If the last 5 years has taught us anything, it is that data breaches are inevitable. Users still make errors, systems are still vulnerable and cyber-criminals’ hunger for hacking shows no sign of being satisfied.
It would be wrong to say that all data is of equal value, but a loss of data of any type has potentially wide ranging implications for any organisation and its stakeholders.
The consequences of a data breach go beyond simple business disruption to include a loss of intellectual property, competitive advantage, corporate knowledge, brand equity, customer loyalty and trust. Worse still, a data loss could result in lost revenue, breach of compliance regulations and, under the General Data Protection Regulations (GDPR), some serious financial penalties.
Whilst the GDPR is an EU-specific initiative, data integrity is very much a global issue; with similarly strict regulations soon to be introduced in the US and across Asia. In the US, for example, new healthcare data protection regulations expose negligent individuals to criminal proceedings. In an increasingly digitised and connected world, data has become the currency of business.
In November, Tesco Bank announced a data breach in the UK. Thousands of customer accounts were illegally accessed and money was withdrawn. The hackers were careful to remove just enough money to make it worth their while, but not so much has to draw immediate attention to themselves.
Although the true nature of the breach may not have been confirmed as we write this, it seems to have been made possible by contactless payments made through smartphones. The UK news was full of sensational stories of “unprecedented loss of financial data”. Sorry to say, this was not as rare an incident as you might think.
In February of 2016, the Bank of Bangladesh suffered a similar breach. This time it was $81million removed from customer accounts by hackers who managed to subvert the SWIFT system. What made the headlines for this breach was that SWIFT was previously seen as a closed, trusted network for global financial institutions.
Cyber-criminals are becoming increasingly sophisticated in their attacks and banking data is a high priority target, because of the potential for financial gain. On average, it takes more than 12 months for data breaches to come to light, so hackers have plenty of time to exploit their ill-gotten gains.
GDPR’s Impact – A reality-check for executives and boards
Embarrassing as this incident was for Tesco Bank, it could have been much, much worse. To their credit, Tesco seem to have been quick to act. 24 hours of disruption to digital transactions and things seem to have been brought back under control. But what was the impact of that 24 hours?
A day’s lost revenue might not seem like too big a deal, but then there was the loss of trust in the brand and the fact that they had to pay back the £2.5 million that was taken from their customers’ accounts. So, the damage mounts up.
£2.5 million doesn’t really seem like a lot of money to a major financial institution and Tesco might think they have escaped without punishment – assuming there is no subsequent financial penalty applied. However, if this had taken place when the new European GDPR legislation was being enforced, it would have been a different story altogether.
We have mentioned the General Data Protection Regulations (GDPR) in previous posts. But, for the uninitiated, here is a very brief overview.
First proposed in January 2012, and approved in April 2016, the GDPR is designed to unify data protection rules across Europe and set out compliance obligations for the movement of data; both within the EU and between EU member states and their global partners.
Set to become law in May 2018, one of the major talking points of the legislation has been the hefty financial penalties proposed as a result of non-compliance. Organisations suffering a data breach can expect to be fined up to 4% of their annual turnover. Not profit. Turnover. (or €20 million, whichever is greater).
This means Tesco Bank could have been facing a GDPR imposed penalty of an eye-watering £1.9 billion. Now, businesses have been accused of not taking data breaches seriously in the past as the cost of prevention outweighed the cost of repair. Not anymore. With this level of fine on the horizon, everyone is sitting up and paying attention.
The strict nature of the financial penalties proposed under the GDPR is already influencing data protection regulations around the world. Whilst ‘zero-tolerance’ might not be the words people are using, it’s a fairly accurate description of the way we’re headed. We will all be watching with interest as the rest of the world formalizes its approach to data protection in the digital era.
Senetas is a leading developer and manufacturer of certified high-assurance encryption hardware; dedicated to protecting network transmitted data without compromising performance.
Senetas high-assurance Layer 2 Metro and Carrier Ethernet encryptors protect sensitive network data in transit. They have been trusted to protect network data for Cloud and data centre services, Big Data applications, financial transactions, CCTV networks, infrastructure and SCADA control systems in more than 35 countries.