ICO issues heavy fine for FTP breach

A lettings agency that used FTP to transfer sensitive personal data has been fined £80,000 by the ICO after its FTP server was breached by hackers. The breach resulted in personal details being stolen, including names, email addresses, postal addresses, dates of birth, income and employer details, along with images of passports, bank statements and utility bills.

How did this happen?

The cause of the problem was that the FTP server was set up incorrectly, allowing anonymous users to log in without a password. FTP servers can be complex to set up, and a simple error in the setup process could leave data and your organisation at risk.
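To show how small the "simple error" can be, here is an added example (not code from the original article or from dataXchange) that audits a vsftpd-style configuration for anonymous-access settings. The two configuration texts are constructed for the illustration; the default values are assumed from the vsftpd.conf man page, where `anonymous_enable` defaults to YES, so simply forgetting the line leaves anonymous login switched on.

```python
# Added example (not from the original article): audit a vsftpd-style
# configuration for settings that allow anonymous, password-less access.

# Assumed compiled-in defaults, taken from the vsftpd.conf man page. If a
# key is absent from the file, vsftpd falls back to these values, so a
# config that never mentions anonymous_enable has anonymous access ON.
VSFTPD_DEFAULTS = {
    "anonymous_enable": "YES",
    "no_anon_password": "NO",
    "anon_upload_enable": "NO",
    "write_enable": "NO",
}


def parse_vsftpd_conf(text):
    """Parse key=value lines; comments and blank lines are ignored, last value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().upper()
    return settings


def effective(settings, key):
    """Value the server will actually use: explicit setting or the default."""
    return settings.get(key, VSFTPD_DEFAULTS[key])


def audit_anonymous_access(text):
    """Return a list of human-readable findings about anonymous exposure."""
    s = parse_vsftpd_conf(text)
    findings = []
    if effective(s, "anonymous_enable") == "YES":
        how = "explicitly set" if "anonymous_enable" in s else "left at the default"
        findings.append(
            f"anonymous_enable is YES ({how}): anyone can log in as 'anonymous'"
        )
        if effective(s, "no_anon_password") == "YES":
            findings.append(
                "no_anon_password=YES: anonymous login is not even prompted for a password"
            )
        if effective(s, "write_enable") == "YES" and effective(s, "anon_upload_enable") == "YES":
            findings.append(
                "anon_upload_enable=YES with write_enable=YES: anonymous users can upload files"
            )
    return findings


# Constructed sample: the administrator enabled local users but forgot to
# turn anonymous access off, so the default applies.
WEAK_CONF = """
listen=YES
local_enable=YES
write_enable=YES
"""

# Constructed sample: the same server with anonymous access explicitly disabled.
HARDENED_CONF = """
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_anonymous_access(conf) or ["no anonymous-access findings"])
```

Running the same audit across every FTP server you operate, rather than on one box, is what turns this from a one-off check into a control against the sprawl described later in the article.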

Furthermore, FTP servers are often not administered correctly. In the case of the lettings agency, personal data was exposed for two years because the data was not removed after the initial transfer.

ICO guidance states that organisations should not use plain FTP for transferring sensitive or personal data.

What about SSH file transfer (SFTP)?

Some organisations may choose SFTP, but this in itself doesn't guarantee protection: data is not always encrypted at rest, and the server can still have vulnerabilities. SFTP servers can be tricky to set up and manage, especially if you run multiple SFTP servers for different purposes. We call this FTP sprawl. With FTP sprawl it is easy to lose sight of which SFTP servers you have, where they are located, who has access to them and what data resides on them.

Often data is placed on an SFTP server and left there indefinitely, which increases the security risk. In fact, with the aforementioned lettings agency, data was left exposed for two years, which magnified the data breach. Holding data indefinitely could also get you into hot water with GDPR: if you lose sight of this data, it becomes very difficult to comply with a data subject's right to erasure or to respond to a Subject Access Request.
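A retention sweep is the simplest control against files being left on a transfer server indefinitely. The following is an added example (not code from the original article or from dataXchange) that walks a transfer directory and reports every file whose last modification is older than a retention window; the sample directory, file names and the two-year-old timestamp are constructed for the illustration, and the function only reports, so the erase or archive step is left to the operator's process.

```python
# Added example (not from the original article): find files on a transfer
# server that have outlived their retention period.
import os
import tempfile
import time
from pathlib import Path

SECONDS_PER_DAY = 86400


def find_stale_files(root, retention_days, now=None):
    """Return paths under root last modified more than retention_days ago."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * SECONDS_PER_DAY
    stale = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.stat().st_mtime < cutoff:
                stale.append(path)
    return sorted(stale)


def build_demo_tree():
    """Constructed sample: one fresh upload and one abandoned two years ago."""
    root = Path(tempfile.mkdtemp(prefix="transfer_"))
    incoming = root / "incoming"
    incoming.mkdir()
    fresh = incoming / "tenant_application.pdf"  # hypothetical file name
    old = incoming / "passport_scan.jpg"         # hypothetical file name
    fresh.write_bytes(b"fresh upload")
    old.write_bytes(b"abandoned upload")
    # Backdate the abandoned file's access and modification times by 730 days.
    two_years_ago = time.time() - 730 * SECONDS_PER_DAY
    os.utime(old, (two_years_ago, two_years_ago))
    return root, fresh, old


def stale_report(retention_days=30):
    """Build the demo tree and return the names of files past retention."""
    root, _fresh, _old = build_demo_tree()
    return [p.name for p in find_stale_files(root, retention_days)]


if __name__ == "__main__":
    for name in stale_report(retention_days=30):
        print(f"past retention: {name}")
```

Scheduling this against each transfer directory, and feeding the result into a ticket or an automated move to a quarantine location, gives you a record of what was found and when, which is also what you need to answer a Subject Access Request about data held on the server.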

So if you transfer data files containing personal information externally, plain FTP should not be used, and there are better alternatives to SFTP.

DataXchange provides a secure, simple-to-use and affordable way to transfer files and manage data movements. Data is encrypted end-to-end and at rest using AES-256, and you have full visibility of all data movements through an audit trail. Talk to us now to find out more about dataXchange or to book an online demo.

Source: ICO - failing to keep tenants' data safe.
