It's hard not to notice a bcc blunder. It can be less clear if you've been the victim of a hacker / cyber break-in, especially if the miscreant is trying to cover their tracks.
I wonder how many such intrusions simply go undetected?
Data breaches at organisations that 'fess up to the UK's data protection watchdog are about seven times more likely to be caused by human error than hackers. According to data released under the Freedom of Information Act, 2,124 incidents reported by organisations in 2017-18 could be pinned on mistakes or incompetence. Only …
“I wonder how many such intrusions simply go undetected”
This!
I worked as IT director at a PLC cloud SAAS provider. The COO one day instructed me to cease all intrusion monitoring because it wasn’t in the shareholders best interests. I assume that the reason for this is that we can’t report an intrusion we aren’t looking for. I resigned that day after handing in a 5 page resignation letter delivered by a 3rd party solicitor who kept a copy, and refused to work a notice period on the basis that they were asking me to pre-emptively ensure that there was little-to-no evidence of future illegal action. They still paid me 3 months notice anyway, but I think this was just to make me go away quietly.
There is legislation and then there’s the corporate reality of ignoring legislation unless you get caught, at which point you plead ignorance or successfully blame a junior.
"a copy of his resignation with apparently the damning evidence is in the hands of a solicitor."
Which means that not only the ICO would have fun, but the company will find that its liability insurers can (and WILL) wash their hands of the whole damned mess and the main insurer may cite fraudulent misrepresentation as a reason for dropping them as a customer.
You don't need to get regulators involved to fuck up companies (and executives) that put their necks on the block like this. A quiet word to the insurers can be far more effective.
"There is legislation and then there’s the corporate reality of ignoring legislation unless you get caught, at which point you plead ignorance or successfully blame a junior."
You don't say how long ago this was but if it was recent the COO should have been aware that the legislators who put together GDPR are wise to such tricks. That's why there's a higher tier of fines for this sort of thing. A plea of ignorance wouldn't help and they'd have to pay a junior a hell of a lot to take the blame for that. Realistically a proper investigation by a regulator is going to show that they did monitor and then stopped. There'll probably be a paper trail for costs of monitoring S/W.
We looked at a year's worth of outbound emails for the number of recipients. For business-related emails the max number of recipients was 7 so we set a limit of 10 maximum recipients per email. Others to church memberships, soccer leagues, baseball leagues and the like had dozens to hundreds. Those can't get sent using company email systems any more. All advertising, customer communications, etc. must go through a third-party mass-spammer and those are triple-inspected for format and content so there will be multiple, documented people to blame.
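The recipient-count control described in the comment above, written out as an added example (this is not the commenter's code, and the figures are assumptions taken from the comment: an observed business maximum of 7 and a hard limit of 10). It counts distinct addresses across To, Cc and Bcc with the standard library's email parser, derives the "observed maximum" from a constructed set of sample messages, and rejects anything over the limit. One caveat worth keeping in mind: the check only sees what is in the headers, so a single distribution-list alias counts as one recipient even if the list server expands it to hundreds, and Bcc is only present at submission time, which is where this has to run (on the mail submission agent or outbound gateway, not on delivered copies).

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: the policy figure quoted in the comment (observed max 7, limit set to 10).
RECIPIENT_LIMIT = 10


def recipients(raw_message):
    """Return the set of distinct recipient addresses found in To, Cc and Bcc.

    Bcc is only visible at submission time (an MSA or outbound gateway sees it;
    the delivered copy does not), so that is where this check must be applied.
    """
    msg = message_from_string(raw_message)
    headers = []
    for name in ("To", "Cc", "Bcc"):
        headers.extend(msg.get_all(name, []))
    # getaddresses splits comma-separated lists and strips display names;
    # lower-casing collapses the same mailbox written with different case.
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def recipient_count(raw_message):
    return len(recipients(raw_message))


def observed_maximum(messages):
    """The 'max number of recipients' figure derived from a corpus of past mail."""
    return max(recipient_count(m) for m in messages)


def check_policy(raw_message, limit=RECIPIENT_LIMIT):
    """Return (allowed, reason); messages over the limit are rejected."""
    n = recipient_count(raw_message)
    if n > limit:
        return False, "rejected: %d recipients exceeds limit of %d; use the approved bulk-mail service" % (n, limit)
    return True, "ok: %d recipients" % n


def build_message(to, cc=(), bcc=(), subject="(constructed sample)"):
    """Build a constructed RFC 5322 message string for the samples below."""
    lines = ["From: alice@example.com", "To: " + ", ".join(to)]
    if cc:
        lines.append("Cc: " + ", ".join(cc))
    if bcc:
        lines.append("Bcc: " + ", ".join(bcc))
    lines += ["Subject: " + subject, "", "body"]
    return "\n".join(lines) + "\n"


# Constructed samples standing in for "a year's worth of outbound email".
BUSINESS_MAIL = [
    build_message(["bob@example.com"]),
    # bob appears in both To and Cc and must be counted once
    build_message(["bob@example.com", "carol@example.com"],
                  cc=["Bob <bob@example.com>", "dave@example.com"]),
    build_message(["u%d@example.com" % i for i in range(1, 6)],
                  cc=["u6@example.com", "u7@example.com"]),
]
# A soccer-league style mailing: one visible address plus two dozen in Bcc.
MASS_MAIL = build_message(["Soccer parents <parents@example.net>"],
                          bcc=["p%02d@example.net" % i for i in range(1, 25)])

if __name__ == "__main__":
    print("observed business maximum:", observed_maximum(BUSINESS_MAIL))
    for m in BUSINESS_MAIL + [MASS_MAIL]:
        print(check_policy(m))
```

Running it prints an observed maximum of 7 for the business samples, passes all three of them, and rejects the 25-recipient mailing. Feeding the real corpus into `observed_maximum` is the step that justifies whatever limit is chosen; the limit itself belongs in a config value rather than a constant, so it can be revisited when the baseline changes.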
That some government agency would churn out garbage data is par for the course. That El Reg would recycle it as if it were somehow meaningful is dereliction.
This data is like saying paper cuts are more likely than stabbings. Okay, but the loss of blood in one case averages (at most) one drop, while the other is often life-threatening.
I've worked at a health care company. A data breach happens anytime anyone gets access to data that they do not have an operational need to have. Okay, but the mean number of individuals affected is single digit. A single cyber intrusion will change that number, as typically, they manage all the records of some class or another.
If the point of this data is "don't forget the manual failure path", sure. But the tone suggests that this path is a greater threat in practice than cyber intrusions. It is most certainly not.
To be fair, that's not worse than useless. It's clearly a story that's thrown together very quickly on the basis of a pretty unexciting press release - but those press releases, and stories, are often the necessary building blocks of serious analysis.
"Cyber break-ins were smaller than all of these"
Smaller, or less frequent? Leaving a folder full of patient notes on the bus exposes a small amount of information to a small number of people. IT screw-ups, on the other hand, routinely expose billions of records to the entire world.