As the pandemic continues to threaten our health, our economy and our world as we know it, a more covert threat is rapidly increasing in our digital world: cyber-attacks. In the current climate, for many of us the only option is to use digital technology to work remotely, order our groceries and connect with others virtually. Attackers are quickly exploiting our increased reliance on online services and the fact that we are now interacting with colleagues over new mediums, with cyber-attacks reportedly up by 37% over the last month. Now more than ever is the time to take cybersecurity seriously.

Over the past year, we've seen the UK's data protection regulator (the ICO) crack down on organisations' poor security measures. Insufficient security has led to a concerning amount of employee and customer personal data being compromised, and to serious reputational and financial damage for the organisations involved. Some of the breaches took place pre-GDPR, so the old fine limit of £500,000 applied. Data protection law requires organisations to have appropriate security measures and robust procedures in place to prevent the personal data they hold being deliberately or accidentally compromised. Looking at the ICO's recent fines, we can understand what is considered "poor security" in the eyes of the regulator.

Organisation: Cathay Pacific (Hong Kong's flag carrier)

Date: March 2020

Fine: £500,000 (the maximum amount under the old Data Protection Act 1998)

Data breach: Failing to secure its systems led to customers' personal data being compromised.

Types of personal data: Names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historic travel information.

Security inadequacies:

o Unencrypted database backups;

o Lack of multi-factor authentication for users;

o Inappropriate access levels for user accounts; and

o Inadequate anti-virus protection, penetration testing and patch management.

Other comments: Important factors in the ICO's decision to impose the maximum penalty were:

o Number of individuals affected (9.4 million);

o Duration of the breach (3 years, 7 months), meaning there were no adequate measures in place to spot the breach earlier; and

o The types of personal data compromised (passport and identity details) left individuals exposed to social engineering, phishing attacks and potential fraud.

Organisation: DSG Retail (owner of Dixons and Currys PC World)

Date: January 2020

Fine: £500,000 (the maximum amount under the old Data Protection Act 1998)

Data breach: Failing to secure its systems, leading to a security breach in which malware was installed on its point of sale (POS) terminals at a number of stores and customers' personal data was compromised.

Types of personal data: Names, postcodes, email addresses, failed credit card checks and payment card details.

Security inadequacies:

o The POS systems were not segregated from the wider corporate network;

o No local firewall was implemented on the POS terminals;

o Software patching was inadequate;

o Vulnerability scanning was infrequent; and

o POS software was outdated.

Other comments: Important factors in the ICO's decision to impose the maximum penalty were:

o Number of individuals affected (14 million);

o As a retailer processing customers' payment card information, DSG was required to, but failed to, comply with the Payment Card Industry Data Security Standard (PCI DSS); and

o DSG did not expedite its security remediation plan following the serious issues flagged by an external information security assessment some 12 months earlier.

Organisation: Marriott (read about our thoughts on this here)

Date: July 2019

Fine: £99 million (notice of intention to fine under the GDPR)

Data breach: Failing to undertake appropriate due diligence during its acquisition of Starwood Hotels in relation to Starwood's guest reservation system, which had been compromised and exposed guests' personal data.

Types of personal data: Names, postal and email addresses, phone numbers, passport numbers, account information, dates of birth, genders, arrival and departure information.

Security inadequacies:

o Starwood Hotels' legacy guest reservation system had not been migrated to Marriott's reservation system;

o Lack of defence in depth allowed attackers to retain access to the systems for years after the initial compromise;

o Lack of protection over administrator accounts;

o Failure to segregate: credit card numbers were stored in encrypted form, but the encryption keys were stored on the same server; and

o Some passport numbers were not encrypted.

Other comments: Important factors in the ICO's initial decision were:

o Number of individuals affected (339 million); and

o The exposure of customer personal data was not identified until four years after the breach.

Marriott is appealing the fine and the ICO has delayed issuing its final monetary penalty notice until June 2020.

Organisation: British Airways (read about our thoughts on this here)

Date: July 2019

Fine: £183 million (notice of intention to fine under the GDPR)

Data breach: Failure to secure its systems, which led to user traffic to the BA website being diverted to a fraudulent site and customers' personal details being compromised.

Types of personal data: Names, addresses, log-in details, payment card details, travel booking details.

Security inadequacies:

o Failure to update JavaScript;

o Failure to identify a well-known and preventable security vulnerability;

o Lack of effective monitoring for potential vulnerabilities;

o Failure to segregate payment data from third parties; and

o Failure to audit the website and conduct risk assessments.

Other comments: Important factors in the ICO's initial decision were:

o Number of individuals affected (500,000); and

o BA made improvements to its security arrangements after discovering the breach (a mitigating factor).

British Airways is appealing the fine and the ICO has delayed issuing its final monetary penalty notice until May 2020.

So what can we learn from these breaches?

With cyber-attacks more prevalent than ever in this increasingly digital world, we recommend that organisations make cybersecurity a priority and consider the following key tips:

  1. Start with the basics

The GDPR requires organisations to take "appropriate technical and organisational measures" to protect individuals' personal data. But how can organisations determine what is "appropriate" security? There is no one-size-fits-all approach to information security, and organisations will be expected to consider the size of their network and information systems, the amount and type of personal data held, the costs of implementing the security measures and the state of the art (i.e. what is deemed appropriate at that particular time given the developments in technology). The Cyber Security Information Sharing Partnership (CiSP) is a useful way of sharing threat information, and the tools or processes used to combat threats, with other industry participants.

However, it is clear that the regulator will look at the established frameworks and guidance provided by expert bodies, such as the UK's National Cyber Security Centre ("NCSC"). The NCSC's Cyber Essentials scheme sets out five technical controls which can be implemented to immediately strengthen an organisation's cyber security:

  • Use a firewall to secure your internet connection;
  • Choose the most secure settings for your devices and software;
  • Control who has access to your data and service;
  • Protect yourself from viruses and other malware; and
  • Keep your devices and software up to date.

  2. Comply with industry-specific security standards

The ICO considers the Cyber Essentials controls above to be the most basic set of security measures that all organisations should have in place, and will criticise organisations that fail to meet these fundamental principles of data security. The Cyber Essentials certification scheme (essentially an annual cyber MOT) provides a useful starting point for highlighting basic areas of non-compliance. However, many organisations will need to consider the higher level of security required by industry-specific standards, such as the ISO 27000 series or the PCI DSS (for payment card information). Both DSG and Cathay Pacific argued that the ICO had imposed unjustifiably high standards of data security by reference to industry norms at the relevant time, and that the identified security inadequacies were isolated incidents in otherwise robust systems.

The obligation to invest in potentially very expensive security measures that go beyond what is required in a particular industry sector is likely to put pressure on company boards, particularly in this uncertain economic climate. However, the ICO does expect large organisations to step up their cybersecurity, as they "lead by example" for smaller businesses. The financial burden of implementing appropriate security measures is likely to be an important consideration for organisations during this time.

  3. Address the issue now rather than later

If you identify a critical security inadequacy or threat in your systems (particularly those holding customer or employee personal data), you must act quickly to remediate it. The ICO has criticised organisations for failing to respond quickly enough to identified security threats. Importantly, this may be an aggravating factor leading the ICO to impose a higher penalty, as seen with DSG's decision to ignore the critical vulnerabilities identified by an external assessment and Cathay Pacific's failure to follow its own policies. Both DSG and Cathay Pacific were fined under the old data protection regime, where the maximum fine was £500,000. Had both security breaches occurred under the current GDPR regime, the fines would likely have been significantly higher.

This is a useful reminder for all organisations to act quickly on any identified security issues, to be prepared to disclose security audit reports, and to document a clear security remediation plan that demonstrates to the regulator that the organisation is being proactive and prioritising its security infrastructure. Whilst the ICO has made it clear that, during the current pandemic, strains on both financial and human resources may result in understandable delays to data subject request responses, it has emphasised that security standards must not be compromised.

  4. Consider the responsibilities that sit with the supply chain

Under the GDPR, processors can now be held directly liable for failing to comply with the Regulation, although the extent to which the ICO has investigated processors providing the underlying infrastructure or otherwise processing personal data has been limited. The focus seems to remain on controllers. Controllers typically look to mitigate supply-chain risk by imposing information security standards and contractual indemnities in their contracts with processors so that, if a failure by the processor causes the controller to incur losses, it can recover those sums from the processor. It is unlikely that cyber insurance will cover regulatory fines for data breaches. Organisations will also struggle to pass on liability for such fines to their processors by way of indemnity or damages claims, as it is likely to be difficult for an organisation to demonstrate that it is entirely blameless for the actions of its processors: controllers have an obligation to carry out sufficient due diligence on the processors they appoint.

Careful consideration should be given to how things are now operating during the Covid-19 lockdown, or under the ongoing requirement to work from home, particularly where new systems or processors are being used (such as video conferencing via Zoom or Microsoft Teams). Organisations implementing new technology during lockdown should ensure that this new processing activity is covered by their existing policies and that sufficient due diligence is conducted on any new processors in order to mitigate potential security risks. Industry or company security standards may now also be impossible to comply with as envisaged in a contract, and companies should consider whether other requirements should be imposed on processors, or processes adapted, to minimise the risk of a data breach.

  5. Looking beyond the fines

Crucially, organisations should remember that the biggest hit may not be a fine from the ICO. This may be trumped by the loss of consumer trust and reputational damage. Indeed, the parent company of British Airways, International Airlines Group (IAG), suffered a drop in its share price immediately following the ICO's announcement of its first intention to fine under the GDPR.

An organisation's response to a security breach is vital: being proactive and engaging appropriately with affected customers following the breach can be a mitigating factor in the ICO's decision to fine. It will also help to demonstrate that rebuilding consumer trust is the organisation's priority. With the increase in recent data breach class actions (such as the one British Airways is currently facing), how a security breach is resolved is more important than ever.

For detailed information about how your organisation can implement effective cybersecurity measures, see our Cybersecurity Toolkit.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.