The data breach blame game

The cyber threat to UK business is significant and growing. Since February, when the National Cyber Security Centre was opened, the UK has been hit by 188 high-level attacks which were serious enough to warrant NCSC involvement, and countless lower level attacks.

The fact of the matter is, that in the past year, the world has been inundated with cyber attacks on a scale and boldness which has not been seen before.

Understandably, politicians, businesses and the general public are asking questions. Just who is responsible for these data breaches? Your first thought is probably about the perpetrator – was it a criminal hacker, state sponsored, an automated botnet or perhaps even a malicious insider at an organisation. Its human nature to want answers.

>See also: 7 key lessons from TalkTalk’s data breach

And whilst attribution is certainly important, especially when we consider the criminal and judicial implications, a compromised organisation also has a responsibility to accept and acknowledge facts surrounding the incident, particularly when there are external customers or clients involved.

Deny, deny, deny

When a data breach is first reported on the news, organisations often look to distance themselves from the blame, or take responsibility for failing to protect sensitive data or systems.

Excuses are regularly thrown around that include: “The breach really wasn’t that serious;” “The data taken isn’t that sensitive;” and the even more popular “Our security is comparable to others in the industry.”

After inadvertently turning over sensitive financial records of at least 50,000 clients to an opposing lawyer, the legal counsel at a global corporation even blamed their counterpart for the exposure!

With GDPR looming in less than a year, and recent enforcements by the Information Commissioners Office (ICO), it’s obvious the UK isn’t going to be pulling any punches when it comes to data responsibility.

>See also: Bupa insider data breach affects 500,000

The ICO has placed strict fines on private companies, local councils, police forces and charities for failings around data protection. Anyone looking to distance themselves or their organisation from a data breach has nowhere to hide.

Take responsibility

The issue of corporate responsibility is not new, nor is it necessarily limited to the world of information technology. After the 2010 Deepwater Horizon oil spill, British Petroleum were quick to begin the blame game and point the accusatory finger at drilling company Transocean ltd.

In the wake of a deadly disaster and arguably the largest oil spill in petroleum history, distancing themselves from responsibility seemed in poor taste. Alternatively, corporate responsibility can be handled more appropriately. Mothercare, the British retailer for baby goods, recently ordered a product recall of a baby bouncer following reports a baby injured itself using the product.

Avoiding responsibility can lead to substantial legal costs and but also perhaps more damagingly, significant harm to brand reputation.

Be a team player

About seven or eight years ago, after companies like Google and Adobe suffered data compromise as part of the Operation Aurora cyber attacks, Google’s security team were surprisingly open about the attacks.

>See also: Wonga data breach affects 245,000 customers

Even going as far to detail how the attacks took place, how they uncovered the attack, and how they eventually took steps to thwart it. In doing so, they helped untold numbers of companies and agencies from suffering the same fate.

Nobody likes to admit that they have had a security failure, but when an organisation is responsible for the security of sensitive information, it has an obligation to be fully forthcoming to its clients or customers – that’s the nature of business.

What’s more, when a victim organisation is open about what happened, it can have benefits to the wider security community, and therefore help with current and future efforts to protect customer data. Playing the blame game does nothing to help anyone, except perhaps the criminals who took the data.


Sourced by David Smith, CISO, Nuix


The UK’s largest conference for tech leadershipTechLeaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering here

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics

Cyber Attack
Data Breach