Posted by Kevin on July 29, 2014.
If I had a bunch of active credit card numbers whose loss had not been disclosed, I might be able to sell them on the black market for up to $20 each (see Juniper Networks). For a quick sale, I might offer a 50% discount on this price. So if I had 430,599 such cards, I might get $4,305,990 for them (in excess of £2.5m).
You could say that the forces of crime and disorder offer me a £2.5m incentive to be less than secure in my methods for keeping these cards safe.
In the UK, the Information Commissioner’s Office is charged with overseeing compliance with the Data Protection Act. One of his options is to apply a monetary penalty (fine) on companies that do not comply with the Act (for example, companies that lose active credit card numbers). The Data Protection Act requires companies to store personal data securely. By definition a company that loses personal data is in breach of the Data Protection Act.
Earlier this month the ICO fined Think W3 Ltd £150,000 for the loss of 430,599 active credit card numbers (together with some assorted personal details). Incidentally, Think W3 also stored and lost a further 733,397 expired credit card numbers, which is de facto also in breach of the Act’s requirements for the company to keep its records up to date, and to not store them for any longer than necessary.
The Information Commissioner said,
The Commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with the Act and this is an opportunity to reinforce the need for data controllers to ensure that appropriate and effective security measures are applied to personal data stored on their information technology systems.
Monetary Penalty Notice on Think W3 Ltd
No wonder we’re losing the battle.Submitted in: News, News_hacks |