The quite remarkable results of research published this week show the shocking state of preparedness of UK firms with respect to GDPR, further highlighted in ‘the real world’ by a data breach at a large high-street organisation.
One survey found that only 18% of UK Large and Multinational Organisations were ‘highly confident’ about meeting the GDPR deadline of next May. The fact that only 25% of law firms surveyed feel GDPR ready, despite being a more favourable figure, is perhaps the more worrying statistic.
If the specialists in law are struggling, how is everyone else supposed to be ready?
Yesterday’s news that high-street pawnbroker Cash Converters suffered a serious data breach has highlighted just how unready the vast majority of businesses are. Not just because it occurred, but also where it occurred.
The fact that the breach occurred on an old system no longer used by the public brings home just how much data sits in how many systems: it is not only your bright, shiny new systems with state-of-the-art security that you need to worry about.
Jon Topper, CEO of UK tech company The Scale Factory has said, “When migrating away from old solutions it’s important to bear in mind that old digital assets will still be running and available online until such time as they are fully decommissioned. As a result, they should still be treated as ‘live’, which means maintaining a good security posture around them, keeping up with patching and so forth.”
There’s so much data in so many places, it’s tough to keep track of it all. However, just as ignorance of the law is no defence, the initial response from Cash Converters, that the hacked website was being managed by a third party, just won’t cut it under GDPR: if it is your data to look after and keep secure, there are no mitigating circumstances.
Under the current Data Protection Act, the Information Commissioner’s Office has several options when it finds an organisation in breach of the Act – including imposing a monetary penalty of up to £500,000. From 25th May 2018, under GDPR, the maximum fine rises from half a million pounds to €20 million or 4% of annual global turnover – whichever figure is higher. A very substantial increase.
The full fallout of the Cash Converters data breach isn’t yet known*, but if it is serious, and if this attack had happened in 6 months’ time, would the full force of GDPR be brought down on them, or will there be a ‘softer’ approach in the first few months, given the apparent lack of preparedness across the board?
Cash Converters has already taken a huge hit in recent years. Following the introduction of the Financial Conduct Authority’s rate cap on High-Cost Short-Term Credit in January 2015 they made the decision to cease offering personal loans in store and online, effectively ending their biggest source of turnover. They stopped lending towards the end of June 2016, just before the end of their financial year. In their accounts, they state that in the year ending 30th June 2016 their turnover from ‘continuing operations’ was £13.9m — but that the turnover from ‘discontinued operations’ was significantly higher at £26.3m.
Yesterday’s headlines certainly won’t do them any favours.
I feel sympathy for many of their customers who have felt the need to take out high-interest loans in the past – especially if it is their data that has been stolen in this attack. On the face of it, it may not seem that cybercriminals would choose to target people who are struggling financially, but only the desperate would turn to such high-interest loans – and desperation makes people especially vulnerable. If this is a planned attack by cybercriminals looking to use whatever they can find for financial gain, then they may have chosen their perfect targets.
However, as Andre Stewart, VP at Netskope, points out, “While many Cash Converters customers may be wondering if their username and password are among the stash of stolen data, the fact is that the stolen credentials shouldn’t give any cause for concern – if basic cyber hygiene procedures were followed.
But what are the chances that those passwords have been used for multiple accounts and remain the same? The truth is that we make it too easy for cyber attackers to tap into our online accounts and data by leaving our log-in credentials unchanged for years at a time, using the same details across accounts or choosing insecure passwords which are far too obvious.”
This is certainly sound advice for the here and now, in a data-driven world that relies on the password to protect us. But perhaps the password has had its day? As James Romer from SecureAuth pointed out in a recent interview at IP Expo 2017, relying on a username protected by a password leaves you extremely vulnerable to thefts such as the Cash Converters breach (or any of the myriad security breaches of recent years): once the username and password are in the hands of criminals, they have access to whatever system they have compromised. What they can’t steal, however, are your regular patterns of behaviour. Instead of relying on a password alone, a ‘behaviour profile’ can offer better protection: any deviation from your normal pattern of behaviour raises a red flag.
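To make the ‘behaviour profile’ idea concrete, here is a small added illustration (not SecureAuth’s product or any code from the article): a per-user profile learned from past login events, and a risk check that asks for step-up verification when a correct password arrives from an unfamiliar device, country or time of day. The login history, device names and threshold are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class LoginEvent:
    user: str
    hour: int        # local hour of the attempt, 0-23
    device: str      # constructed device fingerprint label
    country: str     # ISO country code of the source address


@dataclass
class BehaviourProfile:
    """What 'normal' looks like for one user, learned from past logins."""
    hours: Counter = field(default_factory=Counter)
    devices: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)
    total: int = 0

    def learn(self, ev: LoginEvent) -> None:
        self.hours[ev.hour] += 1
        self.devices[ev.device] += 1
        self.countries[ev.country] += 1
        self.total += 1

    def risk(self, ev: LoginEvent) -> int:
        """Number of attributes that deviate from the learned pattern."""
        if self.total == 0:
            return 3  # no history at all: treat everything as unusual
        score = 0
        if self.devices[ev.device] == 0:
            score += 1
        if self.countries[ev.country] == 0:
            score += 1
        # an hour is familiar if it is within one hour of any seen login
        if not any(self.hours[(ev.hour + d) % 24] for d in (-1, 0, 1)):
            score += 1
        return score


def build_profile(history: list) -> BehaviourProfile:
    profile = BehaviourProfile()
    for ev in history:
        profile.learn(ev)
    return profile


def decide(profile: BehaviourProfile, ev: LoginEvent, threshold: int = 2) -> str:
    """'allow' when the login fits the profile; otherwise require step-up."""
    return "step-up" if profile.risk(ev) >= threshold else "allow"


# Constructed history: one user, same laptop, same country, morning logins.
HISTORY = [LoginEvent("alice", 8 + (i % 3), "laptop-1", "GB") for i in range(20)]
```

A stolen username and password alone do not reproduce this pattern, so the check above is only one layer and should sit alongside, not replace, the password hygiene described earlier.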
Passwords aren’t going to disappear anytime soon – but as the sole means of protecting our data, their days will have to eventually come to an end. Even simple 2-factor authentication has its limits and will have to be superseded by a stronger strategy.
Data is all around us – more than that, data is integral to everything we do in the modern world. GDPR makes clear, in no uncertain terms, that how organisations protect that data is of paramount importance. But so is how we ourselves, as individuals, take responsibility for our own security. Technological and strategic advancements will improve matters over time. But, as we know, the cybercriminals will never be too far behind, no matter what rules and regulations are put in place.
* Update – just prior to going to press, we received this comment from Jason Hart, CTO of Data Protection, Gemalto:
“This is yet another case of a company not protecting the sensitive customer data it holds. While no credit card information was taken, hackers were able to access usernames, passwords and addresses, which can be used to launch social engineering attacks. This should serve as yet another wakeup call that businesses need to protect this type of data at its source. Through methods like encryption, hackers may be able to take the data, but not actually be able to read it, ensuring it can’t be used. It’s incredibly frustrating to see these attacks continue to hit the headlines, given the relative ease of methods that are out there now to prevent them.”