Lost devices containing sensitive data not being reported to ICO

Comparison of ICO and police figures suggests discrepancy, argues ViaSat UK

Share

Data breach figures published by the Information Commissioner's Office (ICO) underestimate the true scale of data loss in the UK, security firm ViaSat has reasoned after getting hold of the 2014 police figures that record the number of lost devices.

ViaSat’s research using a Freedom of Information (FoI) request to 18 UK police forces (i.e. fewer than half) uncovered 67,677 thefts were reported by businesses in the year to the end of February 2015 of which 13,079 were recorded as devices holding sensitive data.

Despite being an incomplete picture, this is still a far larger number than the 1,089 data breaches actually reported to the ICO over the same period, although some of those breaches would have been more serious than simply losing single devices.

ViaSat infers from this that the scale of breaches possibly breaking the Data Protection Act (DPA) is many times the picture being presented to and by the ICO.

“We must remember that 13,000 thefts is the bare minimum: considering that not all police forces could share this information, the real figure is likely to be many times greater. As a result, thousands of individuals’ private data could well be on borrowed time,” said ViaSat UK CEO, Chris McIntosh.

ICO-reported breaches were dominated by the healthcare sector (431), local government (129), education (86), followed by miscellaneous business (72) and solicitors (55).

This strongly implies that public sector bodies are reporting more often and reliably than private sector ones.

What the UK needs is a reformed ICO with bigger teeth and the ability to enforce encryption, argued McIntosh.

“It’s clear that this discrepancy isn’t due to the ICO but the framework it has to operate in,” he said.

“As it stands, the ICO simply doesn’t have the tools and powers it needs to ensure that either all threats are reported, or that risk is minimised.

“For instance, encrypting sensitive data is now a trivial matter in terms of both cost and complexity. If encryption of personal data was made mandatory, and enforced with spot checks and suitable punishments, then the public and the ICO could have much greater confidence that none of the 13,000-plus stolen devices represent a threat,” he said.

In fairness to the ICO, encryption is already the recommended minimum for data both at rest and in transit but the sheer scale of the security problem far exceeds its ability to police wrongdoing.

Previous FoI research by ViaSat in 2014 found that four out of ten devices reported lost or stolen in the UK in 2013 were in London.