GDPR claims first corporate victims
Written by Peter Walker
The General Data Protection Regulation (GDPR) has been in force for less than two months, and already some well-known brands have fallen foul due to data breaches.
Luxury retailer Fortnum & Mason admitted the loss of some 23,000 customer records - which included emails, telephone numbers and delivery addresses of customers who filled out a survey - due to the use of a third-party survey provider.
In a similar breach to that of digital-only bank Monzo, which also used Typeform, an unknown hacker gained access to its server and downloaded the data contained in survey forms.
Meanwhile, Travelodge was also forced to announce that 180,000 personal details of its clients were taken, including date of birth, passport numbers and billing information.
Under the new regulations - which require disclosure within 72 hours of a breach - both companies have had to contact each person whose data has been lost.
Colin Tankard, managing director of data security firm Digital Pathways, commented that if these brands had encrypted their data, they would not need to contact each customer as, under GDPR, if the data is encrypted, it is only the Information Commissioners Office which needs to be advised.
“Already, it seems that many companies are being ‘hit’ with requests regarding the use of personal information, putting huge strain on company resources,” he said. “It’s hard to believe that after months of pre-GDPR consultancy work and reports on what needs to be done, companies have not installed technology that would solve these problems.”
Tankard continued that companies must, automatically, move any personally identifiable data to a secure location, where encryption is applied.
“It seems a ‘no brainer’ to do this, rather than face a huge fine, high costs of managing and notifying thousands of people, as well as handling their subsequent questions, the public disclosure and the bad press.”