Last month, two leading companies each received what were then record-setting fines for data breach violations: £183 million for British Airways and then, just two weeks later, $5 billion for Facebook. Regulators sent a clear message to organizations around the world — if you don’t treat your customers’ data with the greatest care, you should expect severe punishment when things go sideways. How did it get to this stage with Facebook and BA? And what lessons can other companies learn?
British Airways — First Major Fine of GDPR Era
On July 8th, the UK’s Information Commissioner’s Office (ICO) announced it would impose a fine of £183 million on British Airways for a 2018 data breach caused by a sophisticated cyberattack. Users of British Airways’ website were diverted to a fraudulent site where personal information, including names, addresses, website logins, payment cards, and travel booking details, was harvested. The data breach impacted about 500,000 customers.
The penalty imposed on BA was the first one to be made public since the GDPR became effective in June 2018, making it mandatory for any company holding customer or other personal data of individuals from the European Union to report data security breaches to its national data protection authority. The £183 million penalty imposed by Britain’s data privacy watchdog was 367 times larger than the £500,000 penalty it had imposed on Facebook in 2018 for violations related to Cambridge Analytica. Both turned out to be a fraction of Facebook’s penalty announced just two weeks later…
Facebook Faces the Music
For the past two years, Facebook has been investigated by multiple regulators due to loss of control over massive troves of personal data and mishandling of its communications with users. In early 2018, the Facebook–Cambridge Analytica data scandal erupted. Journalists revealed that the then-unknown British political consulting firm had harvested the personal data from millions of individuals’ Facebook profiles without their consent and then sent them targeted political advertising.
In October 2018, Facebook disclosed that hackers had compromised tens of millions of accounts by exploiting a series of software flaws, culminating in their ability to impersonate users and take over their profiles. The following month, Facebook acknowledged that its platform had been abused in Myanmar to “foment division and incite violence,” citing an independent human rights review that the company had commissioned.
On July 24th, the U.S. Federal Trade Commission fined Facebook $5 billion for violating an 8-year-old privacy agreement. $5 billion is easily the largest fine ever imposed for violating consumer privacy. It is more than 8,200 times larger than the £500,000 penalty it received from the UK’s ICO in October 2018. It is also 22 times larger than BA’s fine by the ICO announced two weeks earlier.
What Does It All Mean?
First off, organizations must take data privacy requirements much more seriously. This seriousness must flow from the top down, meaning executives should not just be accountable for the company’s data privacy approach — they must lead from the front. Complying with data regulators should be a broader, executive-sponsored business initiative across various functional groups within an organization. Security and data protection leaders can’t tackle it alone. It must involve a multi-disciplinary team in order to translate requirements and prioritize risk mitigation actions.
For proof of the necessity of this approach, look no further than the FTC’s press release announcing its decision on Facebook: “The settlement order announced today also imposes unprecedented new restrictions on Facebook’s business operations and creates multiple channels of compliance. The order requires Facebook to restructure its approach to privacy from the corporate board-level down, and establishes strong new mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy, and that those decisions are subject to meaningful oversight.”
Secondly, organizations must now meet a higher standard of data privacy requirements. In the past, when it came to compliance, people tended to think simply in terms of checking off boxes. Many small and medium-sized businesses didn’t even pay attention to data privacy requirements because they believed they were too small for data regulatory authorities to chase after.
However, times have changed. It’s not just the introduction of new data protection principles such as GDPR. We’re also seeing data security requirements get enforced thoroughly by regulators. Some bodies such as the FTC even claim they have enhanced their audit processes to evaluate the effectiveness of companies’ privacy programs and to identify any security gaps.
Finally, the abuse of data access by privileged users continues to be an issue. In the Facebook-Cambridge Analytica scandal, Cambridge’s former CEO and an app developer misused Facebook user data for political advertising purposes without getting users’ consent. That may have been a legal grey area before. Now under GDPR, it’s crystal clear that organizations have to limit the spread of personal data beyond “need-to-know” and can only collect data for specified legitimate purposes.
However, it’s hard to prevent privileged users from abusing sensitive or personally identifiable data. They have legitimate data access, after all. Hence, the ability to monitor what business-critical data is being accessed, how it is being used, and by whom, becomes crucial. The ability to identify suspicious data activity and prioritize high-risk incidents is key to stopping data breaches.
At Imperva, we’re seeing customers take advantage of the advanced data risk analytics capabilities within Imperva Data Security to uncover and correct bad behaviors, such as the retrieval of a large number of data records, or the accessing of a database via a service account that should only be used by an application. Our customers also apply data masking to reduce their attack surface by limiting data access to only those with a need to know.
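Detection logic of the kind the two paragraphs above describe, as an added example (not Imperva Data Security’s own code): it scores constructed database audit lines for bulk retrieval and for service-account use from outside the application tier, then ranks the findings by risk. The log format, host names, row threshold and table weights are all assumptions.

```python
# Added example: score database audit records for two risky access patterns,
# bulk retrieval and service-account use from a non-application host.
# Log format, hosts, thresholds and table weights are assumed, not real product settings.

# Constructed audit lines: timestamp|db_user|client_host|table|rows_returned
AUDIT_LOG = """\
2019-08-01T09:12:03|alice|ws-114|customers|24
2019-08-01T09:13:40|svc_crm|app-01|customers|150
2019-08-01T09:15:22|bob|ws-207|payment_cards|48000
2019-08-01T09:16:05|svc_crm|ws-207|customers|31000
2019-08-01T09:17:11|svc_crm|app-02|bookings|410
""".splitlines()

# Assumed policy: the application hosts allowed to use each service account
SERVICE_ACCOUNT_HOSTS = {"svc_crm": {"app-01", "app-02"}}
BULK_ROWS = 10_000                                  # assumed "large retrieval" threshold
SENSITIVE_TABLES = {"payment_cards": 2, "customers": 1}  # assumed data-sensitivity weights


def parse(line):
    """Split one pipe-delimited audit line into a record dict."""
    ts, user, host, table, rows = line.split("|")
    return {"ts": ts, "user": user, "host": host, "table": table, "rows": int(rows)}


def detect(lines, policy=SERVICE_ACCOUNT_HOSTS, bulk_rows=BULK_ROWS):
    """Return (score, reason, record) findings, highest risk first."""
    findings = []
    for rec in map(parse, lines):
        score, reasons = 0, []
        if rec["rows"] >= bulk_rows:
            score += 2
            reasons.append(f"bulk retrieval of {rec['rows']} rows")
        allowed_hosts = policy.get(rec["user"])
        if allowed_hosts is not None and rec["host"] not in allowed_hosts:
            score += 3
            reasons.append(f"service account used from non-application host {rec['host']}")
        if reasons:
            # Raise priority when the touched table holds more sensitive data
            score += SENSITIVE_TABLES.get(rec["table"], 0)
            findings.append((score, "; ".join(reasons), rec))
    findings.sort(key=lambda f: f[0], reverse=True)
    return findings


if __name__ == "__main__":
    for score, reason, rec in detect(AUDIT_LOG):
        print(f"[{score}] {rec['ts']} {rec['user']}@{rec['host']} {rec['table']}: {reason}")
```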
With all the recent news and record-breaking fines given out to companies that fail to meet compliance and data privacy laws, it’s clearer than ever that companies must take extra care of their customer data. Rolling the dice on whether to meet data privacy and data protection requirements is not an option.
To learn how to mitigate against potential fines for not protecting data, please download our free ebook, “Steps for Securing Data to Comply with the GDPR.”
And if you’re in the financial services industry, the risks and penalties for failing to guard your data are even higher. Our free ebook, “Cybersecurity and Compliance Guide for Financial Services” is a good primer for CISOs and other technical and business leaders.