2020 data breaches: lessons from our DPOs
A record-breaking year
2020 was quite the year for headline-grabbing data breaches thanks to a combination of record-breaking numbers and behind-the-hack tales. Despite huge investments in security tools and awareness, organisations of all sizes struggled to fully protect their data from cyber criminals.
The fact that a significant number of enterprises have yet to meet their GDPR compliance objectives is surely a factor at play here. A 2019 study by Capgemini revealed that 36% of business leaders polled identified the complexity of the GDPR’s requirements as one of the top barriers to achieving full compliance – complexity that a Data Protection Officer (DPO) is intended to manage, whether as an in-house role or as an outsourced managed service. Twelve months and a succession of data breaches later, it seems the situation has not much improved.
Here at Bulletproof, we believe that there are some fairly uncomplex ways in which the DPO function can be applied to reduce the likelihood of a data breach and minimise the aftershocks if one does occur. To this end, our team of GDPR experts looked at five UK data breach cases that occurred in 2020, to see what lessons can be learnt, and how better use of the DPO function might have mitigated the respective outcomes.
Last summer, an investigative team from Safety Detectives found a web-facing database that had no password protection, no data encryption, nor any other apparent security measures. It belonged to cosmetics and fashion retail brand Avon. Closer inspection revealed a range of personal data which included full names, phone numbers, birth dates, email addresses, postal addresses, payment records, and administrator-user emails. The server also contained a wealth of technical information such as 40,000+ security tokens, OAuth tokens, technical logs, account settings, and much more besides, that would be incredibly useful for hackers in committing further cyber attacks.
Safety Detectives alerted Avon to the high risk of an unprotected server and the company’s security teams took remedial actions. It is not known if cyber criminals may have found the exposed data before Safety Detectives did, but to date no data traceable to Avon has appeared on the dark web.
Lessons from our DPO
- Avon has established a strong online sales channel, and it is likely that it sees this as accounting for a greater proportion of its future sales. The Society of Corporate Compliance and Ethics has suggested that Avon’s customer profile adds to the seriousness of this security lapse. ‘Many of Avon’s customers are considered to be older and less tech savvy,’ it says, ‘[putting] them at additional risk of phone and mail scams perpetrated using the leaked data.’ Although UK data protection regulations require online retailers to ensure all customer data is adequately secured, a DPO could consider advising tighter controls than the bare minimum to protect those in social profiles who're more likely to be more vulnerable to scams.
Babylon Health’s GP at Hand app enables private and NHS healthcare patients to have audio and video consultations with physicians via their smartphones, and reportedly has more than 2.3m registered UK users.
On June 9, 2020, a GP at Hand user checked his account and found he had been given access to some 50 videos of other patients’ consultations – clearly not a feature the app should legitimately provide. The user alerted Babylon Health via Twitter, although in an undated website notice the company later said that it had already been told about the glitch by an internal source. The issue was resolved ‘within two hours’, Babylon Health stated on its website: ‘This [issue] was the result of a software error and not a malicious attack’.
As Babylon Health recognised that the error might constitute a data breach within the articles of the GDPR it was referred to the ICO within 72 hours. The ICO’s investigation eventually concluded that the incident did not contravene the GDPR.
Lessons from our DPO
- Babylon Health’s website advisory was articulate and highlighted the fact that the company had notified the ICO of the incident. A DPO’s input into public announcements following a security incident helps to ensure that key messages get across and that affected parties feel properly informed.
The globally-interconnected, interwoven fabric of the web is revealed most acutely when a company like Blackbaud gets hit by a ransomware attack. The US-based cloud software services provider supports a range of CRM, fundraising and financial management applications. Many of its users are charities, universities and third-sector organisations.
Blackbaud has said that it knew a substantial data set was stolen as part of the attack – it did not, however, inform its many user organisations of this until around two months later. In the intervening time the company announced that it had ‘paid the cyber-criminal’s demand with confirmation that the [data] copy they removed had been destroyed’.
After an initial investigation, it advised users that it ‘found that no encrypted information, such as bank account details or passwords, nor credit card or other financial information was access[ed]’. But in October it emerged that Blackbaud had, inadvertently or not, downplayed the extent of the data stolen both in terms of number of clients affected and the data types it included. ‘Further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords,’ the company admitted in a regulatory filing with the US Securities and Exchange Commission on September 29.
In the US, at least 10 class-action lawsuits have been filed against Blackbaud. In the UK, students, staff and partners at the University of Cumbria who may have had personal details taken are also preparing to take legal action against the firm. More than 160 Blackbaud user organisations in the UK have reported the breach to the ICO, whose investigation is ongoing.
Lessons from our DPO
- Any suggestion that Blackbaud delayed informing its clients that data pertinent to individuals in their organisation may have been stolen by its attackers because it was not aware of the fact, will be scrutinised by regulators. If they decide that an incident is not sufficiently serious to be reported to the ICO, incident victims must maintain their own records of the incident that explain why they made that decision.
On May 19 2020 easyJet announced that data records for more than 9m of its customers had been purloined by a ‘highly sophisticated attacker’. The company revealed that the stolen data included some 2,208 credit and debit account details that included each account’s three-digit CVV number.
The airline reportedly found out about the breach in January 2020, but although it notified the ICO and NCSC about it ‘promptly’, it did not inform the affected customers until April.
The ICO’s investigation is ongoing. Although some pundits have suggested that the ICO will show leniency given the pressures placed on the airline sector by the Coronavirus pandemic, the regulator will be mindful of the fact that this is the second major breach by a UK airline since the GDPR kicked-in – BA being the first, since fined £20m – and that it expects business sectors to take heed of its power to fine. The fact that cyber attackers exploited vulnerabilities in easyJet’s security that existed before the pandemic took hold could be a factor in its inquiry.
EasyJet has not revealed the specifics of how the ‘highly sophisticated attacker’ was able to access and take the data, but told the media the hacker(s) seemed to be after the ‘company’s intellectual property’, as opposed to its customers’ personal data.
Meanwhile, like BA, easyJet has become the subject of a class action lawsuit, brought by the same law firm, PGMBM. The action is seeking to extract compensation to the value of £18bn.
Lessons from our DPO
- To some minds, the statement that the ‘highly sophisticated’ attacker was after ‘intellectual property’ rather than customer data could ring a tad hollow – easyJet is an aircraft operator, not an aircraft designer. And shouldn’t a business the size of easyJet have in place cyber safeguards that are just as ‘highly sophisticated’ as their attackers’? Such comments can prove disingenuous to the wider world, and even help the case of litigants should legal action ensue as a result of the data breach. DPOs monitor the fall-out from data breaches experienced by other businesses, and are well positioned to advise on dos-and-don’ts of post-incident public statements.
On New Year’s Eve 2019, the REvil hacker group launched a cyber-attack on foreign exchange specialist Travelex. It used Sodinokibi ransomware to encrypt Travelex’s network, delete backup files, and exfiltrate more than 5Gb of PII data, which (according to unverified reports) included social security numbers, dates-of-birth, and card payment information.
Travelex has a presence in more than 60 countries and operates over 1,000 ATMs worldwide. It provides currency services for banks, supermarkets and travel agencies in 60 countries. Those services were also disrupted due to the attack. Travelex websites across Europe, Asia and the US remained offline for almost two weeks after the attack. A notice to visitors said they were down for ‘planned maintenance’.
It is unclear if Travelex informed its B2B customers of the reason behind the service suspension, but it did not notify the ICO of the data breach within the statutory 72 hours.
REvil initially demanded $6m (£4.6m) ransom from Travelex. Payment would apparently lead to the 5Gb of exfiltrated data being deleted and access to the company’s networks/databases restored. Travelex has not stated whether it has in fact paid this, but according to The Wall Street Journal, a ransom of $2.3m in Bitcoin has been handed over.
Travelex initially stated that it did not believe any of its personal data had been breached, and this might be why it did not notify the ICO. The consequences of not performing adequate analysis on if personal data has been leaked could land Travelex with a substantial fine.
Lessons from our DPO
- Travelex’s line of business makes it subject to data protection requirements in addition to those of the GDPR. The Financial Conduct Authority has also said it is in contact with the firm to ensure fair treatment of customers who were left without funds by the outage. The DPO has an increasingly important role in regard to managing data protection challenges with multiple regulatory bodies, not just the ICO.
Meet your data protection obligations
Our DPOs are certified GDPR practitioners and data privacy experts. Find out more about how we support organisations across a range of industry sectors, successfully guiding them through the complex responsibilities of data protection.Learn more
Trusted cyber security & compliance services from a certified provider
Get a quote today
If you are interested in our services, get a free, no obligation quote today by filling out the form below.