The breaches so far and how to ensure that you’re not next

Last month British Airways disclosed that approximately 380,000 customers’ personal, contact and payment information had been compromised by hackers from online bookings made between 21 August and 5 September 2018.

They are now among a number of major companies who have fallen foul of the new data protection legislation. The Information Commissioner's Office (ICO) received 6231 complaints in the first 6 weeks after the legislation came into force. This was a 160% increase on the same period the year before.

Who else has been affected since 25 May 2018?

  • Ticketmaster – in June 2018 the login information, payment data, addresses, names and telephone numbers of 40,000 people were at risk;
  • T-Mobile – hit by hackers who gained access to around 2 million customers' details;
  • Superdrug – hackers claimed personal details from 20,000 accounts;
  • Reddit – their systems were accessed in June. Hackers accessed staff members' accounts and were able to take email addresses of their current users;
  • Timehop – ongoing cyber-attack in July 2018, with names, addresses and keys allowing access to previous posts having been taken.

Companies are now under a duty to disclose data breaches within 72 hours. Levels of fines have not been published yet, but British Airways are potentially facing a payment of £475 million in compensation to customers in addition to the fine that will be imposed by the ICO.

To minimise the risks of falling foul of the GDPR, you should follow the steps set out below:

  1. Complete your compliance process – whilst the ICO may take a more relaxed view if you have a plan in place that you are working your way through, you are still technically in breach if not fully compliant.
  2. Data processing agreements – check who you are sharing data with and ensure that there's a data processing agreement in place.
  3. Continuously assess the threats and risk to your business – with a clear view you can determine the appropriate security measures.
  4. Consider cyber essentials insurance – to provide your systems with the relevant security measures such as firewalls and gateways.
  5. Secure your data on the move and in the office – for example, using separate storage devices or servers which are locked away and/or password protected.
  6. Secure your data in the cloud – use two-step authentication for access to the cloud.
  7. Train your staff – make sure that they are aware of their roles and responsibilities and are able to recognise threats such as phishing e-mails.
  8. Review the effectiveness of your systems – check software security messages and run regular security scans on your systems.
  9. Minimise your data – only keep personal data that is up to date and accurate.
  10. Review IT support – review copies of security assessments carried out by your IT provider and ensure that they have entered into a data processing agreement with you.


For ongoing support with your data protection compliance and data risk management please contact us.
