By Sofia Carroll, Information Governance Manager
The Electoral Commission announces that cyber attackers accessed the personal details of people registered to vote between 2014 and 2022. We look at what such a breach may mean for your organisation and what you can do to avoid and manage it.
This week we learned that cyber attackers accessed copies of the electoral registers the Electoral Commission holds. The incident took place in August 2021 and the organisation became aware of it in October 2022.[1]
What is a data breach?
This incident is a personal data breach because a third party had unauthorised access to personal data an organisation has. [2]
The hackers accessed the file sharing and email systems of the Commission, seeing names, addresses, emails, as well as copies of the electoral registers. These include the details of anyone in the UK and overseas who registered to vote between 2014 and 2022. This means that the people affected by the breach are likely to be in the millions.
What does my organisation need to do if we discover a breach?
- Ensure your staff can recognise a data breach and know how to start the reporting process.
- Create a process for managing, reporting and mitigating the risks of an incident.
- Document what has happened and keep making enquiries until you understand the full extent of the breach.
- If you are subject to the regulation of a few regulatory bodies, keep in mind you may need to make a few breach reports.
- Work with your Data Protection Officer; they are there to advise you and make situations like these manageable.
- Learn what the threshold for reporting to the Information Commissioner’s Office (ICO) and individuals is.
When does your organisation have to report a breach to the ICO?
The Electoral Commission has said they have not reported the breach to the ICO because their risk assessment has shown there is a low risk of threat to individuals.[3] Not all breaches are reportable, and it is up to the organisation to assess the risks and decide if they warrant a report.
There are different considerations when making this analysis. The risk to hard people’s fundamental rights and of fraud or identity theft are indicators that a report is likely to be required.
Naomi Korn Associates can help you complete this risk analysis so you meet your GDPR obligations.
How you manage the breach internally and how you communicate with the people affected, if you do, will also play a role in how the public perceives your response to it.
What does a breach mean for my organisation?
A personal data breach can be a setback in different ways.
- Loss of public trust in your organisation
- Brand or reputation damage
- Loss of business and competitive or commercial advantage
- Regulatory attention or investigation
- Negative press and media coverage
How can I decrease the risk of a breach?
Mistakes happen and no organisation is immune to a breach. The law does require you, as the organisation using personal data, to have a certain framework in place:[4]
- Appropriate security and organisational measures to protect the integrity and availability of the information you hold. Their exact shape and form depend on what the information is, your industry and what you use the data for.
- Limit access control, so only certain people can access certain information, based on their role.
- Secure your systems. This can include using state-of-the-art methods, with organisations often relying on encryption. This helps limit any data exposure hackers might have because they won’t be able to read the data they happen to access.
- Train your staff. This includes data protection but also investing in hiring suitably qualified professionals who can help you build a strong protection system for the data you hold.
What can you do as an affected individual?
- Keep an eye on your credit report for any unusual activity.
- Register with Cifas, the UK’s fraud prevention community.
- Consider tightening your social media privacy settings.
At Naomi Korn Associates we can help with managing data protection risks. We offer a range of data protection services to help organisations with their responsibilities so that they are managed legally, safely and strategically. We also provide downloadable resources, operational tools and templates, jargon-free advice, practical training and mentoring to ensure organisations comply with data protection on a day-to-day basis. For more information contact info@naomikorn.com.
[1] Public notification of cyber-attack on Electoral Commission systems | Electoral Commission accessed 9 August 2023
[2] GDPR
[3] Information about the cyber-attack | Electoral Commission accessed 9 August 2023
[4] UK GDPR, Article 32