Featured Article – Data Breaches: The Fallout

In this article, we look not just at data breaches but also at the impact of data breaches on business and organisations.

Data Breaches

A personal data breach, as defined by the UK’s data watchdog and regulator, The Information Commissioner’s Office (ICO), is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.” This definition highlights, therefore, that a breach could be accidental or deliberate, and could be more than just about losing personal data.  For example, data breaches could occur through third-party access, accidentally sending data to the wrong recipient, devices being lost or stolen, altering data without permission or losing the availability of personal data.

GDPR

As UK businesses should know, GDPR (the regulations of which will soon be brought into UK law, post-Brexit) alongside The Data Protection Act 2018 (DPA 2018), covers how companies and organisations collect and handle data. The ICO is the body in charge of enforcing these data regulations.

Under the current law, companies and organisations must notify the ICO of a breach within 72 hours of becoming aware of it, even if all the details are not available yet.

Data Breach Consequences For Businesses

There are many different consequences of a data breach for businesses, not all of which are legal. Examples of the effects that a data breach can have include:

– Loss of customer trust, leading to …

– Loss of customers and, therefore, a loss of income from those customers, and a gift to competitors (strengthening of competitors) as customers jump ship. One well-known example is the TalkTalk data breach back in 2015 where the hack of 155,000+ customer records resulted in the loss of 100,000+ customers within months. 

– Fines. For example, the ICO gave British Airways the biggest ever fine (to date) under GDPR at £183 million for a data breach where the personal details of 500,000 customers were accessed by hackers. In addition to the British Airways fines, other big company fine decisions arrived at by the ICO just in the second half of this year alone for data breaches include Ticketmaster UK Limited on 13 November 2020,  £1.25 million for failing to protect customers’ payment details, and Marriott International Inc on 30 October 2020, fined £18.4million for failing to keep millions of customers’ personal data secure.  GDPR sets a maximum fine of €20 million (£18 million) or 4% of annual global turnover (whichever is greater) for the most serious data breaches, although infringements don’t always result in fines.

– Loss of revenue. A big loss of customers means a big loss of revenue; the knock-on effects of which can be cuts and a loss of jobs.  In TalkTalk’s case, the initial financial hit was £15 million with exceptional costs of £40 to £45 million.

– Other (perhaps unconnected) areas of the business under the same brand being tarred with the same brush.

– Lost potential of future customers.

– Loss of upsell opportunities for other services.

– Falling share prices.

– Damage to reputation. For example, a CISO Benchmark Report (2020) showed that the number of organisations that reported reputational damage from data breaches has risen from 26 per cent to 33 per cent in the past three years. Taking Facebook’s Cambridge Analytica data-sharing scandal as an example, a survey by The Manifest (2019) showed that 44 per cent of social media users surveyed said that their view of Facebook had become more negative after Cambridge Analytica. Getting a bad reputation can now be exacerbated by the speed of communications, naming and shaming online (often on multiple websites) and the fact that bad news can hang around for a long time on the Internet and can be extremely difficult to remove, hide, or distract from.  Re-building reputation and trust can be a long and expensive process.

– Facing difficult questions, often in a very public setting e.g. Facebook questioned by the U.S. Congress, or a grilling by shareholders, and other business stakeholders.

– Costly disruption and downtime. Data breaches can bring the business to a standstill, and companies without business continuity or disaster recovery plans can suffer more serious financial and other consequences or could go out of business altogether (see below).

– The business being forced to close.  For example, a 2019 survey, commissioned by the National Cyber Security Alliance (U.S.) and conducted by Zogby Analytics found that 10 per cent of small businesses that suffered a data breach closed down and 25 per cent filed for bankruptcy.

– Lawsuits.  Carrying on with the example of Facebook’s Cambridge Analytica scandal, following a £500,000 ICO fine for data breaches, the social media giant was hit with a £266 billion lawsuit by the Australian Information Commissioner. There is also the possibility that in the event of a data breach, companies may incur huge costs by having to pay compensation to victims.

Damage to the supply chain. A loss of customers and bad publicity that hangs around for a long time can inflict damage to other businesses in the supply chain.  This, in turn, could lead to loss of alliances and synergies that helped create a product’s/service’s differentiation of source of competitive advantage.

– Loss of supplier trust. Many suppliers now prefer to do business with companies that are GDPR compliant as a way of helping to maintain their own compliance.  A serious data breach could not only damage or destroy current supplier relationships but could result in word getting around within the industry, thereby scuppering future value-adding relationships with some suppliers.

End-User Victims

Although the main focus of this article is the effects on businesses of data breaches, it should not be forgotten that end-users who have had their personal details stolen, lost, or compromised are also victims.  It should be remembered that many end-users still indulge in password sharing (using the same password for several websites and platforms) and using generally weak passwords. This can amplify the effects of one data breach through one company as their personal details are sold and shared among other cybercriminals who may use credential stuffing to access other websites for the same user.  Examples of the consequences that end-user data-breach victims can face include:

– Theft of bank details, money, and other personal details.

– Having to change multiple passwords and enact credit freezes.

– Fraud and extortion.

– Identity theft and complications resulting from this.

Biometric Data Breach

As the use of biometric data for verification is now gaining in popularity due its security advantages over passwords, the big problem with a breach of biometric data e.g. faces and fingerprints are that, unlike passwords and PINs, it can’t be changed.  This means that unless there are multiple forms of verification in a system, stolen biometric data could continue to be damaging for an end-users far into the future and could cause problems for companies that have invested heavily in a biometric system.  A recent example of a potential biometric data (fingerprint scanning) breach was where, back in August 2019, Suprema, a South Korea-based biometric technology company, and one of the world’s top 50 security manufacturers, was reported to have accidentally exposed more than one million fingerprints online after installing its standard Biostar 2 product on an open network. The bigger potential problem was that Biostar 2 is part of the AEOS access control system, which is used by over 5,700 organizations in 83 countries, including big multinational businesses, SMEs, governments, banks, and even the UK Metropolitan Police.

Dealing With A Data Breach

How a company deals with a data breach can make a big difference in the outcome for that company.  For example, a good approach to dealing with a data breach may be evaluating the situation, closing loopholes and removing the threat, then offering transparent and open communications e.g. notifying customers, notifying the ICO, issuing a public statement (on the website) and opening communication channels with customers (online chat, social media, telephone, and email).

Prevention

Prevention is clearly the best way to avoid the negative effects of breaches and this requires assessing risks, putting data security and data privacy policies in place, training staff, keeping anti-virus, patches and fixes up to date, monitoring for new threats and potential risks, paying attention to staying GDPR compliant and much more.