Fine for Carphone Warehouse stark reminder of change to come
If anybody wanted reminding of the approaching menace of GDPR and the implications for businesses, then the £400,000 fine handed out to Carphone Warehouse, earlier this week, would have been a bit of a wake-up call.
While the fine wasn’t part of any GDPR arrangement – that doesn’t come into effect until May – the size of it was a bit of an eye-opener. “It’s the size of the fine, that was a bit unexpected,” said Lewis Henderson of security company Glasswall, pointing out that the three million customer accounts greatly exceeded the 157,000 customer records in the Talk Talk breach, an incident that also warranted a £400,000 fine. “You do wonder what a company has to do to be hit by the maximum,” Henderson mused.
The size of the fine is significant because in May, the now-dizzying amount could well be dwarfed by the penalties handed out for breaching GDPR. So, while the £400,000 is, as Henderson points out, below the maximum, it’s large enough to serve as a warning shot.
Telcos and mobile operators will, by virtue of their large customer bases, be tempting targets for cyber criminals and, given the size of their turnovers, they will be tempting targets too for information commissioners looking to make an example of shoddy data protection practice.
It’s fair to say that there won’t be heavy fines handed out in the first few weeks that GDPR is in operation, but it’s almost inevitable that within a year some company will be hammered. There does seem to be a belief floating around the industry that the size of the fines (up to 4% of global turnover) is just so much talk. But given the sloppy practice that rather too many companies are indulging in, we can expect to see at least one hapless firm hit by a huge penalty, pour encourager les autres.
Henderson said that the world has moved on as GDPR has drawn closer. “I made a quick calculation, and estimated that if the ICO fined Carphone Warehouse the maximum it could under GDPR guidelines, it would have been hit with a £190m fine.”
And it’s the realisation that fines could be that big that will concentrate minds of the operators, ensuring that their systems are as robust as possible. But, as Henderson said, three years after the Talk Talk data breach, companies are still being hit – just in November, it was reported that Three suffered a data breach of its own.
But the nature of the attack has changed, said Henderson. “Three years ago, attackers were knocking on the door of websites, I’d say that these days 60% of attacks use file attachments – they’re the biggest threat.”
The fact that criminals are still threatening customer records, whatever the attack method, is scary enough, but one of the biggest counterbalances against this used to be the reputational damage, and it doesn’t look like that’s the case any longer.
“People are being desensitised,” said Henderson. “When Talk Talk was hit in 2015, the share price took such a beating that it took months to recover the situation.” That’s a contrast to what happened this week, he said, pointing out that when Carphone Warehouse got hit by its fine, the share price briefly went down … by a whole percentage point. And given that the news of the fine was announced on the same day that the group finance director left, the penalty may not have been the only reason for that fall in share price.
There does seem to be acceptance now that customer records are going to be hacked and, while embarrassing, it’s no big deal. Ten years ago, perhaps, it could cause immense damage to a company’s reputation: these days, such news causes just a ripple in the share price.
It’s precisely this sort of belief that GDPR has been designed to change.
So, how prepared are operators for the new reality of GDPR? According to a Clearswift survey from last September, organisations are not fully prepared for the changes in regulation. The research showed that only about a quarter of European businesses are GDPR-ready and, while technology and telecoms companies are better prepared than most, only 32% of this sector was fully engaged.
That, of course, was four months ago, and there have been rapid changes since then as companies have woken up to the realities of GDPR. The Clearswift survey found that 44% of companies were well advanced in their plans, expecting to be compliant by the May deadline. One of the factors that has driven that change is the realisation that, despite Brexit, the changes are coming and the UK being out of the EU will have no impact on the adoption of GDPR.
But even including the companies formulating a plan, about a third of all organisations won’t be ready, and that will include a number of telecoms firms (the Clearswift survey didn’t go into much detail). Even if it’s only a handful, that’s a worrying sign.
The big boys will be fully aware of the issues and will have spent months tightening up their systems but, sooner or later, there’s going to be a data breach and this time, someone’s going to be hit with a big fine.
It would be nice to think that the operators’ systems are tightly secured, but the use of attacks focused on attachments means that it becomes harder to tie things up tightly. As Glasswall’s Henderson said: “It’s the gift that keeps giving.”