GDPR: Three Months, Three Case Studies

It is just over three months since the General Data Protection Regulation (GDPR) came into force. In that time there has been a substantial rise in the notification of breaches to the Information Commissioner’s Office as well as reporting to individuals whose data was lost or affected by the breach. 

The increased transparency around data breaches established by the GDPR has fed the media with a steady stream of stories with an increased capacity to damage goodwill. 

There have been three data breaches in the last few months that have attracted attention and speculation with lessons to be learnt from each. 

Typeform

Travelodge, the hotel chain, hit the headlines in June when a third-party company called Typeform that managed Travelodge’s customer surveys and competitions discovered unauthorised access to its server data which included files related to Travelodge. The breach was thought to have been via a phishing attack. 

In a press statement, Travelodge said: “We were notified by Typeform of the incident on Friday 29 June 2018. Details that could have been stolen include customer names, email addresses, mobile phone numbers, date of birth and/or gender. Payment details and passwords have not been affected.” 

A letter to customers, by Travelodge’s chief executive Guy Parsons, warned users of its online service to be on the lookout for spam e-mails and included details of a specific spam e-mail that some customers had received. The letter also assured customers that the company had not sold users’ personal data to anyone else and informed them that the incident has been reported to the Information Commissioner.

Four lessons emerged from the reporting of the breach:

1. Third party or supplier breaches will always be identified with a higher profile company that attracts the attention of more readers. Even though it was Typeform that suffered the breach all the reporting focused on Travelodge. A company can very quickly suffer damage to its reputation by virtue of a data breach suffered by one of its data processors. 
2. Journalists will always want to invite comment from the Information Commissioner on the breach, whether the scale of the breach obliges the business to notify Commissioner or not. Many of the reports of the Typeform breach included a statement from the Information Commissioner’s Office that it, ‘was looking into the Travelodge reports,’ and that it, “will be making enquiries into the circumstances of the alleged breach before deciding what action, if any, needs to be taken.” There is nowhere to hide, even for those that manage to avoid a breach. Any company can be audited by the Information Commissioner’s Office to check they are compliant and, in the event that they are not, and remedial action is not taken, fines could apply. 
3. Travelodge was criticised for the limited information that it was able to provide at the time it notified customers who may have been affected. Companies that have been breached cannot expect any leniency in public opinion. The public will not sympathise with companies targeted by cyber-criminals. While the public perceives companies as having identities and the ability to think, it does not perceive corporations as having the ability to feel. Corporations can elicit anger but not sympathy.  
4. Once a company has been tarnished by association with a data breach it can be difficult to shake off. Administrative mishaps can be labelled and elevated to the status of a data breach where they might not have been otherwise. Five weeks after the headlines about Travelodge suffering a data breach, a complaint was posted on TripAdvisor about another data breach by Travelodge. A customer posted that they had been given a printed invoice for their stay and on the reverse of the document was a room list for the hotel which included the full names of the other guests staying, the amount of adults and children and the rates paid for each night. 

Butlins

On 10th August, Butlins announced that 34,000 customer records may have been accessed by hackers. The source of the breach was blamed on a phishing attack. The holiday camp firm said the data at risk included names, home addresses, email addresses and telephone numbers, but that payment details were secure. 

Butlins also stated that the incident had been reported to the Information Commissioner’s Office and that the company was contacting people who may have been affected to inform them and tell them what they should do. A statement from the managing director, Dermot King, said, “Butlins take the security of our guests’ data very seriously and have improved a number of our security processes. I would like to apologise for any upset or inconvenience this incident might cause… A dedicated team has been set up to contact all guests who may be affected directly. I would like to personally reassure guests that no financial data has been compromised.”

Three lessons materialized from the Butlins breach: 

1. Journalists are alive to the 72-hour notification obligation in the event of a data breach and, in this case, were quick to raise queries as to whether the Information Commissioner’s Office and the affected individuals were told about the breach within the 72-hour time limit. Butlins adopted a staged-notification strategy (which is supported by the ICO) of providing information as it became available. 
2. Journalists sought comment from the Information Commissioner’s Office, as they did in the Typeform breach, and asked whether it would be investigating. This forced the ICO to respond in the same way that, “it would be making enquiries,” which immediately lends an air of conflict to the notification process that is unlikely to exist in reality. 
3. Many of the reports into the Butlins breach mentioned the fact that, “a number of large companies in Britain have been targeted by hackers in recent years,” and went on to refer to the fact that Carphone Warehouse was fined £400,000 by the ICO in January for a series of “systemic failures” uncovered after a data breach in 2015 as well as the fact that the same fine was given to TalkTalk in 2016 after a hacker managed to access the personal data of more than 3 million customers and 1,000 employees. Such contextualization is common journalistic practice but the implications for TalkTalk, Carphone Warehouse and others is that the breaches they suffered continue to cast a dark shadow on their reputations through being revisited every time a data breach is reported.

Superdrug

On 22nd August, Superdrug was reported to have suffered a potential data breach. Names, addresses and “in some cases” date of births and phone numbers “may have been accessed”, Superdrug said. The company issued a statement that there was no evidence its systems had been compromised, however, it believed criminals had got customers’ email addresses and passwords from other websites “and then used those credentials to access accounts on our website”. 

Superdrug said it had notified directly all customers which it believed had been affected and went on to state that criminals had tried to extort a ransom from the company.

Three lessons came out of the Superdrug breach:

1. The familiar references to  Carphone Warehouse and TalkTalk were repeated for context along with the fines they attracted. 
2. Some customers reacted with anger to the company’s notification tweet, saying the chain should have apologized. 
3. Most significant was the use of social media to tell the story of the breach. Many reports followed a similar pattern that simply tracked and collated the reaction to the breach on Twitter including all the outrage and indignation that the platform seems to attract. Such stories are quick, easy and formulaic for a journalist which probably incentivized more of them to report the breach than might otherwise have been the case. As Jeremy Paxman said in his MacTaggart lecture, “news is determined not by its importance but by its availability.”

Another journalistic device that was used in the reporting of all three data breaches was to invite speculation about the potential holes that still exist in the cyber-security of businesses after three months of the GDPR coming into force. 

In conclusion, there remain some obvious areas of risk for many organisations:

• A lack of awareness of the data being collected and processed – mapping all personally identifiable information remains a priority for many. 
• A lack of encryption is another common risk – despite the direct obligation to pseudonymize set out in Article 32 of the GDPR. 
• The importance of employee training cannot be over-emphasised – all workers should have an appreciation of the importance of the data they process and their role in keeping it safe. The human firewall is always more effective than any technical alternative.

As with other crises, it is not necessarily the data breach that damages goodwill but the way in which that breach was managed that can tarnish the reputation long after the facts of the story have been forgotten.