Week after week, media outlets report on large companies failing to disclose old breaches, suffering new ones or refusing to explain the circumstances surrounding a breach of data. Each of these scenarios carries different circumstances for the individual company concerned, and each has implications for customers and raises questions about the regulatory framework.
Over the past week we’ve seen both Dixons, a large tech company, and Reddit, one of the large online communities, disclose data breaches to the public. Below Lawyer Monthly has collated the latest comments and opinions on these breaches, with some insight into the ongoing conundrum of cybersecurity worldwide.
Gareth Oldale, Partner, Sharpe Pritchard:
The fact that 9 million more people than were originally envisaged have been impacted by the Dixons Carphone data breach only serves to increase the severity of the breach, and so increase the likelihood of even more stringent action being taken by the ICO. The number of data subjects impacted is one of the criteria that the ICO will consider when determining the level of any fines it issues.
It appears (although it has not yet been confirmed) that this breach will be investigated under the “old” data protection regime, as the breach occurred before the GDPR came into force on 25 May. If this is the case, then the maximum fine that could be issued by the ICO would be £500,000 (as opposed to €20 million or 4% of Dixons Carphone’s annual worldwide turnover, whichever is the greater, under the GDPR). Accepting that there is a different upper limit of the fine, the fact that nearly ten times as many people as originally envisaged have been impacted will almost certainly mean that this would be one factor leading towards a higher fine. On the other hand, the fact that Dixons Carphone appears to have taken steps to seek to remedy the data breach very quickly, and appears to be engaging pro-actively with the ICO, will count in its favour. Still the most damning feature of this breach, however, is the fact that it follows so soon after another quite similar breach by the same corporate group in which the company was issued with a then-record fine of £400,000.
If individuals have suffered damage as a result of the data breach, then they may be entitled to receive compensation from Dixons Carphone. It is still too early to say if such a claim for compensation would be likely to be successful, but it is certainly an area which privacy activists and consumer rights groups are watching carefully.
The ICO has seen a huge increase in the number of data breaches being reported since the introduction of the GDPR. Some of those are very benign, low risk and low impact, meaning that no formal enforcement action or fines are required. For the more serious breaches, such as this one by Dixons Carphone, however, we can expect to see the ICO using the tools available to it under the GDPR to protect the rights of data subjects and seek to encourage better privacy practices and fewer data breaches moving forwards.
Matt Middleton-Leal, general manager, EMEA, Netwrix:
Dixons’ breach is a classic example of an organisation that simply did not have sufficient visibility into its IT infrastructure, and by extension its most important asset: in this case, its customers’ confidential data. I would implore all organisations to ensure that they can track in an automated fashion all confidential data and who has access to it within the company. The faster that an organisation can detect, investigate and stop an attack in its tracks, the better its chances of preventing damage and avoiding significant financial penalties in the era of GDPR.
Unfortunately, what secured us yesterday does not seem to be securing us today; industry must take a security from the inside-out approach. We must learn from mistakes and keep security strategies up to date as users, business needs and IT infrastructures change in order to safeguard organisations and the data they’re entrusted with.
Reddit’s data breach appears to have occurred due to the inadequate protection of employee credentials. One can only assume that the insider accounts that were hijacked in this case were legitimate; it’s a cause for significant concern that this failed to raise any internal alarms before data was stolen.
Unfortunately, this is just the latest in a long line of attacks where external attackers have become de facto insiders using stolen credentials, allowing them to hide in plain sight within a network. It is essential that organisations have full visibility into their IT infrastructure, enabling them to spot potentially suspicious activity in real-time and intervene before sensitive data and systems are compromised. Without this level of control – including ensuring that users’ credentials are recorded and appropriate to their role – these kinds of breaches are set to continue.
Andrew Bushby, UK Director, Fidelis Cybersecurity:
Initial reports suggested that Dixons’ breach took quite some time to detect and mitigate, and now we’re being told that an additional nine million customers were impacted. With GDPR’s safeguarding and notification requirements, organisations really need to be on top of their game with cybersecurity, so it’s rather unfortunate that such a huge discrepancy can exist.
This is a classic visibility problem that organisations everywhere can and must learn from. With the sophistication and persistence of today’s cybercriminals, security teams need to have real visibility of what’s happening to their systems at all times, providing the ability to proactively find the unknown threats, and not just in the aftermath of an attack. With this incident already being investigated by the ICO, it will be interesting to see how this error affects the final outcome – particularly with network defence being such a critical aspect of GDPR. Questions will no doubt be asked about the security measures around the data before the breach, and why so many impacted customers were missed at the time of notification.
Reddit’s is a concerning response to a data breach, as the onus has been placed on the user to first determine if they were impacted and then to evaluate the potential repercussions themselves. It’s surprising to see an organisation dismiss its duty of care in such a public way – particularly one whose reputation as a safe haven for anonymous opinions has now been jeopardised. What’s more, if European citizens were in fact impacted, it could pose a real GDPR conundrum for the organisation.
Broadly, this incident shines a light on the need for more robust, layered security measures around sensitive data. Network intrusions are now inevitable, but it’s what happens next that can really make or break an organisation. With the sophistication and persistence of today’s cybercriminals, security teams need to have real visibility of what’s happening to their systems at all times, providing the ability to proactively find unknown threats, and not just in the aftermath of an attack. Serious questions must be asked about the security measures around the data, Reddit’s reluctance to properly notify affected users and the overall response by its spokespeople.
Nigel Jones, former Head of Legal for Google and Founder, The Privacy Compliance Hub:
Dixons Carphone said that the data breach that was reported back in June affected 10 million of its customers rather than the 1.2 million it originally estimated. What will now be interesting is how the breach will be dealt with by the regulator. The regulator (the ICO) commented back in June that it was looking at whether the breach would be covered by the 1998 or 2018 Data Protection Acts. This is important as the level of fines that can be imposed under each Act is very different.
Under the 1998 Act, the maximum fine is £500,000 (which is the amount the ICO has notified Facebook that it intends to levy for the Cambridge Analytica breach). Under the 2018 Act, the maximum fine is 4% of turnover which could be an eyewateringly large sum. Dixons Carphone has got on the front foot by saying that there is no evidence of any fraud, but its shareholders will be hoping that the ICO do not use this breach as a test case for its increased regulatory powers. They will also be hoping that the 10 million customers affected by this breach don’t jump ship to another provider, or bring legal actions of their own.
Ross Brewer, VP & MD EMEA, LogRhythm:
It may call itself the ‘front page of the internet’ but ‘front page of the news’ is probably more relevant today. Disclosing a data breach often goes hand-in-hand with disclosing the scale and telling those affected, but Reddit has decided that it won’t be doing that. Instead, it has advised any users who are concerned to check their own inboxes for any unusual activity between 3rd and 17th June, the period in which the hack took place. That’s not a great response. Any company that leaves customers vulnerable shouldn’t then expect them to investigate themselves. Moreover, if any European citizens are caught up in the breach, it’s in breach of GDPR.
Hackers were able to gain access to databases by intercepting the text messages sent as part of Reddit’s two-factor authentication measures. They got their hands on employee credentials, which were then used to access two databases of user data – one of which contained usernames and email addresses relied on for the company’s ‘email digest’ function.
This breach reinforces that businesses must be doing more to protect all sensitive data. Two-factor authentication can’t be the sole measure; it needs to be a part of a wider cybersecurity setup. This means automated detection through tools such as NextGen SIEM and User and Entity Behaviour Analytics (UEBA), which can quickly flag anomalous activity so that potential threats are shut down from the outset.