The Dixons Carphone data breach shows how vulnerable customers’ data can still be despite the introduction of GDPR last month. The breach is the first large-scale attack on the telecoms industry to come to light since GDPR came into effect at the end of May. Although the attack occurred before the GDPR deadline, it was only discovered earlier this month.
It is clear that many companies are still not prepared.
The wider telecoms industry is one of the most targeted by hackers. Last year the UK’s National Cyber Security Centre confirmed that Russian hackers had their sights firmly set on UK telecoms businesses. Organisations including Yahoo, EE and Three have all suffered major breaches in the past couple of years, yet organisations still seem to feel a false sense of security.
The Dixons Carphone breach involved 5.9 million payment cards and 1.2 million personal data records in an attack that reportedly began last summer.
Whilst a breach of financial data is a serious cause for concern, the loss of personal data is arguably even more significant. Whilst individuals are able to seek compensation via insurance claims for financial loss, how can we put a value on personal data such as emails and photographs?
This personal data is often accessed by hackers who auction it off on the dark web for others to exploit. Hacked information including names, addresses and logins can lead to serious personal harm and fraudulent activity against individuals. Businesses have a basic obligation to protect their customers from such attacks. As I mentioned in an interview following the Dixons Carphone breach for BBC News last week, for businesses to fail to adequately encrypt such valuable personal information is unforgivable.
Whilst cyber security talent in the UK is considerable relative to other nations, our standing as a global economic powerhouse and the status of London as one of the world’s most important financial centres mean that businesses must continuously evolve and invest in their defences to prevent their consumers’ data from being compromised.
Chief Executives can no longer bury their heads in the sand. Cyber security is a board-level issue, and should not fall to the peripheries. Senior executives and board members are expected to take an increasing role in data protection going forward – particularly due to the eye-watering GDPR fines they now face if they get it wrong – but it is yet to become apparent whether this is really happening in businesses.
What can businesses do?
We live in a data age. Our data is our most valuable digital asset, but it is acutely vulnerable and undervalued. There are a number of easy steps businesses can take to improve their cyber defences and data protection practices. Galaxkey provides quick, straightforward data management services to businesses, enabling companies to protect data and retain their customers’ ownership and control of it.
Those who continue to prioritise short-term profit margin above customers’ security will continue to suffer breaches and pay the price. It’s time to wake up and encrypt.