Which? is calling for enforcement of tough penalties for firms that fail to prevent data breaches, as new research from the consumer champion reveals the shocking scale of data theft following cyber attacks. When data breaches occur, opportunistic fraudsters can then go on to buy stolen information such as passwords or credit card and bank details, as well as using other personal details to pose more convincingly as victims’ banks and other trusted organisations.
Worryingly, a new Which? survey suggests that these problems are rampant: almost half (46%) of people whose data was stolen by hackers went on to experience fraud. For companies, there is the loss of brand reputation to consider, then the costs of dealing with a data breach (time, letters, phone calls, follow-up admin and so on), as well as a potential fine.
That figure is drawn from the roughly quarter (23%) of 1,369 Which? members who said they’d had their data compromised following a breach at a company or organisation.
Which? also heard from people who said that they’d not only lost money but seen their mental health impacted in the aftermath of being involved in a data breach. These victims have also struggled to get any form of redress from the companies that failed to protect their personal data.
This year has seen some huge data breaches take place. EasyJet told around 9 million customers that their data had been compromised in a breach. Marriott also hit the headlines for losing around 5.2 million people’s contact and personal information – announcing its second data breach in three years. And more recently the cyberattack on software company Blackbaud has left students and charity donors concerned their records have fallen into the hands of criminals.
As part of its investigation, Which? also asked its members to submit their email addresses to haveibeenpwned.com, a website that tells you if your email address has been involved in a data breach. Which? had 515 members take part, submitting a total of 610 email addresses. It was revealed that 79 per cent had experienced at least one breach. Of those, the average number of breaches per email address was 3.7. One address had been in 19 breaches.
Despite all of this, the ramifications for firms that fail to protect their customers’ data are limited. The ICO announced its intention to fine BA £183 million for its 2018 breach and Marriott just under £100 million for losing around 339 million guest records. However, the deadlines to issue the fines were extended and both companies are expected to appeal. The IAG Group, which owns BA, released a report in June, estimating the fine would be €22 million.
Currently victims have limited options to seek redress when data breaches occur. Although under GDPR consumers have a right to claim compensation if they have suffered damage as a result of an organisation breaking data protection law, doing so isn’t always easy. The ICO advises victims to take independent legal advice and to try to settle with the organisation first. If this fails, victims may be able to make a court claim – either independently or through a group action claim, where claimants join together to seek redress.
Which? is calling for the ICO to actually issue intended fines when organisations breach data protection law, otherwise firms may continue to treat customers, and their sensitive personal data, with disregard.
Which? also wants the government to implement provisions in the GDPR to allow not-for-profit organisations to bring collective redress action on behalf of consumers for breaches of data protection rules – without them having to opt-in to a group case or bring the case themselves. This would help to support and enforce the rights of consumers, making it easier for victims of data breaches to secure adequate redress, and create further incentives for businesses to improve their data processing mechanisms.
Jenny Ross, Which? Money Editor, said:
“Whether we’re shopping online, booking a holiday or signing up to a new mobile phone contract, we have to trust the companies we deal with to protect our details – and if things go wrong we need to know that businesses are held to account.
“We need the ICO to be a regulator with teeth that is prepared to step in and issue fines in the event of companies breaking data protection laws, to ensure more businesses better protect consumers from data breaches.
“Consumers should also have a much clearer route to redress when they suffer the financial and emotional toll of data breaches – and that’s why the government must allow for an opt-out collective redress regime that deals with mass data breaches.”
Further details on opt-out collective redress action
The government has the power to facilitate better redress by implementing Article 80(2) GDPR in its upcoming review of the Data Protection Act 2018. This would then allow not-for-profit organisations such as Which? to bring collective redress actions on behalf of people on an ‘opt-out’ basis, without those consumers each having to bring – or to appoint a representative body to bring – an individual case against the company involved.
A properly implemented redress system would ensure that people could trust that harm suffered as a result of data breaches would be remedied and would simultaneously act as an incentive for companies to improve their data handling processes – resulting in fewer breaches.
DCMS is consulting on the operation of the ‘representative’ action provisions of the Data Protection Act 2018.
Which? advice to consumers on protecting their data
Passwords – Always set strong passwords for your accounts: https://computing.which.co.uk/hc/en-gb/articles/360000818025-How-to-create-secure-passwords
Password manager – Many services now alert you if your passwords have been compromised. As services such as LastPass and Dashlane can be used for free, there’s no reason not to use a password manager.
Two-factor/multi-factor authentication (2FA/MFA) – Wherever possible, turn on 2FA/MFA to increase security, particularly if your account holds your financial information. Don’t rely on SMS codes; use an authenticator app or, if possible, a hardware token.
Credit card details – Don’t save your credit card details if you aren’t going to use the service regularly. Although it’s a faff to resubmit them, that’s better than having your financial information unnecessarily stored in a database that could be compromised.
Guest checkout – Similarly to the above, just check out as a guest if you aren’t going to use the service that often. Only create an account if you really need to.