Scores of data breaches at UK’s merger watchdog

The anti-trust regulator in the UK was hit by 150 personal data breaches in the past two years, five more than in the previous two-year period.

The 2019-2020 total included 81 cases of unauthorised disclosure of information from the Competition and Markets Authority (CMA) and 40 devices lost or stolen, two of which were unencrypted, according to freedom of information documents reported by financial data service Bloomberg.

There were also 11 successful phishing attempts in which fraudsters pose as legitimate counter-parties to access sensitive information, four cases of malicious software and two hacks.

The breaches may have been accidental or deliberate. They could have included data being accessed by people outside the CMA, the loss or unauthorised alteration of personal data, staff accessing information they should not have, sending it to the wrong place or being tricked into releasing data they should not have, according to Bloomberg.

The watchdog handles internal business reports, copies of emails and other internal data. Leaks could potentially allow interested parties to profit from such data or even attempt to influence the outcome of a takeover, although there was no evidence that the authority’s investigations were compromised, Bloomberg reported.

“The CMA takes any data breaches extremely seriously and continually reviews its processes to ensure the strongest possible safeguards are in place,” a CMA spokeswoman said.

“For this reason, we have fostered a no-blame culture for the reporting of security incidents and staff are encouraged to – and do – record even minor incidents, which can lead to a higher level of reports.”

Five of the breaches were referred to the country’s data regulator, the Information Commissioner’s Office (ICO), because they incurred risks to people’s rights and freedoms.

Three of those incidents were considered serious enough to result in individuals being informed and were followed up with procedural or technical changes to address the underlying causes, the CMA said.

An ICO spokeswoman said the five cases came about because data was sent to the wrong people.