Category Archives: security

August 20, 2023 · 3:38 pm

PSNI data breaches and questions over ICO’s investigations retention policy

I’ve been running this blog for about 15 years now. I’m not a records manager, but I recognise that information has a lifecycle. Maybe I could weed some older posts, but the thing is, I occasionally find some of the old posts useful. For instance when news broke of recent nasty data breaches involving police forces (including the Police Service of Northern Ireland, or “PSNI”) and freedom of Information disclosures, I was able to point to a ten-year-old post on this blog which illustrated that concerns about such disclosures have been around for a long time.

So I was rather surprised to see the Information Commissioner’s Office (ICO) saying – in response to claims from two former anti-terrorist officers that the recent incidents were part of a pattern of serious mistakes, and that their information had previously been compromised (albeit not by PSNI itself) – that

Having checked with relevant teams, we do not appear to have record of an investigation regarding this data controller for the time frame noted. This may be due to our retention policy

The retention policy in question says (at page 28) that information in relation to regulatory investigations will normally be retain for five or six years, but that in civil enforcement cases where no action was taken information will be destroyed after two years.

There is nothing inherently “wrong” about this; unless there is a statutory requirement to retain information it will fall to each public body to determine what is an appropriate retention period. However, the ICO elsewhere emphasises the need to consider patterns in compliance. The regulatory action policy, for instance, says that an organisation’s “prior regulatory history” including the “pattern…of complaints” might be an aggravating factor when it comes to taking enforcement action, and that “as issues or patterns of issues escalate in frequency or severity then we will issue more significant powers in response”. But the retention policy means that, unless formal action has been taken against an organisation, such patterns might only be able to be taken into account when they involve incidents occurring within the previous two years. Is that sufficient or adequate?

I would suggest not. The policy’s version history illustrates that it is regularly reviewed (including an annual review). I would hope that the next review consider whether there is compelling evidence to suggest that retaining investigation information for longer than two years is warranted, especially in light of recent events.

SNP MP private email hack

UPDATE 13.02.23: it’s been drawn to my attention that Mr McDonald says that his private account is “not used for constituency or parliamentary business” END UPDATE

It was reported last week that the email account of Stewart McDonald, an SNP MP, had been compromised in what he described as a “sophisticated and targeted spear phishing hack”. The BBC appeared to agree with him, describing it as a “highly targeted and sophisticated attack”.

Maybe it was, although surely MPs are told to be wary of unexpected email attachments, and not to put enter system passwords when asked to in palpably suspicious circumstances (McDonald had attempted to open a document apparently sent by a member of his staff, with a military update on Ukraine, and clicking on it brought up a login page for the email account he was using).

But what I haven’t seen raised much in the media is the fact that the account which was compromised appears to have been McDonald’s private email account, and that the offending attachment was sent (or was spoofed to make it look like it was sent) from his staffer’s private email account. The reporting has referred to “personal” email account, from which it is reasonable to infer that these are not official accounts (such as McDonald’s one given on his parliamentary page).

Only last year the Information Commissioner presented a report to Parliament on the use of private communications channels in government. Although the report was prompted by concerns about the use of such private channels within the Department for Health and Social Care, it made clear that it had general application in relation to the “adopting [of] new ways of working without sufficient consideration of the risks and issues they may present for information management”. The report stresses throughout the importance of “maintaining the security of personal and official information” and the risks that private channels present to such security.

Did Mr McDonald and his staff read it? If not, this tweet he made only a couple of years ago is ironic, to say the least.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

OMG – OCG attacks HMRC

ICO declines to take action after 1000 HMRC customer records apparently altered in 2020 by Organised Crime Gang and used to make fraudulent claims

Rather hidden away on the Information Commissioner’s Office (ICO) website is information, disclosed under the Freedom of Information Act 2000 (FOIA), in relation to an ICO investigation of a security incident involving HMRC, and an organised crime gang (OCG).

It appears that, in June 2020, an OCG had used 193 genuine National Insurance Numbers (NINOs) which it had managed to “hijack” (it is not clear how) from external sources, and set up bogus Government Gateway (GG) accounts. This subsequently “enabled the OCG to carry out enrolments on the bogus GG accounts of genuine Self-Assessment customer Unique Tax References”, which in turn enabled the submission of fraudulent tax returns with the aim of the OCG being to make fraudulent expenses claims.

It was also discovered that details of 130 of the data subjects whose NINOs had been compromised were also used to “utilise” the DWP universal credit service.

HMRC did not become aware of this incident until 2 December 2020, and it notified the ICO (pursuant to its obligations under Article 33 GDPR) on 14 December 2020.

Details of the incident also appear to be contained in HMRC’s Annual Report for the period in question, where (at page 188) it refers to an incident involving 1023 people where “Personal information [was] used to make changes to customer records on HMRC systems without authorisation”.

There are many redactions in the information that the ICO has now published, but the headline point is that it did not view the incident as a serious enough infringement of HMRC’s obligations under GDPR so as to warrant a monetary penalty. The ICO noted that

…there is no indication that any of the originating personal data used to commit the fraud was obtained from HMRC.

However, it does appear that some people might have lost money, although this has since been repaid to them:

…any repayments due to genuine customers have been (or will be) made good…and therefore all the financial losses will be HMRC’s.

Also redacted are what would probably be details of systems changes that HMRC has taken or agreed to undertake as a result of the incident. These would, says the ICO

increase the protection applied to customer records and data and make stacks of this nature more difficult…

This wording suggests that the ICO felt that the level of protection had not been adequate, in line with HMRC’s security obligations under the GDPR. That being the case, the ICO must have decided that, in this instance, despite the infringement, it wasn’t necessary, or appropriate, to issue a fine or take other enforcement action.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Category Archives: security

PSNI data breaches and questions over ICO’s investigations retention policy

SNP MP private email hack

Blogroll

Recent Posts

Follow Blog via Email

RSS Links

Privacy Notice