By Integrity360 on December 20, 2019

The 5 most notable data breach stories from 2019

Ransomware, Breaches, Alerts & Advisories, Compliance & Regulation

In the world of cyber security, every year seems pretty long.

Days are spent dealing with threats like ransomware and Magecart, helping employees dodge phishing attacks, or patching enterprise servers. On top of that, companies have to deal with the prospect of a data breach.

There are a number of high-profile data breaches every year, from social media giants to international hotel chains. But there is also a fair number of important news stories that follow in their wake, and it is these follow-up stories that shape how we view, react to and move on from data breaches.

Here are five stories you might have missed in 2019 if you aren't reading our quarterly Risk Radar report. They show what the ramifications of a data breach are for a business, and serve as extra incentive to take the possibility of a cyber security incident at your company in 2020 a bit more seriously.

1. British Airways and Marriott face massive GDPR fines

British Airways faced the largest proposed GDPR fine to date for its 2018 data breach. The UK's Information Commissioner's Office (ICO) issued a notice of intent to levy a £183 million penalty against the airline, roughly 1.5 percent of its worldwide turnover for 2017.

Shortly afterwards the ICO issued Marriott International with a notice of intent to fine it £99 million over the data breach it disclosed in 2018, in which around 383 million guest records were compromised. Neither company has yet received a final Monetary Penalty Notice, so the amounts are not yet final.

European companies are now more than a year into GDPR, and the regulators tasked with enforcing it are not giving any leeway. The British Airways and Marriott International breaches were both massive incidents, and they earned comparably large proposed penalties.

Where fines under the previous UK Data Protection Act were capped at £500,000, larger enterprises should take this as a signal that the gloves are off. Ensure that privacy practices are in place and that any gaps are addressed through follow-up checks.

Via Cyber Security Risk Radar Q4

2. Equifax settles; to pay $700 million in damages

Equifax, a US-based credit reporting agency, reached a settlement with US federal and state authorities over its 2017 data breach, which compromised sensitive data on roughly 150 million people.

The deal, worth up to $700 million in total, sets aside up to $425 million for people affected by the breach. Compensation takes the form of free credit monitoring, or a cash payment for victims who already pay for such a service.

Equifax's 2017 data breach continues to plague the company years after the fact. The settlement is just the latest in a string of events that have hurt the business, including a downgrade of its rating outlook, which made it the first company to suffer one due, in part, to a data breach.

While many companies remain focused on the short-term financial implications of a data breach, it is the long-term ramifications that could end up costing them the most. Equifax, like the earlier settlements by Eddie Bauer and Yahoo, proves that a data breach can follow a business for years.

Via Cyber Security Risk Radar Q4

3. Economic downgrade, bankruptcy tied to data breaches

Credit rating firm Moody's downgraded Equifax's rating outlook because of its 2017 data breach, making Equifax the first company ever to have its outlook downgraded over a breach. Moody's cited mounting breach-related expenses and the significant investment in security infrastructure the company will need to make as reasons for the downgrade.

Elsewhere, the American Medical Collection Agency (AMCA) filed for bankruptcy after a data breach that exposed data on roughly 20 million Americans. The company cited the loss of its four largest clients, which stopped doing business with it after the breach, as the main reason for the filing.

These two events are a reminder that although a data breach happens in the digital space, its consequences are very real. A single breach carries enough weight to trigger a rating downgrade, a significant signal to investors, or to shut a company down altogether.

Avoiding a data breach, and the fallout that comes with it, has earned a place on the board's agenda. Without investment in the digital security of the business, an enterprise could soon find itself facing a very long bill.

Via Cyber Security Risk Radar Q3

4. DPC releases first annual report on GDPR compliance

Ireland's Data Protection Commission (DPC) released its first annual report covering GDPR, spanning the period from the regulation's introduction in May 2018 to the end of 2018. In that period 2,864 complaints were filed and organisations notified the DPC of 3,542 data breaches.

Across Europe, around 60,000 data breaches were reported in the first seven months the law was in effect. Google received the largest GDPR fine at the time, €50 million from France's CNIL, for not giving users enough information about ad personalisation and for failing to obtain valid consent.

Digital privacy and data security are chief concerns for both companies and consumers in the GDPR era. Multiple fines have already been issued and tens of thousands of breaches reported, showing that the law's notification and enforcement machinery is already working.

Companies should be working actively with Cyber Risk and Assurance teams, and specifically with data protection consultants, to ensure they follow best practice. Make sure mechanisms are in place to quickly detect, investigate and report any security incident that falls under GDPR's notification rules, which require the supervisory authority to be notified within 72 hours of the organisation becoming aware of a breach.

Via Cyber Security Risk Radar Q2

5. Three-quarters of data breaches tied to privileged credential abuse

Researchers found that most data breaches can be tied to abuse of privileged credentials at some point in the attack. In a Centrify study, nearly three in four IT managers whose organisation had been breached could link the breach to privileged credential abuse.

Of the businesses that were breached, only 21 percent had multi-factor authentication in place for privileged access. A further 65 percent routinely shared root-level access to systems rather than provisioning an individual account for each user, so privileged actions could not be attributed to a specific person.

While the phrase "data breach" tends to conjure a hooded hacker in front of a screen of green characters, Centrify's study shows the reality is often much simpler: people have access to systems they shouldn't, for one reason or another.

Privileged Access Management (PAM) is a valuable part of any overarching cyber security strategy because it compartmentalises system access and ensures that only those who need privileged access have it. Investing in PAM tooling, alongside multi-factor authentication for every privileged login, is one of the most direct ways to mitigate credential abuse.
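The two patterns the study above describes, shared root logins and privileged access without a second factor, are easy to spot in ordinary host logs. The following is an added example, not code from Integrity360 or Centrify: a small Python audit that runs over constructed sshd and sudo log lines (the hostname, users, addresses and key fingerprints are invented) and checks a constructed sshd_config fragment for the weak settings beside their hardened equivalents. It assumes OpenSSH's log and config formats and that `keyboard-interactive` is backed by a PAM one-time-password module.

```python
"""Added example: audit sshd/sudo log lines for shared-root use and missing
second factors, and check an sshd_config fragment for the matching settings."""
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines: hostname, users, addresses and key
# fingerprints are invented for this example.
SAMPLE_AUTH_LOG = """\
Jan 14 09:12:01 bastion sshd[2001]: Accepted publickey for alice from 10.0.1.15 port 50212 ssh2: ED25519 SHA256:abc
Jan 14 09:13:44 bastion sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 14 09:20:10 bastion sshd[2044]: Accepted password for root from 10.0.1.77 port 41002 ssh2
Jan 14 11:02:33 bastion sshd[2188]: Accepted password for root from 203.0.113.9 port 53311 ssh2
Jan 14 11:05:08 bastion sshd[2190]: Accepted publickey for bob from 10.0.1.16 port 50333 ssh2: RSA SHA256:def
Jan 14 11:06:50 bastion sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/tail /var/log/nginx/error.log
Jan 14 23:41:12 bastion sshd[2333]: Accepted password for root from 10.0.1.77 port 41410 ssh2
"""

# Constructed sshd_config fragments: the weak settings and the hardened form.
# keyboard-interactive is assumed to be backed by a PAM OTP module, so the
# hardened form requires a key plus a one-time code for every login.
WEAK_SSHD_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
"""

SSH_ACCEPT = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
SUDO_CMD = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


def parse_auth_log(text):
    """Turn raw syslog lines into login/sudo events; lines matching neither are ignored."""
    events = []
    for line in text.splitlines():
        m = SSH_ACCEPT.search(line)
        if m:
            events.append({"kind": "login", **m.groupdict()})
            continue
        m = SUDO_CMD.search(line)
        if m:
            events.append({"kind": "sudo", **m.groupdict()})
    return events


def audit_privileged_access(events):
    """Flag direct root logins (a shared credential nobody is individually
    accountable for) and root logins by password alone (no key, no second factor).
    Per-user sudo escalation is recorded as attributable, not flagged."""
    root_sources = Counter()
    password_root = 0
    sudo_by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "login" and e["user"] == "root":
            root_sources[e["src"]] += 1
            if e["method"] == "password":
                password_root += 1
        elif e["kind"] == "sudo":
            sudo_by_user[e["user"]].append(e["cmd"])
    findings = []
    if root_sources:
        findings.append(
            f"direct root logins from {len(root_sources)} source(s): "
            + ", ".join(f"{src} x{n}" for src, n in sorted(root_sources.items()))
            + " (shared credential; actions cannot be attributed to a person)")
    if password_root:
        findings.append(f"{password_root} root login(s) by password only: no key or second factor")
    return {"root_sources": dict(root_sources), "password_root_logins": password_root,
            "sudo_by_user": dict(sudo_by_user), "findings": findings}


def check_sshd_config(text):
    """Return the weak directives in an sshd_config fragment. Absent directives are
    judged by their OpenSSH defaults (PermitRootLogin prohibit-password, PasswordAuthentication yes)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1]
    weak = []
    if settings.get("PermitRootLogin", "prohibit-password") == "yes":
        weak.append("PermitRootLogin yes: root can log in directly (shared root account)")
    if settings.get("PasswordAuthentication", "yes") == "yes":
        weak.append("PasswordAuthentication yes: single-factor password logins allowed")
    if len(settings.get("AuthenticationMethods", "").split(",")) < 2:
        weak.append("AuthenticationMethods: fewer than two factors required")
    return weak


if __name__ == "__main__":
    report = audit_privileged_access(parse_auth_log(SAMPLE_AUTH_LOG))
    for finding in report["findings"]:
        print("FINDING:", finding)
    for user, cmds in report["sudo_by_user"].items():
        print(f"attributable sudo by {user}: {len(cmds)} command(s)")
    print("weak sshd_config:", check_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened sshd_config:", check_sshd_config(HARDENED_SSHD_CONFIG))
```

On the sample data the audit flags the root account being used from two different addresses, including one outside the internal range, and every one of those logins being password-only, while alice's and bob's sudo commands are left alone because each is tied to a named person. The same split, individual accounts plus escalation on one side and a shared root password on the other, is what a PAM deployment is meant to enforce across a whole estate.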

Via Cyber Security Risk Radar Q2

Keep up to date on the latest cyber security news by reading the latest Risk Radar here.
