GDPR Breach: Ready, Get-Set, Go!
July 2018 by Colin Tankard, Managing Director Digital Pathways
So here we go: GDPR has been in force for just under two months and already two well-known brands have been caught in its net.
Luxury retailer Fortnum & Mason has detailed the loss of some 23,000 customer records, including the email addresses, telephone numbers and delivery addresses of customers who filled out a survey or took part in an online competition.
Fortnum had used Typeform, which specialises in creating such surveys, to build these forms. It was Typeform that discovered an unknown third party had gained access to its server and downloaded the data.
And Travelodge has announced that the personal details of 180,000 of its clients were taken, including dates of birth, passport numbers and billing information.
As a result, and under the new GDPR regulations (disclosure within 72 hours of a breach), both companies have been forced to contact each person whose data was lost. All of those people will need to change details such as passwords and will need to monitor their personal credit rating closely, as well as any bank accounts and credit card statements, for indications of ID fraud.
Colin Tankard, Managing Director of data security company Digital Pathways, suggests that this level of diligence should go on for a couple of years. Stolen data could be held for such a period until the ‘heat goes down’ and those affected have forgotten about their details being taken; then the hackers strike.
“If both of these brands had encrypted their data, they would not need to contact each customer as, under GDPR, if the data is encrypted, it is only the Information Commissioner’s Office (ICO) who needs to be advised, as the encryption protects the data from being read.
“Data discovery tools can locate any sensitive data which has been created and stored within a network, even on backup tapes. And such tools make a subject access request simple, as the name of the requester is used for the search and any relevant data is tagged and its location identified.
Already, it seems that many companies are being ‘hit’ with requests regarding the use of personal information, putting huge strain on company resources. No surprise here as far as Tankard is concerned, but he does find it hard to believe that after months of pre-GDPR consultancy work and reports on what needs to be done, companies have not installed technology that would solve these problems.
“Companies must automatically move any personally identifiable data to a secure location where encryption is applied,” he adds.
“It seems a ‘no brainer’ to me to do this, rather than face a huge fine, high costs of managing and notifying thousands of people, as well as handling their subsequent questions, the public disclosure and the bad press.
“Perhaps I’m missing something!”