One year after credit reference agency Equifax announced that hackers had breached the data of millions of users, it was revealed last week that the company has been fined £500,000 by the UK’s Information Commissioner’s Office (ICO).
In its official news release, the ICO stated that Equifax was penalized “for failing to protect the personal information of up to 15 million UK citizens.” Equifax was investigated under the previous Data Protection Act 1998 because the incident happened before GDPR went into effect in May of this year.
The investigation found that several poor security practices prior to the data breach were what gave criminals the ability to break into one of the company’s web applications in the US between 13 May and 30 July 2017.
An article by Wired Magazine from September 2017 reported that “the vulnerability attackers exploited to access Equifax’s system was in the Apache Struts web-application software.”
This news, together with the recent data breach at British Airways and the allegations against Canadian firm AggregateIQ of violating GDPR, should wake companies up to the reality that breaking data security laws “post-GDPR” could result in far more severe penalties than Equifax faced.
3 Ways to Prevent Data Breaches in the Post-GDPR Era
There are several security lessons to be learned from a cyber-attack of Equifax’s magnitude, but one overarching lesson is clear: companies that aren’t certain that their systems are secure should start taking action NOW rather than later. Waiting only increases the chances that criminals will find a way into your network. To help your company protect itself against data breaches in the post-GDPR era, here are three important steps you can begin with right away:
- Check Web Application Software Updates – The Equifax data breach occurred specifically because of a vulnerability in its web application software (Apache Struts). As we mentioned in a previous blog on the British Airways data breach, one of the most effective actions you can take to prevent unauthorized access to your company’s website and applications is to regularly verify that all software and scripts are up to date. In an interview with Wired, René Gielen, the VP of Apache Struts, stated that “most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.”
- Hire a Cybersecurity Expert with a Focus on GDPR – Bringing in a cybersecurity specialist may be the best step for organizations that do not have enough in-house experts, especially large companies with complex networks and systems. Companies that need to comply with strict regulations like GDPR should find a specialist who has specific expertise in that area and the experience to back it up.
- Secure File Transfer Processes – In July of this year there was a data breach at healthcare software provider MedEvolve, when files on an in-house FTP server were accidentally exposed to the public online. According to Healthcare IT News, the incident exposed the medical data of around 205,000 patients. The exposed data included Social Security numbers, addresses, names, cities and zip codes: everything a criminal needs to steal a person’s identity. To prevent incidents like this, companies can turn to a secure file transfer solution like Thru that has strong security measures in place, such as encryption in transit and at rest, forced authentication to access files on the web, antivirus scanning and more. Companies that continue to run outdated, legacy FTP servers are putting themselves at risk, since many of these systems do not meet current security standards.
Companies that put off improving their data security measures will not get off with a fine as small as Equifax’s. The heavy consequences of breaking GDPR regulations should be a strong motivator to start protecting systems and procedures now rather than later. We encourage you to take action now, before you end up in a negative news headline.