The EU’s General Data Protection Regulation (GDPR) marks its fourth anniversary after coming into effect on 25th May 2018. Since then, it has paved the way for other data protection regulations, including the CCPA, and 1.6 billion euros of fines have been issued. 

While the UK has adopted its own version, UK GDPR, companies of all sizes continue to fall short of GDPR compliance because of data protection violations such as data breaches.

Four years on, and despite the record £42m of fines issued by the Information Commissioner’s Office (ICO) over the past financial year (2020/21), organisations have taken compliance with GDPR and other data protection regulations more seriously.

Even so, the ICO recently fined facial recognition database firm Clearview AI £7.5 million for breaching UK data protection rules, although this is still a significant reduction from its original fine of £17m in November 2021. The organisation was fined for developing an online database from more than 20 billion images of people’s faces and data collected from publicly available information sources on the internet and social media. It did not notify any of the individuals involved that their images were being collected or used in this way, which goes against data protection regulations.

What’s the biggest challenge with GDPR? 

We spoke to our CTO, Jason Stirland, who highlighted, “the biggest challenge with GDPR remains that it’s not always fully understood by employees.  

“This is why regularly refreshing data protection training for all employees is crucial – no matter their level – as it ensures that every employee understands their GDPR obligations to protect themselves and the organisation.

“Data breaches can happen for several reasons, and with employees being the most vulnerable resource, human errors will tend to occur. Be that as it may, reducing the likelihood of data breaches happening remains an organisational responsibility to train employees on cybersecurity awareness training – e.g., learning how to spot a phishing email and not sharing any personal or confidential information with third parties.” 

GDPR and the Great Resignation – Is there an impact? 

Jason revealed that the pandemic created pathways for significant changes in personnel in organisations of all sizes, thanks to the Great Resignation.

“With this in mind, organisations must remember to do their due diligence and ensure newer team members are provided with GDPR training to ensure compliance. It’s worrying how many organisations fail to consider this within the onboarding process, especially with many employees now joining companies on a remote working or hybrid basis – ensuring they can learn this from home will be vital.” 

If you’re looking to reduce GDPR training gaps within the onboarding process or improve GDPR compliance among employees overall, then take a look at our data protection courses and get in touch with us today for a free demo.

Since the start of the COVID-19 pandemic, it is estimated that cybercrime has skyrocketed by 300%. A major factor contributing to the increase in cybercrime is the rise of remote working.

Many businesses continue to work remotely, with one in three UK workers currently based exclusively at home. The trend is expected to continue this year, with hybrid working expected to become the norm. In the changing world of work, cybercriminals will continue to exploit human error and target vulnerabilities in systems – no matter where your employees work from.

Red Flags to Look Out For

Cybercriminals use sophisticated tricks and techniques – be it phishing, ransomware or social engineering – to target and illegally access businesses’ confidential data. To beat cybercriminals and ensure cyber safety and information security in the hybrid workplace, let’s look at some of the common red flags of modern social engineering and cyber attacks:

  • Suspicious links or downloads: Avoid clicking on links in emails that you receive from people you don’t know. Take the time to inspect the sender information and check whether the email source is genuine. If in doubt, it is always best not to click or download.
  • Signs of urgency: Many attacks are designed to force the user into taking action promptly. For instance, it could be an email about an outstanding invoice yet to be paid, or a request to take action on an external account to prevent disruption to service.
  • Requesting sensitive information: Such as bank details or a national insurance number for tax purposes. A legitimate organisation that needs sensitive information will call you directly rather than ask for it by email.
  • Posing as public or government bodies: Many individuals and businesses report being contacted by criminals posing as public or government bodies, for example with tax refunds from HMRC, email attachments from the World Health Organisation (WHO) and even requests for bitcoin donations to help fight the coronavirus. These are scare tactics aimed at getting you to give up work or personal email details.

Reducing the Risks

We are strong believers that prevention is better than cure. The best way to reduce the risk of cyberattacks is to invest time and resources in keeping your systems secure and ensuring that your employees are aware of the cyber threats facing your business. The level of threat remains the same irrespective of whether they work from home or from the office, but in a hybrid working set-up the chances of human error can go up, as seen during the COVID-19 pandemic. It’s vital for businesses to recognise the risks and take proactive measures to keep their business prepared as they move to a hybrid working model.

Keeping Systems Secure

Most cyber-attacks target organisations with outdated computers and systems which haven’t had critical security updates or patches installed in a long time. With such gaps in security, hackers can easily gain access to business networks and systems. They may also deploy ransomware and demand payment before handing back control of systems and databases.

Keeping systems up to date, especially when working remotely, is the first line of defence against cyber-attacks. Make sure you have invested in a reliable IT team and in systems which can protect your devices and networks from viruses and hackers. Antivirus software is a cybersecurity cornerstone that can protect against a wide range of malware by providing security features such as a firewall, spam filters, real-time scanning and security reports, among other things.

Implementing a Cybersecurity Policy

An efficient, company-wide cybersecurity policy can help organisations outline the best practice for their employees to follow while hybrid working and ensure they are taking the necessary steps to keep business information secure. A comprehensive cybersecurity policy is essential for driving the message from the top and raising awareness amongst your employees. Make sure the cybersecurity policy covers:

  • The importance of cybersecurity
  • Recognising cyber threats such as phishing and ransomware
  • Installing security updates and patches
  • Keeping computers and devices secure when not in use
  • Effective password management
  • Using email and the Internet securely

Investing in Awareness Training

Many experts recognise cybersecurity awareness training as a key priority in a hybrid working world. Many cyberattacks are attributed to employees inadvertently creating an entry point to the systems that cybercriminals could take advantage of. It all comes down to a lack of awareness, which can put your employees at risk of making errors in judgement, resulting in information security breaches, company downtime or financial loss. Educating staff reduces the likelihood of successful cyber and social engineering attacks. Make sure your awareness training programme is capable of rolling out effective learning interventions over a number of years – after all, learner engagement and knowledge retention are the key ingredients in ensuring effective awareness training and return on investment.

As specialists in awareness training, we can support your business with our online training solutions for cybersecurity and information security. Visit our Information Security collection page to find out more.

We are excited to launch the second of our Compliance Collections for Information Security – a unique approach to keeping awareness training programmes fresh, year on year. Keep your workforce cognizant no matter where they work.

Keeping Business Information Secure

Cyberattacks continue to be a concern for many organisations. A study by Accenture indicates that the most expensive component of a cyber-attack is information loss at $5.9M. Information breaches from cyberattacks can have devastating consequences on businesses – from significant financial losses to damage to reputation and job losses.

With remote working becoming the norm, in light of the COVID19 pandemic, information security is more important than ever. Employees are now spread across different locations – be it in the office or at home. It is therefore paramount to keep your workforce aware and informed on how to keep business information secure. Awareness training is vital for educating employees on the threats facing businesses, spotting the signs of cyberattacks and mitigating the risks of breaches.

One Size Does Not Fit All

When it comes to online training programs, one size does not fit all. With this in mind, we designed our Collections to help organisations create a cost-effective bespoke training solution using our off-the-shelf products. With Collections, organisations can roll out effective learning interventions over a number of years – promoting learner engagement and knowledge retention.

New Information Security Collection

Our Information Security Collection is packed with courses in a variety of learning styles – combining immersive learning, microlearning and toolbox talks to keep learners engaged. Also included are free communications resources which can be printed out or displayed in the workplace digitally to reinforce key messaging.

With novel learning experiences and targeted messaging, our Collection can help boost engagement and retention while embedding a culture of compliance.

What’s New?

Apart from a complete refresh of our existing courses, our Information Security Collection includes the following new courses.

Immersive Learning

Our immersive learning courses are scenario-based and highly interactive – placing the learner at the heart of the experience and testing them on their ability to make the right decisions.

With the new immersive-learning course on Introduction to Information Security, educate members of your staff on their responsibilities in ensuring that your organisation is protected against cyberattacks and breaches. It is a highly gamified course, using multiple gamification elements and the latest techniques in high-quality 3D styling.

Diagnostic Assessment

The new Diagnostic Assessment is a short quiz to measure the learner’s understanding of information security and automatically create enrolments onto relevant microlearning courses. The assessment is useful for assessing individual training needs, offering valuable insight into common training gaps with targeted interventions tailored for each employee.

The Diagnostic Assessment requires all the microlearning courses in the collection. It is exclusively available for xAPI courses, utilising the auto-enrol functionality powered by our Astute LXP’s AI engine.

Microlearning

In addition to our existing microlearning courses, the following are the new additions to the Collection:

Toolbox Talks

Three new Toolbox Talks are designed as blended training courses for small groups. Each Toolbox Talk includes downloadable facilitation notes.

Get a sneak peek at all the new courses on our Information Security topic page. Or download the brochure below for Information Security Collection.

Online safety is something we’re constantly telling kids – don’t speak to people you don’t know, don’t open any dodgy looking emails, and don’t give out personal details. This is all well and good, but online scammers are still finding victims to get money out of every day.

Whilst the younger generation are growing up with internet security being drilled into them to create a tech-savvy attitude, the older generations seem to have been forgotten, and because of this they are more regularly the victims of online crime.

Anyone can be a victim of online crime, with it being estimated that around £10 billion is lost every year in the UK alone because of cyber scams. Age UK reported that 43% of older people believe they have been a target for scammers.

The very fact that older people are more likely to live alone is something fraudsters look out for, because it suggests a potentially lonely and vulnerable victim that they can take advantage of.

Scams can come through a number of sources: face-to-face doorstep conversations, over the phone, through the post, and on the internet – so now more than ever we need to know how to protect ourselves.

Angela Ramsay is a perfect example of how fraudsters target someone out of touch with technology and unaware of scamming techniques.

“I was a 57-year-old lady living alone and was very happy in my new home. I loved my job and was financially secure after being left some money in a will from a lifelong friend. I had a lovely new man in my life, all was perfect. Then I was scammed.”

What happened

Angela was called at work from a number claiming to be Nationwide’s fraud team. When she checked the number that had rung her, it matched a number listed online as Nationwide, so she thought everything was fine.

When they rang her back later on, they told her someone was attacking her account in the West Midlands. When she questioned their legitimacy, they reassured her that they were the number listed on the back of her bank card. She then got an email which began the process of them taking her money. They told her they were moving it to safe accounts.

The next morning, wanting to check everything was okay, she rang the number that had called her, which put her through to Nationwide. They didn’t know what she was talking about.

“I broke down and screamed. I didn’t know what to do. I was feeling sick, a fool, ashamed and very depressed.”

After 3 months of persistent phone calls and questions, Angela managed to retrieve £53,000, leaving scammers with £14,000.

“I know I was very lucky to get that back, but I had to fight for it.”

Improving education on scamming

Angela admitted that she knew nothing about scammers and the techniques they used, and this is where the problem lies.

Education around scamming and online fraud needs improving, because although there is plenty of material online, not everyone has internet access, and as a result, it tends to be those people that are the easiest targets.

Increasing the production of physical material in branches to educate people on scams means that more people can be aware of the warning signs and stop things like this from happening.

What are the warning signs?

It can be hard to spot a scam, but following these steps could prevent you from becoming the next victim of this modern crime.

Is it out of the blue?

If a company calls you out of the blue, make sure you verify who you are talking to before giving them any information. Ask them to give you details that only that company would know. If you’re not convinced, hang up and call the company directly. It is always better to be over-cautious.

Too good to be true?

This is very simple: if it sounds too good to be true, it probably is.

Personal details

Phone scammers work by getting personal information from you. No matter how small the detail is, it could be exactly what they need to steal your identity and go on to steal your money. Never share personal details with someone who cannot verify who they are.

Feeling hurried?

If a company is putting a time pressure on you to make a decision, that is when alarm bells need to be ringing. Anyone that tries to rush you should not be trusted.

Being the victim of a scam has a massive effect on your life, financially and emotionally. Following these simple steps and improving the education around scamming can stop people becoming victims of these cyber criminals.

This article is written by guest author India Wentworth.

With the spread of the COVID-19 coronavirus globally, a majority of businesses are following up on the official advice of social distancing, encouraging employees to work remotely and ensuring business continuity. While remote working has its benefits, it could also lead to potential cybersecurity risks for employers and employees.

Here are some helpful tips for ensuring cyber safety and information security when working remotely.

Work on a Secure Network

The first and most important step to working remotely is making sure you have a secure internet connection, ready to connect with your workplace, communicate with colleagues and access business information online. Failing to work on a secure network can make you vulnerable to a cyber-attack, compromising your systems and business information at such a critical time.

Top Tip:

Make sure you are using a virtual private network (VPN) or a secure home network, and that the services you connect to use strong end-to-end encryption (for example, an Office 365 session over SSL/TLS). Using an unsecured network such as public Wi-Fi could inadvertently create an access point for hackers and cybercriminals to exploit and make your systems susceptible to cyberattacks.

Secure Your Personal Devices

With so many employees working remotely, many organisations have authorised the use of personal devices when working from home. Using your personal device for work is fine as long as you are keeping it secure and have the most up-to-date software and settings running on it.

Top Tip:

It is very important to make sure that you are running the most up-to-date anti-virus software on your device. Anti-virus software carries out regular scans of your computer and removes any malware detected. Make sure you are combining the anti-virus software with a robust firewall – software that monitors incoming and outgoing network traffic on your machine. This will ensure that you are significantly reducing the risks of cybercriminals successfully infiltrating your machine.

Beware of Phishing Attacks

Beware of cybercriminals looking to exploit the coronavirus pandemic. Phishing attacks are designed to gain unauthorised access to confidential information through email.

Security experts are reporting a substantial rise in phishing email scams related to the coronavirus – the worst they have seen in years. The BBC has followed up on reports of individuals and businesses being targeted with phishing emails. The campaigns include tax refunds from the HMRC, email attachments from the World Health Organisation (WHO), bitcoin donations to help fight the coronavirus and scare tactics aimed at giving up work or personal email details.

Top Tips:

  • Never click on links in emails that you receive from people you don’t know.
  • If you’re not expecting an email, always examine its content thoroughly and look out for poor grammar or spelling – these are the tell-tale signs of a phishing scam.
  • If the email claims to be from a public body such as HMRC or the WHO, don’t open it, as emails of this kind are well-known phishing scams currently circulating.
  • If in doubt, always forward the email to your IT team first and get help in verifying if the email is legitimate.

Keep Business Information Secure

Any business information you access from home – be it your work email, online business applications or communication tools – will be protected by a secure login and password. Weak credentials are easily exploited by cybercriminals, and setting secure passwords is your first line of defence against hackers trying to gain unauthorised access to businesses’ systems.

Top Tip:

Use a strong and unique password for each account and make sure it is a combination of letters, numbers and other characters. Apart from setting up secure passwords, try using multi-factor authentication for your organisation’s systems. Multi-factor authentication verifies a user’s identity with more than one credential, normally a password plus a code sent to the user’s phone by text, or an additional security question.

Effective information security is key to protecting business information while remote working. Keeping information security risks under control will not only protect your own interests, but also those of your organisation, your customers and all other individuals or organisations that you hold information about.

Helpful Resources

Here are some more helpful tips and resources to help you while remote working:

Remote Working awareness course

Try our Remote Working awareness course to stay safe and healthy away from the office.

Information Security awareness training

With the flexibility to work from home in the current climate, it’s a great time to refresh your knowledge of keeping business information secure and working safely online. Try our awareness training courses on key information security topics to working safely and securely away from the office.

Business Contingency Plan (BCP) for Infection Outbreaks

A blog post with helpful tips for businesses on drawing up a business contingency plan and ensuring business continuity.

Mental Health While Working Remotely

A blog post with helpful tips on how to care for your mental health while working from home for longer periods.

Happy Data Privacy Day! Created by the Council of Europe in 2006, Data Protection Day is celebrated every year to promote data protection best practices and raise awareness on the importance of data privacy. Globally, it is recognized as Data Privacy Day.

For businesses, data is a valuable asset, and it is therefore vital to protect it to ensure business continuity and compliance with regulation. In the spirit of data privacy and all things data protection, we share with you some useful tips for keeping your business data safe and secure this year.

Ensuring Compliance in Artificial Intelligence (AI)

Nearly all AI-based products and services rely on the collection of large amounts of data, including personal data, to understand user behaviour and make intelligent decisions. Data is therefore vital in powering AI, but it also poses new challenges for data privacy. In December 2018, an Amazon customer in Germany was mistakenly sent about 1,700 audio files from someone else’s Amazon Echo device – a mistake attributed to human error. In July last year, it was reported that Amazon responded to a letter sent by a US Senator confirming that it maintained Alexa recordings indefinitely (unless a user manually comes in and deletes them).

Incidents such as these highlight the importance of data protection and of ensuring compliance in AI.

Legislation in Europe and the US is picking up momentum with the European Commission looking to implement an “appropriate” ethical and legal framework for the development of AI aimed at boosting innovation while making individuals’ rights a priority.

A piloting phase which ran until December 2019 was based on draft Ethics guidelines describing trustworthy AI as:

  • lawful – respecting all applicable laws and regulations
  • ethical – respecting ethical principles and values
  • robust – from a technical perspective, while also taking into account its social environment

The General Data Protection Regulation (GDPR) includes ‘privacy by design’, encouraging businesses to develop products with built-in privacy standards from the start. This will certainly hold for AI-driven technology and products which will need to factor in privacy and consent.

Recognizing GDPR as an Opportunity

Speaking of the GDPR, it has been over a year and a half since the regulation came into force and it continues to drive the way businesses collect and use customer data. More customers are also becoming wary about how their personal data is collected and used for business purposes.

For businesses, GDPR is no longer just about compliance; there is also a tremendous business opportunity in a data-driven economy. In a world brimming with data, businesses can stand out by leveraging GDPR best practice to maintain up-to-date data lists and boost their reputation as a responsible, reliable partner committed to deepening digital trust with its customer base.

Remember to:

  • Audit your data periodically – Ensure that your customer data is up-to-date and your customers are engaged with your business.
  • Implement a strict retention policy – If you are holding data on customers who haven’t engaged with you in a while, maybe it’s time to review if you need that data. You can erase or anonymize the data you no longer need.
  • Aim for ‘privacy by design’ – Make sure you have performed a Data Protection Impact Assessment (DPIA) to identify and reduce the data protection risks your business could face and allow members of staff to fix any problems before a breach occurs.
  • Review your privacy policy – Ensure that your privacy policy clearly states your business identity, how long you intend to use your customer data, your legal basis for processing data, any data retention periods and customers’ right to complain to the ICO.

Evaluating Your Password Policy

A 2019 survey by the National Cyber Security Centre (NCSC) found that “12345” and “password” remain amongst the top five most common passwords found in global breaches. Liverpool was the most common Premier League football team used in passwords, with Superman the most popular fictional character.

Making good password choices is vital for protecting individual and professional business data. For businesses, this means continually reviewing and enforcing a robust password policy.

Key ingredients of a comprehensive password policy:

  • Reset Password – Passwords must be reset every set number of days to ensure users are changing passwords periodically.
  • Password history – Discourage users from recycling the same password again with a minimum of 10 previous passwords remembered.
  • Maximum password age – Determine how long users can keep their password before they have to change it, forcing users to change their passwords regularly.
  • Password complexity – Rules to ensure users aren’t using their first or last name as a password, as well as requiring a mix of character types such as lower case, upper case, numbers and symbols.
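As an added example (not code from the original post), here is how the four policy ingredients above can be enforced in a password-change handler: a salted hash history of the last 10 passwords, a maximum age, a name check and a character-class mix. The numeric values for maximum age and minimum length, and the sample user, are assumptions, since the post leaves those to each organisation's policy.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Policy values. HISTORY_DEPTH follows the post (at least 10 previous passwords
# remembered). MAX_PASSWORD_AGE_DAYS and MIN_LENGTH are assumed values; the post
# leaves the actual numbers to each organisation.
HISTORY_DEPTH = 10
MAX_PASSWORD_AGE_DAYS = 90
MIN_LENGTH = 12
PBKDF2_ROUNDS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the history never stores a recoverable password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class UserRecord:
    first_name: str
    last_name: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)  # password hashes, oldest first
    last_changed: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


def complexity_violations(password: str, first_name: str, last_name: str) -> list:
    """Complexity rules: no first/last name inside the password, and a mix of
    character types (at least three of the four classes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for name in (first_name, last_name):
        if name and name.lower() in lowered:
            problems.append(f"contains the user's name '{name}'")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        problems.append("needs at least three of: lower case, upper case, digits, symbols")
    return problems


def reuses_recent_password(user: UserRecord, password: str) -> bool:
    """Password history: reject any of the last HISTORY_DEPTH passwords."""
    candidate = hash_password(password, user.salt)
    return any(hmac.compare_digest(candidate, old) for old in user.history[-HISTORY_DEPTH:])


def expiry_deadline(user: UserRecord) -> datetime:
    """Maximum password age, measured from the last successful change."""
    return user.last_changed + timedelta(days=MAX_PASSWORD_AGE_DAYS)


def password_expired(user: UserRecord, now=None) -> bool:
    """True once the maximum age has been reached, so a reset is required."""
    now = now or datetime.now(timezone.utc)
    return now >= expiry_deadline(user)


def change_password(user: UserRecord, new_password: str) -> list:
    """Check every rule; on success record the new hash and restart the age
    clock. Returns the list of violations (empty means accepted)."""
    problems = complexity_violations(new_password, user.first_name, user.last_name)
    if reuses_recent_password(user, new_password):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if problems:
        return problems
    user.history.append(hash_password(new_password, user.salt))
    del user.history[:-HISTORY_DEPTH]  # keep only the most recent entries
    user.last_changed = datetime.now(timezone.utc)
    return []


if __name__ == "__main__":
    user = UserRecord("Ada", "Lovelace")  # constructed sample user
    for attempt in ("Ada-Lovelace-2024!", "correcthorse", "Tr0ub4dor&Winter!", "Tr0ub4dor&Winter!"):
        print(attempt, "->", change_password(user, attempt) or "accepted")
```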

Staying Safe Online

Social engineering continues to pose one of the biggest security risks to businesses. Cybercriminals often target employees using deception with the intent of gaining confidential information for fraudulent purposes. These techniques include phishing and baiting and could also include links to fake website pages, emails from doctored addresses, or communications that appear to come from government or official sources.

Social engineering also relies on manipulation in the digital world, profiling and the misuse of personal information.

Steps to take to protect your business from social engineering:

  • Regularly update your company antivirus software.
  • Secure your business network with a robust firewall.
  • Make sure employees are wary of responding to emails from unknown persons, especially those containing links or attachments.
  • Train employees to recognize doctored email addresses from fraudulent sources.
  • Make sure employees never give out financial or sensitive information over the phone or electronically without encryption.

Mitigating the Risks of Human Error

A report by Kaspersky Lab revealed that about 90% of data breaches are caused by human error.

Many businesses suffer data breaches because their employees inadvertently created an entry point to their systems, whether by opening unsafe email attachments, clicking on suspicious website links or downloading unsafe files.

Cybercriminals count on human flaws to circumvent the most robust security software. It all comes down to a lack of awareness which can put your employees at risk of making errors in judgment, resulting in data and security breaches, company downtime, or financial loss.

Invest in Awareness Training

Investing in a thorough employee training program is a vital ingredient in any organization’s data protection policy. Raising awareness ensures that employees understand the regulatory obligations for businesses and understand the implications of non-compliance. Realizing the value of sensitive information if breached can also help employees to act with caution and make the right decisions to keep business data safe and protected.

Make sure your employee training program includes a comprehensive overview of key topics such as data protection, GDPR, and information security. We also recommend keeping employees up to date with microlearning courses for refreshing and reinforcing key learning messages over time.

How Can We Help?

At DeltaNet International, we are firm believers in leveraging the power of awareness training to reduce the impact of human error. Without raising awareness, you may be putting your business at risk of non-compliance with data protection and privacy laws. Don’t get caught out by the regulators, invest in awareness training for your staff. Find out how we can help with our range of Data Protection Online Training.

Cybercrime is a widespread phenomenon across the world. It can affect firms and organisations of any size, belonging to any industry or sector. Through carefully coordinated attacks, cybercriminals tend to target vulnerabilities in technology or cause poorly trained staff to make mistakes – both approaches are designed to put businesses at risk.

This has shown to be true for the legal sector too. The National Cyber Security Centre’s Legal Threat Report found that 60% of law firms in the UK reported experiencing an attack in 2017; up from 42% in 2013. Cybersecurity concerns amongst legal sector firms are therefore significant and steadily rising.

Cyberattacks on Legal Firms

Recent research by Crowe UK into the cybersecurity risks impacting the top 200 UK law firms indicates that most of the firms surveyed have ‘significant unaddressed cyber risks’.

Legal firms tend to be an easy target due to the money and sensitive client data they hold. According to the Risk Outlook 2018/19 report by Solicitors Regulation Authority (SRA), the amount of money law firms are losing to cybercrime is on the rise – with £9.4 million of client money lost in 2016, increasing to £10.7 million in 2017.

With financial loss and reputational damage at risk, it is more important than ever for legal firms to consider and prepare for the threat of cyberattacks.

Key Areas of Concern

Based on the reported cybercrimes and scams, some of the key areas of concern that have been identified are:

Email fraud

The Risk Outlook report identifies email modification fraud as the most common type of cybercrime against legal sector firms. 91% of the firms surveyed by Crowe UK have had their website address ‘spoofed’ and used to send a fraudulent email to obtain confidential information, such as passwords and personal details. Email spoofing increases the risks of exposure to malware and ransomware, and phishing of employees and clients.
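As an added illustration (not code from the report or the original post) of how a firm's inbound mail gateway can flag the spoofed email described above: a message that claims to come from the firm's own domain is checked for alignment between the visible From address, the envelope sender and the SPF/DKIM results recorded by the firm's own mail server. The domain, server name and the two sample messages are constructed placeholders.

```python
import email
import re
from email.utils import parseaddr

# Constructed placeholders: the firm's own domain and the authserv-id its
# inbound mail server writes into Authentication-Results.
OUR_DOMAIN = "example-law-firm.co.uk"
OUR_AUTHSERV_ID = "mx.example-law-firm.co.uk"

# Constructed sample messages; only the headers matter to the check.
SAMPLE_GENUINE = """\
Return-Path: <accounts@example-law-firm.co.uk>
Authentication-Results: mx.example-law-firm.co.uk; spf=pass smtp.mailfrom=example-law-firm.co.uk; dkim=pass header.d=example-law-firm.co.uk
From: Accounts <accounts@example-law-firm.co.uk>
To: client@example.net
Subject: Invoice 1042

Please find the invoice for your matter attached.
"""

SAMPLE_SPOOFED = """\
Return-Path: <bounce@mail-relay.example.org>
Authentication-Results: mx.example-law-firm.co.uk; spf=fail smtp.mailfrom=mail-relay.example.org; dkim=none
From: Accounts <accounts@example-law-firm.co.uk>
To: client@example.net
Subject: Urgent: new bank details for your completion funds

Please send the completion funds to our updated account today.
"""


def domain_of(header_value) -> str:
    """Domain part of the address in a From or Return-Path header."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def parse_auth_results(header_value) -> dict:
    """Extract spf/dkim results from an Authentication-Results header.
    Returns {"spf": (result, smtp.mailfrom domain), "dkim": (result, header.d)}.
    Only the header written by our own server (its authserv-id) counts; a
    sender can forge this header just as easily as the From line."""
    if not header_value:
        return {}
    authserv_id = header_value.split(";", 1)[0].strip().lower()
    if authserv_id != OUR_AUTHSERV_ID:
        return {}
    pattern = r"\b(spf|dkim)=(\w+)(?:[^;]*?\b(?:smtp\.mailfrom|header\.d)=([\w.-]+))?"
    results = {}
    for method, result, domain in re.findall(pattern, header_value):
        results[method] = (result.lower(), domain.lower())
    return results


def assess(raw_message: str) -> list:
    """Findings for a message whose visible From claims to be our domain.
    A genuine message aligns: the envelope sender matches From, and SPF or
    DKIM passes for that same domain. An empty list means no concern."""
    msg = email.message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    if from_domain != OUR_DOMAIN:
        return []  # not claiming to be us; outside the scope of this check
    findings = []
    envelope_domain = domain_of(msg.get("Return-Path"))
    if envelope_domain != from_domain:
        findings.append(f"envelope sender {envelope_domain!r} does not match the From domain")
    auth = parse_auth_results(msg.get("Authentication-Results"))
    spf_result, spf_domain = auth.get("spf", ("none", ""))
    dkim_result, dkim_domain = auth.get("dkim", ("none", ""))
    spf_aligned = spf_result == "pass" and spf_domain == from_domain
    dkim_aligned = dkim_result == "pass" and dkim_domain == from_domain
    if not (spf_aligned or dkim_aligned):
        findings.append(f"no aligned SPF/DKIM pass (spf={spf_result}, dkim={dkim_result})")
    return findings


if __name__ == "__main__":
    print("genuine:", assess(SAMPLE_GENUINE) or "ok")
    print("spoofed:", assess(SAMPLE_SPOOFED) or "ok")
```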

Vulnerable technology

The Crowe UK report states that 80.5% of the firms surveyed were running at least one service with a well-known vulnerability. Cybercriminals target these vulnerabilities which could result in data theft, loss of control of the website, and viruses and ransomware programs which encrypt files and demand a ransom in exchange for restoring access.

Data breaches

With many firms reporting a cyberattack in the last two years, firms are also concerned about how to respond to a cyberattack and ensure compliance with regulations. This is particularly true about data breaches and the General Data Protection Regulation (GDPR) which came into force on 25 May 2018. A data breach could cost a legal firm thousands of pounds in fines for failure to comply with the GDPR – before and after an attack.

Mitigating the Risks

Prevention is key to ensuring that firms are mitigating the risks and protecting their organisation and employees from the threat of cyberattacks. The two main areas to focus on are:

Securing Systems

Investing in technology and securing your firm’s IT systems will help you avoid heavy financial loss from the fallout of a cyberattack. Keeping your systems up to date is one of the most effective weapons against cyberattacks. Make sure you have robust and reliable security measures in place and develop information security policies to protect your firm from known and newly discovered vulnerabilities.

Raising Awareness

Human error is becoming a common factor in cyberattacks on firms and organisations. Whether it is opening unsafe email attachments, clicking on suspicious website links or downloading unsafe files, employees are often responsible for enabling access to systems. It is often a lack of awareness that puts employees at risk of making errors in judgement. Educate your workforce on the cybersecurity threats they face and the risks to look out for. By driving a culture of awareness and training employees on the risks they face and how to respond, firms can protect both their employees and their businesses from cyber threats.

Cyber Security Awareness Training

At DeltaNet International, we are firm believers in leveraging the power of awareness training to reduce the impact of cyberattacks. Find out how we can support your firm with a wide range of eLearning solutions dedicated to raising awareness on cybersecurity and information security risks. Visit our website for more information.

The ‘world’s favourite airline’ and the largest hotel chain both reported huge data breaches in recent times, affecting millions of records. After investigations by the Information Commissioner’s Office (ICO), British Airways and Marriott International are both facing record fines for data breaches under the General Data Protection Regulation (GDPR).

Marriott

In November 2018, the Marriott International group of hotels reported a massive breach to the ICO. It relates to a cyber incident involving unauthorised access to the Starwood hotels group’s systems in 2014. Marriott subsequently acquired the Starwood Group; however, the breach was not discovered or reported until 2018.

As a result, the personal data of approximately 339 million guests globally was compromised. Around 30 million of these records related to residents of 31 countries in the European Economic Area (EEA), and around seven million related to UK residents.

After an extensive investigation, on 9 July 2019, the ICO issued a notice of its intention to fine Marriott in excess of £99M under the GDPR. Marriott International has co-operated with the ICO investigation and, since the data breach was reported, has made improvements to its security arrangements. However, the ICO’s contention is that Marriott failed to perform due diligence when it acquired the Starwood Group and should have made sufficient checks to ensure its IT systems were secure.

In a statement, Marriott have revealed that they intend to appeal the fine and defend their position.

British Airways

The ‘world’s favourite airline’, on the other hand, is facing a record fine of £183M for breaches of data protection law. The proposed fine relates to a cyber incident in June 2018 when 500,000 customers browsing the British Airways website and booking tickets online were being directed to a fraudulent website. Their personal data, including name, address, login, payment card and travel booking details, were then harvested by the cyber attackers.

As per the investigation by the ICO, the personal data of approximately 500,000 customers was compromised in this cyber incident, including login, payment card and travel booking details, as well as name and address information.

In a statement, British Airways apologised to customers, expressed disappointment and revealed the intention to appeal.

Fines Issued in 2018

The ICO is reaffirming its commitment to the GDPR by disclosing the details of its fines and investigations to the public. Since the GDPR came into effect on 25 May 2018, a number of high-profile data breaches have come to light. The ICO issued some of the biggest fines last year, including fines for the Crown Prosecution Service (CPS), Equifax UK, Uber, Facebook and Bounty.

With the ICO adopting a tough stance and walking the talk, businesses must bear in mind the very expensive consequences as a result of data breaches.

Is Your Business Prepared?

What we have learnt from these recent breaches is that the GDPR goes beyond ‘consent’ and data privacy issues. Both the breaches at British Airways and Marriott were a result of IT or web systems failures and hackers gaining unauthorised access.

A quick recap of what any form of data breach under GDPR could cost your business: the ICO can issue a fine of up to 4% of a company’s global annual revenue for a breach under the GDPR. For British Airways, the ICO fine comes up to 1.5% of global turnover for the year, while for Marriott, it’s 3% of the company’s global revenue.

Mitigate the risks of a hefty fine and ensure that your business is prepared to combat the lapses in cyber security. Investing in cyber security and information security is key to keeping the hackers out. Keeping your systems secure and up to date is the first step and one of the most effective weapons against cyber-attacks.

Do not forget the importance of awareness training for your workforce. Are your staff equipped to spot the signs of an intended cyber-attack and understand the implications? By training your employees on the various aspects of cyber security and GDPR, and the risks they face, businesses can keep the hackers out and prevent costly breaches under the GDPR.

How Can We Help

Our FREE download on Handling a Data Breach offers practical tips for reducing the risk of a breach, including a checklist for managing and reporting data breaches should your data be compromised.

We can also support your business with a wide range of eLearning solutions dedicated to cyber security and GDPR. Our eLearning can be delivered as off-the-shelf packages, or we can customise the content to suit your organisation. To find out more, check out our great value Compliance package.

Could your organisation handle a data breach?

Whilst it’s imperative for organisations to do all they can to prevent a data breach and protect the rights of individuals, many are unprepared to manage a personal data breach should the worst happen. This can cause further damage to finances and reputation and even lead to further breaches.

To help get the conversation started, download our FREE eGuide, Handling a Data Breach.

As well as practical tips for reducing the risk of a breach, this handy booklet also includes a checklist for managing and reporting data breaches should your data be compromised.


(For media enquiries or to share this eGuide on your website please contact [email protected])