"This data breach reminds consumers once again that their personal data is always at risk when in the possession of the companies they share it with, due to the threats that companies face on a daily basis from malware, hackers and criminals. Consumers would be wise to think about the risks before sharing data. There are steps that they can take to protect themselves better, such as using strong passwords when they register for online services and refreshing them regularly, providing ‘dummy’ data in non-essential situations, looking for indications of reasonable security at the company’s side, such as the use of https in the browser and, of course, having up to date security software on their personal devices.
"In this case, while the organisation involved advises its customers not to change their passwords, it still might be wise for them to do so while the facts of the case are still unclear. The people affected may also want to keep an eye out for statements or advice from the Information Commissioner and of course, they should be wary of their emails being used for fraudulent purposes, such as phishing attacks. They should also think about monitoring their bank accounts for unusual activity."
What does this mean for businesses?
Stewart said, "Businesses cannot avoid all cyber security risks, but there are many steps that they can take to reduce their vulnerability and to mitigate damage after an incident. Undertaking a security and threat vulnerability assessment is a key first step to understanding risks. Where customer data includes personal identifiers, its use should be minimised and encrypted. A serious compromise of security is not just an operational challenge, but it also damages customer trust and confidence and can lead to very serious legal and regulatory consequences.
"Acting quickly once an incident is detected is vital. Undertaking a proper investigation into what has happened, is key as this will enable the causes to be properly understood and addressed, enabling appropriate containment and then strategies deployed to be deployed. Understandably, access to the vulnerable data needs to be restricted as soon as possible and notifying the people affected, the regulator and the authorities must be on the agenda from the moment of incident detection."
"In this case, while the organisation involved advises its customers not to change their passwords, it still might be wise for them to do so while the facts of the case are still unclear. The people affected may also want to keep an eye out for statements or advice from the Information Commissioner and of course, they should be wary of their emails being used for fraudulent purposes, such as phishing attacks. They should also think about monitoring their bank accounts for unusual activity."
What does this mean for businesses?
Stewart said, "Businesses cannot avoid all cyber security risks, but there are many steps that they can take to reduce their vulnerability and to mitigate damage after an incident. Undertaking a security and threat vulnerability assessment is a key first step to understanding risks. Where customer data includes personal identifiers, its use should be minimised and encrypted. A serious compromise of security is not just an operational challenge, but it also damages customer trust and confidence and can lead to very serious legal and regulatory consequences.
"Acting quickly once an incident is detected is vital. Undertaking a proper investigation into what has happened, is key as this will enable the causes to be properly understood and addressed, enabling appropriate containment and then strategies deployed to be deployed. Understandably, access to the vulnerable data needs to be restricted as soon as possible and notifying the people affected, the regulator and the authorities must be on the agenda from the moment of incident detection."