Official enquiries into data breaches naturally take a long time to reach their conclusions and none of the large breaches we mentioned in the last newsletter have been handed judgements yet. We do however know a little more about what happened and how many people have been affected.
For instance, we now know that the Dixons Carphone breach affected some 10 million customers, not just the 1.2 million it was previously thought to have affected. Bank and payment card details weren’t accessed, but there is now apparently evidence that some information was removed from their systems entirely. The Group published its Q1 trading statement on 6 September and, luckily for them, does not appear to have been negatively impacted by the data breach.
The Typeform breach is still under investigation as well. The data in question was accessed via a back-up tape dated 3 May so any data after that date should be secure. However, it has been claimed that the data that was accessed was unencrypted and so would be relatively easy to use. If you think your organisation may have been affected by this breach you really should have reported it to the ICO by now in order to meet the GDPR reporting regulations: if you haven’t, for whatever reason, we’d suggest taking a ‘better late than never’ approach and getting your paperwork to them ASAP!
It is now apparent that it was a subcontractor of Ticketmaster’s that caused their breach. Inbenta Technologies operates a chatbot on the Ticketmaster site, and that is where the problem originated. It remains unclear which of the Data Protection regulations Ticketmaster will be prosecuted under.
There must be other, more interesting news around at the moment, because all seems to have gone quiet on the Facebook front. The ICO’s investigation is continuing and their findings are due to be published in October, so we don’t have long to wait now.
The Facebook investigation is actually just a small part of a much larger investigation currently being carried out by the ICO. It started in May 2017 to investigate ‘invisible processing’ and ‘micro-targeting’ of political adverts during the EU Referendum and has grown to become the largest investigation of its kind carried out by any of the DPAs. It involves social media sites, political parties and campaign groups, universities, analytics firms and data brokers. According to a statement from the ICO the investigation has involved up to 40 investigators working full time; it has identified 172 organisations of interest, with 30 of these organisations being their main interest; and 285 individuals. It is likely to result in both regulatory and criminal proceedings.
Both sides of the EU Referendum are being investigated and all political parties in the UK have been notified that their data sharing practices will be audited this year so there is clearly a lot more news to come out of the investigation.
One organisation that has already been fined in relation to this investigation is Lifestyle Marketing (Mother & Baby Ltd), also known as Emma’s Diary. They have received a £140,000 fine for collecting and selling the information of over one million people. The information was sold to Experian Marketing Services, an organisation used by the Labour Party, and was used to profile new mums in the run up to the General Election in 2017.
British Airways’ website and mobile app were targeted by hackers in late August, with the breach only being discovered a few days later at the beginning of September. Some 380,000 customers who used the website or mobile app to make or change a booking while the hack was ongoing suffered a loss of full payment card details, including CVV numbers. The hack was a highly targeted piece of work, with a serious amount of effort having been put in to make it difficult to spot on the website. BA have received a fair amount of negative press over the breach, with many of those affected quickly taking to social media to complain about the incident; legal firm SPG Law has taken it upon itself to seek compensation for the affected BA customers over the ‘inconvenience, distress and misuse’ of their data. If successful, this case could cost BA up to £475 million in compensation for ‘non-material damage’ as provided for under the GDPR. And then there’s the potential ICO fine, which The Daily Telegraph calculates as standing somewhere around £897 million if BA is found to be in breach of GDPR regulations.
To be fair to BA, however, once they discovered the breach they communicated with affected customers very quickly and followed up in a timely manner, seeking to reassure people and to provide as much information as possible. Since the incident they have also offered UK customers 12 months’ free access to a credit and identity monitoring service. The irony is not lost on us, however, that this service will be provided by Experian, parent to the Experian Marketing Services mentioned in the story above.
Equifax Ltd, yet another credit reference agency, felt the full force of the ICO’s wrath this month, being handed a £500,000 fine as a result of the 2017 data breach of their parent company, the US-based Equifax Inc. This pre-GDPR breach affected some 145 million customers worldwide, of which 15 million were in the UK. Equifax Ltd was found to have ‘failed to take appropriate steps’ to protect UK citizens’ data, and multiple failures were found to have led to personal data being kept for longer than necessary. Apparently, Equifax Inc had been warned earlier in 2017 of critical vulnerabilities in its systems but had failed to take action to fix them.
Outside the reach of the GDPR, but of interest nonetheless, is the timely reminder from Air Canada of the need for decent password security. They noticed some ‘suspect activity’ on their app between 22 and 24 August and locked down 1.7 million user accounts as a precaution. They now know that about 20,000 user accounts were affected by the breach, and while no financial details were taken, full passport details may well have been accessed. This presents a serious risk of identity theft, as many of the institutions that ask for passport details as a means of identification don’t actually ask to see the document itself; they just need the details. App users had to create a password that was 6-10 characters long but didn’t even need to include symbols, which makes such passwords remarkably easy to break, as people often use simple words in those circumstances.
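To make the password point concrete, the following is an added example (not code from the newsletter or from Air Canada) that contrasts the 6-10 character, no-composition-rule policy described above with a length-first policy of the kind current guidance favours. The stronger policy’s thresholds (12-character minimum, 128-character maximum), the rejection of bare lowercase words, and the short common-password list are all assumptions made for the illustration; a real deployment would check against a full breached-password list.

```python
import math
import re

# Constructed stand-in for a breached/common-password list (assumption: a real
# deployment would check against a full list such as Pwned Passwords).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "sunshine"}


def charset_size(pw: str) -> int:
    """Size of the union of standard character classes that pw draws from."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation and space
    return size


def estimated_bits(pw: str) -> float:
    """Upper bound on the brute-force search space in bits: len * log2(charset).
    A dictionary word has far fewer effective bits than this figure suggests."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def passes_legacy_policy(pw: str) -> bool:
    """The policy described in the newsletter: 6-10 characters, no other rule."""
    return 6 <= len(pw) <= 10


def check_stronger_policy(pw: str, min_len: int = 12, max_len: int = 128):
    """Assumed length-first policy: long minimum, generous maximum, reject
    known-common passwords and bare lowercase words. Returns (ok, reasons)."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        reasons.append(f"longer than {max_len} characters")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("appears in common-password list")
    if re.fullmatch(r"[a-z]+", pw):
        reasons.append("single lowercase word")
    return (not reasons, reasons)


def legacy_only(candidates):
    """Passwords the legacy policy accepts but the stronger policy rejects."""
    return [pw for pw in candidates
            if passes_legacy_policy(pw) and not check_stronger_policy(pw)[0]]


if __name__ == "__main__":
    # Constructed sample passwords for the comparison.
    samples = ["sunshine", "Tr0ub4dor!", "letmein", "correct horse battery staple", "abc"]
    for pw in samples:
        ok, reasons = check_stronger_policy(pw)
        print(f"{pw!r:32} legacy={passes_legacy_policy(pw)!s:5} "
              f"stronger={ok!s:5} bits~{estimated_bits(pw):5.1f} {reasons}")
```

Running the block shows the gap directly: a common word such as ‘sunshine’ sails through the legacy check while failing the stronger one on three counts, and a 10-character cap rules out the long passphrase that the stronger policy accepts with no complexity rules at all.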