ICO Report Identifies Eight Most Common Causes Of Data Breaches


ICO says the same mistakes are being made again and again

The Information Commissioner’s Office (ICO) has called on businesses and organisations to familiarise themselves with the best ways of protecting personal data and not fall prey to the most common causes of data breaches.

The watchdog has published a new report highlighting the most common security vulnerabilities behind data breaches, and says many of the most serious incidents could have been prevented had best practices been adopted.

Eight of the most common vulnerabilities discovered during the ICO’s investigations include a failure to keep software security up to date, a lack of protection from SQL injection, the use of unnecessary services and the poor decommissioning of old software and services.

ICO report

Other common causes include the unsafe storage of passwords, the failure to encrypt online communications, poorly designed networks processing data in inappropriate areas and the continued use of default credentials, including passwords.

The ICO says that many of the issues identified in the report should be common knowledge to IT professionals, but the fact that the same mistakes are being made suggests that not everyone responsible for ensuring personal data is secure is as familiar with them as they should be.

“In just the past couple of months we have already seen widespread concern over the expiry of support for Microsoft XP and the uncovering of the security flaw known as Heartbleed,” says Simon Rice, ICO group manager for technology. “While these security issues may seem complex, it is important that organisations of all sizes have a basic understanding of these types of threats and know what action they need to take to make sure their computer systems are keeping customers’ information secure.

“Our experience investigating data breaches on a daily basis shows that whilst some organisations are taking IT security seriously, too many are failing at the basics.”

Earlier this year, the ICO fined the British Pregnancy Advice Service (BPAS), a charity which helps women considering abortion, £200,000 after a data breach revealed the names of 10,000 users to a hacker in 2012. An investigation concluded that the charity failed to realise its own website was storing the names, addresses, dates of birth and telephone numbers of people who asked for a call back for advice on pregnancy issues.
