Over 600GB of unsecured customer data was discovered in an Amazon Web Services (AWS) S3 storage bucket last month. The records belonged to approximately 4 million US Time Warner Cable (TWC) customers. The bucket had been configured to allow public access, rather than restricting access to administrators or authorised users, and the data was discovered accidentally by a digital security company while investigating an unrelated breach.
According to a report published after the discovery, Broadsoft Inc, a third-party communications company engaged by TWC, was responsible for the exposed storage.
Left wide open on the internet, the data included home addresses and contact numbers, information about customers’ home gateways, and account settings. Internal TWC data was also exposed, which could have given an attacker a foothold for reaching more sensitive information on the company network.
Although it is believed the data was not accessed by anyone with malicious intent, the incident is just the latest of many to hit the headlines over the past few years, and it raises questions about entrusting third parties with your data.
It isn’t just your reputation that is at stake
On 25 May 2018, the EU’s General Data Protection Regulation (GDPR) comes into force. Under this new legislation, third parties that process personal data on your behalf will be directly liable if they mishandle it. Crucially, you will remain responsible for ensuring that the third parties you engage comply with its requirements, such as how they keep records of processing or how they deal with a data breach. The financial penalties for failing to comply are severe: the maximum fine is 4% of a company’s global annual turnover, or €20,000,000, whichever is greater.
What can you do?
Businesses must become more stringent and proactive about vetting third parties before entrusting them with data in order to minimise the risk of a breach. Develop policies and procedures to qualify providers before you award them a contract, and audit their operations regularly. Identifying all of your third-party data handlers, and asking what they are doing to protect your data and how they comply with GDPR, is a good place to start. This may mean changing suppliers if you aren’t satisfied they are doing enough.
Unfortunately, as with the TWC exposure, an oversight or mistake by an individual employee is harder to prevent. This is why encryption must be part of your cybersecurity strategy. Properly encrypted data cannot be deciphered without the corresponding key, so if it is leaked, stolen, or left unsecured on a server by your third party, it is of no use to anyone who does not hold the key. This only holds if the key is kept separately from the data and is not handed to the third party along with it; a key stored in the same bucket or on the same server is exposed together with the data. Note that under GDPR a leak of encrypted data is still a personal data breach and must be assessed, but where the data was rendered unintelligible to anyone without the key, the obligation to notify the affected individuals does not apply (Article 34(3)(a)), and the risk assessment that determines whether the supervisory authority must be notified is far more favourable.
At Digital Pathways, we work with businesses to secure their data to protect against cyber threats, including data breaches. We can review your current arrangements and help you implement changes to enhance your protection, minimise cybersecurity risks, and prepare for GDPR.
If you have a question about protecting and securing your data, please contact us on 0844 586 0040, or fill in our contact form and we’ll gladly get back to you.