Data breach figures may be four times higher than reported

Security experts warn that the number of data breaches and attacks in the Channel Islands could be four times higher than official figures suggest, due to a lack of reporting.

The Information Commissioner’s Office (ICO) revealed that Jersey reported 52 cases of data protection breaches, while Guernsey reported a further 43. However, according to Business Development and Technical Director of IT security firm Logicalis, Tom Bale, these figures may only be a quarter of the real sum as not all companies and organisations report breaches to the authorities.

No obligation to report breaches

Bale explains that current laws mean “there’s no obligation for organisations in the Channel Islands to report data breaches”.

It’s possible that many firms choose not to report data breaches and cyber-attacks as they may be worried about losing customer confidence. With reputations at stake, firms risk losing business and therefore losing money.

Further, a lot of companies reportedly “don’t even realise they have suffered a security breach until months after the incident”, continues Bale. Many companies reportedly neglect their data protection duties by not implementing security measures to detect attacks and breaches, meaning large volumes of data could be, or have been, exposed or stolen for many months without the company having any clue.

It’s not just the “big players” at risk…

Data breaches can happen to anyone. Continual coverage of huge data breaches, like the HBO and Sony hackings, may give the false perception that attackers only target huge companies who hold vast quantities of data. But this isn’t always the case, as smaller businesses can potentially be more susceptible to data breaches as they may lack the resources required to invest in decent cybersecurity.

These kinds of vulnerabilities can be identified and exploited by hackers.

Of course, data breaches are not just from hacks and other malicious attacks from third parties. A lot of data breaches occur due to human error; i.e. employee mistakes. Many a time have we seen poorly trained or careless employees accidentally send confidential information to someone other than the intended recipient. Mistakes like this can be commonplace but still need to be taken seriously. These kinds of preventable data breaches still carry very real consequences and can happen to any organisation in theory.

A cause for concern

The current laws coupled with less than adequate cybersecurity could infer that the real number of data breaches taking place is easily much higher than the figures reported. However, when new EU regulations for data protection come in force next year, firms may no longer get away with staying quiet in the wake of a breach. The EU General Data Protection Regulations are to be enforced starting in May 2018 and will require data attacks to be reported to relevant authorities within 72 hours of discovery.

Notably, both Jersey and Guernsey voted in favour of implementing the new EU laws.

The new GDPR could also provide authorities with wider powers when it comes to sanctioning organisations or individuals who flout their data protection duties. At the moment, the ICO has the power to issue a guilty party a penalty fine of up to £500,000, but the new GDPR is set to extend the ICO’s powers and issue fines of up to £20 million or 4% of the firm’s annual revenue, whichever is the larger.

Staying quiet after a data breach may soon become a thing of the past…

711 million email addresses reportedly compromised by a Spambot called Onliner

Uber reaches settlement over inadequate data protection for customers