GDPR mistakes so far
It’s been just over one month since the General Data Protection Regulation (GDPR) came into force, but already some businesses have fallen foul of the new legislation. Since May 25th, the watchdog that oversees the regulation has received more than 1,300 complaints, and businesses have logged 60 breaches of people’s personal data with the watchdog. Under GDPR, an organisation can be fined up to 4% of annual global revenue if it is deemed to have failed to comply with the new law in its handling of customer data. With this in mind, we take a look at the data breaches that have happened in the last month, and whether the organisations involved could find themselves with a hefty fine.
Retail
One of the first to fall victim to a data breach was in retail. The retailer had suffered a huge data breach that compromised an abundance of customer data, including some payment details of 5.9 million customers. With GDPR now in play, this breach could cost the company a hefty sum. Based on revenue of £10.5bn in 2017, the maximum fine could be as much as £400 million. However, it transpires that the breach occurred before GDPR came into effect, so it is still unclear whether the ICO will issue a fine under GDPR. Fines aside, the incident itself will likely cause substantial reputational damage.
Software companies
One software provider also fell foul of GDPR when it suffered a data breach earlier this month. It was reported that an attacker stole personal information and credit card data from hundreds of people within the businesses it serves. The unnamed attacker managed to exploit a vulnerability in an application hosted on the firm’s server to install malicious software. It is thought that the number of businesses affected could exceed one thousand. Details accessed by the hacker include personal information such as first and last names, addresses, email addresses and nationality, as well as financial details such as card numbers, expiration dates and names of cardholders. If it is identified that known vulnerable components were involved, and that these could have been discovered and remediated through a penetration test, for example, this organisation could be in trouble. Full details, however, are yet to be confirmed.
Online business
Another well-known business took a big hit this month. It suffered a serious breach, which is said to have affected 40,000 UK customers. The organisation posted on social media that malicious software on a third-party customer support product caused the hack, and that it had contacted all those affected.
It is still not known how the data was compromised, but the information stolen could include names, addresses, email addresses, telephone numbers, payment details and website log-in details. The company claims to be confident that it has complied with GDPR rules, maintaining that it acted ‘very quickly’ and informed all relevant authorities, including the ICO. Worryingly, however, this breach has the potential to lead to more, as criminals use the headlines to their advantage to create follow-up phishing scams. “After an incident like this, criminals from around the world will jump at the chance to try and catch a few unsuspecting people out,” said Brooks Wallace from the cyber-security specialist Trusted Knight. “If you receive any emails purporting to be from this particular company asking for any personal information, discard them.”
Don’t fall at the first hurdle
Here at SCC, we have security solutions to ensure your data doesn’t fall into the wrong hands. At SCC we help businesses to ensure their security is never compromised.