GDPR Breach: Ready, Get-Set, Go!

So here we go: GDPR has been in force for just under two months and already two well-known brands have been caught in its net.

Luxury retailer Fortnum & Mason has detailed the loss of some 23,000 customer records, including emails, telephone numbers and delivery addresses. Those affected are customers who filled out a survey or took part in an online competition.

Fortnum had used Typeform, who specialise in creating such surveys, to organise these forms. It was Typeform who discovered that an unknown third party had gained access to its server and downloaded the data.

Travelodge has also announced that 180,000 personal details of its clients were taken, including dates of birth, passport numbers and billing information.

As a result, and under the new GDPR regulations (disclosure within 72 hours of a breach), both companies have been forced to contact each person whose data has been lost. All of them will need to change their details, such as passwords, and will need to closely monitor their personal credit rating, as well as any bank accounts and credit card statements, as there could be indications of ID fraud.

Colin Tankard, Managing Director of data security company Digital Pathways, suggests that this level of diligence can go on for a couple of years. Stolen data could be held for such a period until the ‘heat goes down’, with those affected forgetting about their details being taken; then the hackers strike.


“If both of these brands had encrypted their data, they would not need to contact each customer as, under GDPR, if the data is encrypted, it is only the Information Commissioner’s Office (ICO) who need to be advised, as the encryption protects the data from being read.

“Data discovery tools can locate any sensitive data which has been created and stored within a network, even in backup tapes. And such tools make a subject access request simple, as the name of the requester is used for the search and any relevant data is tagged and its location identified.”

Click here to read the full article in Global Security Magazine