It’s been a big week for sanctions dished out by the Information Commissioner’s Office (ICO) over data breaches. On Monday, British Airways was informed that it faces a record fine of £183m for a hack in 2018 that led to the data of half a million of its customers being leaked. Two days later, Marriott was handed a proposed fine of almost £100m after hackers stole the records of 339 million guests last year.
So what’s going on – why so many fines all of a sudden?
Some of you might wince at the four little letters GDPR, but it is much more than that tiresome pop-up asking you to accept cookies on a website: the GDPR is the most important piece of UK legislation in data privacy and marks a new era for data protection across the world.
If you need a refresher on the key aspects of the GDPR, we have some no-nonsense blogs that you can check out here. The legislation came into force last year, but its impact hadn’t really been felt in the real world until this week.
At long last, we are seeing companies finally being made to take responsibility for their customers’ data.
As stated by Information Commissioner Elizabeth Denham: “The law is clear, when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Data breaches happen regularly, but it often takes time for them to be discovered, sometimes years. Facebook, Deliveroo, Uber, LinkedIn, Gmail: so many companies have had their databases hacked and leaked that they have almost tried to make out that it’s just a feature of life in the digital era.
But the ICO has sent a clear message this week that this will no longer be accepted, flexing the new powers granted by the GDPR to charge companies up to 4% of their annual global turnover, instead of the maximum of £500,000 under the previous UK data protection scheme.
The British Airways fine is the first proposed under the GDPR. At £183m, it amounts to 1.5% of the company’s £11.6bn worldwide turnover from last year. The ICO has ruled that the company had “poor security arrangements” in place to protect customer information from being accessed, which led to the data of 500,000 of its customers being stolen from its website and mobile app last year.
Two days later, the ICO announced its intention to fine Marriott almost £100 million after hackers stole the personal data of 339 million guests, including credit card details, passport numbers and dates of birth. The breach wasn’t discovered until last year but is suspected to have started in 2014, when the systems of the Starwood hotels group, which Marriott acquired in 2016, were compromised.
The database was located in the US, which makes this case a strong warning that companies do not have to be based in the EU/EEA to have to comply with the GDPR. The ICO says Marriott “failed to undertake sufficient due diligence” when it bought Starwood, a ruling Marriott has said it will appeal.
This week’s events have brought some necessary attention to a problem we’ve been fighting for a long time: individuals’ right to have their data kept secure.
Heads are now turning to the likes of Deliveroo, whose customers have suffered fraudulent activity on a continual basis and frequently take to Twitter to complain about, in some cases, nearly £1,000 worth of fraudulent transactions on their accounts.
According to the 2019 Verizon Data Breach Investigations Report, 80% of hacking-related data breaches involve compromised and weak credentials.
The GDPR is doing much-needed work in holding companies accountable for not protecting their customers’ data properly. But if we use the same password across all of our accounts, a breach at one site hands attackers the keys to every other account that shares it, and we have left the door wide open.
We get it; how are you expected to remember unique passwords for every single one of your accounts? It’s hard enough to remember your usernames. This is why Yoti offers a free password manager that generates 14-character, unique passwords which are auto-filled so you never have to remember a password again.
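The point about reused passwords can be made concrete with a short Python script. This is an added example written for this post, not Yoti’s password manager code; it generates 14-character passwords from the operating system’s secure random source, reports how much entropy such a password carries, and audits a small constructed “vault” of site/password pairs to show how many accounts a single breached site would expose when a password is shared. The vault contents and site names are made up for the illustration.

```python
import math
import secrets
import string
from collections import defaultdict

# Character set for generated passwords: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 14, alphabet: str = ALPHABET) -> str:
    """Return a password of `length` characters drawn uniformly at random.

    secrets.choice uses the OS CSPRNG, which is what a password manager
    should use; random.choice is not suitable for secrets.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password of the given shape.

    14 characters over 94 symbols is about 91.8 bits, far beyond what an
    offline guessing attack can exhaust.
    """
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault):
    """Map each password that appears on more than one site to those sites.

    `vault` is an iterable of (site, password) pairs. Only the sites are
    returned alongside the shared secret, so the caller can report reuse.
    """
    by_password = defaultdict(list)
    for site, password in vault:
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def exposure_if_breached(vault, breached_site):
    """Other sites whose accounts fall if `breached_site` leaks its password.

    With unique passwords this is always empty; with reuse it is every site
    that shares the leaked password.
    """
    passwords = {site: pw for site, pw in vault}
    if breached_site not in passwords:
        raise KeyError(f"{breached_site} is not in the vault")
    leaked = passwords[breached_site]
    return sorted(site for site, pw in vault
                  if pw == leaked and site != breached_site)


# Constructed sample vault (hypothetical sites and passwords, not real data).
REUSED_VAULT = [
    ("shop.example", "Summer2018!"),
    ("mail.example", "Summer2018!"),
    ("bank.example", "Summer2018!"),
    ("forum.example", "forum-only-pass"),
]

# The same accounts with a unique generated password per site.
UNIQUE_VAULT = [(site, generate_password()) for site, _ in REUSED_VAULT]


if __name__ == "__main__":
    print(f"generated password: {generate_password()}")
    print(f"entropy of 14 chars over {len(ALPHABET)} symbols: "
          f"{entropy_bits(14, len(ALPHABET)):.1f} bits")
    print("reused passwords:", find_reused_passwords(REUSED_VAULT))
    print("if shop.example is breached (reused vault):",
          exposure_if_breached(REUSED_VAULT, "shop.example"))
    print("if shop.example is breached (unique vault):",
          exposure_if_breached(UNIQUE_VAULT, "shop.example"))
```

Run it directly to see the two audits side by side: with the reused vault, a breach at the shop exposes the mail and bank accounts as well; with unique passwords, the same breach exposes nothing else.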
It’s time to face the music. It’s not just up to the big companies, but us as individuals too. We protect our houses and cars, so why not our digital lives too?