For a number of years, there has been an open battle between cybercriminals interested in stealing personal and financial data from companies holding that information and security firms who want to protect that information from ever being exposed.
It’s a war fought on a global scale and, given the rewards on offer for both the cyber-attackers and the companies trying to stop them, there’s no evidence that the war will stop anytime soon.
There were some major data breaches in the UK and around the world in 2018 and we report on five of the most remarkable in this article. We then look at what might be in store in 2019 and how best to protect your practice or chambers from attack.
In September, hundreds of thousands of BA customers’ personal and financial data was stolen after a particularly sophisticated hack which stretched out over two weeks.
380,000 payments were “compromised”, prompting the airline to take out a full-page ad in the Metro newspaper apologising for the incident.
40,000 customers were affected by a breach of online concert ticket seller Ticketmaster in June. The breach occurred as a result of a malware attack on a third-party vendor (Inbenta) used by the company. On discovering the problem, Inbenta’s software was withdrawn from use on Ticketmaster’s network of European sites.
5% of its users were affected by the breach – information stolen included users’ names, telephone numbers, email addresses, postal addresses, log-in details, and payment details.
The company promised to compensate all users for any loss and offered them a free 12-month identity monitoring service allowing them to detect any unusual financial activity against their name.
In a first since the introduction of GDPR, Hayes Connor launched a class-action lawsuit against the company on behalf of the victims. Hayes Connor admitted that it was likely that Ticketmaster might be fined by the ICO but that would not in any way financially compensate users for any losses or distress caused by the breach.
It’s not been a good year for Facebook. As 2018 came to a close, there were many opinion pieces floating around the internet and in the national press arguing for a break-up of Facebook because it was too dominant and it did not use that dominance responsibly.
In October, the company revealed that 30 million of its users had been affected by a “massive hack” and that the FBI had asked the company not to reveal who the perpetrator of the attack might be. Information stolen included users’ locations, dates of birth, recent searches, and information on their relationships. Business Insider listed a comprehensive run-down of the personal information stolen by the hackers.
Last year, Dixons Carphone, the parent company of Currys, PC World, and Carphone Warehouse among others, reported a data breach from summer 2017, thought initially to affect 1.2 million customer records. The hack was part of an attempt to access the financial details contained on 5.9 million cards in the processing systems of the business, according to TechWorld.
The retailer informed the Information Commissioner’s Office even though there had been no evidence of fraud as a result of the attack on its systems. Later, the company revised its estimate of the number of affected customers up to 10 million, a substantial rise on its initial assumption.
In September, Equifax was fined £500,000 by the Information Commissioner’s Office relating to a cyber-attack that affected 15m people in the UK. It was part of a worldwide attack which involved over 146m consumers around the world.
The company was warned by the US government about a “critical vulnerability” in its cyber-security systems in March 2017 but, according to the ICO report, it did not act upon the issues raised and this led, eventually, to the breach.
What’s to come in 2019
To date, the ICO has only acted against one firm after the introduction of GDPR. We were among many companies which predicted that the regulator would not be particularly punitive in its approach in the immediate aftermath of GDPR – and we were right.
In 2019, we think the regulator is likely to become far more proactive and aggressive in its approach to GDPR and data security compliance. Quoted on the CSO website, senior staff writer J.M. Porup believes that “(e)nforcement is going to be harsh beginning in the first half of 2019. Companies engaged in surveillance capitalism, like Google and Facebook, are in for a rough few years.”
We’ve written about multi-factor authentication before and it’s a core part of Sprout IT’s service offering to clients. Computer Weekly columnist Corey Nachreiner (WatchGuard Technologies) calls on all businesses large and small to embrace it in 2019, calling the solution “much easier and less expensive” than other security alternatives.
Protecting your practice or chambers
Sprout IT works with legal firms across the UK providing the latest cybersecurity to protect clients’ information and the reputations of our customers. To speak with one of our team about mitigating the threat from cybercrime and data breaches, call us today on 020 7036 8530 or email us. To read more about cyber security news and legal IT technology publications, follow our Legal IT & Technology blog.