Given the number of cyber-attacks currently taking place, it’s always interesting to see what triggers a regulator to take action. The ICO’s recent reprimand to My Media World Ltd t/a Brand New Tube (‘BNT’) illustrates that a lack of regular pen testing, and failure to have appropriate organisational measures in place (including contractual protections with its suppliers and records around the processing) can prompt action from the UK’s data regulator, even where the data involved is not particularly high risk.
The breach:
In August 2022 an unauthorised third party gained access to BNT’s systems and exfiltrated the personal data of 345,000 UK Data Subjects. The cause of the breach is slightly unclear, with BNT advising the ICO on separate occasions that a server misconfiguration and a DDoS attack were responsible for the access to their systems. Despite the fact that the impacted data was not particularly sensitive in nature (primarily names, email addresses and passwords), the ICO provisionally decided to reprimand BNT in respect of its alleged infringements of the following UK GDPR principles:
- Art 32(1): the duty to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. BNT failed to evidence how the personal data it processed was stored and protected. It could not provide evidence to show the technical security measures in place at the time of the incident, or even that it knew what those measures were. Instead it relied on the assurances of third parties and employees, without proof of any contracts or oversight. The ICO's reprimand discusses its checklist for organisations to consider when implementing their technical security strategy, which includes recommendations that organisations ensure their data processors also implement appropriate measures.
- Art 32(1)(d): which requires organisations to have a process for regularly testing, assessing and evaluating the effectiveness of those measures. BNT were unable to provide evidence that they were conducting regular pen testing or vulnerability scanning and, despite saying that a third party was responsible for this service, could not confirm when these tests were last conducted or what methodology was used. The reprimand points to the fact that NCSC guidance recommends monthly scanning, and provides guidance on the types of scans available.
Recommended action:
The ICO's reprimand makes three recommendations to BNT. They should:
- ensure they have appropriate contracts in place with third party providers which set out the roles and responsibilities of each party;
- keep accurate records of their processing activities and the security measures they are implementing; and
- carry out regular scans and testing, record their outcomes and address any issues promptly.
Despite there being no large fine to accompany the ICO's reprimand, our advice would (unsurprisingly) be for organisations to check that they are following these fairly basic recommendations. Ensure your supplier contracts and record keeping are up to scratch, and that you know what security measures you have in place (even where these are provided by a third party). For example, how regularly are your systems tested, what tests are used, and what happens to the results of those tests? There is a lot of information available to help ensure you get your security right; the reprimand cites both NCSC and ICO resources. A fourth recommendation would therefore be to familiarise yourself with the guidance available.