In March 2020 it was reported that Virgin Media had suffered a personal data breach due to cloud storage of a marketing database where access controls were wrongly configured. This meant that the names and contact details of up to 900,000 of its customers were accessible online by anyone who cared to look.
This is not the first time that online databases have been left vulnerable.
In July 2019 the Information Commissioner’s Office (ICO) fined a London estate agency for a security breach which left the data of over 18,000 tenants exposed for two years. The incident involved a transfer of personal data from one server to that of a partner organisation without the correct settings in place. This omission meant that access restrictions were not implemented and allowed anyone online full access to all the data stored between March 2015 and February 2017. The information put at risk included application records with bank statements, salary details and copies of identity documents, as well as the names and addresses of tenants and landlords.
Also in March 2020 the ICO fined Cathay Pacific Airways £500,000 for a similar personal data breach where, between October 2014 and May 2018, its computer systems lacked appropriate security. This resulted in the personal data in some 9.4 million customer records being exposed.
What these incidents show is not only that access controls were missing or wrongly configured, but also that no one carried out any audit checks after implementation, which is why the exposures went unnoticed for years. The Cathay Pacific incident was only discovered after a third party cybersecurity firm was hired to investigate a hacking attack.
GDPR has a new principle of Accountability. For anyone who has so far missed the point, it means checking, auditing and monitoring. Stop and consider the loss of customer trust if your organisation suffers a personal data breach. Would the situation be recoverable, or would customers go to a more professional competitor?
And what is the role of the Data Protection Officer or Compliance Adviser in this? Actually, their role is not to carry out all the compliance checks personally. They would not necessarily have the skill set to undertake an IT audit, for example. The role is to check the checkers. That means ensuring that each operational and functional area of the business understands the need for compliance checks and undertakes them regularly and to a good standard. Audit checks might also be the remit of Internal Audit.
So what is going wrong? Are Boards being misled by fake accounts of compliance checks? Are DPOs only reacting to issues raised and not getting involved in any investigative work? Boards need to look at where the compliance framework is lacking. It could be a lack of skills or experience, or simply a lack of time, but the consequences are devastating for the business. It is a cultural issue as well as an organisational one, and that can only be changed from the top down.
Data Protection Consulting offers a remote compliance checking service for the organisational aspects of data protection. We check website content, policies and procedures and provide online training solutions for staff. Contact us now for a quote.
Mandy Webster, Data Protection Consultant