Charlie talks about the recent cyber attacks on the University of the West of Scotland (UWS) and the Police Service of Northern Ireland (PSNI) and discusses the impacts of these attacks.
In this bulletin, I emphasise that, while data breaches impact all those whose data has been compromised, until organisations face financial and reputational consequences, such breaches will persist. Often, organisations manage to escape with minimal consequences, even neglecting to inform those affected by the breach, and continue business as usual.
Two recent events prompted my thoughts on this matter. The first was the hack of the University of the West of Scotland (UWS) and the subsequent release of personal data from the Police Service of Northern Ireland (PSNI), due to a Freedom of Information request.
UWS posted on their website on the 6th of July, acknowledging an ‘ongoing cyber incident’ affecting several digital systems. On the 28th of July, the BBC reported that information was available on the deep web, with the ransomware group Rhysida claiming responsibility for the hack. Rhysida demanded £450,000 not to release the data, which they claimed contained ‘personal data belonging to staff, such as bank details and national insurance numbers, as well as internal university documents’.
Despite my search through the university’s website and social media channels, I found no evidence of a reference to the cyber attack. This, in my view, reflects poor crisis management. A cyber attack involving potential data loss should be transparently addressed, with affected individuals given the means to check if their data was compromised, and recommendations for protective measures. The lack of honesty in this instance suggests arrogance and a disregard for those connected to the university. Is this indicative of a dismissive attitude towards students and their concerns?
Similarly, Arnold Clark’s response to their data breach shows a similar disregard for those affected. Only when the Daily Mail published that their data was available on the dark web did they acknowledge a major breach. During a recent interview with a potential consultant, she mentioned the Arnold Clark breach. She and her husband were informed of the potential data loss six weeks after the initial announcement. One of our office staff received a letter just recently, nine months after the incident, informing her that she might have been affected.
Both organisations seem content to meet only the minimum requirements stipulated by ICO regulations. They provide minimal information and hope the issue fades away. This approach allows UWS to recruit students through clearing and lets Arnold Clark continue selling cars.
After losing data, individuals often lack an understanding of the consequences or feel powerless to act. I, according to Google passwords, have 25 compromised passwords, but have not got around to changing them.
Fortunately, I haven’t fallen victim to fraud resulting from data loss or identity theft. Those who have experienced it claim it’s a significant ordeal, taking months or even years to resolve in terms of time and financial restoration. One issue is that fraudulent activities occur weeks or months after the data breach, making it hard to directly link the fraud to a specific breach. By maintaining a low profile, organisations avoid reminding people of the breach and any subsequent scams.
The recent PSNI data leak, where personal details were publicly disclosed, has dominated headlines. This breach is considered one of the most significant: names, ranks, bases, and units of PSNI employees, including sensitive roles like surveillance and intelligence were exposed. With the relatively small population in Northern Ireland, leaked data could potentially be matched with other sources, posing a threat to the identified individuals. Dissident Republicans could use this information to target police personnel.
This data breach is causing a huge amount of anger amongst PSNI members and their families, and a number of them have spoken on the radio and to journalists about how angry they are about this and the ongoing threat to themselves. This reaction differs significantly from the lack of outcry following other data breaches. While I recognise the PSNI data leak could lead to physical threats, the psychological impact of identity theft is substantial. Hopefully, this incident prompts greater caution in data handling and the prevention of accidental releases.
In conclusion, unless those impacted by data breaches raise their voices and hold organisations accountable, breaches will persist. The quiet, low-profile response tends to be effective, as media interest wanes when there’s no new information to feed the story. Transparency and increased investment in prevention will only occur if victims become more vocal and demand accountability from data-breaching organisations.