Universities and charities in the UK, US, and Canada have all been affected by a hack that hit software supplier Blackbaud.
Over 20 universities and charities have stated they were affected after Blackbaud – a supplier of administration and financial software – was hacked back in May, with personal data being held for ransom.
Blackbaud agreed to pay the ransom, despite this being against the advice of most law enforcement agencies. Most worryingly, however, it took a long time to inform those affected.
According to BBC News:
Questions are being asked about why Blackbaud took weeks to inform its customers of the hack.
Under General Data Protection Regulation (GDPR), companies must report a significant breach to data authorities within 72 hours of learning of an incident – or face potential fines.
The UK’s Information Commissioner’s Office [ICO], as well as the Canadian data authorities, were informed about the breach last weekend – weeks after Blackbaud discovered the hack.
You can read the full article from the BBC here.
How Blackbaud has approached the hack is extremely worrying, especially given the sensitivity of the data stolen, which included “phone numbers, donation history and events attended”.
There is no guarantee that the hackers destroyed this data despite the ransom being paid, and the length of time Blackbaud took to deal with the issue left those affected unable to take steps to protect themselves.
If you want advice on how to handle these kinds of situations and on your data protection procedures, get in touch with us today for our expert advice.
A Dixons data breach has led to the company being fined £500,000 by the ICO. At least 14 million people were affected after malware was installed on computer systems, allowing hackers to steal customers’ personal data.
The malware was installed on “point of sale” tills at stores for Currys, PC World, and Dixons Travel. In addition to names, email addresses, and postcodes, the hackers also gained access to 5.6 million card details.
According to The Guardian:
Steve Eckersley, the ICO’s director of investigations, said the ICO had found “systemic failures” in the way Dixons Carphone looked after its customer data. “Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud,” he said.
This demonstrates the importance of cybersecurity in today’s digital age. Dixons has made basic errors in its approach – despite the area of business it is in – and is now paying the price.
However, the fine could have been much greater. This Dixons data breach took place between July 2017 and April 2018, just before GDPR came into force. As a result, Dixons has been fined the maximum amount for a breach of the Data Protection Act 1998 instead, for which the penalties are much less severe.
For comparison, British Airways was fined £183 million for a data breach last year. Dixons has been fortunate in this case – although the same cannot be said for their customers. The Guardian goes on:
Eckersley said: “The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”
Alex Baldock, the group chief executive of Dixons Carphone, said the company disputed some of the ICO’s findings and was considering its grounds for appeal. The company had, he said, made significant investment in its information security systems and processes. There was “no confirmed evidence of any customers suffering fraud or financial loss as a result”, he added.
“We are very sorry for any inconvenience this historic incident caused to our customers,” said Baldock. “When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident. We duly notified regulators and the police and communicated with all our customers.”
Click here to read The Guardian’s article in full.
Dixons has, at least, responded to the data breach in the proper way by notifying the ICO and doing what it could to limit the damage. Its cybersecurity failings, however, were considerable, and will hopefully be learned from.
Our GDPR consultants are here to help if you have concerns about your own data protection programme. Get in touch with us today to find out what we can do for you!
Foreign exchange company Travelex has suffered a severe hack that has forced it to deactivate all computer systems in an attempt to protect data and contain a virus.