Business owners often picture hackers launching full-scale attacks on payment datasets when they discuss data protection breaches. But a data protection breach also covers the failure to protect data adequately, not only a successful attack. As a result, data protection failures are more common than you might think.
Here are five examples of data protection breaches you might not realise are breaches at all:
1. Insecure passwords and password storage
Unfortunately, easy-to-guess passwords such as “123456” and “Password” are still all too common. Insecure passwords might appear to be a consumer problem, but the responsibility of secure passwords falls to you, the provider. Your platform should be built with checks to block users from creating simple passwords like these.
As the data controller and processor, you must also encrypt or store password data securely so that it cannot be read by anyone or, in some cases, only by those with the authority to access it.
Failing to encourage secure passwords or properly store password data is a data protection breach.
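The two checks this section asks for, a block on weak passwords at registration and secure storage of the password itself, can be shown in a few lines. The following is an added example written for this article, not code from the original page or from any product it mentions: it uses a small constructed blocklist (a real deployment would use a large breached-password list), rejects short, digit-only or single-character passwords, and stores only a salted scrypt hash from Python's standard library rather than the password or a reversible encryption of it.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional

# Constructed blocklist for this example; real systems use a large list of breached passwords.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "12345678"}

# scrypt cost parameters (2**14 with r=8 needs 16 MiB per hash, within hashlib's default limit).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def password_policy_findings(password: str, min_length: int = 12) -> List[str]:
    """Return the reasons a password is rejected; an empty list means it passes."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        findings.append("on the common-password blocklist")
    if re.fullmatch(r"[0-9]+", password):
        findings.append("digits only")
    if re.fullmatch(r"(.)\1*", password):
        findings.append("single repeated character")
    return findings


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted scrypt hash and pack it with its parameters for later verification."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def register(password: str) -> str:
    """Enforce the policy, then return the value that is safe to keep in the user table."""
    findings = password_policy_findings(password)
    if findings:
        raise ValueError("password rejected: " + "; ".join(findings))
    return hash_password(password)


if __name__ == "__main__":
    print(password_policy_findings("123456"))
    stored = register("correct horse battery staple")
    print(stored[:40] + "...", verify_password("correct horse battery staple", stored))
```

Only the packed hash string is written to the database; the plaintext password never needs to be recoverable, which is why a slow salted hash rather than encryption is the right tool here.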
2. Removable hard drives, thumb drives, and laptops
In a cloud-friendly world, we’d question the necessity of physical data stores in the first place. The Information Commissioner’s Office (ICO) fined Brighton and Sussex hospital £325,000 after someone stole physical hard drives and sold them on eBay. And they aren’t alone: 75% of data breaches are still non-cyber, according to the ICO.
If you have physical data storage assets, you must keep them behind multiple layers of defence, such as a locked room with CCTV inside an area that can only be entered with a key card.
Destroy storage devices as soon as they are no longer needed and start moving to cloud storage to avoid this type of untraceable data breach.
3. Accidental email leaks
An innocent mistake like sending an email with others cc’d to the wrong person can count as a data breach. It is even worse if the email includes a file containing personal data. A Scottish organisation was fined £10,000 for failing to Blind Carbon Copy (BCC) the contacts in an email to, and about, a vulnerable group of people.
Use software designed to limit mistakes such as missends, and train staff on how to use it properly.
Even if there was no malicious intent and only a small volume of data, accidentally revealing personal data to the wrong person is a severe breach.
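The kind of missend check described above can sit in front of the outgoing mail gateway. The following is an added example written for this article, not a product's code: it uses Python's standard email library, treats every address outside a given internal domain as external, warns when more than one external recipient is visible in To/Cc or when an attachment is going to an external recipient, and moves the external recipients to Bcc so that a group mailing cannot expose the list. The sample message and the domain example.org are constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses
from typing import List


def recipients(msg: EmailMessage, header: str) -> List[str]:
    """Return the bare addresses found in a header (empty list if the header is absent)."""
    return [addr for _, addr in getaddresses(msg.get_all(header, []))]


def split_recipients(msg: EmailMessage, internal_domain: str):
    """Split the visible (To/Cc) recipients into internal and external addresses."""
    visible = recipients(msg, "To") + recipients(msg, "Cc")
    suffix = "@" + internal_domain.lower()
    internal = [a for a in visible if a.lower().endswith(suffix)]
    external = [a for a in visible if not a.lower().endswith(suffix)]
    return internal, external


def missend_findings(msg: EmailMessage, internal_domain: str,
                     max_visible_external: int = 1) -> List[str]:
    """Return warnings a sender should see before the message leaves the organisation."""
    findings = []
    _, external = split_recipients(msg, internal_domain)
    if len(external) > max_visible_external:
        findings.append(f"{len(external)} external addresses visible in To/Cc; "
                        "use Bcc for group mailings")
    attachments = [part.get_filename() for part in msg.iter_attachments()]
    if attachments and external:
        findings.append(f"attachment(s) {attachments} addressed to external recipient(s) {external}")
    return findings


def move_external_to_bcc(msg: EmailMessage, internal_domain: str) -> EmailMessage:
    """Rewrite the headers so external recipients cannot see each other's addresses."""
    internal, external = split_recipients(msg, internal_domain)
    external += recipients(msg, "Bcc")  # keep anything already in Bcc
    for header in ("To", "Cc", "Bcc"):
        del msg[header]
    # With no internal recipient left, address the mail to the sender so To is not empty.
    msg["To"] = ", ".join(internal) if internal else str(msg["From"])
    if external:
        msg["Bcc"] = ", ".join(external)
    return msg


def build_sample() -> EmailMessage:
    """Constructed example: a support-group reminder with a CSV attached, sent to two clients."""
    msg = EmailMessage()
    msg["From"] = "care@example.org"
    msg["To"] = "alice@example.com, bob@example.net"
    msg["Cc"] = "team@example.org"
    msg["Subject"] = "Support group reminder"
    msg.set_content("Reminder about Thursday's meeting.")
    msg.add_attachment(b"name,phone\n", maintype="text", subtype="csv",
                       filename="attendees.csv")
    return msg


if __name__ == "__main__":
    sample = build_sample()
    for finding in missend_findings(sample, "example.org"):
        print("WARNING:", finding)
    fixed = move_external_to_bcc(sample, "example.org")
    print("To:", fixed["To"], "| Bcc:", fixed["Bcc"])
```

The attachment warning is deliberately separate from the recipient-count warning: a single external recipient receiving the wrong file is the other half of the mistake this section describes.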
4. Insecure data storage
Many companies still use spreadsheets as their CRM or to house sensitive data. These spreadsheets are often impossible to track and easy to lose on physical devices. They also make it easier for staff to leak customer data on purpose.
Use a secure system with traceable IDs so you can log actions such as exports, and catch and trace suspicious activity.
When it comes to your staff, don’t just look at their data protection credentials. Vet the integrity of the team members who will manage access to sensitive data, and lock down permissions. Police arrested a woman at Sage after she wrongfully accessed the sensitive data of 200-300 people by using an internal login.
Failing to track where your data sets are held and what exports have been made of them will likely result in a data protection breach when someone eventually passes the data on.
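Tracking exports only helps if someone looks at the trail, so here is an added example (written for this article, not taken from any CRM product) of the two detections that follow from this section: an export volume that exceeds a per-user threshold within a trailing window, and a login viewing customer records outside the set assigned to it. The audit-log format, the user names and the record assignments are all constructed for the example.

```python
import json
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed audit log, one JSON object per line, from a hypothetical CRM.
# Field names are assumptions for this example, not a real product's format.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:02:11", "user": "jdoe", "action": "view", "record_id": "C1001"}
{"ts": "2024-03-04T09:05:00", "user": "jdoe", "action": "export", "record_count": 20}
{"ts": "2024-03-04T09:40:00", "user": "jdoe", "action": "export", "record_count": 40}
{"ts": "2024-03-04T10:00:00", "user": "asmith", "action": "export", "record_count": 10}
{"ts": "2024-03-04T10:20:00", "user": "asmith", "action": "view", "record_id": "C1002"}
{"ts": "2024-03-04T11:15:00", "user": "jdoe", "action": "view", "record_id": "C2001"}
"""

# Constructed mapping of which customer records each staff login is supposed to handle.
ASSIGNMENTS: Dict[str, Set[str]] = {"jdoe": {"C1001", "C1003"}, "asmith": {"C1002"}}


def parse_events(text: str) -> List[dict]:
    """Parse the JSON-lines log and return events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def flag_bulk_exports(events: List[dict], max_records: int = 50,
                      window: timedelta = timedelta(hours=1)) -> List[Tuple[str, str, int]]:
    """Flag each export that takes a user's exported total above max_records within the window."""
    flagged = []
    exports = [e for e in events if e["action"] == "export"]
    for i, event in enumerate(exports):
        total = sum(prev["record_count"] for prev in exports[: i + 1]
                    if prev["user"] == event["user"] and event["ts"] - prev["ts"] <= window)
        if total > max_records:
            flagged.append((event["user"], event["ts"].isoformat(), total))
    return flagged


def flag_out_of_scope(events: List[dict],
                      assignments: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Flag record views by a login on records it has not been assigned."""
    return [(e["user"], e["ts"].isoformat(), e["record_id"])
            for e in events
            if e["action"] == "view"
            and e["record_id"] not in assignments.get(e["user"], set())]


if __name__ == "__main__":
    log = parse_events(SAMPLE_LOG)
    for user, ts, total in flag_bulk_exports(log):
        print(f"bulk export: {user} exported {total} records in the hour ending {ts}")
    for user, ts, record in flag_out_of_scope(log, ASSIGNMENTS):
        print(f"out of scope: {user} viewed {record} at {ts}")
```

The threshold and window are policy choices; what matters is that each export is attributed to a login and a record count, because without those two fields neither detection is possible.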
5. Not installing anti-malware software
Without anti-malware, viruses and ransomware can infiltrate your system through phishing emails and compromise your data protection.
Work with a security team to ensure your anti-malware software is appropriate for your digital ecosystem and receives regular updates.
As we’ve discussed, failing to protect your data is just as negligent and potentially devastating as the eventual breach. Therefore, failing to keep your defensive software up to date can be a data protection breach.
What can you do to avoid common data protection breaches?
We’ve covered how to avoid specific types of data breaches, but in general, there are three things you should do:
Train your staff on data protection
Teach your staff about the reality of data protection and how common breaches are. A “That will never happen to us” mentality is detrimental to your information security. Teach them about data and security hygiene and how to identify attacks such as phishing emails.
We offer cyber security awareness training at Cyber Crowd, including bespoke programs based on your unique technology stack and organisational structure.
Hire security experts for data breaches
Hire staff with proper training in data protection and in dealing with breaches, or outsource to fully accredited teams. A dedicated security team will ensure security standards won’t slip as your business grows.
Have a proper data breach process
Failing to respond to a breach correctly can do as much harm as, if not more than, the breach itself. The Health and Education sectors experience the highest number of breaches, and both deal with vulnerable populations.
For example, a customer may use the same password across multiple services. Even if you force a reset of their password, they must be told about the breach so they can change their passwords elsewhere.
Admitting a mistake is far more respectable than hiding it and doing more damage before eventually being traced and outed. Have a robust process to report a breach to the ICO and the affected parties within 72 hours.
Avoid falling into the trap of accidental data breaches with our cyber security awareness training scheme. Learn more and enquire about cyber security services and training here.