Conservative Party Conference data breach – the fallout and implications

News broke this week that a flaw in the Conservative Party’s conference app led to personal details being exposed to the public. The data included the phone numbers of high ranking politicians and officials such as Boris Johnson and Michael Gove, and reporters such as Sky News political editor Faisal Islam.

The incident shows how easy it is to fall foul of data protection laws. Even at the highest levels of government, a simple mistake can lead to data being leaked. The Conservative Party may attempt to pass accountability on to the company that created the app, Crowd Comms, but this might not be enough, as both are responsible for ensuring data security under the rules of GDPR.

Given the high-profile nature of the breach, there are good reasons to be concerned. Several ministers received nuisance calls from members of the public, and there are other security issues. Other attendees – including an RAF squadron leader and a Met police officer – also had their data revealed.

Considering the high-profile individuals and security issues involved, the ICO may look to fine both Crowd Comms and the Conservative Party. With GDPR only recently coming into force, it could want to set a precedent – as well as appear politically impartial.

Whatever the outcome, this is a deeply embarrassing incident for the Conservatives. The political fallout remains to be seen, but it shows how easy it is to fall foul of GDPR. Note that the breach came from an app designed by a third party, yet the Conservatives may still be liable.

You can find out more about the full story here: https://news.sky.com/story/senior-tory-mps-phone-numbers-exposed-in-app-flaw-11512323

If you’d like help assessing your own company’s requirements under GDPR, get in touch with us about performing a Gap Analysis to test your compliance.

Morrison’s Security Breach Summary

In 2014, Morrisons suffered a security breach that released the payroll data of nearly 100,000 employees. The data contained personally identifiable information (PII) on employees, including names, addresses, and even employee salary information.

The perpetrator was a former employee, who was subsequently arrested and sentenced to eight years in prison. Morrisons have not been held liable for this employee’s actions, and in truth, it is difficult both to anticipate and to protect oneself from an “inside job”.

However, Morrisons can still be found responsible for the actions of the now former employee, who allegedly had a grudge against the company due to previous disciplinary incidents. It would be unfair to state that Morrisons’ earlier disciplining of this single individual was the catalyst for their actions. However, could Morrisons have prevented something like this from happening?

Possibly. This employee did not unlawfully obtain the data; in fact, as a part of Morrisons’ IT division, they had legitimate access to the payroll information. This would make the employee either a data controller or a data processor for Morrisons.

Morrisons could have taken more action to prevent this breach, though. Firstly, they should have recognised the risk of letting a previously disciplined employee handle personal data, and on that basis they could have restricted their access.

Because Morrisons were not found liable for these actions, they would be unlikely to be fined the full figure of 20 million Euros, or 4% of their annual turnover. But this highlights that organisations and employers need to be more aware and on their toes when it comes to potential risks. To avoid any potential breaches, you must reduce the possibility of them happening to begin with.

https://www.technologylawdispatch.com/2017/12/privacy-data-protection/morrisons-found-vicariously-liable-for-a-data-breach-committed-by-one-of-its-employees/?utm_source=Mondaq&utm_medium=syndication&utm_campaign=View-Original

Uber Security Breach – How GDPR would Punish Them

The Uber security breach has raised many questions regarding the company’s policies, ethics, and general understanding of their customers’ personal data.

Under GDPR, if your organisation experiences a security breach, you have 72 hours to contact the appropriate authorities once you become aware of it. You can use those 72 hours to set things right and to enhance your security measures, and unless the data is encrypted, you must also contact the data subjects affected.

Uber did not report this breach to either the authorities or their customers for 6 months. This alone is damning enough to hit Uber with a substantial fine.

Furthermore, Uber paid the hackers a ransom so that they would delete the data. While this is the main reason Uber’s sense of ethics is being questioned, it’s generally a poor decision in terms of data security and the business, too.

Firstly, how are they to know that the hackers will delete, or have deleted, the data once the ransom is paid? They can’t, so paying the ransom (alleged to be up to $100,000) is a huge risk. Secondly, this money could (and should) be used to enhance the security measures of the firm, and to employ data security officers and analysts to discover how this happened – whether Uber has even done this is unclear. In fact, the Chief of Security at the company who made this deal has now been fired. Finally, such an infraction of GDPR will leave Uber with a huge fine. $100,000 might be a small percentage of that fine, but to essentially throw that money away is a poor decision.

So how bad would the fine actually be for Uber under GDPR? The very worst would be either 4% of their annual turnover or 4 million Euros, whichever is higher. With a large company like Uber, it is likely to be the 4%. Here’s our estimate of Uber’s fine…

Uber’s approximate revenue for 2016: $6,500,000,000 (6 billion, 500 million dollars) x 0.04 (4%) = $260,000,000. This is significantly higher than 20 million EUR, and over double the highest amount Equifax would have to pay (from our estimations in this article).

While there have only really been a few high-profile cases of breaches and lack of GDPR compliance like this, two of the bigger firms involved have been American companies. This suggests that US organisations are either unaware of the regulations and the consequences of GDPR, or are willing to risk these fines in order to keep their reputation intact. Unfortunately for them, this hurts their reputation even more. EU citizens will be looking at whether they can trust not only Equifax and Uber, but other high-profile large American organisations – and rightly so. The default tactic for American associations (whether businesses, industries, or whatever) is to cover something up, especially when it comes to data breaches.

DO NOT follow the example set by these businesses. If you experience a security breach, it is better to make those who need to know aware of it than to hide it…

Read more on GDPR fines, penalties and consequences here: https://activaconsulting.co.uk/gdpr/gdpr-fines-penalties-consequences/

How Equifax would be affected under the new GDPR laws

The massive US credit company Equifax has recently announced a breach that affects over 140 million data subjects (potentially including 400,000 UK residents), and under GDPR laws they would’ve (and should’ve) been in very deep trouble.

The breach of data occurred on September 7th 2017, affecting millions of people, and it’s remarkably sensitive data, too. Some of it is data subjects’ addresses and dates of birth, but much more worryingly, data such as credit card details were part of the breach.

From May 2018, when such a breach occurs and affects EU and UK customers, the organisation must contact its data subjects to make them aware of the data that has been breached (unless it is pseudonymised and encrypted). However, there is confusion as to whether Equifax have even done this. The news of the breach being made public can be seen as Equifax alerting their customers publicly – this type of announcement is acceptable if it is efficient for the organisation – it’s easier to notify 100 million people at once than to notify individuals 100 million times.

Equifax will no doubt then claim that they have informed the data subjects. But data subjects may miss this announcement and be unaware of the breach. It is much safer for an organisation to send a group mailout, a newsletter, or equivalent, to all the data subjects affected, with a list of the potential data affected, too.

But even if Equifax can be excused for this, the length of time they waited before notifying everyone is inexcusable.

The breach occurred on the 7th September 2017. Under GDPR regulations, you have to notify the appropriate authorities about a breach within 72 hours of becoming aware of it. However, Equifax were sitting on this for over a month, with reports claiming Equifax became aware of the breach on 29th July – many weeks earlier. This is nowhere near compliant with GDPR regulations, and it doesn’t even indicate when the breach actually took place initially.

Equifax appear to have operated in a way that suggests they hoped no one would notice what happened – which is definitely the wrong way to approach these things. A hack, although often preventable by security procedures, is not always the fault of the victim organisation. The organisation’s reputation may be tarnished, but by following the example Equifax have set, the organisation will have more to worry about than just their reputation.

The worst Equifax would have expected under GDPR laws would be a fine of 4% of the organisation’s annual turnover or 20,000,000 EUR, whichever is higher – either way, this is a huge sum to pay for something avoidable. Taking the revenue of the company as the figure to use for the group’s turnover, we can hypothetically calculate the 4% fine they could have received if GDPR laws were in place. Here’s the maths behind what Equifax’s potential fine could be.

Equifax’s turnover (2016): $3144.9 million, or $3,144,900,000 (3 billion, 144 million, and 900 thousand dollars) x 0.04 (4%) = $125,796,000, well above the 20,000,000 EUR alternative.
Sources of turnover figures (http://www.hoovers.com/company-information/company-search.html?term=equifax&maxitems=100, https://en.wikipedia.org/wiki/Equifax)

Now, take this sum with a pinch of salt – the revenue figure shown may not be entirely accurate, and so the final figure won’t be either. However, it represents the huge cost a company like Equifax will be at risk of if they don’t comply with GDPR laws.

Remediation costs would also be a huge figure, especially for a large organisation like Equifax. The number of data subjects affected and the number of Equifax employees significantly increase the cost Equifax would need to pay to remedy the situation. Equifax bringing in a cyber security company to analyse how the breach happened is another costly element of remediation. This cost, added to the potential $125 million they could pay, is a huge financial consequence of not complying with GDPR.

Equifax have rightly come in for heavy criticism for how they’ve handled the situation. Their stock fell by 13% the day after the breach was made public, and three high-ranking executives, including CEO Richard Smith, have “retired” (or rather, have been quietly dismissed).

This situation looks set to go on for a while, so we may have a string of articles to cover Equifax as this news story unfolds… because it looks like the problems here may be much deeper than what we’ve been told so far.

Read more on GDPR fines, penalties and consequences here: https://activaconsulting.co.uk/gdpr/gdpr-fines-penalties-consequences/