The proliferation of higher-impact data breaches worldwide has caused intense debate and forced people to demand answers as to why our human right to privacy appears to mean so little now.
Businesses, in turn, are starting to wake up and consider their data collection, use and sharing practices, fearing the economic and human impact of a data breach – and rightly so.
Meanwhile, the General Data Protection Regulation (GDPR), a milestone piece of European Union (EU) regulation addressing data protection and privacy for individuals within the EU and the export of data outside it, is here. This has created a further need for businesses to re-examine their practices.
Despite these shifts in attitude and legislation, 2018 has still stood out as a bad year for headline-grabbing data breaches.
The Facebook data scandal – more a breach of trust than technically a data breach – has been one of the most widely reported scandals of the year. Some 87 million Facebook users from across the globe were notified that their details were shared with data mining firm Cambridge Analytica. The data was harvested in 2015, and the late revelations sparked a huge investigation and a Senate hearing for Mark Zuckerberg, and could still lead to huge fines for the social networking giant.
The UK’s National Health Service (NHS) inadvertently shared the confidential health data of 150,000 patients. The breach – stemming from a coding error in an IT system used regularly by GPs – meant that opt-out requests for sharing this data failed to be acknowledged, exposing the sensitive data to NHS Digital, the organization’s digital service arm.
Barcelona-based software-as-a-service (SaaS) company Typeform suffered a breach caused by attackers downloading a partial backup of its customer data. This affected customers of household names such as Travelodge and Australian online marketplace Airtasker.
One of the most recent breaches involved SaaS firm PageUp. It was one of the largest security compromises down under since mandatory breach notification came into effect, and it occurred just two days before GDPR was introduced. The company holds data belonging to the likes of Commonwealth Bank, Telstra and Coles in Australia and is facing class action lawsuits from a number of its customers.
In one of the year’s more elaborate cybersecurity mishaps, hackers deployed a subtle piece of malware against users of Browsealoud, assistive technology software that adds text-to-speech functionality to websites, in order to use compute resources to mine cryptocurrency. More than 4,000 customers were affected in total and victims included government organizations in the UK, US and Australia.
Sporting giant Adidas suffered a data breach that may have leaked the personal information of millions of its customers. This data included usernames, contact information and even encrypted passwords.
Ticketmaster UK revealed that a malware attack on a customer support product, hosted by Spain-based artificial intelligence (AI) provider Inbenta, exposed the data of close to five per cent of its customers globally. Ticketmaster is tipped to receive one of the first large fines for breaching GDPR rules.
Fitness application MyFitnessPal suffered a massive data breach affecting around 150 million accounts, caused by a link-up to sports clothing and equipment manufacturer Under Armour. App users were required to change their passwords following the announcement of the breach.
Earlier in the year, credit reporting agency Equifax identified a further 2.4 million consumers in the US affected by its infamous data breach last year. The latest victims had names and partial driver’s license details stolen, but social security numbers were reportedly kept safe.
In just the past few days, it emerged that Chinese hackers had infiltrated the Australian National University (ANU) in the hopes of stealing valuable intellectual property (IP). The Canberra-based university’s systems were reportedly first compromised in 2017 and the university has been working with intelligence agencies for months in attempts to minimize the impact.
These are just some of the high-profile data breaches that have occurred in the first half of the year, and the full-year review might paint an even more worrying picture.
Despite the seemingly never-ending onslaught of cyberattacks, research from Accenture suggests that organizations’ recent security investments are starting to pay off, with 87 per cent of focused cyberattacks prevented so far in 2018, compared to 70 per cent in the same period last year.
While this is positive news, there is still much work and education to be done to ensure organizations are protecting themselves, customers and partners from increasingly sophisticated and damaging cyberattacks.
The costs of finding your organization on the wrong side of a breach are colossal. The IBM-sponsored Ponemon Institute’s 2017 Cost of Data Breach Study highlights that the average total cost of a data breach is US$3.62 million worldwide, reaching as high as $7.35 million in the US.
But damage to the wallet is only the beginning of the fallout from major data breaches – customer and other stakeholder relations can be left in tatters by leaving sensitive data exposed, and the public’s tolerance for failing to protect their private data is fading fast.
The pressure often leads to heads rolling, as indicated in Shred-it’s 8th Annual State of the Industry – Information Security report, which revealed that almost a third of UK companies that have suffered a data breach have terminated at least one employee’s contract for negligence.
Ultimately, people and businesses suffer in the aftermath of a data breach, but the onus is on the latter to put the right resources in place to ensure our privacy and data are protected.