This week, the Norfolk and Suffolk police leaked personal data, blaming a technical issue that followed a Freedom of Information request. Earlier this month, two serious breaches were reported with radically different public disclosure strategies.
The PSNI disclosed their breach to the public almost immediately, while the Electoral Commission breach took 10 months to surface. Organisations are not required to go public when they experience a data breach, but there are benefits and drawbacks to both approaches.
Electoral Commission Data Breach
The Electoral Commission (EC) has revealed that a hostile cyber-attack gained access to the data of 40 million voters and went unnoticed for a year. Despite the discovery of the attack in October 2022, it was not made public until August 2023.
There have been hints that much of the data is already in the public domain, a point that tends to be used to play down the attack’s full scope. The breach did, however, give “hostile actors” access to the names and addresses of all 40 million voters registered between 2014 and 2022, with that access dating back as far as August 2021. The attackers also had access to the commission’s email system during the intrusion.
No attacker has yet claimed responsibility. The attack’s indicators closely resemble those of Russian threat actors such as Fancy Bear, who work to undermine, stifle, and weaken Western democracies. When it discovered the breach, the EC notified the Information Commissioner’s Office (ICO) and the National Crime Agency within 72 hours, in line with its legal and regulatory requirements.
Fancy Bear (also known as APT28) has a profile that closely aligns with the strategic interests of the Russian government, with indications of affiliation to the Main Intelligence Department (GRU).
PSNI Data Leak
Every serving PSNI officer and member of police staff has had their identity leaked. The data revealed ranks, places of employment and the units they work in – including sensitive areas such as intelligence. The information was unintentionally posted on the public What Do They Know FOI directory for almost three hours before its removal. The FOI request asked for the overall number of officers and staff across the entire organisation, and the response mistakenly included the underlying source data from which those totals were derived.
After making the first breach public, the PSNI disclosed a second incident dating from July of this year. It was alleged that police-issued documents, a radio and a laptop were stolen from a private car in the Newtownabbey area of County Antrim.
The PSNI has stated that it has set up an emergency threat assessment group and is treating the publication of the data in the initial breach as a major incident.
Considerations on Public Disclosure
Although notifying the authorities and the affected individuals is mandated by law, notifying the general public of a data breach is not necessarily required. There are, however, several factors an organisation should weigh before deciding whether or not to disclose a breach publicly. Some considerations include:
- Severity of the Breach: Is there a threat to individuals’ rights and freedoms? Breaches involving sensitive personal information, financial data, or large amounts of data are more likely to warrant public disclosure.
- Legal Requirements: for example, obligations under the GDPR or the Data Protection Act (DPA).
- Reputational Impact: Maintaining trust and transparency – showing a commitment to protecting customer and stakeholder interests.
- Notification Fatigue: Particularly relevant if the organisation experiences multiple breaches within a short period.
- Industry Standards: consider what peers in the industry are doing and whether not disclosing a breach might stand out negatively.
The attack on the Electoral Commission has damaged the organisation’s reputation as well as the public’s confidence in the democratic process. This damage could have been mitigated or even avoided had the Electoral Commission disclosed the breach earlier. That said, if this was a hostile state attack on the democratic process, the resulting loss of confidence may itself have served the attackers’ original objectives.
In contrast, the PSNI made their data leak public considerably earlier, allowing the police to take any necessary precautions. The PSNI breach poses the greater immediate threat to individuals. However, the underlying values of openness and transparency maintain more trust than if the breach had been concealed and discovered later.
Should your organisation go public with a data breach?
The decision of whether to disclose a data breach to the public is complicated. It depends on the circumstances, the organisation’s principles, its legal requirements, and the potential effects on the organisation and its stakeholders. There may be no single answer that works for everyone, but transparency and a commitment to protecting personal information should always be top priorities. Working with cybersecurity experts and legal advisors makes it easier to navigate the complex aftermath of a breach while taking steps to prevent future incidents.