Here’s our pick of the scariest regulatory breaches of 2019…that is, so far…
British Airways hit with record fine following cyberattack
UK-based airline British Airways faced a record fine of £183 million ($229 million) after suffering a cyberattack, which saw the details from approximately 380,000 booking transactions stolen, the information included bank card numbers, expiry dates and CVV codes!
The UK Information Commissioner’s Office said it was the biggest penalty it had ever issued and it’s the first to be made public following the implementation of the EU Update to Data Protection Regulation (GDPR).
Marriott faces $123 million fine
U.S. hotel group Marriott has become the second firm to face a huge GDPR fine. The hotel group could be facing a fine of over £99 million ($123 million). It shows the global impact of the regulation, which covers the personal data of EU citizens.
Marriott was first alerted to the fact it was hit by a cyberattack in September last year, but the incident wasn’t reported until November. Then in March of this year, more information emerged about the breach after a testimony by Marriott’s Group CEO Arne Sorenson. Sorenson said 383 million guest records and 18.5 million encrypted passport numbers were breached.
Details included 9.1 million encrypted payment card numbers and 385,000 valid card numbers, in addition to 5.25 million unencrypted passport numbers.
Equifax: a $575 million penalty!
2017 saw Equifax lose the personal and financial information of nearly 150 million people. The company had failed to fix a critical vulnerability for months and then failed to inform the public of the breach for weeks after it been discovered.
In July 2019 the credit agency agreed to pay $575 million, potentially rising to $700 million, in a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and all 50 US states and territories over the company’s failure to take reasonable steps to secure its network.
The year of GDPR enforcement: Fines like those to British Airways and Marriott dwarf penalties in 2018, as regulators turn to enforcing the new rules now that the “year of transition” has passed.
What can you do to avoid data privacy breaches?
With increasing cyber-crime and the growing demands on organisations to comply with new legislative and regulatory requirements, managing enterprise risk and the processes around critical policies and procedures is essential to mitigate liability and ensure best practice. Whilst the benefits of using internet applications and technologies are numerous and almost immeasurable, businesses should have a strategy in place to address the exposure to potential risks posed by cybersecurity.
Cybersecurity and combating data privacy breaches covers a range of risks, such as loss, theft and/or manipulation of sensitive or private data; the introduction of viruses, and computer fraud. Some may be malicious but some may be caused by human error. The resultant controls from a risk management process typically fall into two categories – the implementation of a software solution (such as a firewall) to address specific threats; and the creation of policies and procedures for internal purposes.
- STEP ONE – Identify an independent trusted cybersecurity specialist to undertake an audit. Once the report has been received and digested, a strategy needs to be put in place to ensure all the risks identified are professionally managed to protect the business from reputational risk.
- STEP TWO – Implement a Risk Management solution, to ensure that risks are identified; that they are centrally recorded; their impact and likelihood calculated; their controls are put in place; and an audit trail is available to report on any controls that remain outstanding.
Whilst the creation of well-drafted policies and procedures are a cornerstone of a cyber-security program, if they are not professionally managed and communicated to all employees, they are almost worthless.
Posting critical policies on an intranet in the hope they are read is no longer sufficient to ensure that your employees are aware of the threats posed by cybercrime and data privacy breaches. Businesses need to be able to evidence that all employees have received, read and understood the policies, and confirmed that they have agreed to abide by them.