Let the games begin!
It is the time that we have all been waiting for. Nooooooo….not the World Cup (editor's note: it starts today). I am talking about the first significant data breach disclosed after the GDPR go-live date of 25 May 2018!
Remember in The Matrix when Neo was dodging bullets in slow motion? In the movie, Neo was played by Keanu Reeves. Today, the role of Neo was reprised by Dixons Carphone (Dix for short).
Bad guys accessed the records of 5.9 million debit and credit cards held by Dix, as well as 1.2 million personal (non-financial) records of customers. Good news though! Only about 105,000 of those cards, all issued outside the EU, lacked chip and PIN protection, and the data taken for the chip-and-PIN cards did not include PINs, CVVs or other authentication data, so there doesn't seem to be any imminent fraud on the entire amount, just for a few unlucky people (dodged the first bullet).
This breach happened about a year ago in the pre-GDPR world (barrage of bullets dodged). Given that Dix had 2017 revenues of £10.58 billion, and that the GDPR's upper tier of fines is 4% of global annual turnover, the fine avoided was in the range of £423 million (an even bigger barrage of bullets dodged). This compares to the fine the ICO levied on Carphone Warehouse for its 2015 data breach, which was…ahem….£400k.
This GDPR thing gets talked about a lot. What do the markets think about it? Well, the share price for Dix was down close to 6% at one point today, before rebounding to close down 2.75% (D'OH, got nicked by that bullet, but don't worry, it's just a flesh wound).
Hold on a second. Did you say that the breach happened a year ago? Why are we only hearing about it today? (THUMP, that bullet is square in the shoulder.)
Hold on another second. Did you also mention that they had a breach just a few years ago? And it happened again? (THUMP, took that one in the thigh. Damn, that hurts.)
Who is looking into this? Quite a few people actually. First, there is the National Cyber Security Centre (NCSC). Then there is the Financial Conduct Authority (FCA), because payment card data is involved. Lastly, the Information Commissioner's Office (ICO) is also participating in the investigation.
The ICO? Aren't they the ones who enforce GDPR in the UK? Why yes, they are!
What is the ICO saying about this? Hmmm…..they said “We will look at when the incident happened and when it was discovered as part of our work, and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.”
Didn't you say above that this wasn't covered under GDPR, as it happened a year ago? I did! But the date of the intrusion is not the only date that matters: the GDPR's 72-hour breach notification duty (Article 33) is triggered when the controller becomes aware of the breach, so if Dix only discovered it after 25 May 2018, the handling and reporting of the incident may well be judged under the new regime even though the intrusion itself predates it. This is the beauty of a new Regulation. You do not know how it will be interpreted until something happens and it is actually interpreted. It's great, isn't it!!
It is not like GDPR has snuck up on us
There has been a two-year transition period since the Regulation was adopted in April 2016, and it is pretty much all that people have been talking about (in Regulation world, not real life) for the past 6-9 months. Why haven't people prepared? Why are people still not preparing? Why aren't they protecting data at rest, in transit and in memory, when pseudonymisation and encryption are exactly the technical measures Article 32 of the GDPR names as appropriate? I'm not gonna lie: it is pretty straightforward if you have the right partner working with you.
The moral of the story?
Don’t be a Dix. Speak to Exate and let them help you.
Exate Technology: Protect the data. Avoid the bullets!