Data breaches are still a big problem for businesses. Recent examples show that we should never become complacent when it comes to protecting business data.
The GDPR came into force on 25 May 2018, and with it came the threat of much higher fines for those who breach data protection law.
Here is a synopsis of some interesting cases and the lessons that we can learn from them:
1. Tesco Clubcard
In March this year, Tesco had to issue new cards to 600,000 Clubcard account holders after discovering a security issue. The supermarket said it believed a database of usernames and passwords stolen from other platforms had been tried against its websites (a technique known as credential stuffing) and may have worked in some cases. No financial data was accessed and its own systems had not been hacked, it added. Tesco said it had emailed everybody potentially affected, that nobody would lose their points and that new vouchers would be issued.
Lessons learned: A data breach does not only affect the company the data was stolen from. With a large breached list, even one containing just names, email addresses and reused passwords, criminals can cause real damage to entirely unrelated companies. The impact on Tesco customers was limited here, but the wider risk is that criminals replay leaked email and password combinations against other services, where a reused password can unlock accounts that matter far more. The practical defences are to check new and existing passwords against known-breached lists, to rate-limit and monitor for logins that try many different accounts from one source, and to offer or require multi-factor authentication.
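As an added example (not part of the original article, and not Tesco's own code), here is the check a security team would want for the attack described above: a script that scans login records for one source address failing against many different accounts in a short window, and then lists any accounts that same address went on to log into successfully. The log format, the IP addresses and the user names are all constructed for the example.

```python
"""Spot credential stuffing in login records: one source, many accounts.

Constructed example: the log format, IP addresses and user names are invented.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# One line per login attempt: timestamp, source IP, user, OK or FAIL (constructed format)
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.7 walks a leaked list and gets one hit (dave);
# 198.51.100.4 is a real user mistyping their own password; 192.0.2.9 is normal.
SAMPLE_LOG = """\
2020-03-02T10:00:01Z 203.0.113.7 login user=alice@example.com result=FAIL
2020-03-02T10:00:02Z 203.0.113.7 login user=bob@example.com result=FAIL
2020-03-02T10:00:02Z 203.0.113.7 login user=carol@example.com result=FAIL
2020-03-02T10:00:03Z 203.0.113.7 login user=dave@example.com result=OK
2020-03-02T10:00:04Z 203.0.113.7 login user=erin@example.com result=FAIL
2020-03-02T10:00:05Z 203.0.113.7 login user=frank@example.com result=FAIL
2020-03-02T10:00:09Z 198.51.100.4 login user=alice@example.com result=FAIL
2020-03-02T10:00:15Z 198.51.100.4 login user=alice@example.com result=FAIL
2020-03-02T10:00:30Z 198.51.100.4 login user=alice@example.com result=OK
2020-03-02T10:05:00Z 192.0.2.9 login user=grace@example.com result=OK
"""


def parse_events(text):
    """Parse log text into (timestamp, ip, user, result) tuples, skipping other lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect_credential_stuffing(text, window_seconds=60, min_accounts=5):
    """Flag source IPs that fail logins against >= min_accounts distinct users
    inside any window_seconds span. A single user retrying their own password
    never trips this, however many times they fail, because it counts accounts,
    not attempts. Returns {ip: details}; details include accounts the flagged
    IP did log into successfully, which are the ones to reset first.
    """
    by_ip = defaultdict(list)
    for event in parse_events(text):
        by_ip[event[1]].append(event)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        fails = [e for e in events if e[3] == "FAIL"]
        in_window = Counter()   # distinct users with a failure inside the current window
        start = 0
        peak = 0
        for ts, _, user, _ in fails:
            in_window[user] += 1
            # slide the window start forward until it is within window_seconds of ts
            while (ts - fails[start][0]).total_seconds() > window_seconds:
                old_user = fails[start][2]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_accounts:
            findings[ip] = {
                "distinct_failed_accounts": peak,
                "failed_attempts": len(fails),
                "likely_compromised": sorted({e[2] for e in events if e[3] == "OK"}),
            }
    return findings


if __name__ == "__main__":
    for ip, details in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, details)
```

Counting distinct accounts rather than raw failures is what separates a stuffing run from a legitimate user who has forgotten their password. Attackers spread large runs across many addresses, so per-source counting is only the first slice; a sudden rise in the site-wide failure rate, or successes on accounts whose password appears in a breach corpus, should be watched for as well.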
2. Financial Conduct Authority
Back in February, the Financial Conduct Authority (FCA) admitted to accidentally revealing the personal information of about 1,600 people who had complained about it, an embarrassing lapse for the regulator of Britain's banks and investment firms. The FCA had published names, addresses and phone numbers in a document on its website, released in response to a request under the Freedom of Information Act. The FCA said it had referred itself to the Information Commissioner's Office (ICO), which regulates the use of personal data, over the breach. The lapse is particularly embarrassing for the FCA, which fined Tesco Bank £16.4m in 2018 for failing to protect its customers from a cyber attack.
Lessons learned: No organisation is immune to data breaches. Every business carries the risk of human error and lapses of judgement; the job is to minimise that risk, which means making sure all employees have some level of GDPR awareness training, and that anything published in response to a Freedom of Information request is checked for personal data before it goes out, including data that is not visible at first glance, such as hidden spreadsheet columns or document metadata. It also helps to have an expert in the business who can lead internal audits to identify risk and stop data breaches from happening.
3. Recruitment companies using AWS
In October last year, two recruitment companies were found to have exposed more than 200,000 CVs by leaving the cloud storage "buckets" that held them, hosted on Amazon Web Services (AWS) S3, configured as public. Anyone who knew or guessed the bucket address could view and download the CV of anyone who had applied for a job through these firms. The buckets were made private shortly after the firms were notified. Many of the CVs included names, addresses, career histories and phone numbers, all of which are useful to a fraudster. Amazon said that S3 buckets are private by default, so the responsibility for the exposure lay with the companies that changed the settings.
Lessons learned: Check your privacy and security settings, and keep checking them. The responsibility for protecting your business data is yours, not the cloud provider's, which means taking access management and other security controls seriously. Beyond the bucket settings themselves (on AWS, that means a bucket policy and ACL that do not grant access to everyone, and Block Public Access enabled so that nobody can re-open the bucket by mistake), you will also need role-based access control, proper management of access by third parties and contractors, and encryption and data masking for high-risk data. If you have concerns about the security of your data, seek advice from your IT services provider.
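As an added illustration (not from the original article, and not AWS's or the recruitment firms' code), here is a small checker for the three places an S3 bucket can be opened to the world: the bucket policy, the bucket ACL and the Block Public Access settings. The bucket name example-cv-uploads, the IAM role and the account ID 123456789012 are hypothetical, and the weak and corrected configurations are constructed side by side to show the difference.

```python
"""Check whether an S3 bucket is readable by the world.

Constructed example: bucket name, role ARN and account ID are hypothetical.
"""
import json
from fnmatch import fnmatch

# Grantee URIs that mean "everyone" (anonymous) and "any AWS account holder"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# The four Block Public Access switches: two cover the ACL route, two the policy route
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Weak configuration: the shape of a bucket left open to the world (constructed).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                       # everyone, including anonymous
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-cv-uploads/*",
    }],
})
WEAK_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
WEAK_PAB = dict.fromkeys(PAB_KEYS, False)

# Corrected configuration: only the application's role can read, and
# Block Public Access refuses any future public policy or ACL.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/cv-service"},  # hypothetical role
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-cv-uploads/*",
    }],
})
FIXED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
FIXED_PAB = dict.fromkeys(PAB_KEYS, True)


def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """'*' or {"AWS": "*"} both mean any principal, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _allows_object_read(actions):
    """IAM actions are case-insensitive globs: 's3:*', 's3:Get*' and '*' all cover GetObject."""
    return any(fnmatch("s3:getobject", a.lower()) for a in _as_list(actions))


def public_read_statements(policy_json):
    """Return (Sid, kind) for Allow statements that give everyone object read.

    kind is 'public' when unconditional and 'conditional' when a Condition block
    narrows it (e.g. aws:SourceVpc): still worth a review, not automatically safe.
    NotPrincipal / NotAction forms are not handled here and need a manual look.
    """
    policy = json.loads(policy_json)
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if not _allows_object_read(stmt.get("Action", [])):
            continue
        kind = "conditional" if stmt.get("Condition") else "public"
        hits.append((stmt.get("Sid", "<no Sid>"), kind))
    return hits


def acl_public_grants(acl):
    """Permissions granted through the ACL to the anonymous or any-AWS-user groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTHENTICATED_USERS)]


def public_access_block_enforced(config):
    """All four Block Public Access switches must be on to close both routes."""
    return all(config.get(k) is True for k in PAB_KEYS)


def assess_bucket(policy_json, acl, public_access_block):
    """Combine the three checks into a list of findings (empty means nothing found)."""
    findings = []
    for sid, kind in public_read_statements(policy_json):
        findings.append(f"policy statement {sid} grants {kind} object read to everyone")
    for permission in acl_public_grants(acl):
        findings.append(f"ACL grants {permission} to an anonymous/any-AWS-user group")
    if not public_access_block_enforced(public_access_block):
        findings.append("Block Public Access is not fully enabled")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", (WEAK_POLICY, WEAK_ACL, WEAK_PAB)),
                       ("fixed", (FIXED_POLICY, FIXED_ACL, FIXED_PAB))):
        print(label, assess_bucket(*cfg) or ["no public access found"])
```

The dictionaries follow the shapes that `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` return (the policy document string, the Grants list and the PublicAccessBlockConfiguration), so the same functions can be pointed at real output. The checker is deliberately conservative: a conditional public-read statement is reported for review rather than treated as safe, and a bucket only passes when the policy, the ACL and all four Block Public Access switches are clean.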
4. British Airways
Think back a couple of years to the breach of British Airways' systems. The penalty announced against BA was the first to be made public under the new rules, which make it mandatory to report personal data breaches to the ICO, and it was eye-watering: a notice of intent to fine the airline £183m. The breach happened after users of British Airways' website were diverted to a fraudulent site, through which the attackers harvested the details of about 500,000 customers. BA first disclosed the breach on 6 September 2018, initially saying that around 380,000 transactions were affected but that the stolen data did not include travel or passport details. At the time, BA described it as a "sophisticated, malicious criminal attack" on its website; the ICO said a variety of information was "compromised" by inadequate security arrangements.
Lessons learned: Huge fines are not the only thing to worry about. Under GDPR, supervisory authorities must take corrective action against non-compliance, which means fines and public disclosure of the breach. That publicity can be severely damaging to an organisation's reputation, and brand damage adds to the hit on the bottom line.
How to reduce the risks
In summary, there are a few key actions you can take to reduce the risk of data breaches:
- Ensure your board prioritises and takes responsibility for security.
- Roll out GDPR awareness training to all employees. Everybody should understand data subjects' rights and your business's responsibilities as a data controller or processor.
- Appoint an expert in your business who understands the legal and regulatory requirements around data protection.
- Carry out internal audits to determine and mitigate the risks of data breaches.
- Put data protection policies, procedures and best practices in place.
- If you’re concerned about the data security aspect of your IT services, seek advice from your IT services provider.