There have been several recent ICO reprimands issued in relation to security failings, and they share some common themes.
In the case of GRS (Roadstone) Limited (GRS), a threat actor exfiltrated a large amount of personal data, some of which was special category and other sensitive data. Systems were accessed via a remote desktop service operated by a GRS subsidiary with weaker security measures. Once inside the network, the threat actor was able to deploy ransomware and stage exfiltration of data.
At the time of the incident, some areas of the organisation used a virtual private network and multi-factor authentication (MFA). The remote desktop solution which led to the incident did not have MFA implemented. ICO ransomware and data protection compliance guidance specifically states: “You should not use single factor authentication on internet facing services, such as remote access, if it can lead to access to personal data. Use MFA, or other comparably secure access controls”. Additionally, GRS did not conduct security tests and so was unaware of the vulnerability, which had existed for some time and was reportedly easy to fix.
In the case of Finham Park Multi Academy Trust (Finham Park) an unauthorised third party utilised compromised credentials to access and encrypt Finham Park’s systems.
The ICO found that Finham Park did not have an adequate account lockout policy in place. It also had reversible password encryption enabled. The ICO considered that had these issues been addressed, it could have significantly reduced the likelihood of a successful attack. The ICO also stated that Finham Park did not have MFA in place and did not ensure that its employees had sufficient knowledge and understanding around the re-use of passwords.
In the case of Optionis Group Limited, the ICO also referenced the lack of MFA and appropriate account lockout as well as not having a Bring Your Own Device policy.
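Two of the findings above (no adequate account lockout policy, reversible password encryption enabled) are settings an Active Directory administrator can read directly from the domain. The following is an added example, not code from the article or from any of the organisations named in the reprimands; it assumes a Windows domain, the RSAT ActiveDirectory PowerShell module, and an account permitted to read the default domain password policy and user objects. It is read-only and reports rather than changes anything.

```powershell
# Added example: report the domain settings the ICO reprimands single out.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy
$findings = @()

# Account lockout: a LockoutThreshold of 0 means accounts never lock out,
# so credential-guessing against them is not rate-limited by the domain.
if ($policy.LockoutThreshold -eq 0) {
    $findings += "Account lockout is disabled (LockoutThreshold = 0)."
} else {
    $findings += ("Lockout after {0} failed attempts; duration {1}; window {2}." -f
        $policy.LockoutThreshold, $policy.LockoutDuration, $policy.LockoutObservationWindow)
}

# Reversible encryption at the domain policy level: passwords are stored in a
# form that can be recovered in clear text by anyone who obtains the store.
if ($policy.ReversibleEncryptionEnabled) {
    $findings += "Reversible password encryption is enabled in the default domain policy."
}

# The same flag can also be set per account (userAccountControl bit 0x80,
# ENCRYPTED_TEXT_PWD_ALLOWED). The LDAP matching rule below does a bitwise AND.
$reversibleUsers = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)'
if ($reversibleUsers) {
    $names = ($reversibleUsers | Select-Object -ExpandProperty SamAccountName) -join ', '
    $findings += "Accounts with reversible password encryption set individually: $names"
}

$findings
```

Run it from a domain-joined host; the output is a short list of findings suitable for attaching to a security review. A lockout threshold above zero and no reversible-encryption hits addresses the two policy points the ICO raised, while MFA on remote access services has to be verified on the remote access gateway itself rather than from the domain policy.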
A cyber-attack can have devastating consequences for an organisation and so ensuring the security measures you have in place are appropriate is essential in terms of reducing the chances of an incident occurring and the likelihood of a fine/reprimand from a regulator.
Links to the reprimands can be found here.