Data Protection as a Service March 2024 Newsletter
From Cyber Security Partners, Your Trusted Security Partner
Newsletter Highlights
• Manchester United Wage Slip Breach
• INC Ransom claims responsibility for Leicester City Council incident
• ICO issues new fining guidance
Manchester United Wage Slip Breach
Manchester Evening News | John Scheerhout
Manchester United is facing a £100,000 damages claim after accidentally emailing staff the wage slips of 167 colleagues. Names, National Insurance numbers, wages, taxes paid and pension benefits were shared among a group of casual catering staff.
The club’s managers ‘regret’ the incident, which occurred in 2018 and was reported to the ICO, and say that processes have changed to ensure the blunder is not repeated.
"As far as I'm concerned, this is a clear and serious breach of data protection laws and ultimately Manchester United's owners need to accept responsibility for what's happened and resolve it as quickly as possible and pay the claimants the damages they deserve," said Jonathan Whittle, a senior manager and chartered legal executive at Your Lawyers, who is representing 32 of the workers.
CSP’s advice:
To prevent this happening to your organisation, here is our advice:
• Develop comprehensive data protection policies that clearly set out procedures for handling and sharing sensitive information. Make sure your employees are aware of these policies and provide regular training to reinforce best practice.
• Regularly review and update data handling processes to minimise the risk of accidental disclosure. Implement measures such as double-checking recipient lists and using secure file-sharing platforms.
• Restrict access to sensitive data to those who are authorised and have a genuine need for it. Implement strong access controls such as role-based permissions and two-factor authentication.
Cyber Security Partners’ DPaaS Information Handling Training can provide this training to your users on either a scheduled or ad-hoc basis.
INC Ransom claims responsibility for Leicester City Council incident
The Register | Connor Jones
A post on INC Ransom’s leak blog named Leicester City Council as a victim of the ransomware group and claimed that the attackers had stolen 3TB of council data; the post was deleted soon after going live. This is known as “flashing” and is often used to try to get a response out of leadership teams that have gone silent during the ransom negotiation phase.
The Council’s most recent incident update came on March 28th. Based on how its recovery efforts are going, it is likely that no ransom was paid and that the flashing was a last attempt to extort the council.
Nearly a month after the council’s system shutdown on March 7th, most systems and service portals are reported to be back online: residents’ online services for waste and recycling, schooling, birth registrations, social housing, planning and parking have been restored; council-run recreation centres are open as usual; and computer and wifi services at public libraries have also been brought back online. Council staff have regained access to email and phone lines too.
Citing ongoing criminal investigations, the council still declines to comment on whether any data was compromised during the episode.
CSP’s advice:
Here is some advice to prevent this happening to your organisation:
• Ensure that comprehensive cybersecurity measures are in place, such as firewalls, intrusion detection systems and antivirus software, and that regular system updates are rolled out.
• Regularly assess your security posture through penetration testing, vulnerability scanning and risk assessments, and address any vulnerabilities or weaknesses promptly.
• Implement a data backup strategy that includes regular backups of critical systems and data. Make sure backups are stored securely, and regularly test the restoration process to verify their integrity.
ICO issues new fining guidance
The ICO has published new data protection fining guidance setting out how it decides to issue penalties and calculate fines. The guidance provides greater transparency for organisations about how the ICO uses its power to issue fines.
The new guidance replaces the sections about penalty notices in the ICO Regulatory Action Policy published in November 2018. Among other things, the guidance explains:
• the legal framework that gives the ICO the power to impose fines, helping people more easily navigate the complexity of the legislation;
• how the ICO will approach key questions, such as identifying the wider ‘undertaking’ or economic entity of which the controller or processor forms a part; and
• the methodology the ICO will use to calculate the appropriate amount of the fine.
Tim Capel, ICO Director of Legal Service, said:
“We believe the guidance will provide certainty and clarity for organisations. It shows how we reach one of our most important decisions as a regulator by explaining when, how and why we would issue a fine for a breach of the UK General Data Protection Regulation or Data Protection Act 2018.”
For help implementing data protection services, contact us via:
info@csp.partners
0113 532 3763
Cyber Security Partners Ltd, Yorkshire House, Greek Street, LS1 5SH | www.csp.partners