COVID-19: Distinguishing crime
Yesterday credit-check company, Experian, reported that over 12 million pieces of personal information, mainly passwords, were sold over the internet in the first four months of 2012. This is a huge increase – in the whole of 2010 the figure stood at 9.5 million.
This news should prompt businesses, particularly online retailers, to think carefully about the security of their password databases. Although Experian reported that the increase was partly due to UK consumers holding a growing number of online accounts, an underlying message is that businesses need to think about encrypting password databases and taking other steps to secure databases.
This is a message the Information Commissioners Office (ICO) may repeat more strongly in the future. The Data Protection Act 1998 (the DPA 1998) makes it a requirement for businesses to put in place security measures to prevent unlawful use of personal information. Companies should be aware that the Information Commissioner has not shied away from imposing hefty fines on organisations for failing to have adequate security in place, particularly following thefts of unencrypted laptops or tapes containing personal information.
Only two weeks ago, Welcome Financial Services was fined £150,000 by the ICO after it lost two unencrypted tapes containing back-up data which were in transit to its office from an off-site location. The tapes contained the bank account details, dates of birth and National Insurance numbers of 28,000 employees and agents and held approximately 1.94 million customer records.
It might be expected that a company which loses customers’ passwords through a cyber-attack, having not encrypted or secured its password database, may too be subject to a substantial financial penalty. But in fact, this has not been the approach adopted by the ICO to date.
In August 2011 cosmetics firm Lush found that the security of its website had been compromised for four months and hackers had accessed the payment details of 5,000 customers, 95 of whom became the victims of credit card fraud. Perhaps surprisingly, the ICO did not fine Lush and instead required it to sign an undertaking to ensure credit card information was processed in line with industry standards. At the time many commentators in the IT security industry felt the lack of financial penalty sent the wrong message to online retailers. The sharp rise in the online theft of personal information reported by Experian suggests the commentators might just be right.
What does the future hold? It seems likely that as more information about the extent and impact of online data theft emerges, the ICO will be pressured into taking a harder line in future cases. Companies may have a stark and expensive choice ahead of them: pay for enhanced online security or risk a financial penalty from the ICO.
Looking further into the future, ensuring that online databases and information are adequately protected from cyber-crime will be more crucial than ever. Proposed EU data protection legislation, which when implemented in the UK will replace the DPA 1998, is set to make it compulsory for a company which suffers a data security breach to notify the Information Commissioner and any person adversely affected. The reputational cost of having to notify thousands of customers or potential customers of a breach will be severe and a cost companies will be very keen to avoid.
Skip to content Home About Us Insights Services Contact Accessibility