
“A Good Day to Bury Bad News”: FOI Shows Data Breaches Typically Get Reported on a Friday

Law firms reported fastest...

By CBR Staff Writer

Nearly half of all data breach reports submitted to the Information Commissioner’s Office (ICO) were made on a Thursday or Friday, in what looks like a “deliberate tactic” to bury bad news, a Freedom of Information (FOI) request reveals.

That’s according to a new report by London-based cybersecurity company Redscan, which requested figures from the ICO on average data breach response times and found that, pre-GDPR, it typically took firms 21 days to report a breach.

Since GDPR came into force in May 2018, over 59,000 data breaches have been reported to European regulators, according to a survey by law firm DLA Piper. And the regulation requires them to be made within 72 hours.

(The Netherlands, Germany and the UK topped the table in the report with approximately 15,400, 12,600, and 10,600 reported breaches respectively.)

Mark Nicholls, Redscan Director of Cybersecurity, commented: “Firms operating across the financial and legal sectors are among those better prepared to manage data breaches. The fact that even businesses in these high-value sectors were taking two to three weeks to divulge incidents is a key reason why the reporting rules have since been tightened.”

He added: “[But] it’s incredibly optimistic to think that businesses are better at preventing and detecting data breaches since the introduction of the GDPR… Despite the prospect of a larger penalty, many are still struggling to understand and implement the solutions they need to achieve compliance.”

Redscan analysis of the FOI data also revealed that more than nine out of 10 companies did not, when reporting a breach to the ICO, specify the impact of the breach or did not know the impact at the time it was reported. The company also found that the longest time taken to report a breach to British data regulators was 142 days.


Law firms were the quickest to report, taking on average 16 days. Financial firms were not far behind, reporting within 20 days. Redscan found that breach detection on average was achieved within 60 days; however, it noted that one company that suffered a breach was unaware of it for more than three years.

Reporting Breaches: A Job for Thursdays and Fridays…

€50 million is the largest fine to date, handed down by the French data protection authority CNIL to Google in relation to how it processed its users’ personal data.

In its research, Redscan identified a trend of threat actors targeting organisations’ security systems during the weekend: over a quarter of the breaches reported had occurred on a Saturday.

Nicholls added: “Detecting and responding to breaches is now a 24/7 effort. Many organisations lack the technology and expertise they need, which is compounded by a global cybersecurity skills shortage. Resources are stretched even further at weekends, when many IT teams are off-duty – exactly why hackers chose to target businesses out of hours.”

This is a tactic that makes sense for attackers, as companies will not have a full cyber security team in place at the weekend and their ability to respond to incidents will be greatly diminished.

He concluded: “It’s also interesting to note that nearly half of reports to the ICO were submitted on a Thursday or a Friday, good days to bury bad news. This might be overly cynical but I suspect that in many cases, breach disclosure on these days may have been a deliberate tactic to minimise negative publicity.”

According to Ross McKean, a partner at DLA Piper specializing in cyber and data protection: “The GDPR completely changes the compliance risk for organizations which suffer a personal data breach due to revenue based fines and the potential for US style group litigation claims for compensation.”

See also: Google’s €50M Fine for GDPR Breach: “A Cold Shower” for Businesses
