Equifax security breach: What IF… it happened under GDPR?
The European Union’s General Data Protection Regulation (GDPR) comes into force next May.
It’s the most significant shake-up of information security for a considerable time. Despite the toughening of rules and the harsh treatment of companies by regulators and the media, large organisations with big budgets and extensive capability continue to show scant regard for safeguarding the personal data of customers.
This month news of the Equifax data leak has emerged from the US. It has seen the data of 143 million US citizens compromised and, potentially, that of some 400,000 UK citizens, although the UK figure still remains unclear.
The US company said an investigation had revealed that a file containing UK consumer information “may potentially have been accessed”. The data includes names, dates of birth, email addresses and telephone numbers, but does not contain postal addresses, passwords or financial information.
The resignations of the chief information officer and chief security officer may have been pretty quick, but it hasn’t stopped dozens of US authorities at state level launching legal action against the firm.
This latest large-scale, headline-grabbing data security breach may have happened in the US, and may only affect a relatively small proportion of UK citizens. With GDPR now only months away, here we consider how the breach would be treated under GDPR.
Equifax data security breach key facts
Although the timeline and the company’s reporting around it are highly questionable, here’s what is currently known:
- Equifax is a US firm based in Atlanta with a UK subsidiary
- The hacked web server hosted complaint management software, a portal for online disputes
- The server was unpatched against the CVE-2017-5638 Apache Struts vulnerability identified in March
- On 18th September, Bloomberg News reported that Equifax had been the victim of a “major breach of its computer systems” in March 2017
- Equifax had begun “notifying a small number of outsiders and banking customers” about this attack in early March
- Suspicious network traffic at the server was identified on 29th July
- Forensic review shows the hackers had access to Equifax systems from 13th May to 30th July
- The UK exposure relates to a limited amount of UK data that was stored in the US between 2011 and 2016
Treatment of the Equifax cyberattack under GDPR
It may well be the longest word in the English language but IF the Equifax cyber security breach had happened under GDPR, then the following rules would apply, shaping the response from the perspective of compliance and regulation.
No reporting delay
- A common data breach notification requirement means organisations have to notify their local data protection authority of a data breach within 72 hours
Continual breach monitoring
- The GDPR data breach notification rules are designed to ensure organisations constantly monitor for breaches of personal data
Need to prove consent
- For all of the information held, the organisation would have to prove that it had clear and affirmative consent from each individual to process their data
Right to be forgotten
- The organisation would have to justify long data retention periods, because under GDPR organisations are not to hold data for any longer than necessary, and are not to change the use of the data from the purpose for which it was originally collected
- European data protection authorities, such as the UK ICO, have the power to act against the US company over the breach, even though it occurred in the US; fines for non-compliance of up to €20m or 4% of group annual global turnover could be enforced
It should also be noted that it is entirely possible that, IF the organisation had implemented robust information security procedures and practices in line with GDPR, the breach may have been prevented in the first place…
Take the first step to GDPR compliance with Paralogic
GDPR is set to enter force on 25th May 2018. All organisations and businesses are in scope. Everyone needs to understand that there are no quick fixes to compliance.
The best approach is a thorough assessment of where a business currently stands on its IT security arrangements and then following a process to work out how it is going to get where it needs to be to meet the GDPR standard.
To take the first step towards a clear plan for achieving compliance with the GDPR standard, simply get in touch today.
Do you want some free, strategic IT support?
Get started with a free one-hour IT consultation. Discover the latest technology and discuss your current and future IT requirements.