Closed consultation

Call for information: Unauthorised access to online accounts and personal data

Updated 20 September 2022

This was published under the 2019 to 2022 Johnson Conservative government

About this call for information

Subject of this call for information

Computer misuse – malicious or unauthorised access to computer systems and an offence under the Computer Misuse Act 1990 – is one of the most prolific crimes facing UK citizens.

The Office for National Statistics (ONS)[footnote 1] estimated that there were 1.6 million computer misuse offences in the year ending March 2022. This represents an 89% increase compared to the year ending March 2020, driven by a 158% increase in unauthorised access to personal information (including hacking) offences. These offences are often perpetrated to commit further offences such as fraud, as well as cyber stalking and other sexually motivated online crimes.

The UK Government is committed to driving down computer misuse and the offences facilitated by it, as is evident in Government policy on data protection, improving cyber resilience and strengthening the digital economy. In line with the National Cyber Strategy[footnote 2], we aim to reduce cyber crime offences through measures, both existing and new, which reduce the security burden on citizens and place more responsibility on organisations which manage user accounts and process personal data, to protect those personal accounts and data.

Scope of this call for information

While the UK Government and industry have been taking steps to protect citizens online, computer misuse remains a significant threat to citizens. We must collaborate further across government and with industry to explore further ways in which we can make large-volume reductions in the level of unauthorised access to online accounts and personal data, which so often facilitates other offences and leads to harm.

To meet the scale of the task, the Home Office believes we need to consider new proposals to reduce this threat to citizens, and reduce the burden on them for cyber security, recognising that any new measures should complement existing obligations. The working title for these potential measures is the ‘Cyber Duty to Protect’.

To this end, we are seeking respondents’ views on the following areas:

  • The risks associated with unauthorised access to UK citizens’ online accounts and personal data

  • Actions that are currently taken to address the problem

  • Actions that should be taken to address the problem and where responsibilities for taking that action should lie.

Who should read this

The Government welcomes engagement from any individual, organisation or business with views on potential government intervention to reduce the burden of cyber security from the citizen and encourage organisations to further protect users’ accounts and personal data.

Duration

This call for information will run for eight weeks, starting 1 September 2022 and ending on 27 October 2022.

Lead official

This call for information is led by the Home Office.

How to respond to or enquire about this call for information

The easiest way to participate in this call for information is by completing the Smart Survey which you can also access via the link on the main consultation page.

Written submissions can also be submitted in Word or PDF format and emailed to CDTPengagement@homeoffice.gov.uk.

The address to post written responses is:

CDTP Call for Information
Cyber Policy Unit
2 Marsham Street
London SW1P 4DF

Written responses will be destroyed after they have been scanned to create a digital copy.

If you have any problems using this survey, send your queries to CDTPengagement@homeoffice.gov.uk. Please do not send any personal information to this email address.

Respondents may choose to respond to some or all of the questions in this document. The Home Office welcomes partial responses, focused on the aspects that are most relevant to the respondent.

When responding to questions in the call for information, please do not include any information that could identify you or somebody else. For example, do not include anyone’s name, age, job title, phone number or email address where it is not asked for.

Do not identify anyone else in your answers to any questions during this call for evidence.

Please note the following before you respond to the survey:

Responding to some of these questions may stimulate difficult memories for some respondents. We recommend that anyone who has been a victim of a computer misuse offence (cyber crime) and needs support contact support groups such as Victim Support who can help manage the challenges you are facing.

Please do not use this survey to disclose crimes. Law enforcement will not be reviewing or responding to crimes reported via this survey. If you would like to report a cyber crime, please contact Action Fraud via www.actionfraud.police.uk or call 0300 123 2040. If you live in Scotland please report to Police Scotland by calling 101.

Data protection

Please see the privacy note for further information.

After the call for evidence

The Government will publish a summary of responses in due course. Information submitted will be considered as part of the development of policy to improve the protection of UK citizens’ accounts and personal data, and any proposals will be subject to further engagement.

Ministerial foreword

The internet has had a transformative impact on our society, economy and daily lives. It provides a wealth of opportunity and potential in communication, education, entertainment, commerce and more, and is driving economic growth across the UK. However, criminals are increasingly making it a riskier environment. The Office for National Statistics recently estimated that there were 1.6 million computer misuse offences – often referred to as cyber crimes – against adults in England and Wales in the year to March 2022.[footnote 3] Of these, nearly 1.3 million incidents involved unauthorised access to personal information (including hacking). This was a 158% increase in estimates of unauthorised access incidents compared with 2020. Such crimes are frequently committed to facilitate further offences, including fraud, extortion, cyber stalking and domestic abuse.

This level of criminal activity is deeply disturbing, and my Department and the UK Government are committed to tackling it to ensure UK citizens are better protected. UK citizens should be able to use the internet without fear that they will fall victim to cyber crime, and their personal accounts or data be exploited by criminals to commit other offences.

Effective cyber security is a collective duty: it requires individuals, business, government and service providers to each take responsibility to maximise our resilience against cyber threats. This is why the Government has taken action to support secure practices, from cyber security advice for consumers, to legislation which ensures that firms take adequate measures to protect data that they collect. However, there are some areas where the responsibility for organisations to take action is greater, particularly when it comes to the ability to protect others.

As the National Cyber Strategy[footnote 4] notes, businesses and organisations have a responsibility to ensure they are effectively managing their cyber risks, including in relation to the ever-increasing volume of users’ personal data and digital assets with which they have been entrusted and for which they are responsible. Our data protection legislation also places obligations on organisations to ensure that personal data is processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. But owing to breaches of personal information from the systems of organisations in recent years, some of UK citizens’ personal data is available on online marketplaces and exploited for criminal activity. So, failure to protect data and digital assets can cause considerable harm to an organisation’s users and customers, and have significant legal, reputational and financial implications for organisations.

The Government has been clear in the National Cyber Strategy that services offered by managed service providers and platform businesses should not be over-reliant on their customers taking protective actions. It is essential that cyber security be embedded into an organisation’s operations where its customers and users may be placed at harm if that data is potentially at risk. The Government is committed to making the UK safe online and will continue to explore further ways in which we can protect citizens at scale, prevent attacks, and ensure basic protections are in place that benefit all citizens, organisations and business. In particular, we believe measures may be needed in particular to address the large volume of cyber crimes committed by criminals with a relatively low level of technical sophistication.

Accordingly, the Home Office is seeking information to inform the development of proposals to further reduce cyber crime, and the offences facilitated by it. This work will explore measures to reduce the burden on citizens for cyber security, including the application by organisations of secure-by-default principles to protect user accounts and information. It will also examine whether to supplement requirements in data protection legislation to ensure that providers of online services and accounts, as well as processors and holders of UK citizens’ personal data, exercise an appropriate and proportionate degree of responsibility for the protection required of the data and access to it.

The Government is determined to drive down cyber crime, the offences it facilitates, and the harm to people that it causes, while supporting and working with businesses and taking a pro-innovation approach which recognises existing regulatory frameworks. We will not implement further regulation or legislation without a clear case, but we have a responsibility to consider how to better protect citizens from cyber crime and facilitated offences, alongside wider government activity to reduce crime and, as set out in the Government’s Plan for Digital Regulation last year, to make the UK the safest place to be online.

In this first stage of our public consultation on the Cyber Duty to Protect programme, your responses will help build our understanding of the nature and perception of the risk to individuals in relation to cyber crime, and your views on actions to take, including how to reduce the burden for cyber security on citizens. This is critical to ensure any intervention is proportionate to the risks we want to address. Building UK resilience against cyber threats is a collective responsibility and I am grateful for your participation in this work.

Priti Patel, Home Secretary

Background – why we are holding this Call for Information

The problem we want to address

1. The Computer Misuse Act 1990 makes accessing online accounts and computer systems without authorisation a criminal offence – cyber crime. Typical methods of gaining this unauthorised access are through hacking or the use of malware. Offenders often seek to gain access to your online accounts, or systems that hold your personal data, to commit further offences. These further offences are often various forms of online fraud but can also include extortion, cyber stalking and domestic abuse.

2. Unauthorised access to computers and the offences it facilitates not only cause personal and economic harm, but can also impact people’s trust of the internet. This loss of trust in turn impacts UK citizens’ ability to make the most of the huge range of opportunities that the internet can provide for individuals, and damages the economic advantages to businesses.

3. Unauthorised access includes the hacking of individuals’ online accounts, e.g. social media and retail, but also breaches of organisations’ computer systems and databases. Phishing is a prevalent method used by criminals to steal account details and passwords from individuals and assist their hacking attacks. While the phishing email is not a computer misuse offence – it is a form of fraud – accessing the accounts with the collected passwords and usernames is a computer misuse offence, and is often used to facilitate further crimes. In addition, criminals can buy software tools from online marketplaces to assist their hacking activities, so significant technical sophistication is not always required.

4. Unfortunately, owing to breaches of personal information from the systems of organisations in recent years, UK citizens’ personal data is available on online marketplaces. Criminals can buy this personal data to enact scams; or they may buy breached email addressed and passwords, which they replicate across additional accounts to illegally access an account which may have the same password.

5. Organisations providing online accounts have existing duties and legislative requirements to protect systems from unauthorised access. Where the account is used to access financial services, there are regulatory requirements to ensure account authentication is secure using multi factor technologies. Secure authentication controls are also advised for organisations applying the Government’s Cyber Essentials standard. Further, organisations are under legal duties to secure personal data from unauthorised access under the UK’s General Data Protection Regulation and the Data Protection Act 2018.

6. Good password security is essential. The National Cyber Security Centre advises organisations to prevent simple and easily guessable passwords from being used. The Product Security and Telecommunications Infrastructure Bill, currently before Parliament, is also seeking to tighten up password security. The Bill will require manufacturers of connected devices, and apps to control devices, not to use default or easily guessable passwords.

7. Despite this regulation, guidance and advice, account access remains a serious point of potential vulnerability which may lead to unauthorised access and cyber crime. For example, many providers of online accounts, including social media, email and retail, ask users to provide a password to authenticate themselves as the legitimate user of that account. But many people still use a single password across several accounts, so that if one password is subject to a data breach, criminals could use it to access the other accounts. Furthermore, many people continue to use weak passwords to maintain easy access to their accounts. These vulnerabilities exacerbate the problem that computer misuse offences do not always require much technical sophistication by criminal perpetrators. Account vulnerability can also be exploited by perpetrators of cyber stalking and domestic abuse, where there is often a personal relationship with the victim.

In the survey, we invite you to tell us:

  • How concerned you are about unauthorised access;
  • How concerned you are about the possible consequences of unauthorised access.

Understanding the harm stemming from computer misuse offences

8. The harm to UK citizens stemming from these offences can be significant and widespread. This harm includes considerable financial loss and serious psychological harm. In some cases it may lead to direct physical harm where violent perpetrators have accessed the accounts (e.g. social media, email and retail etc) of former partners to find their re-location address and intimidate or continue to abuse them.

9. Victims of computer misuse can become vulnerable and their emotional well-being and mental health can be affected, causing anxiety, stress and depression.[footnote 5]Reports to Action Fraud indicate people suffering from severe mental distress after having their photos stolen from their social media accounts. There is also a risk that pre-existing mental health challenges may also be exacerbated when someone falls victim to computer misuse.

10. However, unauthorised access to personal online accounts is not the only source of harm to UK citizens relating to computer misuse. Many hundreds of thousands of UK customers of major UK and international companies – as well as much smaller companies – have had their personal data lost to cyber criminals. The site weleakinfo.com (which has now been taken down through an international law enforcement effort led by the National Crime Agency) sold personal data from thousands of data breaches and claimed to have more than 10 billion credentials.[footnote 6]

11. In cases where personal data obtained by criminals through such breaches is used in identity fraud, victims could end up with significant bills in their name, and even County Court Judgements against them in relation to debts the criminals have fraudulently built up in the victim’s name. Resolving this can be highly stressful and time-consuming, during which accessing credit can be impossible, potentially compounding any financial challenges the victim may have.

12. Compromised data can remain on criminal marketplaces for many years, meaning the potential threat to individuals lasts well beyond the breach. While UK law enforcement agencies collaborate internationally to take down these marketplaces, the data can often be moved and if servers are located in certain countries, action against the marketplaces may not be possible.

In the survey, we invite your views on the likelihood of harms arising from unauthorised access.

Responsibilities for cyber security

13. Effective cyber security is a collective duty and everyone has a responsibility to take reasonable precautions online. However, there are some areas where there is an opportunity and greater responsibility to protect others. In an era where the average UK citizen has multiple online accounts, the security burden on them has correspondingly increased. Online account login processes for UK citizens should be secure by default and not over-reliant on customers taking protective actions.

14. As the National Cyber Strategy notes, it is essential that cyber security be embedded into an organisation’s operations where its customers and users may be placed at harm if that data is potentially at risk. The Government is committed to making the UK safe online, and will continue to explore further ways in which we can make protect citizens at scale, prevent attacks, and ensure basic protections are in place that benefit all citizens, organisations and business.

In the survey, we invite your views on:

  • Where the responsibility for ensuring better protection of personal data should lie;
  • What actions those respondents from organisations are taking to protect access to accounts and customers’ personal data;
  • The use of enhanced authentication solutions, such as multi-factor / two-factor authentication.

The aims of this government intervention

15. While government and industry have been taking steps to protect citizens online, computer misuse remains a significant threat to citizens. We must collaborate further across government and with industry to explore further ways in which we can make the internet safer, prevent attacks, and ensure basic protections are in place to benefit UK citizens as well as organisations and business. We believe measures are needed in particular to address the large volume of cyber crimes committed by criminals with a relatively low level of technical sophistication.

16. To meet the scale of the task, the Home Offices believes we need to consider new proposals to reduce this threat to citizens, and reduce the burden on them for cyber security, recognising that any new measures should complement existing obligations.

17. The working title for these potential measures is the ‘Cyber Duty to Protect’. Pursuing the aims of the National Cyber Strategy, the Cyber Duty to Protect aims to reduce the burden of cyber security on citizens and reduce harms to citizens from unauthorised access and associated harms.

18. The areas the Home Office is seeking to explore further with stakeholders in the first instance are outlined briefly below.

19. The Home Office believes cyber crime, and the offences facilitated by it, could be substantially reduced via more widespread implementation of secure-by-default principles to protect user accounts and their personal information.

20. The Home Office also intends to explore options to ensure that providers of online services and accounts, as well as processors and holders of UK citizens’ personal data, exercise an appropriate and proportionate degree of responsibility for the protection required of the data, and access to it. This would mean exploring supplementing the current approach to the protection of data, under the Data Protection Act and GDPR, with a greater understanding and consideration of the risk to individuals of the compromise of their data held by organisations.

21. In considering potential new measures, we are keen to ensure that existing and future proposals meet the needs of all users, not just those with good computer literacy. No-one should be inadvertently excluded from a platform by enhanced security measures, nor should new security measures unduly interfere with UK citizens’ access to, ease of use, or enjoyment of the internet.

22. Our intention is that citizens in the UK be able to use the internet with more confidence and less fear or risk of becoming a victim of online crime, contributing to the Government’s goal of making the UK the safest place to be online.

23. This work is part of the broader government policy effort to tackle the various threats posed by the wider problem of online crime – which is broadly any offence that takes place in cyberspace or using a computer – and we will continue to work across and beyond government to complement a coherent regulatory approach, as set out in the Government’s Plan for Digital Regulation.

Our request

24. Through this consultation we would like to hear from citizens and organisations in the UK about their experiences relating to computer misuse to:

1. better understand UK citizens’ and UK organisations’ experiences of unauthorised access; and 2. hear your views on what we should take into consideration within the development of the Cyber Duty to Protect programme

25. We also welcome responses from businesses and industry as to how they could be assisted in better understanding the risks they and their customers face and what they could do further to mitigate them. We also welcome your views on what measures could be introduced to mitigate the threats described and reduce the burden for login security on the part of the user.

26. The easiest way to participate in this call for information is by completing the Smart Survey which you can also access via the link on the main consultation page. Written submissions can also be submitted in Word or PDF format and emailed to CDTPengagement@homeoffice.gov.uk.The address to post written responses is: CDTP Call for Information, Cyber Policy Unit, 2 Marsham Street, London SW1P 4DF. Written responses will be destroyed after they have been scanned to create a digital copy. If you have any problems using this survey, send your queries to CDTPengagement@homeoffice.gov.uk. Please do not send any personal information to this email address.

Next Steps

27. This call for information is the starting point of an extensive dialogue with stakeholders this initiative could impact, including industry and UK citizens.

28. Following this call for information, we will work with key stakeholders (including the tech industry, victim support groups, the cyber security industry, the business sector and service providers) to develop proposals for:

i) appropriate security measures which account providers and organisations processing personal data could implement to ensure users’ accounts and their personal data are better protected against attack; and

ii) compliance with those measures.

29. We will also work with organisations representing consumers and vulnerable groups to ensure the development of proposals takes the needs of all users into consideration.

30. We will also draw on other relevant academic research and evidence from reputable sources such as the Office for National Statistics and Action Fraud, to help inform and develop any proposals.

31. Any proposals will be subject to a Call for Views which will provide interested parties the opportunity to comment on and further shape them, prior to any implementation.

Consultation principles

The principles that government departments and other public bodies should adopt for engaging stakeholders when developing policy and legislation are set out in the consultation principles.

https://www.gov.uk/government/publications/consultation-principles-guidance

Any enquiries regarding this publication should be sent to us at CDTPEngagement@homeoffice.gov.uk.