A breach of data protection

Here is the news. Yep, there’ve been more data breaches…

But we can still learn from them.

Sometimes, no news is good news.

Unfortunately, though, no news doesn’t necessarily mean that nothing’s happened – it can also be a result of someone sitting on what’s happened and staying shtum until, eventually, the truth outs.

Like data breaches, for instance. And, sometimes, surfacing weeks or months later when someone decides that it might perhaps be a good idea to inform those affected and issue a mea culpa.

Data breaches are rarely good. But, positive people that we are here at Databasix, there is a silver lining: we can use examples of what’s gone wrong to help you be more aware of the GDPR pitfalls and how to get things right.

Here are some learning lessons from a few recent, high-profile cases…

Ticketmaster

What happened?                                                                                                                      

A major data breach impacting tens of thousands of people, leaving those affected at risk of fraud or identity theft.

How?                                                                                                                                

Via malicious software on a customer support product hosted by an external third-party processor for Ticketmaster.

This resulted in customers’ personal or payment information (i.e. names, addresses, email addresses, phone numbers, payment details and login details) being harvested by an unknown third-party and, in some cases, leading to fraudulent transactions being debited from their accounts.

When?                                                                                                                           

Going back to February 2018.

When reported?                                                                                                            

June 2018 – although there are suggestions that there was a delay in disclosing the breach after it emerged that some UK banks were aware of the incident and had informed Ticketmaster in early April.

What did we learn?                                                                                                   

That it’s worth checking what security measures your third-party processors have and seeking reassurance that there are no obvious vulnerabilities. Oh, and that it’s worth coming clean and doing the right thing as soon as possible.

Carphone Warehouse

What happened?                                                                                                                      

A massive cyberattack on one of its computer systems putting customer and employee data at risk.

How?                                                                                                                               

As a result of the company’s failure to secure the system properly due to ‘multiple inadequacies’ in its approach to data security and not taking adequate steps to protect personal information.

This allowed a hacker unauthorised access to the personal data of over three million customers and 1,000 employees and included names, addresses, phone numbers, dates of birth and marital status; and, for more than 18,000 customers, historical payment card details.

The records for some of their employees, including name, phone numbers, postcode and car registration were also accessed.

When?                                                                                                                           

2015.

What did we learn?                                                                                            

 That it’s worth routinely testing your technical security measures, assessing your data security systems and ensuring that your software is robust and up to date.

Adidas

What happened?                                                                                                                      

A potential data breach after Adidas issued an alert of a ‘security incident’ where cybercriminals attempted to steal customers’ personal details.

How?                                                                                                                               

Through the possible hacking of contact information, usernames and encrypted passwords on the US version of the website, potentially affecting millions of customers.

When?                                                                                                                           

The end of June 2018.

When reported?                                                                                                            

More or less immediately.

What did we learn?                                                                                                   

That taking immediate steps to investigate the issue, determine its severity and scope and alert relevant customers ensures that you’re tackling things head-on and mitigating against further risks.

Morrisons

What happened?                                                                                                                      

A huge data leak after a disgruntled colleague publicly posted payroll data of nearly 100,000 members of staff.

How?                                                                                                                                

A Morrisons employee and former senior auditor at their head office leaked the data online and sent it to newspapers. It included staff names, addresses, bank account details and their salaries.

When?                                                                                                                           

2014.

What did we learn?                                                                                                   

That despite this breach arising from a trusted employee, the company is still responsible for safeguarding personal data. Therefore, as with these other examples, it’s worth checking that you’re taking appropriate steps to protect your data and have a plan in place to deal with such incidents should they occur (such as getting the data taken down quickly and providing protection for those staff affected).

TSB

What happened?                                                                                                                      

A ginormous customer data breach following an upgrade to its online banking system.

How?                                                                                                                               

Whilst migrating customers onto its new banking platform, some users inadvertently ended up being able to access other users’ accounts, with some seeing their accounts being erroneously credited.

When?                                                                                                                           

April 2018.

What did we learn?                                                                                                    

Again, this again comes down to robustly testing your systems before going live and having a roll-back plan in case system upgrades don't go to plan. Oh, and ensuring that the incident management doesn’t make the situation worse by sending out follow-up letters not only to the wrong people – but containing other customers’ sensitive account information!

And financially, it could have been even worse…

Because each of these breaches occurred before the new GDPR guidelines came into effect at the end of May, they were all subject to sanctions under the former Data Protection Act – along with less stringent fines.

However, don’t let this lull you into a false sense of security… Because, from here on, companies responsible for data breaches will be liable under GDPR regulations and much more financially-punitive measures.

Not convinced? Okay, we’re talking fines of up to €20 million or 4% of your turnover (whichever is greater).

Needing reassurance?

If you could do with the peace of mind of involving us and knowing that you’re ready for anything, get in touch.

And finally, some late breaking news – in the style of The Two Ronnies

We’ve just heard that, in Harwell this evening, a mad squirrel has bitten a hardened cybercriminal… After being given injections and treatment for shock, the squirrel has now been safely returned to its tree.

That’s all we’ve got time for this evening – so it’s goodnight from me.

And it’s goodnight from her.