Cybersecurity Roundup: GDPR Fines, Infocyte, Barracuda and Critical Start
This week, the U.K. Information Commissioner’s Office (ICO) announced plans to fine British Airways $230 million and Marriott $124 million under the General Data Protection Regulation (GDPR) for data breaches disclosed last year.
The British Airways breach compromised 500,000 customers’ data, while the Marriott breach involved the loss of 339 million guest records. Both companies will have an opportunity to appeal the decisions.
The total proposed fines far exceed the previous highest fine of $645,000 doled out to Facebook for serious breaches of data protection law in 2018.
Terry Ray, senior vice president and fellow at Imperva, tells us the GDPR “forgiveness window” has closed and businesses that can’t answer the following simple questions certainly can’t prevent data breaches:
- Where is user data stored?
- Who accesses user data?
- How much data do they access?
- Should they access user data?
- Do they access more user data than usual?
- Can I stop a breach attempt if it is detected?
“Technology has existed for almost two decades now that answers these questions, but organizations have been much too slow to implement it,” he said. “Those that have often only implement data security in less than 10% of their actual data space. This is like installing anti-malware on only 10% of corporate laptops, hoping that the other 90% never get infected. Hope is not a plan, as they say. Neither is selective data security.”
The more an MSSP or security provider offers services around data security, the more this problem extends to them as well, Ray said. Of course, this always depends on their contract, he said.
“I once made a comment about a public data breach and the corporate owner of the data – the company that actually collected the data – expressed concern that I was not clear in my statement, that they had not, in fact, lost the data,” he said. “Instead it was a third party this corporation had hired to store and analyze the data that was breached. The fact is, both companies were at fault. Did the primary data collector exercise effective due diligence on the data storage entity? What controls did that company expect the service company to have implemented? What reporting was provided to verify effective review of data access?”
The scrutiny that businesses should be putting on third-party providers is going up, and savvy businesses need not only to keep costs down, often by outsourcing, but also to consider the cost of a breach at the third party, since the breach impacts both entities, Ray said.
Matt Aldridge, Webroot’s senior solutions architect, tells us the key message is that GDPR penalties are real and they are significant. This is good news from a privacy-enforcement perspective, but companies need to take this as a wake-up call to address their data security and privacy compliance very quickly if they are not already well ahead on this, he said.
“From a reputation-protection standpoint alone, being in the spotlight for data-protection transgressions and data breaches is not at all good for business,” he said. “On the enforcement side, it is likely that more clear guidance will be needed so that companies can more easily ensure they are operating in a fully compliant state before they are breached, rather than attempting to demonstrate this after a breach has occurred.”
It’s now more important than ever that compliance efforts made by organizations go hand in hand with verifiable security controls and strong processes, Aldridge said. All of these efforts need to be much more carefully scrutinized and recorded than has been the case in the past, he said.
“MSSPs and compliance specialists can play a key role in helping companies to achieve this, along with other cybersecurity service providers, but in turn those companies must ensure that they have done and recorded their due diligence when selecting …