If asked how likely it is that an organisation will be breached, it may not be unreasonable to reply along the lines of “it’s not so much if but when.”
And that is something the UK’s Information Commissioner’s Office (ICO) can certainly attest to, as it has become clear that it experienced its own breach in the last year.
The ICO, which itself is responsible for ensuring that British organisations and governmental departments keep private data secure, revealed the “non-trivial data security incident” in its 2013-2014 Annual Report:
“There has been one non-trivial data security incident. The incident was treated as a self-reported breach. It was investigated and treated no differently from similar incidents reported to us by others. We also conducted an internal investigation.
It was concluded that the likelihood of damage or distress to any affected data subjects was low and that it did not amount to a serious breach of the Data Protection Act. A full investigation was carried out with recommendations made and adopted. The internal investigation was also concluded.”
The Information Commissioner, Christopher Graham, was less than forthcoming with further details though, leaving a spokesman to say that a freedom of information request would need to be submitted.
Whether such a request would be fruitful is not known, but the response to a previous breach in 2011, which was described as “[having] no resulting adverse impact on, or damage to, individuals and the ICO is treating the matter no differently from similar incidents report[ed] by others”, gave very little further information away, as information governance manager Charlotte Powell wrote:
“We have decided that the public interest in withholding the information outweighs the public interest in disclosing it.”
Equally unknown is the monetary value of the fines, if any, the ICO may have levied upon itself in respect of the breach. The authority has the ability to issue fines of up to £500,000 for serious breaches of the Data Protection Act and the Electronic Communications Regulations.
The news coincides with a significant increase in workload for the ICO, which saw a near 10% rise in the number of complaints made last year. (As an aside, it is interesting to note that only one percent of those complaints were in regard to the currently hot topic of data retention.) That increase has led Graham to ask not only for more cash but also for more powers, in conjunction with greater guarantees of independence from the government.