The General Data Protection Regulation (GDPR) defines a data breach as:
“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.”
Personal data only includes information relating to living natural persons who: can be identified or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information. Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances.
In particular, this type of data could create more significant risks to a person’s fundamental rights and freedoms. For example, by putting them at risk of unlawful discrimination because of sexual orientation or religious belief.
What are the three types of Data Breaches in GDPR?
Confidentiality, integrity, availability
The following is a breakdown of the three key concepts that form the CIA triad:
- Confidentiality is roughly equivalent to Confidentiality measures are designed to prevent sensitive information from unauthorised access attempts. It is common for data to be categorised according to the amount and type of damage that could be done if it fell into the wrong hands. More or less stringent measures can then be implemented according to those categories.
- Integrity involves maintaining the consistency, accuracy and trustworthiness of data over its entire lifecycle. Data must not be changed in transit, and steps must be taken to ensure data cannot be altered by unauthorised people (for example, in a breach of confidentiality).
- Availability means information should be consistently and readily accessible for authorised parties. This involves properly maintaining hardware and technical infrastructure and systems that hold and display the information.
We can all think of situations in our private lives when we may have been the victim of a Data Breach. How many time has the app you use for your online banking failed and was not available to you for a period of time, without warning, well that is a Data Breach and the data controller would have made a decision to report this to the Supervisory Authority or not.
What happens if you breach GDPR?
If there is a personal data breach, you have a duty to report the breach to the ICO in certain circumstances. This should be done within 72 hours of when you become aware of the breach. You may also need to notify the individuals affected by the breach if there is a high risk of there being an adverse effect to the rights and freedoms of those individuals. If that is the case, you must notify the individuals without undue delay. In any event, you must keep a record of any personal data breaches, regardless of whether you are required to notify the breach.
Consequences of non-compliance
As mentioned above, the penalties for failing to comply with these obligations can be very serious. Consumers have a reasonable expectation that businesses take care of the personal information they collect and that the information is processed only for the purposes it was collected for. The law now better reflects this expectation and businesses risk severe penalties if they fail to comply.
For less serious breaches, you can be fined up to the greater of:
- £10 million; or
- 2% of the firm’s global turnover.
More serious offences can incur fines up to the greater of:
- £20 million; or
- 4% of the firm’s global turnover.
Unsurprisingly, these fines have attracted controversy because of the impact they could have on SMEs. It may be reassuring to bear in mind that these fines are worst-case scenarios and the ICO will consider mitigating factors such as the severity of the breach and a company’s efforts to comply with the GDPR.
GDPR Data Breach examples
If your organisation is to successfully tackle cyber security risks, you need to know what to look out for.
That’s where Verizon’s 2020 Data Breach Investigations Report comes in. Its year-long investigation into the causes of data breach has revealed the 6 most common ways that organisations fall victim.
We took at look at each of those in this blog and see which one comes out on top.
1. Physical actions (4%)
We tend to think of data breaches as being a result of cyber crime, but Verizon found that a significant number of incidents don’t involve technology at all.
Most physical incidents involve the theft of paperwork or devices such as laptops, phones and storage devices. Employees are increasingly encouraged to work from home or on the go, but if they don’t keep an eye on their assets, an opportunist crook could easily steal them.
The other leading physical action is card skimming. This is where crooks insert a device into card readers and ATMs to harvest payment card information.
Organisations consistently overlook the threat their employees pose, but Verizon found that more than one in twelve data breaches are caused by a member of staff using information improperly.
There are two main ways this happens. The first is privilege abuse, in which employees misuse information they’ve been given legitimate access to.
This isn’t necessarily for malicious purposes. The employee might have stumbled on the information accidentally, which can happen if the organisation doesn’t set up appropriate access controls.
Alternatively, the employee could have ignored access policies. This can happen when, for example, an employee alters a document without following the correct procedure.
The second common type of privilege misuse is data mishandling. This occurs when sensitive information is copied, shared, accessed, stolen or otherwise used by an employee who isn’t authorised to do so.
3. Malware (17%)
Cyber criminals can use malware for any number of purposes, but Verizon’s report highlights a handful of prominent types, including RAM scrapers, which scan the memory of digital devices to collect sensitive information. POS (point-of-sale) systems are particularly vulnerable to RAM scraping.
The report also noted the prevalence of keyloggers, which capture the keys struck on a keyboard. They’re usually used to steal passwords and other sensitive information.
4. Social engineering (22%)
Verizon’s research found that almost a quarter of data breaches are caused by fraudsters simply acting as though they belong.
You’re probably aware of phishing, in which cyber criminals send malicious emails that look legitimate, but Verizon also highlighted the threat of financial pretexting.
Pretexting is similar to phishing in that crooks contact their targets under false pretences to gain their information (in this case, financial information specifically).
However, pretexters contact victims by phone as well as by email, and rather than duplicating a legitimate organisation’s website, they simply request that the target send them their financial details.
Once they have that information, the crooks can commit fraud, sell the data or contact a third party (such the victim’s bank or a supplier that the victim’s employer works with) requesting information about their account history.
5. Human error (22%)
Breaches don’t have to be caused by someone acting maliciously. Verizon found that more than one in five incidents was the result of a mistake made by an employee.
The most common errors involved sensitive information being sent to the wrong person. This might involve sending an email to the wrong person, attaching the wrong document or handing a physical file to someone who shouldn’t have access to the information.
The next most common cause of human error was misconfiguration, which typically involves leaving a database containing sensitive information online without any password restrictions.
6. Criminal hacking (45%)
It shouldn’t be a surprise that criminal hacking is the top cause of data breaches, because it’s often necessary to conduct specific attacks. Malware and SQL injection, for example, are usually only possible if a criminal hacks into an organisation’s system.
What might come as a surprise is how many activities criminal hacking encompasses. It’s usually associated with computer coding, but Verizon found that the most common criminal hacking technique involved stolen credentials.
This doesn’t require any technical knowledge. Crooks can purchase the credentials on the dark web, find them written down, crack them using a password-generating machine or guess them.
Once a cyber criminal has a user’s login credentials, they can perform any number of nefarious activities, but it usually boils down to extracting information to commit fraud or sell on the dark web, or to launch further attacks, such as phishing scams.
Read the original article here
How to report a GDPR Breach
Organisations must report GD breaches to the relevant supervisory authority within 72 hours of becoming aware of it. Most Supervisory Authorities have links to the reporting process on their websites. The link to the ICO reporting page is – https://ico.org.uk/for-organisations/report-a-breach/
But before you send your notification, you should check that it meets the GDPR’s notification requirements. Incidents only need to be reported if they “pose a risk to the rights and freedoms of natural living persons”.
‘Risk’ here refers to the possibility of data breach victims facing economic or social damage (such as discrimination), reputational damage or financial losses.
What should a data breach notification include?
Your data breach notification should state:
- The type of personal data breach, including the type and estimated number of individuals affected, and the type and estimated number of personal data records concerned;
- The name and contact details of a point of contact where further information can be obtained, such as that of the DPO (data protection officer);
- The possible outcomes of the personal data breach; and
- A list of measures taken or being taken to deal with the breach and appropriate measures taken to mitigate any adverse effects.
Notifying affected individuals
After your supervisory authority has been notified, you must also see if you need to inform affected individuals. If the data breached would cause a ‘High Risk’ to the rights and freedoms of the individual, you have to notify each effected data subject of the Data Breach.
At the very least, this should comprise a statement that lets them know that an incident has occurred. However, you might also choose to set up a web page and helpline that people can use to find out more and have their questions answered.
What’s the maximum penalty to an organisation of a GDPR Data Breach?
1. Google – €50 million ($56.6 million)
Although Google’s fine is technically from 2019, the company appealed against it. In March 2020, judges at France’s top court for administrative law dismissed Google’s appeal and upheld the eye-watering penalty.
How the violation(s) could have been avoided: Google should have provided more information to users in consent policies and should have granted them more control over how their personal data is processed.
2. H&M – €35 million ($41 million)
On October 5, 2020 the Data Protection Authority of Hamburg, Germany, fined clothing retailer H&M €35,258,707.95 — the second-largest GDPR fine ever imposed.
H&M’s GDPR violations involved the “monitoring of several hundred employees.” After employees took vacation or sick leave, they were required to attend a return-to-work meeting. Some of these meetings were recorded and accessible to over 50 H&M managers.
Senior H&M staff gained ”a broad knowledge of their employees’ private lives… ranging from rather harmless details to family issues and religious beliefs.” This “detailed profile” was used to help evaluate employees’ performance and make decisions about their employment.
How the violation(s) could have been avoided: Details of the decision haven’t been published, but the seriousness of H&M’s violation is clear.
H&M appears to have violated the GDPR’s principle of data minimization – don’t process personal information, particularly sensitive data about people’s health and beliefs, unless you need to for a specific purpose.
H&M should also have placed strict access controls on the data, and the company should not have used this data to make decisions about people’s employment.
3. TIM – €27.8 million ($31.5 million)
On January 15, 2020 Italian telecommunications operator TIM (or Telecom Italia) was stung with a €27.8 million GDPR fine from Garante, the Italian Data Protection Authority, for a series of infractions and violations that have accumulated over the last several years.
TIM’s infractions include a variety of unlawful actions, most of which stem from an overly-aggressive marketing strategy. Millions of individuals were bombarded with promotional calls and unsolicited communications, some of whom were on non-contact and exclusion lists.
How the violation(s) could have been avoided: TIM should have managed lists of data subjects more carefully and created specific opt-ins for different marketing activities.
4. British Airways – €22 million ($26 million)
In October, the ICO hit British Airways with a $26 million fine for a breach that took place in 2018. This is considerably less than $238 million dollar fine that the ICO originally said it intended to issue back in 2019. So, what happened back in 2018?
British Airway’s systems were compromised. The breach affected 400,000 customers and hackers got their hands on login details, payment card information, and PI like travellers’ names and addresses.
How the violation(s) could have been avoided: According to the ICO, the attack was preventable, but BA didn’t have sufficient security measures in place to protect their systems, networks, and data. In fact, they didn’t even have basics like multi-factor authentication in place at the time of the breach. Going forward, the airline should take a data-first security approach, invest in security solutions, and ensure they have strict data privacy policies and procedures in place.
5. Marriott – €20.4 million ($23.8 million)
While this is an eye-watering fine, it’s actually significantly lower than the $123 million fine the ICO originally said they’d levy. So, what happened? 383 million guest records (30 million EU residents) were exposed after the hotel chain’s guest reservation database was compromised. PI like guests’ names, addresses, passport numbers, and payment card information was exposed.
Note: The hack originated in Starwood Group reservation system in 2014. While Marriott acquired Starwood in 2016, the hack wasn’t detected until September 2018.
How the violation(s) could have been avoided: The ICO found that Marriott failed to perform adequate due diligence after acquiring Starwood. They should have done more to safeguard their systems with a stronger data loss prevention (DLP) strategy and utilized de-identification methods.