Recent reports show that the BBC has allegedly breached the personal data of 10,000 of its customers over a period of almost a decade.
Over the 10-year period there were reportedly 169 data breaches, according to a Freedom of Information Act request. The personal information that seems to have been lost includes partial bank details, mobile numbers, addresses, and signatures through TV licensing fee accounts.
All very worrying…
This kind of data mishandling could be enough for cyber-criminals to sell and profit from breached personal information. A ‘dark web’ exists for the sale of leaked or stolen data, so it’s crucial that personal information is kept safe and secure.
The BBC say that data security is taken “very seriously” by them, and that there is a “comprehensive set of controls in place to protect it”. This may be hard to believe for the 10,000 customers whose data has been mishandled though, especially when it’s over the course of 169 breaches as well.
Contracted services – more risk?
A possible reason for the breaches could be that, as a big broadcasting company, the BBC seems to struggle to manage its workloads, meaning it often has to contract services out to external companies. For example, the collection of the £145.50 TV licence fee is contracted out to Capita Business Services. Just last year, some 494 individuals lost data in a breach reportedly caused by a Capita employee, so you can see how things can get out of hand and become difficult to manage. The fact that big organisations like the BBC require help from contracted businesses should not diminish their responsibility for, or the quality of, maintaining a safe and secure network for holding personal data.
Serious cases
According to reports, 11 cases were “serious enough” to be reported to the Information Commissioner’s Office. Of the 11, one took place last year, where a customer’s address was lost.
Data Protection Act
The Data Protection Act provides that organisations are responsible for holding their customers’ personal details securely. There are eight data protection principles in place that organisations must adhere to. The seventh principle stands out the most: organisations should have technical measures in place to protect data from “unauthorised or unlawful processing…and accidental loss or destruction of, or damage to, personal data”. So, in principle, if organisations do not have enough security to protect against the loss of or damage to personal data, they could be held liable.
Statistics over the decade
The BBC notes that there has been a steady increase in data breaches year on year. Between 2007 and 2012 there were around 12 breaches per year. In 2013, there were 22, and in 2014 there were 53.
In reality, there may be more data breaches, but employees may not report them for all sorts of reasons. This can be seen from the number of BBC customers: around 30 million domestic and business customers hold a TV licensing account.
An organisation’s responsibility
Although the reported number of breaches and affected customers may seem small, that does not change the nature of the breaches, which involve personal data. Organisations like the BBC should have robust and systematic procedures in place to minimise the risk of data breaches at all times.