Who's the leakiest of them all? It's the UK's public sector, breach fine analysis reveals

Despite the Information Commissioner's Office (ICO) recently slapping record megafines on British Airways and Marriott for data leakage, it's actually the UK's public sector that racked up the biggest volume of breaches in the last eight years. Since 2010, the ICO has handed out 216 fines totalling £23.5m (excluding the BA and …

  1. Adrian 4

    "Some of those incidents include a £185,000 penalty against Northern Ireland's Department of Justice for auctioning off a filing cabinet that contained personal information about victims of a terrorist attack in 2014. "

    And the effect of fining government departments or hospitals is what, exactly ?

    I guess the managers have to take a pay cut ?

    The people involved lose their holiday pay ?

    Expansion plans are shelved ?

    Or perhaps they just stop cleaning the publicly-accessible toilets and take on fewer cases.

    1. BrownishMonstr

      Perhaps the department loses some of its budget and it should feel the squeeze.

      Hypothetically speaking, of course.

    2. Oengus

      The managers get promoted. A witch hunt fails to identify any individuals responsible.

      The department's budget takes a hit but they just go over budget by the amount of the fine (assuming they were on budget before the fine). The next year they increase the budget to cover potential fines. The increase comes from "consolidated revenue" (or whatever bucket the government uses for their public service funding). Department uses fine as an excuse to reduce services to the public.

      The department responsible for handing out the fines gets an income boost from the fine revenue collected so comes in under budget and gets their budget reduced the next year.

      The government gets a nett zero impact - fine paid by over budget department comes out of "consolidated revenue", income received by fine issuing department goes into "consolidated revenue". GDP increases.

      Government celebrates the effectiveness of the data privacy legislation and uses the success to screw the public even more.

    3. MrReynolds2U

      Fine = total budget reduced = IT budget reduced = less money / time spent on security = more data security problems in future

  2. Terry 6

    When I worked in public service I was terrified about data security. As a low level professional I knew that I'd be out of a job if anything went pear shaped and the authority got hit with a fine.

    But I had no doubt that the higher ups who allocated resources for everything, which included data storage, would walk away smelling of roses.

    And that's where the vulnerability sits.

  3. Anonymous Coward

    That's because the public sector is the only sector that voluntarily reports its breaches, and even there the overwhelming majority go either unreported or (worse) unnoticed. Pre-GDPR there was effectively no reason to self-police, so no one did outside of government, where the risk of the Daily Mail Front Page from _not_ reporting a breach far outweighed the financial penalty of doing so.

  4. Anonymous Coward

    Trust the fucking (what we laughingly refer to as) the government

    Quote from article: "Despite the fine, the ICO's July review (PDF) showed the British public continue to be significantly more likely to have high trust and confidence (rating 4.5 out of 5) in the NHS, police and national governmental bodies and agencies than in private companies." Unquote.

    Recently my health fell off a cliff and I had to apply for universal credit. It seems that everything has to be done via a government website.

    I suppose that if you have an internet connection that is borderline acceptable.

    But when you go onto this website, where you are going to have to enter very sensitive details about yourself and your family, you will find at least 5 trackers: 3 from government agencies and 2 others, namely Google Analytics and Google Tag Manager.

    I now use a sacrificial computer and after every use, do a clean install from a clean backup. Just to be a bastard.

    But how many thousands of people are aware that by using the site their info may be passed on to an ad agency, not to mention which government departments have access to the data and what they use it for.

    As someone who has paid into the system since 1970, if anyone from the government reads this, FUCK YOU.

    And don't get me started on private companies who always seem to have our security as their biggest priority. You fucking liar bastards.

    Trust has to be earned and you cunts have killed it.

    Cheers… Ishy

    1. deive

      Re: Trust the fucking (what we laughingly refer to as) the government

      "I now use a sacrificial computer and after every use, do a clean install from a clean backup" - You could try Tails Linux...

  5. Anonymous Coward

    With reference to "the old lost disk scenario...".

    I once worked for the outsourced IT support organisation that supported the large Government department involved in that scenario.

    There was an extensive witch-hunt and massive additional costs for both the Government department and my then-employer.

    Eventually the lowly clerk who had "sent the CD off" to the outsourced IT support organisation confessed that they'd bunked off work early that Friday and hadn't bothered sending the disk at all.

    It was never lost because it was never sent.

    (and don't get me started about the idea of posting CDs in the 21st Century).

    1. Oengus

      I remember when I wanted to send a file (containing some very sensitive and confidential information for 40000 employees) using an external company's "secure delivery" on-line system. The file was to be encrypted and sent over an SFTP connection. My manager decided that wasn't secure enough. I had to burn the file (in clear text) onto a CD and have it couriered to the external company (and yes this was in the 21st century but not by much...).

    2. Anonymous Coward

      "It was never lost because it was never sent."

      I don't think you're talking about the same scenario.

      The canonical version of this scandal occurred in HMRC in 2007. It was definitely sent, because it was sent by internal mail, and was sent on a Thursday. At the time this was perfectly acceptable, standard practice and required no additional sign off. This is why the department developed a "Data Movement Request" process where the relevant "Data Guardian" must sign off said DMR, which must include which of the pre-approved data movement mechanisms it is going to use. CD-via-Post remained on the list for many years.

      The most Kafkaesque element of that incident was that the Public Sector's security theatre/paranoia led to the internal data handling regulations being marked OFFICIAL-SENSITIVE and SECRET, which means the junior civil servants responsible for handling the data were largely prevented from reading the rules about how they should handle that data.

  6. Efer Brick

    Doing bird...

    for the top level management, is the only way to get them to tighten up security

  7. EnviableOne

    Lies, Damn Lies and Statistics

    This is not really a fair study. The only industry that was required to report breaches to the ICO until 25th of May 2018 was the public sector.

    If you look at the figures since then, when everyone is required to, the stats look a lot different.

    1. Cynical Pie

      Re: Lies, Damn Lies and Statistics

      And in my experience private sector companies actively tried to avoid notifying the ICO (and despite the reporting requirements of GDPR that's probably still true).

  8. Venerable and Fragrant Wind of Change

    Despite ..., the ... review showed the British public ... more likely to ... trust ... [public sector]

    Methinks that trust might be slightly misleading. It may be confusing the issues of intentions and competence. With the private sector, we suspect their intentions may be dodgy.

    A question on trust could be either of

    * How much do you trust [foo] not to abuse your information, for example by putting you on a spam list?

    * How much do you trust [foo] to have the competence to keep your information safe?

    Or of course it could be undefined, in which case subjects would have to interpret it from the context and manner of its asking.

    I'd intuitively expect the public sector to win the first question, but not the second.

    1. veti

      Re: Trust

      When your private information falls into the hands of scammers and criminals, what difference does it make whether it got there by malice or incompetence?

      With apologies to ACC, I suspect sufficiently advanced incompetence is indistinguishable from malice. (And I'm damn' sure that malice is sometimes disguised as incompetence. See Donald Trump's CV, for instance.)
