Data Security During The Coronavirus Crisis – The Lessons Behind The Breaches – Privacy

As the pandemic continues to threaten our health, our economy
and our world as we know it, a more covert threat is rapidly
increasing in our digital world: cyber-attacks. In the current
climate, for many of us the only option is to use digital technology
to work remotely, order our groceries and connect with others
virtually. Hackers are quickly exploiting our increased reliance on
online services and the fact that we are now interacting with our
colleagues over new mediums, with cyber-attacks reportedly up by
37% over the last month. Now more than ever is the time to take
cybersecurity seriously.

Over the past year, we’ve seen the UK’s data protection
regulator (the ICO) crack down on organisations’ poor security
measures. Insufficient security has led to a concerning amount of
employee and customer personal data being compromised, and to serious
reputational and financial damage for the organisations involved.
Some of the breaches took place pre-GDPR, so the old fine limit of
£500,000 applied. Data protection law requires organisations
to have appropriate security measures and robust procedures in
place to prevent the personal data they hold from being deliberately
or accidentally compromised. Looking at the ICO’s recent fines, we
can understand what is considered “poor security” in the
eyes of the regulator.

Organisation: Cathay Pacific (Hong Kong’s national airline)
Date: March 2020
Fine: £500,000 (maximum amount under the old Data Protection Act
1998)
Data breach: Failing to secure its systems led to customers’
personal data being compromised.
Types of personal data: Names, passport and identity details, dates
of birth, postal and email addresses, phone numbers and historic
travel information.
Security inadequacies:
  o Unencrypted database backups;
  o Lack of multi-factor authentication for users;
  o Inappropriate access levels for user accounts; and
  o Inadequate anti-virus protection, penetration testing and
    patch management.
Other comments: Important factors in the ICO’s decision to impose
the maximum penalty were:
  o Number of individuals affected (9.4 million);
  o Duration of the breach (3 years, 7 months), meaning there were
    not adequate measures in place to spot the breach earlier; and
  o The types of personal data compromised (passport and identity
    details) were susceptible to social engineering, phishing
    attacks and potential fraud.

Organisation: DSG Retail (owner of Dixons and Currys PC World)
Date: January 2020
Fine: £500,000 (maximum amount under the old Data Protection Act
1998)
Data breach: Failing to secure its systems, leading to a security
breach in which malware was installed on its point of sale (POS)
terminals at a number of stores, compromising customers’ personal
data.
Types of personal data: Names, postcodes, email addresses, failed
credit card checks and payment card details.
Security inadequacies:
  o The POS systems were not segregated from the wider corporate
    network;
  o No local firewall was implemented on the POS terminals;
  o Software patching was inadequate;
  o Vulnerability scanning was infrequent; and
  o POS software was outdated.
Other comments: Important factors in the ICO’s decision to impose
the maximum penalty were:
  o Number of individuals affected (14 million);
  o As a retailer processing customers’ payment card
    information, DSG was required to, but failed to, comply with
    the Payment Card Industry Data Security Standard; and
  o DSG did not expedite its security remediation plan following
    the serious issues flagged by an external information security
    assessment some 12 months earlier.

Organisation: Marriott (read about our thoughts on this here)
Date: July 2019
Fine: £99 million (intention to fine under the GDPR)
Data breach: Failing to undertake appropriate due diligence during
the acquisition in relation to Starwood Hotels’ guest reservation
system, which was compromised and exposed guests’ personal data.
Types of personal data: Names, postal and email addresses, phone
numbers, passport numbers, account information, dates of birth,
genders, arrival and departure information.
Security inadequacies:
  o Starwood Hotels’ legacy guest reservation system had not
    been migrated to Marriott’s reservation system;
  o Lack of defence in depth allowed attackers to access the
    systems for years after the breach;
  o Lack of protection over administrator accounts;
  o Failure to segregate: credit card numbers were stored in
    encrypted form, but the encryption keys were stored on the same
    server; and
  o Some passport numbers were not encrypted.
Other comments: Important factors in the ICO’s initial decision
were:
  o Number of individuals affected (339 million); and
  o The exposure of customer personal data was not identified
    until four years after the breach.
Marriott is appealing the fine and the ICO has delayed issuing
its final monetary penalty notice until June 2020.

Organisation: British Airways (read about our thoughts on this here)
Date: July 2019
Fine: £183 million (intention to fine under the GDPR)
Data breach: Failure to secure its systems, which led to user
traffic to the BA website being diverted to a fraudulent site and
customers’ personal details being compromised.
Types of personal data: Names, addresses, log-in details, payment
card details, travel booking details.
Security inadequacies:
  o Failure to update JavaScript;
  o Failure to identify a well-known and preventable security
    vulnerability;
  o Lack of effective monitoring of potential vulnerabilities;
  o Failure to segregate payment data from third parties; and
  o Failure to audit the website and conduct risk assessments.
Other comments: Important factors in the ICO’s initial decision
were:
  o Number of individuals affected (500,000); and
  o BA made improvements to its security arrangements after
    discovering the breach.
British Airways is appealing the fine and the ICO has delayed
issuing its final monetary penalty notice until May 2020.

So what can we learn from these breaches?

With cyber-attacks more prevalent than ever in this increasingly
digital world, we recommend that organisations make cybersecurity a
priority and consider the following key tips:

  1. Start with the basics

The GDPR requires organisations to take “appropriate
technical and organisational measures” to protect
individuals’ personal data. But how can organisations determine
what is “appropriate” security? There is no
one-size-fits-all approach when it comes to information security,
and organisations will be expected to consider the size of their
network and information systems, the amount and type of personal
data held, the costs of implementing the security measures and the
state of technological developments (i.e. what is deemed
appropriate at that particular time, given the developments in
technology). The Cyber Information Sharing Partnership scheme is a
useful way of sharing threat information, and useful tools or
processes for combating threats, with other industry participants.

However, it is clear that the regulator will look at the
established frameworks and guidance provided by expert bodies, such
as the UK’s National Cyber Security Centre (“NCSC”).
The NCSC sets out five key principles which it calls its
“Cyber Essentials” which can be implemented to
immediately strengthen an organisation’s cyber security:

  • Use a firewall to secure your internet connection;

  • Choose the most secure settings for your devices and
    software;

  • Control who has access to your data and service;

  • Protect yourself from viruses and other malware; and

  • Keep your devices and software up to date.

  2. Comply with industry specific security standards

The ICO considers the above Cyber Essentials to be the most basic
set of security measures that all organisations should have in
place, and will criticise those organisations that fail to meet the
fundamental principles of data security. The Cyber Essentials
certification scheme (essentially an annual cyber MOT) does provide
a useful starting point in highlighting basic areas of
non-compliance. However, many organisations will need to consider
the higher level of security required by industry-specific security
standards, such as the ISO 27000 series of standards or the PCI DSS
(for payment card information). Both DSG and Cathay Pacific argued
that the ICO imposed unjustifiably high standards of data security
by reference to industry norms at the relevant time, and that the
identified security inadequacies were isolated incidences in
otherwise robust systems.

The obligation to invest in potentially very expensive security
measures that are beyond what is required in a particular industry
sector is likely to put pressure on the boards of companies,
particularly in this uncertain economic climate. However, the ICO
does expect large organisations to step up their game in relation
to their cybersecurity as they will “lead by example” for
other smaller businesses. The financial burden of implementing
appropriate security measures is likely to be an important
consideration for organisations during this time.

  3. Address the issue now rather than later

If you identify a critical security inadequacy or threat in your
systems (particularly those systems holding customer or employee
personal data), you must act on remediating this threat quickly.
The ICO has criticised organisations for failing to take action
quickly enough in response to identified security threats.
Importantly, this may be an aggravating factor in the ICO imposing
a high penalty as seen with DSG’s wilful decision to ignore the
critical vulnerabilities identified by an external assessment and
Cathay Pacific’s negligence in failing to follow its own
policies. Both DSG and Cathay Pacific were fined under the old data
protection regime where the maximum fine was £500,000. It is
likely that if both security breaches occurred during the current
GDPR regime, the fines would be significantly higher.

This is a useful reminder for all organisations to act quickly
on any identified security issues, be prepared to disclose security
audit reports, and document a clear security remediation plan to
demonstrate to the regulator that the organisation is being
proactive and prioritising its security infrastructure. Whilst the
ICO has made it clear that, during the current pandemic, it
understands that strains on both financial and human resources may
result in understandable delays to data subject request responses,
it has emphasised that security standards must not be
compromised.

  4. Consider the responsibilities that sit with the supply chain

Post-GDPR, processors can now be found culpable for failing to
comply with the GDPR, although the extent to which the ICO has
investigated processors providing the underlying infrastructure or
otherwise processing data has been limited. The focus seems to remain
on the controllers. Controllers always look to mitigate the risks from
the supply chain by imposing information security standards and
contractual indemnities in their contracts with processors so that, in
the event a failure by the processor causes a controller to incur
losses, it can recover these sums from the processor. It is
unlikely that cyber insurance will cover regulatory fines for data
breaches. Organisations will also struggle to pass on the liability
for such fines to their processors by way of indemnity or damages
claims, as it is likely to prove difficult for an organisation to
demonstrate that it is entirely blameless for the actions of its
processors, given that controllers have an obligation to carry out
sufficient due diligence on the processors they appoint. Careful
consideration should be given to how things are now operating
during the Covid-19 lockdown or the ongoing requirement to work
from home, particularly where new systems or processors are being
used (such as video conferencing via Zoom or Microsoft Teams).
Organisations implementing new technology during lockdown should
ensure this new processing activity is covered by the
organisation’s existing policies and that sufficient due diligence
is conducted in relation to any new processors in order to mitigate
any potential security risks. Industry or company security
standards may now also be impossible to comply with as envisaged in
a contract, and companies should consider whether other requirements
should now be imposed on processors, or processes adapted, to
minimise the risk of a data breach.

  5. Looking beyond the fines

Crucially, it’s important for organisations to remember that
the biggest hit may not be a fine from the ICO. This may be trumped
by the loss of consumer trust and reputational damage. Indeed, the
parent company of British Airways, IAG, suffered a drop in
its share price immediately following the ICO’s announcement of
its first intention to fine under the GDPR.

An organisation’s response to a security breach is vital, as
being proactive and engaging with affected customers appropriately
following the breach can be a mitigating factor in the ICO’s
decision to fine. It will also help to demonstrate that building up
consumer trust is the organisation’s priority. With the
increase in recent data breach class actions (such as the one British
Airways is currently facing), the resolution of a security breach is
more important than ever.

For detailed information about how your organisation can
implement effective cybersecurity measures, see our Cybersecurity Toolkit.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
