable breach” and
- When is it deemed that you have “become aware”?
What is classed as a notifiable data breach?
Not all data breaches necessarily need to be reported. When it comes to GDPR you only need to report a breach to the ICO if it represents a “likelihood of risk to people’s rights and freedoms.” This typically means if personal information has become compromised in a way which could have a significant detrimental effect on individuals.
If you are able to confidently demonstrate that no risk has occurred, then you do not need to report it.
For example, if you have a new member of staff join your team and they are inadvertently set up with incorrect administrative access to systems which contain personal or sensitive information (such as staff HR records for example) then you will have to investigate if that resulted in a data breach.
However, if, having reviewed their system usage (for example, by reviewing server logs), you can demonstrate that they have never accessed any of the staff HR records (or any other associated data which they should not normally have access to), then you would not need to report the breach.
When is it deemed that you have “become aware”?
Each situation is different and so needs to be evaluated on a case-by-case basis. Section II of the Article 29 Working Party’s guidelines provides some more information and insights as to when a Data Controller is classed as having “become aware”, which can provide a helpful guide.
In some scenarios, such as a Ransomware attack, it will be clear from the outset that data is most likely to have been compromised. However, if a member of staff left a laptop unlocked on a train or coffee shop whilst they popped to the toilet, and someone took the opportunity to gain access, it may take longer to identify if a breach has occurred and to what extent.
And in the above example, even if it cannot be confirmed that data has been compromised, it may still be necessary to notify the ICO of a breach due to the opportunity that situation provided and therefore the associated potential risks.
The emphasis, however, must be on ensuring prompt action, both in terms of investigations, resolution (if required) and introducing preventative measures to mitigate against future instances of the same type of breach.
There have already been a number of high profile data breaches this year. We could create a dedicated article on these alone, but here’s just a small selection of some of the most recent (at the time of writing):
- March 2023 - A Ransomware group called ALPHV claimed they had compromised Amazon’s Ring doorbell systems. At the time of writing, Amazon has denied the claim. However, as Ring has suffered data breaches in the past, and several other privacy issues have been raised (including staff abusing access permissions to watch customers’ video footage for fun), the claim adds further damage to the brand’s reputation
- February 2023 - Activision confirmed they suffered a major data breach with both sensitive and product-related employee information stolen as a result of a phishing attack
- January 2023 - JD Sports announced that the personal and financial information of around 10 million customers was potentially compromised in a cyber-attack. The incident is believed to have taken place between November 2019 and October 2020, which just goes to show how long compromised data can go undetected for
- January 2023 - Royal Mail blackmailed by Ransomware attackers who threaten to publish stolen data
- January 2023 - T-Mobile has been hacked, and not for the first time. This time, personal data for 37 million customers has been compromised, including names, addresses, emails, phone numbers and dates of birth
Prevention is better than cure
Make no mistake; the problems caused by a data breach can be significant. As the saying goes, there’s no point closing the stable door after the horse has bolted.
It’s vitally important that you take steps today to ensure you have suitable protection in place, and that you can demonstrate you have taken reasonable steps to identify, evaluate and mitigate potential risks.
At the end of this article we’ll highlight just a few of the steps you can take to minimise your risks. However, whilst you’re reading this why not pause for a moment and book a free, no obligation consultation. It only takes a second, and will be time extremely well spent!
As touched on above, in some instances this will be quickly and immediately apparent. For example, in a ransomware attack you typically won’t be able to access your systems and the hackers will provide you with information about what needs to be done to regain access to them. However, not all breaches are easy to detect.
Other potential indicators may be:
- Unusual traffic volumes or patterns in server or analytics data
- Suspicious network activity
- Suspicions as to data integrity - for example, perhaps you’ve noticed some data has become mixed up, or the volume of customer records has changed to an unexpected level
- The appearance of suspicious files which you don’t recognise
- Financial transactions or actions (such as logins) which you don’t recognise
- Login notifications for IP locations which you don’t recognise
- Slow PCs could be an indication that a virus or malware is consuming resources
- Repeated system crashes
- Odd user behaviour - such as user logins outside of normal working hours, or multiple logins from the same user account from different locations
- Logins from locations which are not usual for your staff (e.g from another country)
- Configuration changes which are not traceable (if your system supports such tracking)
- Unusual data in web service logs
- Problems logging into accounts
- Unexpected changes in webpage layouts - sometimes injected, unauthorised code can break website pages which make the intrusion more visible
- Your website begins to be associated with terms which make no sense for your business. This is often the case for sites hosted on platforms such as WordPress, where some hackers insert code promoting “Viagra” and similar pages in an attempt to boost their prominence within search engines
- Notifications from users or clients of odd messages or “spam”
- Alerts from dedicated cyber security software (this could range from antivirus software to enterprise-level cyber security monitoring suites)
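Several of the indicators above (out-of-hours logins, one account active from two locations at once, logins from countries your staff never use) can be checked mechanically against authentication logs. The following is an added example written for this article, not code from the original post; the event format, the working hours, the allowed-country list and the travel window are all assumptions, and the sample events are constructed.

```python
"""Detection logic for the login-based breach indicators listed above.

Added example, not part of the original article. The event format,
working hours, allowed countries and travel window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (timestamp, user, source_ip, country).
SAMPLE_EVENTS = [
    ("2023-03-06T09:12:00", "alice", "203.0.113.10", "GB"),
    ("2023-03-06T09:40:00", "bob",   "203.0.113.11", "GB"),
    ("2023-03-06T10:05:00", "alice", "198.51.100.7", "RO"),  # same user, second country within an hour
    ("2023-03-06T23:45:00", "carol", "203.0.113.12", "GB"),  # outside working hours
    ("2023-03-07T08:30:00", "dave",  "192.0.2.44",   "US"),  # country staff do not log in from
]

WORK_START, WORK_END = 7, 19        # assumed normal working hours (24h clock)
ALLOWED_COUNTRIES = {"GB"}          # assumed countries staff normally log in from
TRAVEL_WINDOW = timedelta(hours=2)  # same account in two countries inside this window is suspicious


def parse_event(event):
    ts, user, ip, country = event
    return datetime.fromisoformat(ts), user, ip, country


def detect_login_anomalies(events):
    """Return a list of (rule, user, detail) tuples, one per matched indicator."""
    alerts = []
    seen = defaultdict(list)  # user -> [(timestamp, country), ...] in time order
    for ts, user, ip, country in sorted(map(parse_event, events)):
        # Indicator: user login outside normal working hours
        if not (WORK_START <= ts.hour < WORK_END):
            alerts.append(("out_of_hours", user, f"{ts.isoformat()} from {ip}"))
        # Indicator: login from a location that is not usual for your staff
        if country not in ALLOWED_COUNTRIES:
            alerts.append(("unusual_country", user, f"{country} from {ip}"))
        # Indicator: same account active from different locations in a short window
        for prev_ts, prev_country in seen[user]:
            if prev_country != country and ts - prev_ts <= TRAVEL_WINDOW:
                alerts.append(("impossible_travel", user,
                               f"{prev_country} then {country} within {ts - prev_ts}"))
                break
        seen[user].append((ts, country))
    return alerts


if __name__ == "__main__":
    for alert in detect_login_anomalies(SAMPLE_EVENTS):
        print(alert)
```

Real deployments would feed this from your authentication logs and tune the thresholds to your staff's actual working patterns; the point is that these indicators are checkable every day rather than only after a breach is suspected.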
Your next steps will depend mainly on the severity and any potential impact of the breach and the steps below don’t necessarily need to be linear. You may need to assign different tasks to different teams in order to achieve the fastest, most efficient and/or most effective solution.
Hopefully you will already have a disaster recovery plan in place and so will already have a step-by-step sequence of events that need to happen for different scenarios.
However, in case you don’t (contact us if you need help with creating one!), the first step should always be to identify whether the breach is still active (e.g. if you think you may have been hacked, do hackers still have access to your systems?).
As a rough emergency checklist you should:
- Evaluate if the breach is still an active issue or threat. If so, steps must be taken to prevent any further unauthorised access to premises, systems or data before any remedial action can be taken.
- Next you need to evaluate the severity and impact of the breach. If it falls within the scope of a “notifiable breach” as defined above, then you must report this to the ICO as soon as possible and within 72 hours of becoming aware of it. Sometimes evaluating what data has been compromised can be tricky, so you may need to hire external support from expert forensic data investigators who are adept at identifying what data may have been compromised and what remedial action may be required. Has data been corrupted? If so, does it need to be restored from an earlier backup so that further issues don’t arise? For example, if legitimate data subject records have become corrupted and mixed up, this would result in a secondary data breach, because data subjects may be able to view data from a different data subject’s record in the database.
- In step 1, you will have focused on ceasing an active breach. Now, you’ll need to fully resolve any security weaknesses to minimise or eliminate future risks. In the case of a physical break-in, this might include changing your physical premises' security, installing lockable storage, or perhaps even moving client data from paper records to the cloud. Similarly, if you’ve suffered a cyber attack, you may need to ensure all system patches are up-to-date, that passwords have been changed, that better breach prevention, detection and alerting software is installed, and so on.
- Communication. Assuming it’s been a notifiable breach, you will need to communicate this with your data subjects. You may be able to do this via written communication alone such as email or a letter. However, for larger scale breaches you may also need to liaise with the media. Whichever level of communication, you should endeavour to be honest, clear and transparent with regards to:
  - What happened & when - including when you became aware of it and when you reported it to the relevant authorities such as the ICO
  - How it happened
  - What information, if any, has been compromised
  - What the potential consequences are for the data subject
  - What steps have been taken to minimise the impact, and prevent it from happening again in future
  - What actions the user may wish to take to protect their data further, such as changing passwords, etc.
To help minimise the impact on individuals, some organisations opt to offer a free credit monitoring service for a given period of time so that users can check for any potential identity theft issues as a result of the breach.
There’s actually no maximum timeframe. The legislation states that you must report a notifiable breach within 72 hours of becoming aware of it.
Therefore, even if you become aware of a breach 2 or 3 years after the event, if it’s classed as a notifiable breach you must notify the ICO.
The ICO has the power to issue fines of up to £17.5 million, or 4% of global turnover. However, in reality, these are reserved for cases where a breach has occurred due to negligence, inaction, or misuse of data.
Instead of resorting purely to fines, the ICO are proactively publishing reprimanded company names in a public list, which could result in damage to an organisation’s reputation.
The ICO have issued guidance on what businesses can do to minimise the risk of a fine so we would strongly recommend checking it out, and then following up with a chat with ourselves so we can help you ensure you’re compliant and can demonstrate you’ve taken the necessary steps to protect and handle your data appropriately.
The ICO will normally issue fines towards an organisation as opposed to an individual. Therefore, it will often be the organisation as the Data Controller or Data Processor that receives the fine as opposed to an individual such as the Data Protection Officer. However, in very specific circumstances the ICO may opt to issue a fine to an individual. These might include:
- Self employed individuals (Sole traders) where the company is effectively the same legal entity
- Where an investigation has been obstructed
- Where false information has been submitted, or evidence has been intentionally destroyed
- Accessing personal data without permission of the Data Controller
Potentially yes. GDPR provides data subjects with the right to request compensation from organisations if they have suffered “damage” as a result of breaking data protection laws (not just in case of a data breach). This can include “material damage” (e.g. you lost money directly as a result), or “non-material damage” (e.g. you suffered distress).
However, compensation is not awarded by the ICO. Individuals would need to request this from the organisation directly, and if not satisfied, they would need to take the organisation to court.
The onus is also on the data subject to prove where either material or non-material damage has occurred and the value of that. You can learn more about the process for claiming compensation on the ICO website.
As touched on earlier in this article, prevention is always better than cure, so how can you minimise the risks of a data breach in the first place?
A great place to start is by attending one of our “Managing Personal Data Breaches” training courses as we cover how to prepare for a data breach in step one.
There are too many possible scenarios to cover in this article and so the following touches on just a few key areas to help you understand the core concepts, but for more in-depth support please don’t hesitate to contact us.
Auditing and Evaluation
The first step is to evaluate your existing setup.
- Where are there weaknesses?
- Are your premises secure?
- Do old members of staff still have access to systems or door keys?
- Do you have a regular data backup schedule?
- Do you have sufficient cyber security software installed (not just antivirus) for monitoring, prevention and alerting of any potential risks?
- Do you have a regular security and risk management review? (both physical and digital)
- Do you have a disaster recovery plan?
We provide a range of services to help you with auditing and evaluating your data so that you can fully understand what data you have, where, how it’s being utilised and what potential risks may exist. Contact us to learn more about how we can help you.
A process alone doesn’t implement security. Your employees are actually one of the most important aspects of your data security considerations and yet too many companies either fail to provide any training for their employees, or fail to keep training up-to-date with the latest changes in legislation. This means preventable non-compliance or breaches occur when they could be easily avoided.
Thankfully at Databasix we make this aspect easy. We offer around 20 different training courses which can be tailored to your needs, ranging from our GDPR Training for Beginners, our GDPR Refresher Training Course, and our Cyber Security Awareness course, through to our more advanced training courses for Data Protection Officers.
Include timely reminders at potential risk areas or weak-points
In addition to training, it’s good to include reminders at potential weak-points in your system. For example you’ll probably have seen warning notifications in emails which say “This email contains links from an external party” or similar.
Similarly, for premises with physical security, you may have seen signs such as “Don’t let people tailgate” through access controlled systems such as security gates or security doors.
A sign reminding staff to challenge someone they don’t know is not only a helpful reminder, it can remove or reduce any conflict as the person asking can just refer to the sign which indicates they’re simply following the company rules.
Ensure you have a regular security review process
Most people will be familiar with the concept of ensuring cyber security software such as antivirus is up-to-date, but quite often this may not be automated, and so it’s important to ensure that all systems are checked regularly to make sure nothing has been disabled which could introduce a weak point. The same is true for other potential weaknesses such as patches which need to be applied. This should apply for mobile devices too as these are often subject to operating system or App updates to close potential security vulnerabilities. In fact, due to the increasing use of “Internet of Things” devices (WiFi heating, light controls, staff fridges, bots, automated vacuums, etc.), any potential route into your network should be regularly checked for any weaknesses.
But reviews should also go beyond just software considerations. Have any staff recently left? If so, did they have access to the office or systems? If so, did they hand back any keys, fobs, mobile devices, etc.? Has their access been removed from all systems? These things are often overlooked in many small businesses, especially where the employee left on happy terms, as there is less concern about any risk their departure may cause.
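The leaver check above is easy to automate once you have an HR leaver list and an export of active accounts from each system (email, CRM, door fobs, VPN and so on). The following is an added example for this article, not Databasix code; the record formats are assumptions and the leaver list and account exports are constructed.

```python
"""Leaver access review: find former staff who still hold access anywhere.

Added example, not from the original article. The HR leaver list, the
per-system account exports and their formats are all assumptions.
"""
from datetime import date

# Constructed HR leaver list: username -> last working day.
LEAVERS = {
    "jsmith": date(2023, 1, 31),
    "mpatel": date(2023, 2, 15),
    "rlee":   date(2023, 4, 30),   # future leaver, not yet due for removal
}

# Constructed exports of active accounts per system (keys, fobs and
# logins are all just "systems" here so one review covers them together).
ACTIVE_ACCOUNTS = {
    "email":     {"jsmith", "akhan", "mpatel", "rlee"},
    "crm":       {"akhan", "jsmith"},
    "door_fobs": {"mpatel", "akhan"},
    "vpn":       {"akhan", "rlee"},
}


def find_orphaned_access(leavers, active_accounts, today):
    """Return {user: {system: days_since_leaving}} for leavers still active.

    Only people whose leaving date has passed are reported; a future
    leaver still legitimately needs their accounts.
    """
    orphaned = {}
    for user, left_on in leavers.items():
        if left_on > today:
            continue
        lingering = {system for system, users in active_accounts.items() if user in users}
        if lingering:
            days = (today - left_on).days
            orphaned[user] = {system: days for system in sorted(lingering)}
    return orphaned


def worst_case_days(orphaned):
    """Longest time any leaver has retained access, for the review summary."""
    return max((d for systems in orphaned.values() for d in systems.values()), default=0)


if __name__ == "__main__":
    result = find_orphaned_access(LEAVERS, ACTIVE_ACCOUNTS, date(2023, 3, 1))
    for user, systems in result.items():
        print(user, systems)
    print("longest lingering access (days):", worst_case_days(result))
```

Run the same review on a schedule rather than only when someone leaves, since the cases that slip through are precisely the ones nobody raised a ticket for.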
Are you at risk of a data breach?
There is so much to consider that it would be impossible to cover everything in this article. Therefore, the best solution is to book a free 1-2-1 consultation with a member of our team so that we can identify what you may need help with and the best solution for your organisation.