On August 5, 2015, the British mobile phone retailer Carphone Warehouse discovered a “sophisticated attack” on its systems, possibly compromising the personal information of 2.5 million customers and the encrypted credit card data of an additional 90,000 customers.
Carphone Warehouse waited 3 days before alerting its customers to the breach via email. The Information Commissioner’s Office (ICO) investigated the attack and, upon examining Carphone Warehouse’s data handling processes, characterized the “number of distinct and significant inadequacies in the security arrangements” as “striking.”
The ensuing ICO investigation resulted in a fine of £400,000. It confirmed the breach had jeopardized the personal information of over 3 million customers and 1,000 employees. UK Information Commissioner Elizabeth Denham stated that Carphone Warehouse had not “been actively assessing security systems and ensuring defence against such attacks.” In fact, the retailer was hacked through outdated WordPress software, which underlines the importance of keeping security practices, and the software behind them, up to date.
The General Data Protection Regulation (GDPR), which is less than 90 days from going into effect, is reminding business owners that they are responsible for protecting and controlling the personal data they hold. Data breaches like the one experienced by Carphone Warehouse are the subject of more news stories than ever, and they happen to businesses everywhere, in every industry, of any size. Companies should have processes in place that are specifically designed both to prevent hacks and to react to them if and when they occur.
No single solution can guarantee breach prevention, and technology alone isn’t enough. Companies must overhaul their underlying processes and train employees to follow proper procedures. The GDPR stipulates that every business handling the personal data of EU citizens must ensure it has adequate security measures in place. Had it been found liable under the GDPR, the fines could have cost Carphone Warehouse over £17 million or 4% of its annual global revenue. And that is just the beginning…
In 2016, Uber was the victim of a cyber attack that exposed the personal information of 57 million people, including riders and drivers. Instead of reporting the incident to the proper authorities or to those affected, the rideshare service attempted to keep the situation secret by paying the hackers $100,000 to delete the stolen data.
Not only did the company fail to inform regulators, it also gave in to the extortion demands, at the request of both its chief executive, Travis Kalanick, and its chief security officer, Joe Sullivan. More concerning is the fact that Uber’s executives tried to conceal the damage further by making the payout appear to be part of a bug bounty, a program under which web companies pay individuals for finding and reporting vulnerabilities.
Both the cyber attack and Uber’s response to it damaged the company’s reputation. Uber is by no means the only available rideshare service, and the recent skepticism surrounding the company may have cost it significant market share. The way Uber responded to being hacked should serve as a lesson in the importance of accountability for businesses.
Much like trust, reputation takes years to build and only moments to destroy. Brand perception depends on how companies react to the sometimes inevitable risks associated with being in business. A proactive approach to security is the best way to build good rapport, because overlooking something as basic as encryption can have a lasting effect, as it did in a 2009 incident involving a stolen laptop.
A personal computer was stolen from the home of a UK-based lawyer while she was on vacation. The laptop contained highly sensitive information about individuals involved in 8 of the court cases she was working on at the time. The lawyer had some physical security measures in place, but neither the device nor the sensitive information on it was properly encrypted. At the time, the ICO couldn’t issue monetary penalties, but it did issue a press release that quickly picked up media attention. Almost a decade later, searching the lawyer’s name online still returns reports of the data breach. Her career and her reputation have been drastically affected by the mistake.
The incident left a permanent mark on the lawyer’s standing, and come May 25th, failing to comply with GDPR security requirements could also result in fines of up to £500,000. The legal profession handles some of the most sensitive information there is. Individuals and businesses alike in this industry must secure any personal data they use, because its exposure can also compromise the crucial work they do in court.
Always be prepared
The cost of a data breach isn’t limited to financial loss. The repercussions of inadequate data handling processes can extend further and last longer than a one-time fine. Trust, reputation, and customer loyalty are all at stake if companies don’t take steps toward prevention and respond to breaches correctly. Unfortunately, anyone can get hacked, so it’s always best to prepare for a breach and to create a response plan that minimizes fines and heads off public mistrust.