It’s been a big week for sanctions dished out by the ICO over data breaches. On Monday, British Airways received a record fine of £183m for a 2018 hack in which the data of half a million of its customers leaked. Two days later, Marriott was fined almost £100m after hackers stole the records of 339 million guests last year.
So what’s going on – why so many fines all of a sudden?
Some of you might wince at these four little letters, but much more than that tiresome pop-up asking you to accept cookies on a website, the GDPR is the most important piece of UK legislation in data privacy and marks a new era for data protection across the world.
If you need a refresher on the key aspects of the GDPR, we have some no-nonsense blogs that you can check out here. The legislation came into force last year but its impact hadn’t really been felt in the real world – until this week.
At long last, we are seeing companies finally being made to take responsibility for their customers’ data. As stated by information commissioner Elizabeth Denham, “The law is clear, when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights”.
Data breaches happen regularly, but it often takes time for them to be discovered, sometimes years. Facebook, Deliveroo, Uber, LinkedIn, Gmail: so many companies have had their databases hacked and leaked that they’ve almost tried to make out that it’s just a feature of life in the digital era.
But the ICO has sent a clear message this week that this will no longer be accepted, issuing the first two fines under the GDPR, which allows companies to be charged up to 4% of their annual global turnover, instead of the £500,000 maximum under the previous UK data protection regime.
British Airways received the first fine, and the biggest in history, totalling £183m, which is 1.5% of its £11.6b worldwide turnover last year. Data from 500,000 of its customers was stolen from its website and mobile app last year, due to what the ICO deems “poor security arrangements” for protecting customer information from being accessed.
Two days later, Marriott received a fine of almost £100 million after hackers stole the personal data of 339 million guests, including credit card details, passport numbers and dates of birth. The breach wasn’t discovered until last year but is suspected to have started in 2014, when the systems of the Starwood hotels group, which Marriott acquired in 2016, were compromised.
The database was located in the US, which makes this case a strong warning that a company does not have to be based in the EU/EEA to fall under the GDPR. The ICO says Marriott “failed to undertake sufficient due diligence”, a ruling Marriott has said it will appeal.
This week’s events have brought some necessary attention to a problem we’ve been fighting against for a long time: individuals’ right to have their data kept secure.
Heads are now turning to the likes of Deliveroo, whose customers have suffered fraudulent activity on a continual basis and frequently take to Twitter to complain about, in some cases, nearly £1000 worth of fraudulent transactions.
According to the 2019 Verizon Data Breach Investigations Report, 80% of hacking-related data breaches involve compromised and weak credentials.
The GDPR is doing much-needed work in holding companies accountable for not protecting their customers’ data properly. But if we use the same passwords across all of our accounts, we are leaving the door wide open for hackers.
We get it; how are you expected to remember unique passwords for every single one of your accounts? It’s hard enough to remember your usernames. This is why Yoti offers a free password manager that generates 14-character, unique passwords which are auto-filled so you never have to remember a password again.
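The two habits this section argues for, a unique password per account and a generator that doesn’t rely on memory, are easy to show in code. The example below is added here and is not Yoti’s password manager or any code from the original post; it uses Python’s `secrets` module (an OS-backed cryptographic random source) to produce 14-character passwords, estimates their entropy, and checks a constructed sample vault for the kind of reuse the post warns about. The character set and the sample account names are assumptions.

```python
import math
import secrets
import string
from collections import defaultdict

# Assumed character set: letters, digits and a small punctuation set that
# most login forms accept. 72 symbols in total.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"
PASSWORD_LENGTH = 14  # the length the post quotes for Yoti's manager


def entropy_bits(length: int = PASSWORD_LENGTH) -> float:
    """Bits of entropy for a uniformly chosen password of `length` symbols."""
    return length * math.log2(len(ALPHABET))


def generate_password(length: int = PASSWORD_LENGTH) -> str:
    """Return a password drawn with `secrets` (CSPRNG), never `random`.

    Resamples until the candidate holds at least one letter and one digit so
    it also satisfies common site rules; rejection sampling keeps the result
    uniform over the accepted set.
    """
    if length < 8:
        raise ValueError("length below 8 gives too little entropy")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate):
            return candidate


def fill_vault(accounts):
    """Give every account its own freshly generated password (one per site)."""
    return {account: generate_password() for account in accounts}


def find_reused(vault):
    """Return {password: [accounts...]} for every password shared by 2+ accounts."""
    by_password = defaultdict(list)
    for account, password in vault.items():
        by_password[password].append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


# Constructed sample vault (hypothetical account names and passwords) showing
# the reuse pattern that lets one breached site unlock another.
CONSTRUCTED_VAULT = {
    "shop.example": "Summer2019!",
    "mail.example": "Summer2019!",
    "bank.example": "qT7#vLm2pZ9!aR",
}

if __name__ == "__main__":
    print("reused in sample vault:", find_reused(CONSTRUCTED_VAULT))
    fresh = fill_vault(CONSTRUCTED_VAULT)
    print("reused after regeneration:", find_reused(fresh))
    print(f"entropy per password: {entropy_bits():.1f} bits")
```

Running the block reports the shared `Summer2019!` entry, shows an empty reuse map once each account has its own generated password, and prints roughly 86 bits of entropy for a 14-character password over this alphabet, comfortably beyond what offline guessing can cover.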
It’s time to face the music. It’s not just up to the big companies, but us as individuals too. We protect our houses and cars, so why not our digital lives too?