This is the first in a series of articles focussing on cyber security and data breaches.
Cyber-attacks, in particular ransomware attacks, seem to be in the news constantly. In fact, the UK government’s Cyber Security Breaches Survey from 2022 found that 39% of UK businesses were subject to cyber-attacks in 2022, with 31% of businesses being subject to an attack at least once a week and over one-third of businesses experiencing at least one “negative impact” from an attack over the course of a year.
The latest high-profile incident is the cyber-attack on Zellis, one of the largest payroll software providers in the UK, which had the knock-on effect of impacting hundreds of organisations in the UK including British Airways, Boots and the BBC. This in turn has potentially exposed the personal data of tens of thousands of employees at these organisations, including ID, bank account details and national insurance information. Zellis has not confirmed how many individuals are affected, however.
The attack was caused by a weakness in the third-party MOVEit file transfer software which is used by Zellis. The vulnerability has been fixed by the supplier of the software but affected organisations are urgently investigating the extent of the potential data breaches. As it is a ransomware attack, the threat actors responsible – cl0p team – have threatened to publish the compromised data of individual organisations if they do not pay a ransom. In an unusual move, they have told organisations to contact them if they think they have been compromised, which suggests either that a significant amount of data has been compromised across multiple organisations or that little data has actually been compromised. Any firm that does not pay will also be named publicly by cl0p team.
Article 5(1)(f) of UK GDPR requires firms to process personal data in a manner that “ensures appropriate security”. Article 32 then requires firms to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. Healthcare providers hold the health data of their patients, which constitutes special category data. This data carries a higher risk if compromised and therefore requires higher levels of security before it can be processed (as set out in Article 9 UK GDPR).
The Zellis attack serves to highlight that data security is only as good as the weakest link in the supply chain. Firms that do not consider and assess security risks at all levels could therefore be in breach of their data protection obligations under Articles 5 and 32, and face fines from the ICO if a data breach or cyber-attack occurs.
Recently, for example, Interserve was fined £4.4m for failing to put in place appropriate security measures, a failure which enabled hackers to access the personal data of up to 113,000 employees.
One positive finding from the UK Government’s survey was that 82% of boards and senior management rate cyber security as a “very high” or “fairly high” priority. This is an increase on the findings from 2021.
However, only half of firms update the board on cyber security matters quarterly, and only just over half (54%) have acted in the last year to try to identify and monitor cyber security risks.
Of greater concern is that only 13% of businesses assessed risks posed by immediate suppliers, with cyber security not appearing to be a principal factor in the procurement process despite the clear risks this presents. The results are skewed slightly as the survey gives equal weight to responses from small businesses, but the need to ensure that there is adequate technical and organisational security in place for health providers, who hold special category data, cannot be overemphasised. Cyber-attacks are only getting more sophisticated, and risks need to be actively managed and continually assessed, particularly where special category data is being processed.
This is not to say that, in the case of Zellis, the MOVEit risk could have been identified, but it does highlight the risks that are posed by all steps of the supply chain. Any preventable failure in this regard could lead to being investigated and fined by the Information Commissioner’s Office.
Almost all the headlines relating to cyber security relate to cyber-attacks and ransomware, but an organisation’s obligations in the event of a data breach apply whether it was a one-off accidental breach or a sophisticated cyber-attack. Where personal data is compromised, a risk analysis must be carried out and, where appropriate, the ICO and affected data subjects should be notified. Where the breach can be rectified, steps should also be taken to do so.
To minimise the risk from cyber-attacks and data breaches, organisations should:
We will address responding to data breaches and cyber-attacks in further detail in our next article.
For advice on cyber security or data protection matters please contact Tom Llewellyn, Tom Phipps or Charlotte Kingman.