2020 Data Breaches: Lessons from our DPOs

Written by Nicky Whiting, Head of Compliance

11/12/2020

A record-breaking year

2020 was quite the year for headline-grabbing data breaches thanks to a combination of record-breaking numbers and behind-the-hack tales. Despite huge investments in security tools and awareness, organisations of all sizes struggled to fully protect their data from cyber criminals.

The fact that a significant number of enterprises have yet to meet their GDPR compliance objectives is surely a factor at play here. A 2019 study by Capgemini revealed that 36% of business leaders polled identified the complexity of the GDPR’s requirements as one of the top barriers to achieving full compliance – complexity that a Data Protection Officer (DPO) is intended to manage, whether as an in-house role or as an outsourced managed service. Twelve months and a succession of data breaches later, it seems the situation has not much improved.

Here at Bulletproof, we believe that there are some fairly straightforward ways in which the DPO function can be applied to reduce the likelihood of a data breach and minimise the aftershocks if one does occur. To this end, our team of GDPR experts looked at five UK data breach cases that occurred in 2020, to see what lessons can be learnt, and how better use of the DPO function might have mitigated the respective outcomes.


Case Study: Avon

Last summer, an investigative team from Safety Detectives found a web-facing database that had no password protection, no data encryption, nor any other apparent security measures. It belonged to cosmetics and fashion retail brand Avon. Closer inspection revealed a range of personal data which included full names, phone numbers, birth dates, email addresses, postal addresses, payment records, and administrator-user emails. The server also contained a wealth of technical information such as 40,000+ security tokens, OAuth tokens, technical logs, account settings, and much more besides, that would be incredibly useful for hackers in committing further cyber attacks.

Safety Detectives alerted Avon to the high risk of an unprotected server and the company’s security teams took remedial action. It is not known whether cyber criminals found the exposed data before Safety Detectives did, but to date no data traceable to Avon has appeared on the dark web.

Lessons from our DPO

Luke Peach, Data Protection Officer

  • Although Avon’s data was exposed when it should not have been, and there was a clear and unacceptable risk to its integrity, no evidence has emerged that the data had been accessed by criminals. Having unprotected personal data publicly revealed by independent ‘investigators’ can become almost as damaging as actually being hacked. A DPO’s sound understanding of regulatory compliances could prove critical to investing a public response with the correct context.
  • Safety Detectives had not been contracted by Avon to find vulnerabilities in its systems. So does the incident have to be reported to the ICO? It’s reasonable to assume that Avon would rather not do so unless strictly required to. In situations like this the DPO’s counsel is critical to decisions made. A DPO who knows your GDPR obligations thoroughly can save time and resources by knowing when a data compromise incident has to be reported – and when it does not.
  • Avon has established a strong online sales channel, and it is likely that it sees this as accounting for a greater proportion of its future sales. The Society of Corporate Compliance and Ethics has suggested that Avon’s customer profile adds to the seriousness of this security lapse. ‘Many of Avon’s customers are considered to be older and less tech savvy,’ it says, ‘[putting] them at additional risk of phone and mail scams perpetrated using the leaked data.’ Although UK data protection regulations require online retailers to ensure all customer data is adequately secured, a DPO could consider advising tighter controls than the bare minimum to protect those in social profiles who are more likely to be vulnerable to scams.

Case Study: Babylon Health

Babylon Health’s GP at Hand app enables private and NHS healthcare patients to have audio and video consultations with physicians via their smartphones, and reportedly has more than 2.3m registered UK users.

On June 9, 2020, a GP at Hand user checked his account and found he had been given access to some 50 videos of other patients’ consultations – clearly not a feature the app should legitimately provide. The user alerted Babylon Health via Twitter, although in an undated website notice the company later said that it had already been told about the glitch by an internal source. The issue was resolved ‘within two hours’, Babylon Health stated on its website: ‘This [issue] was the result of a software error and not a malicious attack’.

As Babylon Health recognised that the error might constitute a data breach within the articles of the GDPR, it was referred to the ICO within 72 hours. The ICO’s investigation eventually concluded that the incident did not contravene the GDPR.

Lessons from our DPO

Rebecca Bada, Data Protection Officer

  • Superficially, Babylon Health’s breach seems minor compared to some of the bigger data compromise incidents that made headlines in 2020. However, it holds some instructive lessons that highlight the value of the DPO function. For instance, organisations have to ensure that all patient records – from written records to scans and videos – now count as personal data, and must be treated and secured as such.
  • The GP at Hand malfunction was a software error rather than a more ‘traditional’ cyber security flaw. But with apps playing an increasingly central role in our daily lives, secure software development is now an integral part of cyber security. The DPO’s role as an educator helps remind the IT crowd that generic technological slips have consequences in the data protection world.
  • The issue was communicated to Babylon Health by the user via a tweet – which instantly made it public knowledge. The DPO’s lesson here is that it has become necessary to ensure that social media accounts are monitored for such alerts, and also that there should be clear, easily-findable contact details on both the app and websites for people to get in touch if they have a data security concern. Increasingly, organisations’ web contact details for data privacy enquiries go directly to the DPO.
  • The user who tweeted appears subsequently to have been contacted by the media to provide additional comment – comment that was not favourable to Babylon Health. In such situations a timely direct contact by a DPO to a user/customer can defer the possibility of potentially damaging comments posted in the public domain.
  • Babylon Health’s website advisory was articulate and highlighted the fact that the company had notified the ICO of the incident. A DPO’s input into public announcements following a security incident helps to ensure that key messages get across and that affected parties feel properly informed.

Case Study: Blackbaud

The globally-interconnected, interwoven fabric of the web is revealed most acutely when a company like Blackbaud gets hit by a ransomware attack. The US-based cloud software services provider supports a range of CRM, fundraising and financial management applications. Many of its users are charities, universities and third-sector organisations.

Blackbaud has said that it knew a substantial data set was stolen as part of the attack – it did not, however, inform its many user organisations of this until around two months later. In the intervening time the company announced that it had ‘paid the cyber-criminal’s demand with confirmation that the [data] copy they removed had been destroyed’.

After an initial investigation, it advised users that it ‘found that no encrypted information, such as bank account details or passwords, nor credit card or other financial information was access[ed]’. But in October it emerged that Blackbaud had, inadvertently or not, downplayed the extent of the data stolen both in terms of number of clients affected and the data types it included. ‘Further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords,’ the company admitted in a regulatory filing with the US Securities and Exchange Commission on September 29.

In the US, at least 10 class-action lawsuits have been filed against Blackbaud. In the UK, students, staff and partners at the University of Cumbria who may have had personal details taken are also preparing to take legal action against the firm. More than 160 Blackbaud user organisations in the UK have reported the breach to the ICO, whose investigation is ongoing.

Lessons from our DPO

Vera Ishani, Data Protection Officer

  • Because of its UK user organisations, Blackbaud must be compliant with the requirements of the GDPR, and it also chose to follow best practice and appoint a DPO. It might be possible, then, that its data protection advisor was part of the decision-making process that shaped Blackbaud’s response to the incident.
  • Blackbaud’s negotiations with its attackers are, of course, one of cyber security’s most contentious debates. As the GDPR-designated Data Processor, Blackbaud would be expected to encrypt the data it holds and maintain secure backups. As will also be seen below with Travelex, the fact that Blackbaud felt it had no option but to pay to regain access to its data indicates that the company did not have adequate backups of its data that it could revert to as part of a business continuity plan – and so reject ransom demands. This could be a strategic deficit that will almost certainly be taken into consideration when the ICO assesses whether the company was non-compliant with the GDPR.
  • Any suggestion that Blackbaud delayed informing its clients that data pertinent to individuals in their organisation may have been stolen by its attackers because it was not aware of the fact will be scrutinised by regulators. Incident victims who decide that an incident is not sufficiently serious to be reported to the ICO must maintain their own records of the incident that explain why they made that decision.

Case Study: easyJet

On May 19, 2020, easyJet announced that data records for more than 9m of its customers had been purloined by a ‘highly sophisticated attacker’. The company revealed that the stolen data included some 2,208 credit and debit account details that included each account’s three-digit CVV number.

The airline reportedly found out about the breach in January 2020, but although it notified the ICO and NCSC about it ‘promptly’, it did not inform the affected customers until April.

The ICO’s investigation is ongoing. Although some pundits have suggested that the ICO will show leniency given the pressures placed on the airline sector by the Coronavirus pandemic, the regulator will be mindful of the fact that this is the second major breach by a UK airline since the GDPR kicked in – BA being the first, since fined £20m – and that it expects business sectors to take heed of its power to fine. The fact that cyber attackers exploited vulnerabilities in easyJet’s security that existed before the pandemic took hold could be a factor in its inquiry.

EasyJet has not revealed the specifics of how the ‘highly sophisticated attacker’ was able to access and take the data, but told the media the hacker(s) seemed to be after the ‘company’s intellectual property’, as opposed to its customers’ personal data.

Meanwhile, like BA, easyJet has become the subject of a class action lawsuit, brought by the same law firm, PGMBM. The action is seeking to extract compensation to the value of £18bn.

Lessons from our DPO

Luke Peach, Data Protection Officer

  • The BA data breach and fine was a big-splash media story, but this does not guarantee that its ramifications will be absorbed at senior executive level. Any DPO would have known that the ICO expects its judgement against BA to be a wake-up call to other airlines, and to prompt them into doubly ensuring that their data protection provisions are 100% compliant with the GDPR.
  • Even though an organisation may have a DPO in place, their influence is only as good as that organisation’s inclination to act upon their advice and counsel. We’d certainly be interested to know if easyJet’s in-house DPO had raised concerns about the level of the company’s data protection prior to the January attack.
  • The GDPR can prove a two-pronged drain on corporate coffers. In addition to fines for non-compliance, under Article 82 of the Regulation, customers have a right to compensation for inconvenience, distress, annoyance, and loss of control over their data – hence the growth in popularity of class actions due to data breaches. So it’s doubly important that organisations have GDPR expertise on call.
  • Storing the CVV numbers from credit and debit cards contravenes the strict PCI DSS regulation that all organisations which process payment data are bound by. This means that, in addition to GDPR and class-action fines, easyJet will also likely face PCI DSS non-compliance financial penalties. The storing of CVV data should have been picked up by a DPO and red-flagged for immediate remediation.
  • To some minds, the statement that the ‘highly sophisticated’ attacker was after ‘intellectual property’ rather than customer data could ring a tad hollow – easyJet is an aircraft operator, not an aircraft designer. And shouldn’t a business the size of easyJet have in place cyber safeguards that are just as ‘highly sophisticated’ as their attackers’? Such comments can prove disingenuous to the wider world, and even help the case of litigants should legal action ensue as a result of the data breach. DPOs monitor the fall-out from data breaches experienced by other businesses, and are well positioned to advise on the dos and don’ts of post-incident public statements.

Case Study: Travelex

On New Year’s Eve 2019, the REvil hacker group launched a cyber-attack on foreign exchange specialist Travelex. It used Sodinokibi ransomware to encrypt Travelex’s network, delete backup files, and exfiltrate more than 5Gb of PII data, which (according to unverified reports) included social security numbers, dates of birth, and card payment information.

Travelex has a presence in more than 60 countries and operates over 1,000 ATMs worldwide. It provides currency services for banks, supermarkets and travel agencies in 60 countries. Those services were also disrupted due to the attack. Travelex websites across Europe, Asia and the US remained offline for almost two weeks after the attack. A notice to visitors said they were down for ‘planned maintenance’.

It is unclear if Travelex informed its B2B customers of the reason behind the service suspension, but it did not notify the ICO of the data breach within the statutory 72 hours.

REvil initially demanded $6m (£4.6m) ransom from Travelex. Payment would apparently lead to the 5Gb of exfiltrated data being deleted and access to the company’s networks/databases restored. Travelex has not stated whether it has in fact paid this, but according to The Wall Street Journal, a ransom of $2.3m in Bitcoin has been handed over.

Travelex initially stated that it did not believe any personal data had been breached, and this might be why it did not notify the ICO. The consequences of not performing adequate analysis of whether personal data has been leaked could land Travelex with a substantial fine.

Lessons from our DPO

Rebecca Bada, Data Protection Officer

  • It seems that Travelex did not have very recent backups of the data that Sodinokibi had encrypted. In fairness, given the speed and scale of data generation of many global businesses, truly instantaneous data back-up is hugely challenging, but, say experts, not impossible within acceptable margins of completeness. Technology such as continuous replication and data rewind would have enabled the company to revert data to a known, clean and ransomware-free version before the attack and preserve its reputation and money.
  • Travelex’s decision not to respond effectively in terms of notifying the ICO and communicating the situation with key stakeholders may have been down to a business decision, in which case a DPO’s advice might well have been overruled. If so, it could prove an expensive one for its UK operations. The ICO can impose a maximum fine of 4% of Travelex’s turnover – potentially around £31m, according to reports.
  • Travelex’s line of business makes it subject to data protection requirements in addition to those of the GDPR. The Financial Conduct Authority has also said it is in contact with the firm to ensure fair treatment of customers who were left without funds by the outage. The DPO has an increasingly important role in regard to managing data protection challenges with multiple regulatory bodies, not just the ICO.


In Summary

These examples from the UK data breach casebook indicate that many organisations have ground to cover when it comes to really understanding the difference effective compliance can make to cyber resilience. Leveraging the value of the DPO function is key to this.

The DPO should not be deemed a role apart from frontline IT security ops, but should be seen as an expert asset with specialist insights and knowledge of regulatory compliance. Crucially, they:

  • Advise on whether a security incident actually qualifies as a data breach within the GDPR.
  • Advise on the proper formulation and delivery of key messages should a security incident occur.
  • Advocate awareness of the fact that good data protection often means effective backup regimens.
  • Act as a point of contact as organisations’ data governance obligations involve multiple regulators.
  • Serve as an expert, informed link between data owners and data holders.

