Website and database hacks raise serious issues for organisations of any size. Because of the range of data that is stored by organisations, a data breach can have various implications. These range from the potential for the fraudulent use of such information to breaches of data protection legislation which can lead to fines or other penalties for organisations.
Talk Talk – October 2015
In October 2015, internet and phone services provider Talk Talk announced that its website had been the target of a large-scale cyber-attack and that customer names, contact details, bank account details and credit card numbers had been stolen. Talk Talk initially reported the theft of 1.2 million email addresses, names and phone numbers, 21,000 unique bank account numbers and sort codes, 28,000 partial credit and debit card numbers and 15,000 dates of birth, although these numbers were subsequently revised down.
Ashley Madison – August 2015
In August 2015, hackers stole and leaked personal information from the online infidelity service Ashley Madison. The website had a membership of 37 million people. The group claiming responsibility for the hack, called Impact Team, claimed to have complete access to Ashley Madison's parent company's database, including user records for every single member. Reports indicate that detailed information, including credit card transactions and GPS coordinates, was included in the files that were leaked online.
US Government, Office of Personnel Management – June 2015
June 2015 saw the announcement of a massive data breach of US Government data involving the Office of Personnel Management (OPM), the human resources function of the federal government and the Interior Department. The OPM also handles security clearances.
Sensitive information relating to more than 21.5 million people was stolen. The OPM records personal information for all federal employees, including social security numbers, employment and educational information, and health, criminal and financial histories.
The increase in cyber-attacks and the sheer range of targets indicate that no organisation is immune, as the effects of the attacks on government bodies demonstrate. Furthermore, many of the cyber-attacks that have occurred recently were carried out using relatively old and unsophisticated methods. Businesses should consult with security experts to ensure that systems are protected as far as possible. Internal procedures should also be put in place to ensure that, when a breach does occur, the organisation is well placed to mitigate its effects.
Data stolen through cyber-attacks can be used for fraudulent purposes. Examples include the following:
- Fraud against the company from whom the data was stolen (for example, by using bank records and contact details of senior staff).
- Fraud against individuals who are the subjects of data (for example, by using customer email addresses, passwords and bank details).
- Fraud against third parties (in situations where, for example, individuals use stolen data to pose as others to defraud third parties). Importantly, there is a large market for stolen data, which gives rise to concerns in respect of identity theft and fraud.
Beyond fraud and crime more generally, data protection concerns also arise from cyber-attacks and the resulting data breaches. Data controllers have an obligation to protect the personal data that they hold. In the event of a data breach, they will fail to meet their obligations under the Data Protection Act 1998, potentially resulting in fines being imposed. The proposed new European General Data Protection Regulation, due to come into force in approximately 2018, will have far-reaching implications for data controllers, increasing the level of fines dramatically up to a maximum of 4% of annual worldwide turnover and, amongst other changes, adding new obligations in relation to data security.