Wonga data breach highlights many companies still unprepared for GDPR
10 April 2017
Wonga has become the latest company in the data breach hotseat – and many have used the incident to talk about GDPR and cybersecurity.
Last year saw the rise of the data breach – 727,000 kids were compromised when a CloudPets hack leaked their voice recordings and over 65,000 Tumblr emails surfaced on the darknet. Yahoo! and LinkedIn suffered a similar fate – and the trend doesn’t look set to stop in 2017.
That’s where Wonga comes in. Many have deemed it one of the largest UK hacks, with the controversial payday loan company claiming 245,000 customers were affected. Names, addresses, phone numbers and bank account numbers were all stolen. This combination of details was particularly worrying, the BBC cited Alan Woodward, University of Surrey’s cybersecurity expert, as saying.
As always, high-profile breaches offer insight into what needs to be improved – Wonga’s initial statement claiming accounts were secure is in stark contrast to Woodward’s words, for example. The incident brings to light that despite the recent push for better cyber security, the data breach as we know it has become inevitable. And according to Richard Henderson, Absolute’s global security strategist, “it’s the next steps that will make or break a company.”
He has a point; many will be closely scrutinising the way Wonga handles the data breach, which certainly hasn’t helped its reputation in the wake of previous scandals. The reason for this increased scrutiny, however, could be in large part the upcoming GDPR – and whether Wonga can live up to its expectations. In the eyes of Henderson, Wonga has failed thus far, and he maintained that the GDPR couldn’t come quickly enough.
“With brands being breached so frequently, consumers need more stringent controls and protection in terms of detection and notification so that organisations start to take this threat seriously,” he said. “With enforcement not being too far away, it really is disappointing to see organisations continuing to fail.”
Although Wonga contacted customers to notify them of the breach, there doesn’t seem to be much clarity around the scale of the attack and who was affected. That’s a no-no when the GDPR comes into effect. As was suggested by Henderson, under the GDPR, companies will have 72 hours after becoming aware of the data breach to notify the relevant authority. And under Article 32, where a breach puts individuals at risk, companies will have to inform customers – in clear and plain language. Transparency will be crucial. Has Wonga failed to clear the first hurdle then?
The GDPR will also hopefully see security efforts tightened – a point James Thompson, regional director EMEA at SecureAuth, agreed with. He offered some key advice on what companies should look to implement before the GDPR becomes law.
“This is another hefty reminder to organisations holding personal and financial data to continually innovate security and authentication approaches to keep ahead of attackers. Use layered risk-analysis checks before the user even logs in, such as device recognition, analysis of the physical location of the user, or past and current login history.
“Recognising user behaviours that are out of character for an account is also key to protecting against actors staying undetected within your network for elongated periods of time. Critically, businesses need to be able to identify and flag deviations in user behaviour. Firms can request additional authentication at this point or simply end a session, shooting down the attackers’ ability to move around once inside the network. That way, cyber criminals never gain the access they need to complete their mission. Stolen credentials should become completely worthless.”
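To make the layered, pre-login risk checks Thompson describes concrete, the following is an added illustration written for this article; it is not code from Wonga, SecureAuth or Absolute. It scores a login attempt against an account's past logins on device recognition, location, implausible travel between locations, and time of day, then maps the score to allow, step-up authentication, or refusing the session. The weights, thresholds, device identifiers and login history are all constructed for the example; a real deployment would tune them against its own data.

```python
"""Added example: a minimal risk-based login check. Weights, thresholds and
the login history below are constructed, not taken from any vendor."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Login:
    user: str
    device_id: str   # hypothetical device fingerprint / cookie id
    country: str     # hypothetical geolocation of the source address
    at: datetime


# Constructed history for one account: one laptop, always from GB, office hours.
HISTORY = [
    Login("alice", "laptop-1", "GB", datetime(2017, 4, 3, 9, 5)),
    Login("alice", "laptop-1", "GB", datetime(2017, 4, 4, 10, 30)),
    Login("alice", "laptop-1", "GB", datetime(2017, 4, 5, 14, 0)),
]

# Constructed weights and thresholds.
UNKNOWN_DEVICE = 40
NEW_COUNTRY = 30
IMPOSSIBLE_TRAVEL = 50
UNUSUAL_HOUR = 15
STEP_UP_AT = 30   # ask for a second factor
DENY_AT = 70      # refuse the login / end the session


def _hour_distance(a: int, b: int) -> int:
    """Circular distance between two hours of the day (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def risk_score(attempt: Login, history: Iterable[Login]) -> Tuple[int, List[str]]:
    """Score one login attempt against the same account's previous logins."""
    past = [h for h in history if h.user == attempt.user]
    score, reasons = 0, []
    if attempt.device_id not in {h.device_id for h in past}:
        score += UNKNOWN_DEVICE
        reasons.append("unknown device")
    if attempt.country not in {h.country for h in past}:
        score += NEW_COUNTRY
        reasons.append("new country")
    if past:
        last = max(past, key=lambda h: h.at)
        # A different country within two hours of the previous login is not plausible travel.
        if last.country != attempt.country and attempt.at - last.at < timedelta(hours=2):
            score += IMPOSSIBLE_TRAVEL
            reasons.append("impossible travel")
        # Flag a login more than three hours away from every hour this account has used.
        if all(_hour_distance(attempt.at.hour, h.at.hour) > 3 for h in past):
            score += UNUSUAL_HOUR
            reasons.append("unusual hour")
    return score, reasons


def decide(attempt: Login, history: Iterable[Login] = HISTORY) -> str:
    """Map the risk score to an action: allow, step_up (extra auth) or deny."""
    score, _ = risk_score(attempt, history)
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    probe = Login("alice", "phone-9", "RU", datetime(2017, 4, 5, 15, 0))
    print(decide(probe), risk_score(probe, HISTORY))
```

The point of the layering is that a single stolen credential is not enough: a password entered from an unfamiliar device in a new country an hour after a login from GB scores high enough to be refused outright, while a known device at an unusual hour only raises a flag and still lets the user through. In practice the "deny" branch would also end any existing session for the account and raise an alert for review, and new accounts with no history would be routed to step-up rather than scored against an empty baseline.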
Whether you agree with Henderson or Thompson, it’s becoming clear that the GDPR will put a lot of weight on the shoulders of bosses – which some may still be unprepared for.