Data breaches: Barclays and Santander most investigated lenders, ICO figures show

Previously unseen list of data breaches across each industry reveals the worst offenders

Barclays was flagged as a "concern" by the Information Commissioner's Office (ICO) over data breaches more times than any other UK lender last year, files seen by ComputerworldUK reveal.

The bank, which says it takes data protection "extremely seriously", was highlighted as an organisation of concern to the ICO 21 times in 2013, according to files disclosed under the Freedom of Information (FOI) Act. In each instance Barclays was deemed unlikely to have complied with the Data Protection Act (DPA), forcing the ICO to take remedial action.

The Information Commissioner's Office (ICO) is the UK's independent body set up to uphold information rights. It will intervene where the DPA has been breached, flagging a firm as a "concern" following a complaint from an individual.

Following an investigation into a "concern", the ICO can serve enforcement notices, impose fines of up to £500,000, and prosecute firms or individuals for serious data breaches.

Public sector bodies and private companies are expected to report a data breach, although self-reporting is voluntary. Firms that admit a serious breach have been anonymised by the ICO so as not to deter self-reporting in the future.

Other lenders that incurred repeat security breaches in 2013 included Santander, which was found unlikely to have complied with the act 15 times.

The ICO was made aware of 199 separate concerns within the lender sector throughout the year. Lloyds TSB, which then split into Lloyds Banking, featured on the offenders' "concern" list, as did NatWest, Royal Bank of Scotland, HBOS, Aviva, Nationwide Building Society and Yorkshire Building Society.

Additionally, some 36 further financial services firms self-reported serious data breaches and were issued enforcement orders from the ICO, but were granted anonymity.


A Barclays spokesperson said: "Barclays takes our responsibility to protect our customers extremely seriously. We take every practical measure to prioritise the safety and security of our personal and financial data."

When asked for more details on the breaches within Santander, the bank responded: "Without knowing what breaches you are referring to, we can't comment on specifics, but we know from the cases that have been reported to the ICO, in almost all, the issue was as a result of human error, and for each we have taken the necessary steps to address the problem and any complaints raised."

Government culprits

Central government departments were also listed as "concerns". The Department for Work and Pensions (DWP), for example, was deemed "unlikely" to have complied with data protection law on 20 separate occasions.

Further, the ICO found HMRC was also likely to have breached the act on 15 occasions, the Home Office five times, the Ministry of Defence (MoD) three times and the Ministry of Justice (MoJ) six times.

Government departments were served 37 enforcement notices in total during the year.

The HMRC said that it would not comment on specific cases where it suffered a breach, but said "we take data protection and security issues - including compliance with the requirements of the DPA - very seriously. We are constantly working to improve our performance in this area and work closely with the ICO on any recommendations it makes."

However, local government appears to be the worst offender on the ICO's list, with a total of 297 investigations undertaken during last year. Five local councils were served enforcements, including Aberdeen City Council and Glasgow City Council, the latter case arising when an unencrypted laptop was stolen from a council office.

Some 314 cases among local and central government were "resolved informally", and seven further councils were required by court to take action, including Mansfield, Luton Borough Council (on two occasions) and the Royal Borough of Windsor and Maidenhead.

There were 12 local government cases where either a court order or an enforcement was served. In central government a court order was served once and 37 enforcements were "informally resolved".

Police departments were tagged as concerns on 33 separate occasions. Potential criminal breaches were discovered on three occasions and enforcement notices served 61 times throughout the year.

Retail and internet firms

Nominet UK suffered a cyber-attack, or "hack", along with Electronic Arts (EA) Games and 11 other companies that were not named. Social network Last.FM and voucher website LivingSocial were also investigated for "unauthorised access" to customer data.

HR Blacklist, a website that detailed employees who were trade union members, was also served an enforcement notice by the watchdog.

Almost 20 internet companies were subject to enforcements or possible criminal investigation following serious breaches.

There were 24 serious breaches in the retail sector, including UK grocery store Asda, which published personal data online and whose employee lost a USB drive containing confidential information.

Insurance and utility providers

Almost 40 insurance providers were listed as a concern by the ICO and a further 24 were served enforcements. In five cases this included a potential criminal breach.

Meanwhile, there were seven instances where utility companies were investigated for potential criminal breaches, all of which were informally resolved. One instance included hacking of a database and another included an error in a mail-merge which revealed personal data of its customers.

Data breach files

The files seen by ComputerworldUK include reports of data breaches during 2013 in each industry sector.

While the ICO publishes the names of companies that have been served enforcements on its website, this list, acquired under the FOI Act, reveals the number of anonymised self-reported incidents by sector as well as the number of data breaches that were investigated, information that is not usually in the public domain.

Image: iStock Jimmy Anderson

Stories by Margi Murphy
