Peter A Clarke

The raison d’etre of password manager companies is to protect and manage customers’ passwords for the plethora of passwords that they must use for their work, play or just personal use. Those companies must store customer passwords/logins in their data bases. Of course it would be disastrous if those companies suffered a data breach and even more damaging if personal details of their customers were stolen. Which is exactly what happened to LasstPass in the UK. The UK Information Commissioner found that LastPass suffered a data breach which resulted in personal information of 1.6 million individuals being compromised. As the media makes clear, the hacker was very thorough in testing the weaknesses in LastPass’s defences.

They first accessed an employee’s corporate lap top to gain encrypted company credentials then targeted another employee who had access to decryption key by way of a known vulnerability in a third party streaming service.  That gave the hackers access to the LastPass vaults which were only protected by a single master password.  That gave them access to the access key to the Amazon Web Service which, combined with other stolen information enabled hackers to extract personal information on the backup database.

As if it need be said, proper defences should not be focused on a perimeter protection.  Comprehensive protection throughout the organisation is necessary.  That means protection at all levels and any point of contact with the internet.

The media release provides:

• • Service which promises to help people improve their security, has failed them, leaving them vulnerable 
  • Combination of two isolated incidents enabled hacker to steal personal information relating to 1.6m customer 
  • ‘Zero knowledge’ encryption system ensures customer passwords and vaults are not decrypted   

We have fined password manager provider LastPass UK Ltd £1.2 million following a 2022 data breach that compromised the personal information of up to 1.6 million of its UK users. 

We found that LastPass failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database. There is no evidence that hackers were able to unencrypt customer passwords as these are stored locally on customer devices and not by LastPass. 

The incidents occurred in August 2022 when a hacker gained access first to a corporate laptop of an employee based in Europe and then to a US-based employee’s personal laptop on which the hacker implanted malware and then was able to capture the employee’s master password. The combined detail from both incidents enabled the hacker to access LastPass’ backup database and take personal information which included customer names, emails, phone numbers, and stored website URLs. 

John Edwards, UK Information Commissioner, said: 

“Password managers are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced. 

“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today. 

“I call on all UK business to take note of the outcome of this investigation and urgently review their own systems and procedures to make sure, as best as possible, that they are not leaving their customers and themselves exposed to similar risks”. 

Details of the two incidents 

Incident one

Incident two

Read the rest of this entry »

Accidental, usually negligent, publication of documents containing the personal information of multiple people is a public service specialty and common enough to be almost passe. But it is almost always serious. And so it was when the communications team of the Post Office published an unredacted version of a legal settlement document which set out the personal information of 502 former postmasters who had sued the Post Office for its egregious use of Horizon IT to make allegations against them.

Having proper protocols for publishing documents on line is vitally important.  Most additions to web sites are non controversial and pose no privacy risks because the information does not identify individuals and is generally about the organisation.  But organisations create or hold documents which do contain personal information and with most documents stored in digital form they can be passed across to a whole range of people in an organisation. Here it was the communications team, who are culturally and technically as far away from dealing with sensitive information as one can get.  They specialise in spinning and putting out press releases.  Not analysing legal documents.  The ICO sets out matters that an organisation should consider in the handling of information.

The media release provides:

The Information Commissioner’s Office (ICO) has issued a reprimand to Post Office Limited following a data breach that resulted in the unauthorised disclosure of personal information belonging to hundreds of postmasters involved in the Horizon IT scandal.  

The breach occurred when the Post Office’s communications team mistakenly published an unredacted version of a legal settlement document on its corporate website. The document contained the names, home addresses and postmaster status of 502 people who were part of a group litigation against the organisation. It remained publicly accessible from 25 April to 19 June 2024, before being removed following notification from an external law firm.

When investigating the circumstances of this data breach, the ICO found that the Post Office failed to implement appropriate technical and organisational measures to protect people’s information. We found there to be a lack of documented policies or quality assurance processes for publishing documents on the corporate website, as well as insufficient staff training, with no specific guidance on information sensitivity or publishing practices. Read the rest of this entry »

The UK Information Commissioner has responded to the growing concern about the development and use of AI and biometrics and its impact on privacy. He has released an AI and biometrics strategy.

The strategy, Read the rest of this entry »

Since the Genomic testing company 23andMe filed for bankruptcy (and even before then) it has been consistently in the news. There was profound concern about genetic data of millions of people being potentially sold to third parties in any liquidation. The initial calls for customers to retrieve their data escalated to litigation against 23andMe. As it turned out the co founder and former CEO has purchased nearly all of the company assets for $305 million through a non profit TTAM Research Institute. The problems with 23andMe predate its financial woes. The UK Information Commissioner’s Office has recently issued a fine of $305 million pounds against the company for filing to implement appropriate security measures following a cyber attack in 2023. The ICO and the Canadian Privacy Commissioner undertook a combined investigation into 23andMe’s systems.  

The media release provides:

We have fined genetic testing company 23andMe £2.31 million for failing to implement appropriate security measures to protect the personal information of UK users, following a large-scale cyber attack in 2023.

The penalty follows a joint investigation conducted by the ICO and the Office of the Privacy Commissioner of Canada.

What happened

Between April and September 2023, a hacker carried out a credential stuffing attack on 23andMe’s platform, exploiting reused login credentials that were stolen from previous unrelated data breaches.

This resulted in the unauthorised access to personal information belonging to 155,592 UK residents, potentially revealing names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports. The type and amount of personal information accessed varied depending on the information included in a customer’s account.

Our investigation found that 23andMe did not have additional verification steps for users to access and download their raw genetic data.

John Edwards, UK Information Commissioner, said:

“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK. As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.

“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.

“We carried out this investigation in collaboration with our Canadian counterparts, and it highlights the power of international cooperation in holding global companies to account. Data protection doesn’t stop at borders, and neither do we when it comes to protecting the rights of UK residents.”

Philippe Dufresne, Privacy Commissioner of Canada, said:

“Strong data protection must be a priority for organisations, especially those that are holding sensitive personal information. With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organisation that is not taking steps to prioritise data protection and address these threats is increasingly vulnerable.

“Joint investigations like this one demonstrate how regulatory collaboration can more effectively address issues of global significance. By leveraging our combined powers, resources, and expertise, we are able to maximise our impact and better protect and promote the fundamental right to privacy of individuals across jurisdictions.”

Summary of the contraventions

The joint investigation into 23andMe revealed serious security failings at the time of the 2023 data breach. The company breached UK data protection law by failing to implement appropriate authentication and verification measures, such as mandatory multi-factor authentication, secure password protocols, or unpredictable usernames. It also failed to implement appropriate controls over access to raw genetic data and did not have effective systems in place to monitor, detect, or respond to cyber threats targeting its customers’ sensitive information.

23andMe’s response to the unfolding incident was inadequate. The hacker began their credential stuffing attack in April 2023, before carrying out their first period of intense credential stuffing activity in May 2023. In August 2023, a claim of data theft affecting over 10 million users was dismissed as a hoax, despite 23andMe having conducted isolated investigations into unauthorised activity on its platform in July 2023. Another wave of credential stuffing followed in September 2023, but the company did not start a full investigation until October 2023, when a 23andMe employee discovered that the stolen data had been advertised for sale on Reddit. Only then did 23andMe confirm that a breach had occurred.

By the end of 2024, the security improvements made by 23andMe were sufficient to bring an end to the breaches identified in our provisional decision.

You can read the full details of the incident in our monetary penalty notice.

Impact on consumers

The combination of personal information that could be found in 23andMe accounts, such as post codes, race, ethnic origin, familial connections, and health data could potentially be exploited by malicious actors for financial gain, surveillance or discrimination. The ICO received 12 complaints from consumers. Some of the people affected by the breach told us the following:

“I expected rigorous privacy controls to be in place due to the nature of the information collected. Unlike usernames, passwords and e-mail addresses, you can’t change your genetic makeup when a data breach occurs.”

“Disgusted that my DNA data could be out there in the wild and been exposed to bad actors. Extremely anxious about what this could mean to my personal, financial and family safety in the future. Anxious about my 23andme connections, who may have been impacted and what this may mean further down the line for me.”

Legal requirements and our guidance

The law requires organisations to take proactive steps to protect themselves against cyber attacks. Our guidance recommends using two-factor or multi-factor authentication wherever possible, particularly when sensitive personal information is being collected or processed. In addition, organisations should regularly scan for vulnerabilities and instal the latest security patches without delay.

We have detailed guidance to help organisations understand their security obligations. Last year we published a cyber report, Learning from the mistakes of others, providing insights for people responsible for compliance with data protection legislation and cyber security at their organisation.

Advice for the public

The responsibility to keep people’s information secure lies first and foremost with companies that collect and use personal information, and they have a legal duty to take this responsibility seriously.

But there are also steps people can take to protect their personal information, for example: use strong, unique passwords for each account; enable multi-factor authentication wherever possible; and remain vigilant against phishing emails or messages that reference personal or genetic information.

The regulatory structure applying in the United Kingdom differs from Australia, sometimes quite significantly.  That said, both have similar approaches when it comes to reviewing and, where appropriate, penalising breaches of security.  It is therefore relevant to consider Penalty Notices issued by the ICO.  The ICO has had longer and more comprehensive history in issuing Penalty Notices and a developed methodology. The number of Enforceable Undertakings in Australia has been relatively modest and are not nearly as comprehensive as the United Kingdom and the United States of America. That is likely to change over time with the increased powers and size of penalties under the Privacy Act 1988. 

The Penalty Notice is 153 pages long.  It is one of the most detailed written assessment of the failures but also, very helpfully, what is best practice.  It is a very useful resource.  The relevant takeaways Read the rest of this entry »

Encryption is a critical part of privacy (to prevent misuse of information) and data security. It is also something that is very poorly understand and even more badly implemented. Properly implemented encryption provides real protection of personal information. It is not the only answer but encrypting personal information goes a long way towards showing there has been a real attempt made to comply with APP 11 of the Privacy Act 1988. The key issue when assessing a data breach is whether personal information has been accessed and misused.  If personal information has been encrypted then an organisation has a good story to tell the regulator, notwithstanding the breach, if there is an investigation.

The UK Information Commissioner has released a guidance on the use of encryption. While it refers to UK legislation the principles are equally applicable to the APPs in the Privacy Act.

Some of relevant points Read the rest of this entry »

The London Borough of Hammersmith and Fulham has been reprimanded by the UK Information Commissioner’s Office for leaving personal information of 6,528 people, including 2,342 children (worse, of whom 96 were unaccompanied asylum seekers), on its publicly viewable site for almost 2 years. The breach was almost certainly caused by an action by an employee responding to an FOI request made by WhatDoTheyKnow.com in October 2021. In responding to the FOI request the council provided an Excel spreadsheet which contained 35 hidden workbooks. That material was posted on both the Council site as well as the WDTK site. It was WDTK that noticed the data breach when, in November 2023, while doing a review of information on its site it found the personal information and advised the Council. The information was immediately removed from both sites.

This type of mistake is quite common with government agencies.  It is human error.  Often a combination of a lack fo attention to detail and poor privacy training.

The ICO media release provides:

We have reprimanded the London Borough of Hammersmith and Fulham (the council) after it left exposed the personal information of 6,528 people for almost two years.  

The personal data breach occurred when the council responded to a freedom of information (FOI) request made via the WhatDoTheyKnow.com (WDTK) website in October 2021. The response, published on the council’s website and WDTK, contained 10 workbooks which included personal information.   Read the rest of this entry »

Law firms are a prime target for data breaches. They hold significant personal information and sensitive information of corporations and government agencies. The UK Information Commissioner’s Office has imposed a very hefty fine of 60,000 pounds on the Merseyside-based DPP Law Ltd following a cyber attack in June 2022 which resulted in the loss of 32GB of data. The firm only became aware of this loss when it was contacted by the National Crime Agency which advised it that the data had been posted on the dark web. DPP Ltd had poor cyber security with a brute force attack being sufficient to gain access to an administrator’s account and then having the ability to move laterally across its network.  That bespeaks a very rudimentary system.  Then after being notified of the breach it regarded the loss of personal information as not constituing a personal data breach.  It waited 43 days before notifying the ICO.  It is a case study of what not to do.  Which in fact the ICO has done in publicising the litany of errors committed.

The ICO media release provides:

Cyber attack details

In June 2022, DPP suffered a cyber attack which affected access to the firm’s IT systems for over a week. A third-party consulting firm established that a brute force attempt gained access to an administrator account that was used to access a legacy case management system. This enabled cyber attackers to move laterally across DPP’s network and take over 32GB of data, a fact DPP only became aware of when the National Crime Agency contacted the firm to advise information relating to their clients had been posted on the dark web. DPP did not consider that the loss of access to personal information constituted a personal data breach, so did not report the incident to us until 43 days after they became aware of it.

You can read the full details of the incident in our monetary penalty notice.

Legal requirements and our guidance

The law requires organisations to take continual and proactive steps to protect themselves against cyber attack. This includes ensuring all IT systems have MFA or equivalent protection, regularly scanning for vulnerabilities and installing the latest security patches without delay.

We have detailed guidance to help organisations understand their security obligations, including the duty for all organisations to report personal data breaches.

Last year we published a cyber report, Learning from the mistakes of others, providing insights for people responsible for compliance with data protection legislation and cyber security at their organisation.

Australian firms have been hit with significant and damaging data breaches recently. The HWL Ebsworth data breach via a cyber attack in April 2023. resulted in approximately 2.2 million documents being affected. The Information Commissioner opened an investigation in February 2024, 14 months ago. There has been no public resolution of that investigation. It is the subject of a class action, with the National Justice Project is now representing 12 National Disability Insurance Scheme (NDIS) participants in a class action against HWL Ebsworth. In March cyberdaily reports in Brydens Lawyers suffers alleged 600GB data breach following ransomware attack that the firm had suffered a significant data breach in February 2025. Also in February 2025 Slater and Gordon suffered a humiliating data breach by Read the rest of this entry »

The Information Commissioner’s Office (“ICO”) has published a review into the gathering of children’s data from services supplying them with current accounts, savings accounts, trust accounts, ISAs and prepaid cards. Given the greater concern about children’s privacy, long overdue, it is prudent to look at the review and consider what is being done in Australia.  What is clear is that failure to maintain proper standards with organisations will, if there is some data breach or other issue, result in acute embarrassment for organisations if the regulator reviews its processes and procedures.  Given the Privacy Commissioner now has powers to issue infringement notices/ compliance notices rather than going to the delay and expense of long and drawn out investigations and civil penalty proceedings this is a factor organisations should consider carefully.

Some of the findings from the review are:

• 69% of participants had policies and procedures in place to control the use of children’s data;
• only 67% of those organisations proactively monitored compliance with their policies and procedures.
• 45% of participants had limited assurance that staff are processing children’s information in line with internal or even legislative requirements.
• only 14% of participants had assigned responsibility for children’s data in policy or relevant job descriptions
• while 97% of participants provided staff with general data protection training however, only 18% of participants included content about the use of children’s personal information
• while 49% of participants say they provided children with age appropriate privacy information ess than a quarter of all participants have carried out any testing to check how easily children would understand their privacy information
• only 36% of children’s savings account products which are opened by parents but transferred to the child at 16 provided the child with privacy information during the transfer process
• When opening a child owned savings account, 83% of participants provided children with privacy information
• 5% of participants also required children to acknowledge that they have read the privacy information, usually recorded by signing the application form
• only 11% of these participants actually carried out any assessment as to whether children are competent enough to understand their notice
• 66% of participants indicated it would be the parent’s (where they are present) responsibility to ensure the child understood privacy information and no attempt would be made to confirm the child understood the privacy information
• 66% of participants reviewed the categories of information they collect on a regular basis to make sure it is limited to what is necessary
• 40% of participants collected special category data, limited to health data and will only be processed having obtained explicit consent.
• 24% of participants relied on consent obtained from the child to process their information for specific purposes. However, 42% of those participants relied on acknowledgement of information provided within privacy information or key facts documents to obtain the consent. This did not meet the requirements of the UK GDPR
• 88% of participants had no process in place to assess a child’s understanding of their data protection rights. For 34% of these participants this was because they had preset age limits which determined whether a child was able to exercise their rights or not.  n most cases this age limit was set at 13 years old although some participants had set this age as high as 16 years old.
• 20% of participants who offer products which process children’s information, but are controlled by parents, did not allow children to access their information or exercise this right at any age
• 96% of participants had an embedded process for verifying the age of children when an account is opened
• 63% of participants had a policy in place to govern communications provided to children, including marketing material. For 83% of participants the policy prohibited the provision of marketing material to children.
• 75% of participants provided communications which included general information about the service provider and also administrative account information. 29% of participants provided communications containing general organisational administrative information. 8% of participants provided marketing communications to children
• 33% of participants had a process in place to regularly update the contact information they hold
• Only 8% of participants required children to have access to their own email and/or phone to enable them to open an account, however if children did have these, then this information was recorded in the majority of cases where the child has some control over the account (current or savings accounts). 76% of participants used parents contact information such as email or phone to provide communications.
• Of the participants who do allow marketing to children, 75% of them included opt in and opt out options on the account application form.  The remaining 25% of participants sought consent from the parent only.

The Executive Summary Read the rest of this entry »

23andMe is, or more accurately was, a personal genomics company. It collected genetic information. That is very sensitive. It suffered a data breach in October 2023 when hackers exploited an old password resutling in them gaining access to 6.9 million people. It became the subject of litigation and in June 2024 investigation by the Canadian Privacy Commissioner and the UK Information Commissioner. Early in March the ICO released a notice of intent to fine 23andMe with a 4.59 million fine. 23andMe has just filed for Chapter 11 bankruptcy protection. At minimum that means a restructure. It may continue operating after the restructure. That has raised serious security concerns about the genetic data it holds. The New York Attorney General has urged customers to contact the company to delete their data. In What users need to know about privacy and data after 23andMe’s bankruptcy filing the Conversation sets out the privacy and data management issues from this . That does not alter 23andME’s obligations to protection personal information.

The Conversation’s piece Read the rest of this entry »

The UK Information Commissioners Office (“ICO”) has fined Advanced Computer Software Group Ltd (“Advanced”) some £3.07 million for inadequate security which resulted in a a ransomware attack in August 2022 which  disrupted the operation of NHS services and impacted 79,404 people. The ICO found the Advanced’s security measures fell seriously short of what that  expect from an organisation processing  a large volume of sensitive information. 

While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk. Hackers were able to access Advanced’s systems via a customer account. Access to that account was not protected by multi-factor authentication. Once in the systems, the hackers were able to exfiltrate data belonging to 79,404 people.  That included, with respect to 890 people receiving home care, details of how to gain entry to their property. 

Last year, the ICO signalled its intention to fine Advanced £6.09m. After considering Advanced’s submissions it reduced the fine to  £3.07m. One but not the only reason for the reduction was Advanced’s “proactive engagement with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the NHS in the wake of the attack and other steps taken to mitigate the risk to those impacted”.  Other factors were Advanced’s notification to customers within 24 hours of discovery irrespective of whether they were affected, providing a team of 18 people to restore  infrastructure and engaging external experts to undertake a forensic investigation and analysis of the data impacted.  Advanced also undertook a comprehensive review of potentially impacted data.  There are lessons in the Australian context.  It is important for an organisation to react quickly, decisively and engage with all relevant authorities. That means having a plan.

The statement provides:

The Information Commissioner’s Office (ICO) has fined Advanced Computer Software Group Ltd (Advanced) £3.07m for security failings that put the personal information of 79,404 people at risk.?  Read the rest of this entry »