
Security Fails require GDPR

Posted by on July 8, 2017.

It might seem as if the fines of up to 4% of global turnover provided for in GDPR are a bit draconian — but they are not. Three separate incidents over the last few weeks demonstrate just how many businesses simply don’t care about their customers’ privacy; and I doubt if such attitudes can be changed without serious sanctions. In fact, it will probably require that European regulators make a few high-profile, high-value examples before organizations take GDPR and privacy seriously.

The example incidents have exposed millions of personal details. They are not the result of state-sponsored advanced hackers nor even common-or-garden criminal hackers. All of these details were exposed through simple negligence and lack of concern by the organizations themselves — and these are just the ones that have made headlines and we know about.

One. In mid-June the details of 198 million American voters were left exposed, unprotected and unencrypted on an Amazon AWS server.

Two. At the beginning of this month, the AA acknowledged that details of at least 117,000 of its customers were exposed in 13GB of backup data. Quite incredibly, AA president Edmund King commented, “as the data was not sensitive, and our third-party supplier informed us that the data was only accessed several times, the case was closed.”

Firstly, the data included full names, physical addresses, IP addresses, and purchase details of AA shop customers. That will be classified as sensitive personal data under GDPR. Secondly, the suggestion that nobody need worry because it had only been accessed ‘several times’ is callous to say the least. That it had been accessed at all means that there could potentially be a copy being hawked around the Russian underground as we speak. And thirdly, the AA had not and probably would not have disclosed the incident at all had it not been outed by the media.

Three. In this last week it was reported that the WWE had exposed details of more than 3 million customers in at least two databases — one of which was specifically European customers — again on AWS. This time the details contained were most definitely sensitive: educational background, earnings and ethnicity, home and email addresses, birthdates, and customers’ children’s age ranges and genders, where supplied.

WWE’s official statement, like that of the AA, leaves a lot to be desired: “Although no credit card or password information was included, and therefore not at risk, WWE is investigating a vulnerability of a database housed on Amazon Web Services (AWS), which has now been secured.”

In each case there is sufficient personal information for hackers to craft compelling spear-phishing emails that can lead to identity theft. It doesn’t appear that any card details were lost — but frankly I would worry more about the personal details. I can change my card; I cannot change my identity. And we won’t even go into the idea that strange people could know where young children live.

In the last two examples, the attitude of ‘oh, well, it doesn’t really matter’ is appalling.

We have known for more than two years that GDPR is coming. Now there is little more than 10 months to go. These incidents demonstrate that many businesses still just don’t care. It’s going to require the European regulators to kick some serious financial butt before privacy is taken seriously by all of business.


Submitted in: Expert Views, Kevin Townsend's opinions