UK & American Universities affected by Blackbaud hack

Universities and charities in the UK, US, and Canada have all been affected by a hack that hit software supplier Blackbaud.

Over 20 universities and charities have stated they were affected after Blackbaud – a supplier of administration and financial software – was hacked back in May, with personal data being held for ransom.

Blackbaud agreed to pay the ransom, despite this being against the advice of most law enforcement agencies. Most worryingly, however, it took a long time to inform those affected.

According to BBC News:

Questions are being asked about why Blackbaud took weeks to inform its customers of the hack.

Under General Data Protection Regulation (GDPR), companies must report a significant breach to data authorities within 72 hours of learning of an incident – or face potential fines.

The UK’s Information Commissioner’s Office [ICO], as well as the Canadian data authorities, were informed about the breach last weekend – weeks after Blackbaud discovered the hack.

You can read the full article from the BBC here.

How Blackbaud has approached the hack is extremely worrying, especially given that sensitive data was stolen, including “phone numbers, donation history and events attended”.

There is no guarantee that the hackers destroyed this data despite the ransom being paid, and the length of time Blackbaud took to deal with this issue has left those affected unable to take steps to protect themselves.

If you want advice on how to handle these kinds of situations and your data protection procedures, get in touch with us today for our expert advice.

Dixons data breach leads to £500,000 fine

A Dixons data breach has led to the company being fined £500,000 by the ICO. At least 14 million people were affected after malware was installed on computer systems, allowing hackers to steal customers’ personal data.

The malware was installed on “point of sale” tills at stores for Currys, PC World, and Dixons Travel. In addition to names, email addresses, and postcodes, the hackers also gained access to 5.6 million card details.

According to The Guardian:

Steve Eckersley, the ICO’s director of investigations, said the ICO had found “systemic failures” in the way Dixons Carphone looked after its customer data. “Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud,” he said.

This demonstrates the importance of cybersecurity in today’s digital age. Dixons has made basic errors in its approach – despite the area of business it is in – and is now paying the price.

However, the fine could have been much greater. This Dixons data breach took place between July 2017 and April 2018, just before GDPR came into force. As a result, Dixons has been fined the maximum amount for a breach of the Data Protection Act 1998 instead, for which the penalties are much less severe.

For comparison, British Airways was fined £183 million for a data breach last year. Dixons has been fortunate in this case – although the same cannot be said for their customers. The Guardian goes on:

Eckersley said: “The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”

Alex Baldock, the group chief executive of Dixons Carphone, said the company disputed some of the ICO’s findings and was considering its grounds for appeal. The company had, he said, made significant investment in its information security systems and processes. There was “no confirmed evidence of any customers suffering fraud or financial loss as a result”, he added.

“We are very sorry for any inconvenience this historic incident caused to our customers,” said Baldock. “When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident. We duly notified regulators and the police and communicated with all our customers.”

Click here to read The Guardian’s article in full.

Dixons has, at least, responded to the data breach in the proper way by notifying the ICO and doing what they could to limit the damage. Their cybersecurity failings, however, were considerable, and will hopefully be learned from.

Our GDPR consultants are here to help if you have concerns about your own data protection programme. Get in touch with us today to find out what we can do for you!

Private messages for sale from 81,000 hacked Facebook accounts

News has broken that 81,000 hacked Facebook accounts have had their private messages stolen. The hackers are now attempting to sell this data on, at the price of 10 cents (8p) per account, and are also claiming that they have obtained details from even more accounts – 120 million – although this has not been verified.

Facebook has already faced huge problems regarding data protection. It was fined £500,000 earlier this year for its role in the Cambridge Analytica scandal, and it now looks like it will be facing further penalties from the Information Commissioner’s Office (ICO). Regardless of the scale of this latest breach, things are looking bad for the social media giant.

Whatever happens next, a new fine will tell us something useful. The Cambridge Analytica scandal took place before GDPR came into effect in May, so the fine against Facebook was brought according to the pre-existing data laws. Specifically, it came under the Data Protection Act 1998. A new fine relating to this latest breach, however, will fall under GDPR.

It’s important to note that Facebook have not been able to hide behind being a US company. And as it turns out, they may have been fortunate that the Cambridge Analytica scandal was exposed before May 25th; it’s impossible to say what the fine would have been under GDPR, but it may well have been considerably greater than £500,000.

No matter what, though, the single biggest issue here is the ongoing risk to users. Facebook is built around people’s personal data, but has so far been unable to provide adequate protection for that data. If the trend continues, there could be even more trouble ahead for the company.

You can find out more about this latest data breach of hacked Facebook accounts here.

And if you want to ensure that your company is GDPR compliant, make use of our GDPR Gap Analysis to make sure that you avoid heavy fines.