[BreachExchange] BBC lost phone numbers and bank account details in 169 data breaches over the past decade

Inga Goddijn inga at riskbasedsecurity.com
Wed Oct 26 19:19:08 EDT 2016


http://uk.businessinsider.com/bbc-data-breaches-2016-10?r=US&IR=T

Nearly 10,000 people have been hit by data breaches at the hands of the BBC
over the past nine years, according to data seen by Business Insider.

As part of the British broadcaster’s television licence collection
activities, it has lost audience information including partial bank account
details, mobile phone numbers, addresses, and signatures.

Collection of the £145.50 television licence fee is overseen by the BBC's
TV Licensing arm. The majority of its work is contracted out to services
firm Capita Business Services.

In total, 9,763 people have been affected by 169 data breaches since 2007,
according to a Freedom of Information Act (FOI) request.
<https://www.whatdotheyknow.com/request/350308/response/885168/attach/3/RFI20161480%20Response.pdf>

The BBC explained in the FOI response that it handles 25 million licence
fee accounts in the UK and takes data security "very seriously." It added:
"We have a comprehensive set of controls in place to protect it."

The breach that affected the highest number of people came in 2011 when one
incident involved 3,291 individuals. There was also a big breach last year,
when the details of 494 people were lost. The vast majority of these 494
people worked for Capita, which is responsible for licence fee collection
on behalf of the BBC’s TV Licensing arm.

Eleven cases were considered serious enough to report to the Information
Commissioner’s Office (ICO). One took place last year, when the first
line of a licence payer’s address was lost, while nine incidents pre-dated
2013.

There has also been a sharp increase in data breaches over the past three
years. Between 2007 and 2012 there were 12 breaches a year or less, but
this figure jumped to 22 in 2013 and 53 in 2014. There were 40 cases last
year, while there have been 21 cases from January to the start of August
this year.

In the FOI disclosure, the BBC said: "We do not believe the figures in the
disclosure log reflect a growing number of data breaches but rather
demonstrate the increasing vigilance of staff in identifying and reporting
data incidents."

The BBC added:

"TV Licensing has a comprehensive database of around 30 million domestic,
business and other addresses across the UK, with over 25 million TV
Licences in force. We ensure that staff access to the database and other
associated systems is only permitted if their job requires it.

"The different levels of access are monitored rigorously and staff members
receive mandatory data protection training, as well as regular briefings on
the importance of protecting personal data. Whilst we attempt to minimise
the number of data losses or breaches, with an operation of this scale,
data incidents do occur sometimes.

"Accordingly, we have a robust and well established process in place to
address such incidents, as and when they may arise. All incidents are
recorded and investigated, and appropriate action taken."

A spokeswoman for TV Licensing underlined the fact that only one data
breach has been reported to the ICO in the past three years. She added that
the "vast majority" of breaches "involve no sensitive personal data" and
were the fault of a "third party," such as the Royal Mail or the courts.

The ICO does not classify bank account details, mobile phone numbers,
addresses, and signatures as "personal data." Information it does classify
as personal includes:

   - Racial or ethnic origin
   - Political opinions
   - Religious beliefs
   - Trade union membership
   - Physical or mental wellbeing
   - Sexual preferences

The TV Licensing spokeswoman said: "We take our responsibilities under the
Data Protection Act very seriously and have robust processes in place to
take all necessary action when these incidents do occur."

She added: "The majority of breaches referred to in this FOI happened five
years ago or more. In the past three years, the majority of data incidents
(84%) have only involved one or two individuals. TV Licensing hashes out
all but the last four numbers of bank accounts so they cannot be
identified."