In December 2022, The Guardian newspaper was hit by a ransomware attack involving unauthorised third-party access to parts of its network, which resulted in staff members’ personal information being accessed. In January 2020, millions of Easyjet customers had their personal data stolen in what was described as a highly sophisticated cyber attack; at the time it was said to be one of the largest data leaks in the UK.
Many of the biggest companies experience data breaches, whether caused internally or by external cyber attacks. Organisations must take specific action if they find that their staff and customers have been put at risk as a result of a data leak.
What Is a Data Breach?
A data breach is where someone gains unauthorised access to another person’s personal information. This can be accidental, such as when an employee mistakenly sends an email to the wrong recipient, or it can be a deliberate attack by a malicious actor such as a criminal. A breach happens when personally identifiable information such as names, financial information, passport numbers, or addresses is accessed, unlawfully destroyed, or disclosed to the wrong person. The problem is that once personal information has been accessed, it can be stolen and used to commit further crimes such as credit card fraud.
Data breaches can take many forms, but some examples include the following:
- Hacking
- Insider threats
- Social engineering attacks like phishing scams
- Theft of physical devices that contain sensitive information
- Third-party breaches
What Steps Should a Company Take in Response to a Data Breach?
If an organisation discovers that a data breach has happened, it will need to take certain measures. The Information Commissioner’s Office (ICO) is the body in charge of enforcing data protection regulations in the UK. It has the power to issue fines to organisations that fail to comply with the UK General Data Protection Regulation (GDPR), and it sets out the following procedure to follow when a data breach occurs.
- Contain the Breach
When a company first realises or suspects that a data breach has occurred, it must try to contain the leak to prevent further harm. For instance, the company should work out what has happened to the personal data, whether it has been stolen or destroyed, and recover the data immediately where possible.
- Assess the Risks
A data breach can have all kinds of consequences, such as emotional distress, safeguarding issues, identity theft, or financial loss. The company must therefore evaluate the risks to its employees and customers, work out what harm may be caused to them, and determine what legal processes need to be followed in order to mitigate the risk and report it. At this stage the organisation may carry out a risk assessment to decide whether the breach is a genuine threat or merely an inconvenience to those affected.
- Report the Breach
If a company suffers a data breach that could potentially put people at risk, it is obliged to report the incident to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach.
Notification of the breach to the ICO should include details of the breach, its likely consequences, and the steps the company has taken to address the risk. If a company fails to report to the ICO within 72 hours of becoming aware of a breach, it must be able to justify the delay. Where a risk to individuals is unlikely, a company does not have to report the data breach to the ICO. However, whether or not a breach is reported to the ICO, a company must record all incidents and document everything it knows about the breach.
Where a data leak is considered high-risk, meaning the impact of the breach is serious and the likelihood of harm is high, the company must comply with the requirements of the General Data Protection Regulation (GDPR) by informing those affected without undue delay.
The ICO can issue fines to companies that fail to comply with the GDPR. For instance, British Airways was fined around £20 million for failing to protect the personal details of its customers. The fine may be a fixed sum based on the severity of the breach or a percentage of the company’s total revenue.