A data breach is amongst the worst things to befall a 21st century business. The consequences of a cyber-attack include significant loss of customers, irreparable reputational damage and, soon, significant fines under the GDPR. And that’s just scratching the surface.
Some of these attacks, such as ransomware and Distributed Denial of Service (DDoS) attacks, can be proactively defended against to a degree, ensuring you are doing all you can to keep your customer data safe. But what if an attack is less black and white, and may be the result of the smallest glitch in your matrix?
On Friday 7th April 2017, the short-term loan company Wonga discovered it had been the victim of a cyber-attack, affecting an estimated 245,000 customers in the UK and a further 25,000 in Poland. Wonga began alerting those affected on Saturday by email and text, stating:
‘We are writing to you as we believe there may have been illegal and unauthorised access to some of your personal data on your Wonga.com account.
‘We are urgently working to establish further details, but this may have included one or more of the following: name, email address, home address, phone number, the last four digits of your card number (but not the whole number) and/or your bank number and sort code.
‘We do not believe your Wonga account password was compromised and believe your account should be secure, however if you are concerned you should change your account password. We also recommend that you look out for any unusual activity across any bank accounts and online portals.’
The statement can also be found on the company’s website.
Though the exact nature of the Wonga data breach has yet to be discovered and it remains unclear whether the Information Commissioner’s Office (ICO) will need to investigate the breach, the scale of the attack highlights the importance of cybersecurity and regulatory compliance. A spokesperson for the ICO said: “All organisations have a responsibility to keep customers’ personal information secure. Where we find this has not happened, we can investigate and may take enforcement action.”
It’s not the first time we’ve seen a high-profile attack: in October 2016, the ICO issued TalkTalk a record fine of £400,000 for a data breach affecting 157,000 customers, most of whom did not have bank details stolen. And that’s just one of many.
The General Data Protection Regulation (GDPR), the European Union’s new legislative framework for the protection of personal data, introduces new responsibilities for businesses regarding data breaches (amongst many other changes).
According to the GDPR, Wonga must have reported the data breach to the relevant supervisory authority within 72 hours of becoming aware of it and notified those affected without undue delay. Failing to do so under the GDPR can result in a fine of up to €10m (£8.5m) or 2% of the company’s global annual turnover, whichever figure is greater.
The responsibilities set out by the Regulation will enable businesses to better protect their customers’ personal data, with standards such as privacy by design making sure that security is a priority from the very beginning of any creative process, and not an afterthought. Although the GDPR is already in effect – as of 27th April 2016 – businesses were given a 25-month lead-in time to get their houses in order and make sure they are compliant.
The maths whizzes amongst you will have registered that, almost a year on, the lead-in time is now somewhat shorter. Don’t panic, our latest whitepaper – GDPR is around the corner: Are you ready? – is here to help.