2019 - the year of the AI breach

24 January 2019

2018 was the year that data privacy hit the front pages. The European Union’s ‘General Data Protection Regulation’ (GDPR) arrived in May with its obligation to notify almost all data breaches to the regulator and the individuals whose data had been lost or compromised. As a consequence, an increasing number of breaches came to light in 2018.

In March, 860,000 passport numbers and other passenger details were unlawfully accessed from Cathay Pacific. In July, 29 million Facebook users were hacked, including personal data around location, contact and relationship details and search histories. In August, 380,000 British Airways passengers had their credit card details taken. In the same month, hackers accessed T-Mobile’s servers and obtained two million people’s encrypted passwords and billing information. December saw the second biggest hack of all time, with an estimated 500 million Marriott Hotel customers affected.

2018 also saw the biggest scandal associated with data privacy when it emerged that between 2007 and 2014, Facebook allowed application developers access to the information of its users without sufficiently clear and informed consent, and had allowed access even where users had not downloaded the app but were simply ‘friends’ with people who had. Facebook also failed to make suitable checks on apps and developers using its platform, which led to one developer harvesting the Facebook data of up to 87 million people worldwide without their knowledge. The Information Commissioner’s Office investigated and found that even after the misuse of the data was discovered in 2015, Facebook did not do enough to ensure that those who continued to hold the data had deleted it. The ICO found that the personal information of at least one million UK users was among the harvested data and fined Facebook the maximum penalty under the previous legislation, which was £500,000.

The Information Commissioner commented, “The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.” That sentiment was echoed by Giovanni Buttarelli, the European Data Protection Supervisor, in October 2018 when he said that we can expect “to see the first GDPR fines for some cases by the end of the year. Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban or to give them an ultimatum… The fine is relevant for the company and important for public opinion and for consumer trust.” The impact of public opinion and consumer trust was felt by Facebook in the estimated $119 billion it lost in market capitalisation in the wake of the scandal because of users’ concerns over privacy.

As part of the drive for meaningful change, the French regulator CNIL has just imposed a €50m penalty on Google LLC, which has its EU headquarters in Ireland. The sanction concerned Google’s targeted advertising of Android users. The CNIL found that Google had failed to provide users with adequate transparency information, and that the consent relied upon by Google was not ‘informed’. Transparency and consent are fundamental principles of the GDPR.

Privacy laws and regulations emulating the GDPR will continue to roll out across the globe in 2019. Canada and Brazil have both recently passed similar legislation. Singapore and India are also consulting on adopting comparable breach notification regimes. Many countries are negotiating GDPR adequacy to facilitate the transfer of data from their states to the EU. California’s equivalent of the GDPR, its consumer privacy law, is set to come into effect at the end of the year and will force companies to disclose how they collect data from users and what they do with it. Given how many of the largest tech companies are based in California, the new law could have consequences that reach far beyond the State.

If 2018 was the year of data privacy, 2019 will be the year of data security. The two concepts are often conflated, but it is helpful to understand the distinction. Privacy is the term we use when considering the appropriate use of data: when companies use information that is provided or entrusted to them, that data should be used or processed according to the purposes that have been agreed and consented to beforehand. Security is the term we use when considering the confidentiality of the information – who can or cannot access it. Data security is concerned with the procedures in place to make sure that information is neither used nor accessed by unauthorised individuals. Its purpose is also to ensure that the information people need to work is accurate and available when they need it.

Artificial intelligence is likely to play an increasingly significant role in data security for a variety of reasons. First, the substantial data sets required to train AI are prime targets for attack. Second, AI-powered systems will be used to probe networks and systems for exploitable vulnerabilities at a much faster rate, including brute-force attacks on passwords. Third, AI is also likely to be used to harvest information in order to both speed up and improve the quality of social engineering attacks designed to trick individuals. Automating the creation of sophisticated, personalised attacks that would have been costly and labour-intensive in the past is going to make us all more vulnerable in the year to come.

About the Authors

Paul Price

Senior Associate, Cyber

Paul is a passionate and trusted cyber security professional specialising in advising some of the world's most influential people, protecting their businesses and reputations from the latest cyber threats.

Magnus Boyd


Magnus protects individual and corporate reputations by helping clients to manage unwanted media attention. He also advises on information security and helps clients manage the risks to reputation that arise in the event of data loss.

© 2020 Schillings International LLP. SCHILLINGS is a trading name of Schillings International LLP and Schillings International (USA) LLP.