Twitch Data Breach: UK GDPR and the cost of human error

What happened & why is it a data breach?

This week, the live streaming site Twitch, which is owned by Amazon, announced that a “server configuration change” led to approximately 135GB of data being posted online.

The data breach resulted in the unauthorised disclosure of commercially sensitive personal data containing the names of top streamers and their earnings from the site, together with Twitch’s own internal source code.

Early signs suggest that the data breach was caused by human error in the configuration of Twitch’s servers. Worryingly, some of the data leaked dates back three years, giving rise to concern that the Twitch servers may have been accessible for longer than the last few days.

Details about how long the servers were accessible for and whether human error was the cause of the breach have yet to be confirmed by the livestreaming giant. It would also seem that the breach has not yet been reported to the Information Commissioners Office (“ICO”), but it is anticipated that this will happen soon.

This severe data breach by Twitch follows another incident two weeks ago in which the Ministry of Defence (“MOD”) team responsible for the UK's Afghan Relocations and Assistance Policy mistakenly copied more than 250 former Afghan interpreters seeking relocation to the UK into an email. This resulted in the email addresses, names and profile pictures of each recipient being visible for all other recipients to see.

Both the Twitch hacking incident and the erroneous MOD email constitute a data breach under the UK’s version of the General Data Protection Regulation (“UK GDPR”). In this article, we consider why this matters – and what to do if a similar thing happens to your organisation.

Why is this important & how does it link to my business?

Twitch and the Ministry of Defence, like most other organisations, have to comply with the UK GDPR. The UK GDPR contains certain data protection principles which must be followed, including maintaining the integrity and confidentiality of personal data. This includes taking measures to protect against unauthorised or unlawful processing, and also against accidental disclosure of personal data.

In 2019, 90% of cyber data breaches in the UK were caused by human error. One major example involved Virgin Media, where a database containing the personal data of 900,000 people was left unsecured for 10 months. Virgin stated this occurred as the database had been incorrectly configured by a member of staff, who did not follow the correct procedure. Since April, 2,552 data security incidents have been reported to the ICO, whilst it is estimated that there can be up to 65,000 attempts, and 4,500 successful attacks on businesses per day, equivalent to one every 19 seconds.

The cost of a data breach, especially those which lead to the disclosure of sensitive personal information, is not limited to personal and financial loss. It can often cause severe damage to a business' reputation, leading to bad publicity and in some cases, losing customers and staff. In view of this, businesses should make avoiding data breaches a key operational objective.

What to do if your business suffers a data breach

It is a common myth that all data breaches must be reported. Rather, under the UK GDPR, a data breach only needs to be reported to the ICO where there is a risk to the individuals’ whose personal data has been breached. Whether or not there is such a risk will be a matter of fact, but organisations must consider:

• The number of affected individuals;
• The nature and sensitivity of the information in question;
• The volume of personal data breached;
• The identity of the unauthorised recipient of the data.

Where the data breach is reportable to the ICO, organisations must report the data breaches to the ICO without undue delay and not later than 72 hours after becoming aware of the breach.

In certain circumstances, organisations are also required to report the breach to the individuals whose data has been compromised. This is necessary where:

• there is a high risk to the individuals in question; and
• there were not appropriate technical and organisational measures in place at the time of the incident or reporting would trigger disproportionate effect.

Where the data breach is reportable to the affected individuals, the organisation must report to those individuals without “undue delay” (albeit that there is no strict timescale imposed). Of course, organisations would also need to consider whether reporting to the affected individuals – even not required under the UK GDPR – is a matter of good commercial practice.

How to avoid a data breach or, if a data breach occurs, how to mitigate risk

It is a matter of fact that most (if not all) businesses will at some point suffer a data breach. However, an organisation’s best chance to avoid a data breach is to (a) ensure that all personnel using personal information know what constitutes a breach; and (b) clear policies, procedures and mechanisms are in place to catch the breach before it happens.

Firstly, organisations must ensure that staff know what amounts to a data breach. For example, staff may not be aware that sending an email to the wrong person is a data breach under the UK GDPR. The definition – and practical examples – of a data breach should be clearly set out in the organisation’s internal policies. If an organisation’s staff do not know when a data breach has been committed, then they will not be in a position to take the necessary reporting measures.

Secondly, organisations should invest in having the necessary policies, procedures and mechanisms in place to catch a data breach before it happens. For example, this may include technological solutions (i.e. software checking that the email address used is correct).

However, it is almost impossible to entirely eliminate human error within the workforce, so it is important to ensure that staff know what to do in the event of a data breach, in order to mitigate risk.

Organisations in which there is a no-blame culture tend to be better-placed to ensure that staff own-up to their errors as soon as possible, rather than attempting to cover-up for fear of criticism. If the organisation does not know that the data breach is occurred, then it will not be able to comply with its obligations under the UK GDPR. This is especially vital given that failure to report a breach to the ICO, or complying with the other obligations under the UK GDPR, could result in a fine of up to £17.5 million or 4 per cent of the organisation’s global turnover.

It goes without saying that the data breaches committed by Twitch and the MOD were particularly serious, given the nature and scope of the information. However, data breaches will likely be committed by all organisations of different sizes, so it is crucial that you know what to do, and when, to avoid falling foul of the fines and other sanctions under the UK GDPR.

If you and your company need any advice relating to data protection, data breaches, or require any data protection policies, please contact a member of our Data Protection Team by email or by calling 01603 610911.