Britain fines Carphone Warehouse £400,000 over data breach

Commentary on “Britain fines Carphone Warehouse £400,000 over data breach” (https://www.thestar.com.my/tech/tech-news/2018/01/10/britain-fines-carphone-warehouse-400000-pounds-over-data-breach/): Sergey Khayruk, analyst at InfoWatch Group, shares the following:

“Carphone Warehouse, a UK retailer, is facing a £400,000 fine, one of the largest amounts ever charged by the UK Information Commissioner’s Office (ICO), for the personal data of some three million customers being compromised. Following an investigation, the ICO identified that the company had failed to take adequate steps to ensure information security, and intruders were able to access its systems due to out-of-date and vulnerable WordPress software. Surprisingly, the resulting attack was active for 15 days before being detected by the company’s security team.

When the EU General Data Protection Regulation (GDPR) takes effect in May 2018, the maximum penalty for a data leak will be $20 million or 4% of annual worldwide turnover of a company. Note that the GDPR will also apply to the United Kingdom, which is no longer an EU member.

In the transition period, organizations will still have a chance to improve their cybersecurity systems.

We can expect that the US supervisory bodies will follow the EU and increase liability for failure to protect information properly.

Recently, several US companies were charged with huge penalties for data leaks. Thus, VTech, a vendor of electronic learning toys, was found guilty of collecting children’s personal information from connected devices and now has to pay a $650,000 penalty, i.e. $1 for each download of the insecure app by minors.

Earlier, the Hilton hotel chain agreed to a $700,000 settlement with the U.S. Attorney General’s office for the credit card details of more than 364,000 hotel guests being leaked.

If the US and EU regulatory tightening proves to be effective, other countries will most likely follow the lead. The risk of huge penalties for failure to protect personal data and other sensitive information will push many companies to rethink their cybersecurity attitude, which is especially relevant for Southeast Asia, where the risk of data leaks is becoming extremely high because information security can’t keep pace with ever-evolving digital technology.

Every company should develop a habit of regular monitoring of enterprise information security, checking its information systems for vulnerabilities, and, last but not least, updating its legacy information protection tools, including the adoption of end-to-end DLP systems.”