European authorities have been cracking down on firm’s improperly securing customer data long before GRPR went into effect with two separate companies being fined £250,000 and €250,000 respectively in the past week.
The French Data Protection Authority (the CNIL) imposed a €250,000 fine on Optical Center for insufficiently securing personal data of its customers and the Information Commissioner’s Office (ICO) issued Yahoo a £250,000 fine after an investigation into the company’s 2014 breach.
The CNIL was notified about the incident in July 2017 and when it learned that the firm’s customers could access the more than 300,000 documents, mainly invoices, belonging to other customers simply by entering URL’s in the browser address bar, according to a June 7 statement from the agency.
An investigation was conducted into the incident and found the site didn’t have the functionality to verify that a customer is only connected to their personal account before displaying the invoices of others.
The European Union’s General Data Protection Regulation was not in effect at the time of the incident that the data breach did violate applicable French law.
Ilia Kolochenko CEO of the web security company High-Tech Bridge said he thinks GDPR would likely impose a less severe punishment for a first incident, but for repetitive ignorance and ensured data breaches, GDPR has much more freedom to impose harsh financial penalties.
“Despite the sad context, it is rather a good news and a strong signal to other companies that cybersecurity is not something they can continuously disregard,” Kolochenko “Many European medium-sized companies substantially underestimate the importance of data protection, let alone their application and website security. The world, however, changes, and so must their attitude too.”
He went on to say one should keep in mind that victims can make civil claims for damages suffered as a result of the breach which could lead to breach costs skyrocketing.
Optical Center isn’t the only firm penalized for its lack of securing the data of its European customers. Yahoo was also handed a fine of £250,000.
It was found that Yahoo’s UK Services had failed to secure the data of 515,121 customers against exfiltration by unauthorized persons, as well as failed to ensure appropriate monitoring was in place to protect the credentials of Yahoo! employees with access to Yahoo! customer data, according to Tech Crunch.
BioCatch’s VP Frances Zelazny said the announcement highlights the growing call for transparency and accountability from companies.
“Governments are more likely to step in and regulate the use of personal data to protect their citizens, as we see with the newly implemented data protection law in Europe,” Zelazny said. “Companies will be held to a higher standard moving forward, and be forced to recognize the enormous responsibility that they have in ensuring proper data/digital identity management.”
She added we can’t escape the reality that the notion of convenience, social media and transacting online may clash with the need for security and that data breaches have become so frequent that consumers have lost sight of the impact that having all their personal information can have.