Data is power – unless you lose it
Paddy Power recently took the opportunity to inform customers of a data breach affecting 649,055 customers which occurred in 2010. In light of several large-scale data breaches (for example, Ebay and the Heartblead virus), this latest incident serves as a reminder to customers and business that cyber security should not be underestimated.
Included within the datasets stolen from Paddy Power in 2010 were each individual customer’s name, email address, residential address, phone number, date of birth and security prompted question and answer data. Such data is undoubtedly personal data and is subject to the utmost care under UK law. Financial information and customer passwords were not included in the stolen information and Paddy Power has confirmed that the customer accounts were not affected by the attack.
Paddy Power was aware of a data breach in 2010, although the extent of the breach was not evident until May this year. Following a report to Paddy Power that a Canadian resident was in possession of the stolen data, Paddy Power launched an investigation aided by the Ontario Provincial Police. With the aid of asset seizure warrants, Paddy Power was able to secure the removal of its customers personal data from the hacker’s computers.
The Information Commissioner’s Office (ICO) is responsible for regulating and overseeing data protection in the UK. Useful guidance has been published by the ICO which outlines four steps which should be taken in response to a data breach:
- Containment and recovery, including use of a recovery plan and damage limitation procedures.
- Assessment of the risks associated with the breach; the seriousness and likelihood of these risks occurring.
- Notification of relevant persons. For example, in certain circumstances a number of the following parties may need to be informed: the ICO; the individuals whose data has been compromised; regulatory bodies; banks; the police; and the media.
- Evaluation and response. The causes of the breach should be investigated and any policies and procedures updated accordingly.
The ICO guidance can be accessed here.
It is more important than ever that companies cultivate trust in their customers and arm themselves against cybercrime. A key concern in relation to Paddy Power’s handling of the 2010 data breach is the four-year delay in informing customers and the ICO. Paddy Power has asserted that the extent of the breach in 2010 was not clear; however, there were suspicions at the time that some non-financial customer information had been accessed and, accordingly, Paddy Power undertook extensive reviews of its security systems.
Limiting a breach and the resultant risks is always the number one concern upon discovery of a data breach. After having dealt with the immediate damage and danger, the next priority should be notification of the relevant individuals and organisations. Such transparency allows individuals to understand what is going on and take action where necessary to protect themselves. For example, in the Paddy Power situation the relevant individuals would want to know that their security question had been compromised, thereby allowing them to change this information on the Paddy Power site and any other site where it may be used.
There are two lessons to be learned from the recent data breaches. Firstly, the internet is not a platform to be taken lightly; internet users have a duty to make themselves aware of the risks and guard against them. Secondly, organisations of every size handling personal data must be prepared to take cyber security seriously and give high consideration to their customers’ interests.
MacRoberts can advise on data protection law, particularly the obligations on organisations in relation to personal data and security measures.