Facebook, the social media giant is set to face a fine of up to £1.25 billion after revealing that 50 million user accounts were compromised on Tuesday 25 September, with affected users being notified via their Facebook accounts.

This recent data breach has been established as the largest security breach Facebook have faced. It is also one of the more severe breaches, as the hackers obtained “access tokens”, which are a form of security key allowing users to browse Facebook on numerous devices without entering a password.

Obtaining these “access tokens” allowed the hackers to gain full access to a user’s account, including third party applications.

Facebook’s CEO, Mark Zuckerberg addressed the security breach, stating:

A media access control (MAC) address of a computer is a unique identifier assigned to network interfaces for communications at the data link layer of a network segment.

On page 11, paragraph 2, the WP29 states "it should be noted that these MAC addresses are personal data, even after security measures such as hashing have been undertaken."

The CJEU's judgment, in C-582/14 Breyer, refers to dynamically assigned IP addresses. Given MAC addresses can be mimicked or changed, it may seem odd that they are considered personal data. However, there are very good reasons WP29 state MAC addresses should be regarded as personal data:

According to the Irish Garda National Cyber Crime Bureau, there has been a recent increase of cyber crime involving criminals utilising social media to hack user data. They are doing so by checking when a customer contacts their banks and then posing as the bank in order to obtain their data.

Detective Superintendent, Michael Gubbins stated the cyber criminals utilising social engineering to hack data is “at the very top”of potential threats. He also discussed how these threats are becoming harder to detect, due to the increase in what is known as “fileless” malware, which is not stored within the hard drive but in RAM, a temporary storage space, and therefore harder to track.

He also discussed how crypto-currency such as Bitcoin has enabled a new wave of cybercrime, as criminals target users in order to obtain their digital currency.

How much Cyber Insurance is enough? If, like us, you think that paying more will guarantee greater safety then you may well be right.

I put an emphasis on may, because cyber coverage is still largely unknown by consumers and difficult to place by underwriters.

If, as an organisation, you do not know how to identify your own threat risks, then can you really trust your insurers?

Broadly-speaking, there are three broad areas most companies would consider cyber insurance for:

According to a study from the Information Commissioners Office (ICO), data breaches have shown a 75% increase in the past two years.

The report was conducted by Kroll, one of the top corporate investigations and risk consulting firms, based out of the US. Kroll compiled data breach reports which were submitted to the ICO, regarding breaches of personal data, including financial and health details. Some of the data contained in the reports were of public knowledge, whilst other forms of data were accessed under the Freedom of Information Act.

The final report established that over 2,000 reports submitted to the ICO were due to human error in the past year, with the most common grounds for a data breach being: data being sent by email or fax to the wrong recipients and the loss or theft of paperwork.

In the past year there have been an array of high-profile data breaches from some of the UK’s biggest organisations including: British Airways, Dixons Carphone, and Ticketmaster UK.

It is alarming that such large established organisations have jeopardised not only their company’s data, but also the personal data of their customers, through their lack of cyber security.

Many cybersecurity experts believe that a data breach can occur due to a simple mistake being made possibly when updating systems or when processing the migration of data. Although there has been a substantial amount of investment placed on cybersecurity, there are still gaps in the basic procedures, which must be addressed.

October is Cyber Security Awareness Month, which means organisations should be considering their current cybersecurity measures in an effort to prevent data breaches and cyber threats. The need to improve cybersecurity has also been amplified since results from the Cyber Security Breach Survey 2018 established that 43% of businesses have suffered a data breach in the last 12 months.

Small businesses especially should be evaluating their cybersecurity measures, as according to research from security firm Sitelock, smaller organisations are actually more at risk of a website hack, mainly due to their lack of cybersecurity and website maintenance.

Laura Dodge, Marketing Manager at Pedalo, the web development agency discussed the indispensability of implementing cybersecurity and website maintenance, stating:

Superdrug have recently announced that they have been the target of a data hack, with a warning to customers that their personal data may have been stolen.

The health and beauty chain admitted that they had been contacted by someone who appears to be a hacker, claiming that they have obtained personal data from approximately 20,000 customers.

A spokeswoman from Superdrug stated:

“The hacker shared a number of details with us to try and prove he had customer information – we were then able to verify they were Superdrug customers from their email and log-in”.

The company also confirmed that 386 accounts had been access, including customers’ names, addresses, data of birth, phone number, and Superdrug balance points, however luckily no card information was obtained.

They sent out an email to their customers, in addition to a confirmation on Twitter stating:

In an effort to improve internet regulations, the government’s Home Office and the Department for Digital, Culture, Media and Sport (DCMS) are currently drafting legislation in order to regulate “social harms” online.

The proposed regulator has been labelled as the internet equivalent to Ofcom – the regulator of broadcasting, telecommunications and postal infrastructures. As similar to Ofcom, the regulation intends to include a mandatory code of practice for social media and websites. The Home Secretary, Sajid Javid and Culture Secretary, Jeremy Wright, are currently considering the terms of the Code of Practice. The terms are set to include age verification on social media sites, as well as a rule enforcing all sites to remove any harmful content within a specific time frame or instead face fines.

The Head of Ofcom, Sharon White, recently announced a call to action regarding the regulation of tech companies: