Equifax security breach: What if it happened under GDPR?

The European Union’s General Data Protection Regulation (GDPR) is the most significant shake up of information security for many years.

Despite the toughening of rules and the harsh treatment of companies by regulators and the media, some organisations with big budgets and extensive capability are continuing to exercise scant disregard for safeguarding the personal data of their customers.

News of the Equifax data leak emerged from the US, which saw the data of 143 million US citizens and, potentially, some 400,000 UK citizens compromised.

The US company said an investigation had revealed that a file containing UK consumer information “may potentially have been accessed”. The data includes names, dates of birth, email addresses and telephone numbers, but does not contain postal addresses, passwords or financial information.

The resignations of the chief information officer and chief security officer may have been pretty quick, but it didn’t stop dozens of US authorities at state level launching legal action against the firm.

This latest large-scale, big news information data security breach may have happened in the US, and may only affect a relatively small proportion of UK citizens. With GDPR now in place, here we consider how the breach would be treated under GDPR.

Equifax data security breach key facts

Although the timeline and the company’s reporting around it is questionable, here’s what is currently known:

Equifax is a US firm based in Atlanta with a UK subsidiary

Hacked webserver hosted complaint management software, a portal for online dispute

Server was unpatched against the CVE-2017-5638 Apache Struts vulnerability identified in March

18th September, Bloomberg News reports Equifax had been the victim of a “major breach of its computer systems” in March 2017

Had begun “notifying a small number of outsiders and banking customers” about this attack in early March

Suspicious network traffic at the server identified on 29th July

Forensic review shows hackers had access to Equifax systems from 13th May to 30th July

Relates to a limited amount of UK data being stored in the US between 2011 and 2016

Treatment of the Equifax cyberattack under GDPR

It may well be the longest word in the English language but IF the Equifax cyber security breach had happened under GDPR, then the following rules would apply, shaping the response from the perspective of compliance and regulation.

No reporting delay

Common data breach notification requirement means organisations have to notify the local data protection authority of a data breach within 72 hours

Continual breach monitoring

The GDPR data breach notification rules are designed to ensure organisations constantly monitor for breaches of personal data

Need to prove consent

For all of the information held, the organisation would have to prove that it had clear and affirmative consent from each individual to process their data

Right to be forgotten

The organisations would have to justify long data retention periods because under GDPR they are not to hold data for any longer than necessary, and are not to change the use of the data from the purpose for which it was originally collected

Regulatory action

European data authorities, such as the UK ICO has the power to act against the US company over the breach, even though it has occurred in the US, fines for non-compliance of up to €20m or 4% of group annual global turnover could be enforced

It should also be noted that it is entirely possible, that IF the organisation implemented robust information security procedures and practice in line with GDPR, the breach may have been prevented in the first place…

Ensure GDPR compliance with Paralogic

GDPR entered force on 25th May 2018. All organisations and businesses are in scope and there are no quick fixes to compliance.

The best approach is a thorough assessment of where your business stands currently on its IT security arrangements, and then a plan to get to where it needs to be to meet the GDPR standard.

Take the first step to developing a clear plan of how to get to where you need to be to achieve compliance with the GDPR standard, simply get in touch with us today.

Click here to see more about the Equifax cybersecurity breach at Wikipedia.com