European consumer electronics retailer Dixons Carphone’s apologetic admission yesterday that a 2017 data breach was in fact considerably worse than it first reported suggests disclosures of major breaches could get a bit more messy — at least under the early reign of the region’s tough new data protection framework, GDPR — as organizations scramble to comply with requirements to communicate serious breaches “without undue delay”. Although, to be clear, it’s not the regulation that’s the problem. Dixons’ handling of this particular security incident has come in for sharp criticism — and is most certainly not a textbook example of how to proceed. Dixons Carphone disclosed a breach of 5.9M payment cards and 1.2M customer records in mid June , saying it had discovered the unauthorized access to its systems during a security review. However this week the company revised upwards the number of customer records affected — to around 10M. The breach itself occurred sometime last year. “They are clearly concerned about regulatory enforcement but they seem completely unprepared to handle customer reactions. With privacy and security awareness increasing exponentially, it will not be long before we see customer churn, reputational damage, and further decrease in the value of the business as a result of such a poor response to a very large breach,” says Enza Iannopollo, a security expert at the analyst Forrester, responding to Dixon’s revised report of the security incident in a statement yesterday. The ballooning size of the Dixons breach is interesting in light of Europe’s strict new data protection regulation, which put the onus on data controllers to disclose breaches rapidly. Rather than — as has all-too-often been the case — sitting like broody hens waiting for the most opportune corporate moment to hatch a confession, yet leaving their users in the dark in the meanwhile, unwittingly shouldering all the risk. In the case of this Dixons 2017 breach (NB: it’s not the only breach the Group has suffered ), it’s not yet clear whether the EU’s new regulation will apply (given the incident was publicly disclosed after GDPR had come into force); or whether it will fall under the UK’s prior data protection regime — given the hack itself occurred prior to May 25, when GDPR came into force. A spokesperson for the UK’s Information Commissioner’s Office (ICO) told us: “Our investigation has not yet concluded which data protection law applies in this case — DPA98 or the GDPR.” While the UK’s Data Protection Act 1998 encouraged data controllers to disclose serious data breaches, the EU’s General Data Protection Regulation (transposed into national law in the UK via the DPA 2018 ) goes much further, putting in place a universal obligation to report serious breaches of personal data within 72 hours of becoming aware of an incident. And of course this means not just personal data that’s been actually confirmed as lost or stolen but also when a security incident entails the risk of unauthorized access to customer data. The exception to ‘undue delay within 72 hours’ is where a personal data breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. Which, while it’s clear that not every breach will require disclosure (say for example if personal data was robustly encrypted a company may deem it unnecessary to disclose a breach), is a caveat that still sets a pretty low disclosure bar. At least where a breach entails a risk of personal information being extracted from compromised data. (Which is yet another reason why strong encryption is good for everyone.) Certainly, any companies discovering a breach that puts their customers at risk, and which took place on or after May 25, 2018, but which then decide to ‘do an Uber’ — i.e. sit on it for the best part of a year before ‘fessing up — will put themselves squarely in EU regulators’ crosshairs for an equally major penalty.
Home / Tech News & Announcements old / What can we learn from the Dixons data breach that blew up after disclosure
**Sponsored Content** Digital Lifestyle Expert, Mario Armstrong, partnered with OtterBox to share the perfect gift …