2018 data hacks. Lessons businesses must learn

Over the last 12 months, cyber-attacks and data breaches have rarely been out of the headlines. And this is understandably causing concern for business owners, IT heads and security managers. Not least because, with the introduction of the GDPR and the Data Protection Act 2018, UK businesses now face a major expansion of liability claims.

Here are some of the most significant data leaks we have all been talking about this year, with some advice on the lessons to be learned.

Ticketmaster

In June 2018, Ticketmaster UK identified malicious software on a customer support product hosted by an external third-party supplier. Following the breach, Ticketmaster admitted that the data of thousands of UK customers had been accessed. This included a number of customers’ personal and financial details.

In this case, the situation was made worse for Ticketmaster after it was revealed that challenger bank Monzo warned the company about a potential hack some two months previously. However, Ticketmaster dismissed the warnings and failed to act. This failure to address Monzo’s apprehensions demonstrates how cyber security must become an executive-level issue and be treated accordingly. Likewise, the Ticketmaster case highlights the importance of choosing the vendors you work with carefully. You simply must make security controls a key part of any service level agreement.

Equifax

The Equifax data breach might have started in 2017, but it continued to feature in the headlines throughout 2018. An ICO investigation, carried out in parallel with the Financial Conduct Authority, revealed multiple failures at the credit reference agency. And, as a result, Equifax has now been fined £500,000.

Equifax failed to properly update and patch its computer systems and, because of this, was unable to detect any vulnerability. Likewise, even when Equifax did discover the weakness in late June, access was not cut off until the very end of July.

So, following the data breach investigation, there are some vital lessons businesses across the UK need to learn to ensure they don’t meet a similar fate. Not least the need for comprehensive internal policies, regular penetration testing, prompt attention to updates and patches, ongoing maintenance of cyber security systems, and swift response protocols.

British Airways

Initially, it was revealed that almost 400,000 British Airways customers had had their personal and bank/credit card details stolen in what was reported to be one of the most severe cyber-attacks in UK history. Worryingly, it took over two weeks before the data breach was detected by the airline. In response, questions were asked as to whether poor systems made this cyber-attack worse.

When investigating this case, a second data breach was also uncovered. In this instance, 77,000 people had their names, addresses, email addresses and detailed payment information taken. This included card numbers, expiry dates, and card verification value (CVV) numbers. And, a further 108,000 people had their personal details stolen.

One of the key takeaways from this data breach case is the need to keep your web platforms up-to-date. When the latest version is not in use, hackers can manipulate weak spots in the code to carry out malicious activities. Likewise, it’s vital to increase monitoring across websites and apps to defend against these types of attacks.

Facebook

Earlier this year, a whistle-blower revealed how Facebook data was illegally harvested and used to influence the US Presidential election. The violation occurred when Cambridge Analytica targeted users with political messaging after obtaining data from the social media platform. Questions were raised over whether this data was also used to influence the outcome of the Brexit referendum.

Again, the crucial takeaway here is that organisations must inspect third-party applications closely, analyse any integrations with their data, and assess any potential implications for security.

Dixons Carphone

The Dixons (Carphone Warehouse) data breach took place in 2017 and resulted in 10 million customer records being accessed from Currys PC World and Dixons Travel stores. The details stolen by cybercriminals include names, addresses, phone numbers, dates of birth, and email addresses, all of which can be used to commit further crimes. The hackers also got access to the records of 5.9 million payment cards (nearly all of which were protected by chip and PIN).

Again, while this case took place in 2017, the ramifications have continued into this year.

This Dixons Carphone breach underlines how vital it is that businesses arm themselves against threats. And the good news is that there are some simple steps that can reduce your exposure to attack.

For example:

  • Review your data and security processes. Once you know what you are dealing with, you can then document the controls you have in place and evaluate any potential risks.
  • Establish where improvements are needed. By undertaking a review, it should be easy to see where improvements need to be made to comply with regulations and industry standards.
  • Undertake training. Carry out training to ensure your staff are aware of how important data protection is. Particularly as, according to the Information Commissioner’s Office (ICO), accidental disclosure or human error is a leading cause of personal data breaches.
  • Put robust reporting mechanisms in place. While a data hack is a massive blow to any company, the decision not to report cyber violations will only make matters worse.

If your business does become the victim of a cyber-attack, you will be held accountable for any failures in your processes and systems. So the more you can do to show that you take your data protection responsibilities seriously the better.

But don’t leave it until a breach occurs to protect your business. At Hayes Connor Law, we help companies, in-house legal teams and other organisations to meet their data protection obligations. Providing advice and support on compliance, data breaches, defamation and cybercrime, we have all the expertise and experience you need to reduce your exposure to risk.

Leading our field when it comes to understanding this often complex area of law, our expert, pragmatic legal advice ensures the highest quality outcome – both in terms of results and service delivered.
