By Paul Day, technical director of specialist document management company Filestream. Paul is an expert in GDPR and supports his document management clients around cyber-security and keeping their data safe. Filestream works with companies including Anglia Farmers, University of Hull, Kingsley Health Care, Carnival UK, Scania and BNP Paribas.
As 2024 arrives, the threat around cyber attacks, ransomware and hackers grows ever greater. Understanding the risks and legal responsibilities around personal data will become even more important.
It is predicted that 2024 will bring increasing threats from the growing use of AI by criminals – and also greater use of AI to defend against criminal attacks.
It is believed that ransomware attacks will become more prevalent in the SME sector, moving away from larger corporates, and that hackers will go for weak links in supply chains to cause havoc. There is also worry across the IT world globally about skills shortages and the recruitment of talent to keep ahead of the criminal curve.
Here are just some thoughts around the reality of the situation we now face in our ever-connected world. As AI and technology advance – so do the criminals who wish to exploit them.
Can hackers still sell your data?
Billions of ‘pieces’ of personal information are stolen every year because of data breaches. Hackers bundle personal information with other stolen data and sell it en masse to other criminals on the dark web.
A social security number may sell for as little as 78p. Credit card, debit card and banking info can go for as much as £86. Usernames and passwords for non-financial institution logins are around 78p, but it can range from £15 to £156 for login info for online payment platforms.
How might that data be used?
Just two examples are identity theft and account takeover. In identity theft, a victim’s personal information is used to gain benefits for a criminal at the victim’s expense; this might include taking out credit cards and/or loans in the victim’s name. In account takeover, criminals steal login credentials to break into accounts that store payment details, such as shopping accounts. They then change the password so that the victim cannot get into the account, and shop at the victim’s expense.
Then there are the big hack attacks such as the MOVEit attack earlier in the year, which hit many big companies. The impact of this one attack is still coming to light.
Is phishing still a thing?
The answer is yes. A phishing scam occurs when a victim is tricked into handing over data, and some are now extremely sophisticated. It can be done over the phone, via a social media message or by email. Increasingly these messages appear legitimate because they seem to come from known contacts or via platforms a victim uses regularly.
According to a recent consumer study by NatWest, 37 per cent of scams in the year to 23 October were phishing scams. The bank’s fraud team interviewed 2,000 people to gather the data. Phishing scams came top, followed by friend and family scams (urgent texts or messages asking for money in an emergency, posing as a family member), with get-rich-quick scams third, usually offering a wonderful (but phoney) investment opportunity.
What are the penalties for companies and organisations which suffer a data breach?
In the UK they can be large – though the enforcement body, the Information Commissioner’s Office (ICO), does prefer to work with an organisation to resolve issues if possible.
It can enforce various penalties, including assessment notices, warnings and reprimands, and it can issue fines of up to £17.5 million or four per cent of annual worldwide turnover – whichever is the higher.
Recent reprimands for disclosing people’s information inappropriately were issued to organisations including University Hospitals Dorset Foundation NHS Trust, Ministry of Justice and Thames Valley Police (between April and June 2023).
In recent years some of the biggest fines have been:
- British Airways – £20 million
- Marriott Hotels – £18.4 million
- TikTok – £12.7 million
- Clearview AI – £7.5 million
- Ticketmaster – £1.5 million
How can a company avoid this?
Being cyber aware, knowing the requirements of GDPR and working with trusted IT providers who have good knowledge of these matters all help to minimise and mitigate an ever-increasing risk. This is an ever-evolving landscape, and the key is to work in an ongoing way with a trusted partner. Strong management of online data and ‘paperwork’ is needed, and free services are often not as secure as business owners ‘hope’ they are.