The first post-GDPR breach: Companies are still playing fast and loose with customers’ data
13 June 2018
The recent Dixons Carphone data breach has attracted more eyes than usual, as businesses wait to see how things pan out in this post-GDPR era.
Dixons Carphone is the latest in a long line of businesses to have suffered a data breach. As its CEO acknowledged, when a company gets hacked and loses data, the response and actions of the board and management team become hugely important.
This is truer now than ever before. Dixons Carphone was the victim of “unauthorised data access”, which compromised 5.9 million payment cards and 1.2 million personal data records. But what makes this case so interesting is that it is the first breach to hit the headlines since GDPR came into force.
It is also believed the hacking attempt began in July 2017. Under new regulations, companies can be fined up to 4% of annual turnover. But will the penalty be the same for hacks that took place pre-GDPR?
According to Ross Brewer, VP and MD EMEA of LogRhythm, either way the scale and time-frame of the data breach are “staggering”. They indicate that the “company lacks vital threat detection capabilities”.
The reality is that breaches like this are all too common. According to a Forrester study, two-thirds of companies were hacked in the past two years, and 80% of security breaches involved privileged credentials. What is more surprising, experts say, is that companies are still playing fast and loose with customers’ data.
Luke Brown, VP EMEA at WinMagic, for one, suggested that while it’s good to close off the unauthorised access – as Dixons has done – “it’s simply closing the barn door after the horse has bolted. The data is still out there.
“A sensible posture that organisations should adopt is to assume systems will get breached – because they will – and then put in place processes to minimise the risk. Perhaps the most simple thing to do is to ensure data is encrypted. That way if the worst does happen, the data will be unreadable to anyone who’s not authorised to read it.”
Brewer likewise maintained that Dixons Carphone will be hit with a hefty fine for lax security.
He said: “With the implications of a data breach so widely discussed – particularly in the lead-up to the implementation of GDPR – it constantly surprises me that businesses are not investing in the right tools to protect data.
“While some may have given into the inevitability of a data breach, the repercussions of a successful attack under GDPR are now so much more severe. Reputations can be rebuilt, but not a lot of bosses can say they won’t be impacted by a significant fall in shares and a huge GDPR fine.”
Whether it is a careless mistake or a malicious attempt to leak data, companies must put in place measures to identify sensitive customer data and build controls around when that data can be accessed and by whom. After all, if a data breach now occurs, companies will have only 72 hours to report it to the ICO.
“From a security standpoint, all bosses need to get real visibility of what’s happening to their systems at all times,” said Andrew Bushby, UK director at Fidelis Cybersecurity. “It provides the ability to proactively find the unknown threats, not just in the aftermath of an attack. As cybercriminals become more determined, deception technology must become a fundamental element of any organisational security defence strategy.
“By placing decoys, traps and lures on the network, organisations can expose and defuse attacks before any real damage is done – all while protecting key data assets wherever they reside. The timing for Dixons here is slightly awkward. Questions by the ICO will no doubt be asked about the safeguarding measures around the data before the breach, and why so many personal records were put at risk in the first place.”
One thing is certain, though: the immediate apology and acceptance of responsibility in this story is typical of the more mature approach we can expect going forward.