Common IT security weaknesses lead ICO to reprimand recruitment firm

ICO provides further guidance on what it expects from data controllers in the context of cyber incidents.

The UK Information Commissioner’s Office (ICO), the UK’s data protection regulator, has issued a reprimand to the recruitment company Gap Personnel Holdings Limited (Gap) for infringements of the UK General Data Protection Regulation (UK GDPR). The reprimand followed two separate incidents within a 12-month period in which threat actors gained access to personal data held by Gap.

The reprimand provides further indication of what the ICO expects from data controllers when cyber incidents occur.

Background

The same threat actor accessed Gap’s IT systems in two separate incidents in March and August 2022.

Both incidents resulted in personal data – including names, addresses, email addresses, telephone numbers, dates of birth, bank account numbers and right-to-work information – being taken from a database within Gap’s IT system. At the time of the March incident, the affected database contained personal data for nearly 14,000 UK data subjects.

Gap was unable to determine the specific cause of either incident. It did, however, suggest that in both incidents the threat actor likely performed an SQL injection attack, in which crafted input submitted to a web application is passed into a database query and executed as SQL, allowing the attacker to read or modify the database. Gap also believes the threat actor leveraged an insecure web-scripting file in at least the March attack.

Following the March incident, Gap kept the affected system live. The company said that the vulnerability used by the threat actor to access the system was patched and tested on April 26, 2022; the second incident in August 2022 nevertheless followed that fix.

ICO findings

The ICO determined that Gap had weak IT security and a lack of appropriate logging and monitoring systems. This limited its ability to effectively detect and quickly respond to the security incidents.

Specifically, the ICO considered that Gap:

  1. was not ensuring the ongoing confidentiality, integrity and resilience of its systems in line with UK GDPR Article 32(1)(b); and
  2. did not have the correct organisational measures in place to ensure a level of security appropriate to the risk in line with Article 32(1). Nor did it conduct security testing in line with Article 32(1)(d).

The following weaknesses, which are common across many organisations and were known to Gap prior to both incidents, were identified:

  • Insufficient logging. Whilst Gap did have an IT logging system in place at the time of both incidents, the ICO determined it was insufficient, so forensic analysis of the attacks (and therefore identification of their cause) was limited.
  • Poorly written PHP code. Gap had limited ability to validate data input into its IT system. Input validation is the application-side control most directly relevant to SQL injection. The ICO expects that a system capturing personal data should be able to validate input data, both to prevent attacks and to ensure the integrity of the data entered.
  • Unsupported MySQL and PHP. At the time of both incidents, Gap was knowingly using out-of-date versions of MySQL (database management system) and PHP (web-scripting language). The latter had last been updated in October 2019, meaning it was no longer receiving security fixes. The ICO considered this showed a lack of good practice around patch management and a failure to secure personal data.
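The two application weaknesses above, SQL injection and missing input validation, and the logging gap are easiest to see side by side. The following is an added example written for this article; it is not code from the reprimand or from Gap’s systems. Python with sqlite3 stands in for the PHP/MySQL stack the reprimand describes; the `candidates` table, its sample rows, the injection payload and the client IP are constructed for the illustration.

```python
"""Added example (not part of the ICO reprimand or Gap's code).

Python with sqlite3 stands in for the PHP/MySQL stack in the reprimand. The
table, column names, sample rows, payload and client IP are constructed for
this illustration.
"""
from __future__ import annotations

import re
import sqlite3

# Constructed sample data: a candidate table holding the kinds of PII the
# reprimand lists (email, date of birth, bank account).
SAMPLE_ROWS = [
    (1, "alice@example.com", "1990-01-02", "11111111"),
    (2, "bob@example.com", "1985-06-30", "22222222"),
    (3, "carol@example.com", "1992-11-15", "33333333"),
]

# Constructed injection payload: a tautology that turns a lookup for one
# candidate into a dump of every row.
INJECTED_EMAIL = "x' OR '1'='1"

# Records a defender needs to reconstruct an attack; the reprimand notes
# Gap's logging was too thin for that. In production this would be a log
# pipeline rather than an in-memory list.
AUDIT_LOG = []


class InvalidInput(ValueError):
    """Raised when a request field fails allow-list validation."""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE candidates ("
        "id INTEGER PRIMARY KEY, email TEXT, dob TEXT, bank_account TEXT)"
    )
    conn.executemany("INSERT INTO candidates VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """The pattern that enables SQL injection: the request value is pasted
    into the query text, so quote characters in it are interpreted as SQL."""
    sql = (
        "SELECT id, email, bank_account FROM candidates "
        "WHERE email = '" + email + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """Parameterised query: the value is bound separately from the SQL text,
    so the injected string is compared literally and matches nothing."""
    return conn.execute(
        "SELECT id, email, bank_account FROM candidates WHERE email = ?",
        (email,),
    ).fetchall()


# Allow-list for the one field this endpoint accepts. Rejecting malformed
# input up front protects data integrity as well as the query.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def lookup_hardened(conn: sqlite3.Connection, email: str,
                    client_ip: str = "203.0.113.7") -> list[tuple]:
    """Validate, record rejections, then query with bound parameters."""
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        AUDIT_LOG.append({
            "event": "input_rejected",
            "field": "email",
            "value": email,          # keep the payload: it is the evidence
            "client_ip": client_ip,  # constructed value for the example
        })
        raise InvalidInput("email failed validation")
    return lookup_parameterised(conn, email)


def demo() -> dict:
    """Run the three lookups with the injected value against the sample data
    and return the outcome of each so the contrast is visible in one place."""
    conn = make_db()
    result = {
        "vulnerable_rows": len(lookup_vulnerable(conn, INJECTED_EMAIL)),
        "parameterised_rows": len(lookup_parameterised(conn, INJECTED_EMAIL)),
    }
    try:
        lookup_hardened(conn, INJECTED_EMAIL)
        result["hardened"] = "accepted"
    except InvalidInput:
        result["hardened"] = "rejected"
    result["audit_entries"] = len(AUDIT_LOG)
    return result


if __name__ == "__main__":
    print(demo())
```

The string-built query returns every candidate’s bank account for the injected value, the parameterised query returns nothing, and the hardened version never reaches the database at all while leaving a record of the payload and source address that an investigator can work from. Parameterisation alone defeats the injection; validation is the extra layer that protects data integrity and produces the audit trail.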

The ICO also found that Gap was not conducting security testing and had no patching policy in place at the time of the incidents.

What it means

The ICO has issued the reprimand following the identification of common IT weaknesses.

This is, therefore, a clear indication that the ICO expects organisations to be proactive in ensuring that their IT systems and security controls are regularly reviewed and updated. This is not only to ensure compliance with the UK GDPR, but also to reduce the risk of a cyber security incident and the associated personal data breach.

In line with this, the National Cyber Security Centre (NCSC) advises that organisations should:

  • scan systems for vulnerabilities at least once every month (see the NCSC guidance “Vulnerability scanning tools and services” on NCSC.GOV.UK);
  • have an active patching policy in place to update software and ensure security systems are up to date; and
  • implement IT logging and monitoring to record events on a system so that an attack can be analysed afterwards (see the NCSC logging and monitoring guidance).

Details of the reprimand can be found on the ICO’s website.

Tristan Hall is a partner and a member of CMS’ cybersecurity team and liaises with other CMS offices and member firms of CMS’s international cyber security network on CMS’s global 24/7/365 cybersecurity incident response service. Amit Tyagi is a partner and solicitor advocate in the London Insurance & Reinsurance Group and a member of the firm’s cybersecurity team. Christopher Gliddon is a senior associate in London. CMS