You are here

ICO reveals eight of the most common data security breaches

Penalties totalling nearly £1m issued for failure to adopt standard industry practices

12 May 2014

Add comment

By Manju Manglani, Editor (@ManjuManglani)

The UK Information Commissioner's Office (ICO) has today released details of the eight most common data security vulnerabilities uncovered during its investigations.

Many of these incidents led to serious security breaches, resulting in the ICO issuing monetary penalties totalling almost £1 million.

It noted that the breaches could have been avoided if organisations had adopted standard industry practices, such as keeping software security up to date.

"Our experiences investigating data breaches on a daily basis shows that whilst some organisations are taking IT security seriously, too many are failing at the basics," said Simon Rice, the ICO's group manager for technology.

The top eight computer security vulnerabilities highlighted by the ICO are:

  1. failure to keep software security up to date;

  2. lack of protection from SQL injection;

  3. use of unnecessary services;

  4. poor decommissioning of old software and services;

  5. insecure storage of passwords;

  6. failure to encrypt online communications;

  7. poorly designed networks processing data in inappropriate areas; and

  8. continued use of default credentials, including passwords.

"In just the past couple of months we have already seen widespread concern over the expiry of support for Microsoft XP and the uncovering of the security flaw known as Heartbleed," commented Rice.

"While these security issues may seem complex, it is important that organisations of all sizes have a basic understanding of these types of threats and know what action they need to take to make sure their computer systems are keeping customers' information secure."

The ICO has issued monetary penalties totalling up to £1m for organisational breaches of The Data Protection Act 1998.

These include a £200,000 penalty issued to the British Pregnancy Advice Service after details of service users were compromised due to the insecure collection and storage of the information on its website.

A £250,000 fine was also issued to Sony Computer Entertainment Europe after the company failed to keep its software up to date, leading to the details of millions of customers being compromised during a targeted attack.

Further details can be found in the ICO's report Protecting personal data in online services: learning from the mistakes of others.



Categorised in:

Risk & Compliance Technology