U.K. Merger Watchdog Suffers 150 Data Breaches in Two Years

The U.K. government’s antitrust regulator was hit by 150 personal data breaches in the last two years, as hackers targeted its trove of sensitive business information.

The Competition and Markets Authority found 81 cases of unauthorized disclosure of information and 40 devices were lost or stolen -- two of them unencrypted -- according to freedom of information documents.

The watchdog handles internal business reports, copies of emails and other internal data. Leaks could potentially allow interested parties to profit from such data or even attempt to influence the outcome of a takeover, although there was no evidence that the CMA’s investigations were compromised.

The CMA declined to give further details, including whether any deals were affected.

The number of breaches was higher than the 145 recorded in the previous two-year period from 2017 to 2018. They also included two hacks and four cases of malicious software. There were 11 successful phishing attempts, in which fraudsters pose as legitimate counter-parties to access sensitive information.

Five of the CMA breaches were reported to the U.K. data regulator, the Information Commissioner’s Office, as they incurred risks to people’s rights and freedoms. Three of those were considered risky enough to result in individuals being informed, and were followed up with procedural or technical changes to address the underlying causes, the CMA said.

An ICO spokeswoman said the five cases came about because data was sent to the wrong people. She said the data watchdog didn’t believe the incidents described involved leaks of deal information, but such an incident “may not involve personal data in any case, and would therefore not be reported to us or fall within our remit.”

Since Brexit, the CMA is in charge of regulating U.K. mergers and acquisitions. The body employs about 840 people, according to its most recent annual report.

The breaches may have been accidental or deliberate. They could have included data being accessed by people outside the CMA, the loss or unauthorized alteration of personal data, staff accessing information they shouldn’t have or sending it to the wrong place, or being tricked into releasing data they shouldn’t.

“The CMA takes any data breaches extremely seriously and continually reviews its processes to ensure the strongest possible safeguards are in place,” the watchdog’s spokeswoman said by email. “For this reason, we have fostered a no-blame culture for the reporting of security incidents and staff are encouraged to — and do — record even minor incidents, which can lead to a higher level of reports.”