[BreachExchange] ICO data raises doubts over UK firms’ ability to manage breaches

Destry Winant destry at riskbasedsecurity.com
Mon Mar 11 10:26:47 EDT 2019


UK businesses routinely delayed data breach disclosure to the
Information Commissioner’s Office (ICO) in the year ahead of the full
implementation of the EU’s General Data Protection Regulation (GDPR) on
25 May 2018.

This was the main finding of a freedom of information (FoI) request
made by threat detection and response firm Redscan, covering 182 data
breach reports triaged by the Information Commissioner’s Office in the
financial year to April 2018.

Analysis of the data shows that, on average, it took companies 60 days
(two months) to identify they’d been a victim of a data breach, with
one business taking as long as 1,320 days (44 months).

Businesses waited three weeks on average after discovery to report a
breach to the ICO, while the worst offending organisation waited 142
days. The data showed that less than a quarter of businesses would be
compliant with current GDPR requirements, which demand that
organisations report a breach within 72 hours of discovery.

However, the data revealed that financial services and legal firms
were far better at identifying and reporting breaches than general
businesses, which is likely due to increased regulatory awareness and
the highly sensitive nature of data processed in these industries.

On average, financial services firms took 37 days to identify a
breach, legal firms took 25 days, while companies classified as
“general business” took 138 days. Financial services (16 days) and
legal firms (20 days) were also quicker to disclose breaches to the
ICO than general businesses (27 days).

“Data breaches are now an operational reality, but detection and
response continue to pose a massive challenge to businesses,” said
Mark Nicholls, director of cyber security at Redscan. “Most companies
don’t have the skills, technology or procedures in place to detect
breaches when they happen, nor report them in sufficient detail to the
ICO. This was a problem before the GDPR and is an even bigger problem
now reporting requirements are stricter.”

The data showed that 91% of reports to the ICO failed to include
important information such as the impact of the breach, recovery
process and dates. More than nine out of 10 companies (93%) did not
specify the impact of the breach, or did not know the impact at the
time it was reported, while 21% did not report a breach incident date
to the ICO, suggesting they either lacked awareness of or knowingly
withheld this important information. A further 25% also failed to
report a breach discovery date.

“The fact that so many businesses failed to provide critical details
in their initial reports to the ICO says a lot about their ability to
pinpoint when attacks occurred and promptly investigate the impact of
compromises,” said Nicholls.

“Without the appropriate controls and procedures in place, identifying
a breach can be like finding a needle in a haystack. Attacks are
getting more and more sophisticated and, in many cases, companies
don’t even know they’ve been hit.”

“In general, firms operating across the financial and legal sectors
are among those better prepared to manage data breaches. The fact that
even businesses in these high-value sectors were taking two to three
weeks to divulge incidents is a key reason why the reporting rules
have since been tightened.”

Hackers target businesses at the weekend

The FoI data also revealed hackers disproportionately targeted
businesses at the weekend, while many reports (48%) would be issued to
the ICO on a Thursday or Friday. Saturday was the most common day for
businesses to fall victim to a data breach, accounting for more than a
quarter of incidents.

“Detecting and responding to breaches is now a 24/7 effort,” said
Nicholls. “Many organisations lack the technology and expertise they
need, which is compounded by a global cyber security skills shortage.
Resources are stretched even further at weekends, when many IT teams
are off-duty – exactly why hackers chose to target businesses out of

“It’s also interesting to note that nearly half of reports to the ICO
were submitted on a Thursday or a Friday, good days to bury bad news.
This might be overly cynical, but I suspect that in many cases, breach
disclosure on these days may have been a deliberate tactic to minimise
negative publicity.”

Commenting on whether the full implementation of the GDPR has had a
positive effect on organisations’ ability to manage data breaches,
Nicholls said it would be optimistic to think that businesses were
better at preventing and detecting data breaches since the
introduction of the GDPR.

“Despite the prospect of a larger penalty, many are still struggling
to understand and implement the solutions they need to achieve
compliance,” he said.

An ICO spokesperson said that since the full implementation of the
GDPR on 25 May 2018, there have been more data breach reports because
the law requires it in high risk cases.

Noting that prior to this date only telecoms companies were required
by law to report data breaches, the spokesperson said the ICO has
since received more than 11,000 data breach reports.

“This is not just an administrative task. It speaks to accountability
– a cornerstone of the GDPR. Only by having strong data governance
will organisations be able to properly report the details of a breach
to us within 72 hours.

“Data breach reporting will encourage companies to invest in better
security and data governance,” the spokesperson said.
