The UK Information Commissioner’s Office (“ICO”), the UK’s data protection regulator, has issued a reprimand following infringements of the UK General Data Protection Regulation (“GDPR”) to recruitment company Gap Personnel Holdings Limited (“Gap”). This followed threat actors gaining access to personal data on two separate occasions within a 12 month period.
The reprimand provides further guidance as to the ICO’s expectations on data controllers in the context of cyber incidents.
Background
The same threat actor accessed Gap’s IT systems in two separate incidents in March and August 2022.
Both incidents resulted in personal data - including names, addresses, email addresses, telephone numbers, dates of birth, bank account numbers and right to work information - being taken from a database within Gap’s IT system. At the time of the March incident, the affected database contained personal data for nearly 14,000 UK Data Subjects.
Gap were unable to determine the specific cause of either incident. They did, however, suggest that the threat actor likely performed an SQL injection attack, allowing the threat actor to view or modify a database, in both incidents. Gap also believe the threat actors leveraged an unsecure web-scripting file in at least the March attack.
Following the March incident, Gap kept the affected system live. They asserted that the vulnerability used by the threat actors to access the system was patched and tested on 26 April 2022.
ICO Findings
The ICO determined that Gap had weak IT security and a lack of appropriate logging and monitoring systems. This limited Gap’s ability to effectively detect and quickly respond to the security incidents.
Specifically, the ICO considered that Gap:
- Were not ensuring the ongoing confidentiality, integrity and resilience of their systems as per UK GDPR Article 32(1)(b); and
- Did not have the correct organisational measures in place to ensure a level of security appropriate to the risk as per Article 32(1). Nor did they conduct security testing as per Article 32(1)(d).
The following vulnerabilities, which are common across many organisations and were known to Gap prior to both incidents, were identified:
Whilst Gap did have an IT logging system in place at the time of both incidents, the ICO determined this was insufficient and analysis of the attack was therefore limited.
Gap had a limited ability to validate data inputted into their IT system. The ICO expect that a system capturing personal data should be able to validate input data, both to prevent attacks and to ensure the integrity of the data entered.
- Unsupported MySQL and PHP
At the time of both incidents, Gap were knowingly using out of date versions of MySQL (database management system) and PHP (web-scripting language). The latter was last updated in October 2019. The ICO considered this showed a lack of good practice around patch management and failing to secure personal data.
Following this, the ICO specifically identified that Gap were not conducting security testing and did not have any patching policy in place at the time of the incident.
Comment
The ICO have issued the reprimand following the identification of common IT weaknesses.
This is, therefore, a clear indication that the ICO expects organisations to be proactive about ensuring their IT systems and security are regularly reviewed and updated. This is not only to ensure compliance with the UK GDPR, but also to reduce the risk of a cyber security incident and associated data breach.
Following this, the National Cyber Security Centre (“NCSC”) advise that organisations should:
Details of the reprimand can be found on the ICO’s website: 20231018-redacted-reprimand.pdf (ico.org.uk)
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our Privacy Notice.