UK ICO Enforces Data Protection: Reprimands and New Privacy Tech with Meta
London Borough of Hackney Reprimanded Following Cyber-Attack
On July 17, 2024, the UK Information Commissioner’s Office (ICO) issued a reprimand to the London Borough of Hackney (LBoH) following a 2020 cyber-attack that resulted in hackers gaining access to and encrypting 440,000 files. The attack affected at least 280,000 residents and staff, exposing highly sensitive personal data, including racial and ethnic origin, religious beliefs, sexual orientation, health information, and criminal records.
Hackers also exfiltrated 9,605 records and deleted 10% of the council’s backup data before intervention. The attack disrupted LBoH systems for many months, with some services not fully restored until 2022. During the investigation, the ICO found inadequate security measures, such as unpatched systems and dormant accounts with weak passwords, which contributed to the breach.
Stephen Bonner, Deputy Commissioner at the ICO, criticized the council’s failures, highlighting the need for robust security measures to protect personal data. While the council took swift action post-attack and implemented a ‘zero trust’ model, the ICO stressed that such breaches could have been prevented with proper security practices.
ICO Reprimands the Electoral Commission After Major Cyber-Attack
On July 30, 2024, the ICO reprimanded the Electoral Commission following a cyber-attack in August 2021 that compromised the personal data of approximately 40 million people. Hackers exploited vulnerabilities in Microsoft Exchange Server and had access to the Electoral Register, including names and addresses, until October 2022.
The investigation revealed that the Electoral Commission failed to apply security updates released months before the attack and did not enforce adequate password policies. The ICO noted that basic security measures could have prevented the breach, which caused significant public concern.
Stephen Bonner emphasized the importance of proactive security measures, urging organizations to keep their systems up to date with the latest security patches to protect personal data.
Meta Collaborates with ICO on Privacy Enhancing Technologies
In a positive development, Meta Platforms Inc. is working with the ICO through the Regulatory Sandbox program to develop Privacy Enhancing Technologies (PETs). Meta is researching a Secure Multiparty Computation (MPC) system designed to enable accurate ad measurement while ensuring user privacy.
This collaboration aims to provide legal certainty, enhance privacy, and encourage digital adoption by developing technologies in a changing regulatory environment. The ICO’s independent review will help Meta refine its PETs, paving the way for broader industry adoption.