Mitsubishi Electric Breach, GDPR Update & More!
It is Tuesday, January 21st, 2020, and here are today's most pressing cyber stories we need to know about.
160,000 data breaches reported already
Over 160,000 data breach notifications have been made to authorities in the 18 months since Europe's new digital privacy regulations came into force, and the number of breaches and other security incidents being reported is on the rise.
Analysis by law firm DLA Piper found that after General Data Protection Regulation (GDPR) came into force on 25 May 2018, the first eight months saw an average of 247 breach notifications per day. In the time since, that has risen to an average of 278 notifications a day.
The GDPR Data Breach Survey also puts the total value of GDPR fines imposed so far at €114m ($126m/£97m). The largest single fine imposed to date is the €50m issued by the French data protection authority, CNIL, to Google over infringements around transparency and consent.
The UK Information Commissioner's Office has announced its intention to issue two larger fines for data protection infringements, but neither has yet been finalised, so neither is included in that total.
In July last year, British Airways was issued with a £183m ($238m/€213m) fine following cyberattacks against its systems which resulted in personal details of around 500,000 customers being stolen by hackers.
Following what was described as an "extensive investigation", the ICO concluded that information was compromised by "poor security arrangements" at British Airways. At the time, the airline made it clear it wasn't happy with the fine, stating it was "surprised and disappointed".
Then, just a day later, the ICO issued a fine of £99m ($124m/€112m) to Marriott Hotels for a data breach which exposed the personal details of 339 million guests around the world – including 30 million European citizens and seven million UK citizens.
Hackers breached Starwood Hotels in 2014; that hotel chain was subsequently purchased by Marriott in 2016, but the breach wasn't discovered and patched until 2018. A statement from Marriott at the time of the penalty notice said the company was "deeply disappointed" by the proposed fine.
Both Marriott and British Airways are appealing their fines.
Under GDPR, organizations can be fined up to €20 million or four per cent of their global annual turnover, whichever is higher, if they are found to have had inadequate security following a data breach. Despite this, it's believed that just one third of organizations are fully GDPR compliant.
The total amount of fines of €114 million imposed to date is relatively low compared to the potential maximum fines that can be imposed under GDPR,