cyber security

  • Dixons carphone data hack

    This year in June, Dixons Carphone announced that a major data breach had occurred, estimating that 1.2 million customers were affected by the hack. This number has now risen to 10 million customers who may have had their personal information hacked, including their names, addresses, and email addresses.

    Dixons Carphone announced that no bank details were taken; however, 5.9 million payment cards were accessed, although the majority were protected by chip and pin.

    The company has expressed regret for any distress caused by the hack, stating they would be apologising to the customers affected in due time. Dixons Carphone chief executive, Alex Baldock advised that they are working with the top cyber security experts, in order to improve security measures, which has involved:

  • Facebook data breach

    Facebook, the social media giant, is set to face a fine of up to £1.25 billion after revealing that 50 million user accounts were compromised on Tuesday 25 September, with affected users being notified via their Facebook accounts.

    This recent data breach has been established as the largest security breach Facebook have faced. It is also one of the more severe breaches, as the hackers obtained “access tokens”, which are a form of security key allowing users to browse Facebook on numerous devices without entering a password.

    Obtaining these “access tokens” allowed the hackers to gain full access to a user’s account, including third party applications.

    Facebook’s CEO, Mark Zuckerberg addressed the security breach, stating:

  • Are MAC addresses personal data?

    A media access control (MAC) address of a computer is a unique identifier assigned to network interfaces for communications at the data link layer of a network segment.

    On page 11, paragraph 2, the WP29 states "it should be noted that these MAC addresses are personal data, even after security measures such as hashing have been undertaken."

    The CJEU's judgment, in C-582/14 Breyer, refers to dynamically assigned IP addresses. Given MAC addresses can be mimicked or changed, it may seem odd that they are considered personal data. However, there are very good reasons WP29 state MAC addresses should be regarded as personal data:

  • For businesses which rely on B2B marketing, GDPR and the e-Privacy Regulations will certainly give food for thought.

    For initial contact, there may be a reliance on Legitimate Interest grounds, on the basis that the business is an SME who is only processing basic B2B business information and does not carry out volume email marketing. The ICO’s own helpline for SME businesses has indicated this is acceptable. However, after the initial contact, the consent rules will undoubtedly apply.

  • If economic uncertainty following the Brexit vote created a nest for cyber-fraud, then Thursday’s High Court decision requiring Parliament approval to trigger Article 50 – and thus creating further uncertainty – only enhances the breeding ground.

    According to forensic experts, fraudsters concoct scenarios which convince senior managers and owners of companies to hand over monies often in excess of £100k.

    The immediate aftermath of June’s Brexit vote had the effect of driving more businesses to try non-traditional methods of raising capital. Particular sectors, such as shipping and off-shore haulage, appear to be ripe for targeting by fraudsters.

    UK authorities are currently working on a number of fraud cases valued at more than £100 million each, and they were also carefully watching the healthcare sector where incidents of fraud are rising sharply. Entwined with this, was the recent state-sponsored hacking of medical data belonging to UK athletes which has caused a stir and led to internal soul-searching. This has coincided with the recent announcement by Chancellor Philip Hammond that £2bn will be invested into tackling cyber crime.

    But that was before Thursday’s announcement.

    Amongst competition that becomes increasingly desperate, it can become much easier for the fraudsters to simply blend in amongst genuine businesses and bide their time. This is nothing new.

    It has been said by some experts that transparent data sharing across the globe between businesses will help to cultivate a system of checks to help create accurate patterns to be used by the authorities in tackling the fraud. But what is the commercial reality of this, when businesses are already scrabbling around in a state of Brexit-induced flux?

    While we watch and wait with anticipation at the political ponderings of the establishment, and where we go with Brexit, hard or soft, the fraudsters will continue to have the upper-hand.

     

    Aaron Pearson – 04.11.16

  • Cyber criminals current crimes

    According to the Irish Garda National Cyber Crime Bureau, there has been a recent increase of cyber crime involving criminals utilising social media to hack user data. They are doing so by checking when a customer contacts their banks and then posing as the bank in order to obtain their data.

    Detective Superintendent Michael Gubbins stated that cyber criminals utilising social engineering to hack data is “at the very top” of potential threats. He also discussed how these threats are becoming harder to detect, due to the increase in what is known as “fileless” malware, which is not stored within the hard drive but in RAM, a temporary storage space, and therefore harder to track.

    He also discussed how crypto-currency such as Bitcoin has enabled a new wave of cybercrime, as criminals target users in order to obtain their digital currency.

  • cyber security

    The need for cyber security professionals has increased rapidly this year, which is why the Department for Digital, Culture, Media and Sport (DCMS) has set up a consultation until the 31st August, which will support the National Cyber Security Strategy (NCSS) in developing the cyber security profession further. The consultation caters to a wide-ranging demographic, including cybersecurity specialists, current UK-based organizations for cybersecurity specialists, law enforcement and academia sectors including students and graduates.

    This announcement was made following The Joint Committee for the NCSS’ criticisms regarding the lack of urgency from the government in relation to the critical status of the UK’s cybersecurity infrastructure. As well as critique relating to inequality, with Kamila Hankiewicz, the managing director of Girls In Tech stating that:

  • small and medium businesses

    As cybercrime continues to rise affecting several large organisations who have had their personal data accessed or stolen, it is now vital that everyone considers and evaluates the best cybersecurity solutions to protect their business.

    Recently, both small and medium organisations have been urged by the Business Fraud Prevention Partnership (BFPP) to seriously consider protection against cyber-crime. The founder of the BFPP, Edward Whittingham discussed misconceptions regarding cyber-crime, stating:

  • Fraud

    Industry group, UK Finance have discovered that customers of UK banks have had more than £500m stolen from their accounts at the start of this year. This consisted of £358m being lost to unauthorised fraud and £145m being obtained through authorised push payment (APP) scams. The difference being banks usually refund unauthorised fraud victims, whereas APP victims are rarely refunded.

    At the start of 2017, APP scams hit a total of £101m, and this number has now shown an increase of £44m, since four more banks reported fraud data.

    UK Finance’s managing director for economic crime, Katy Worobec, discussed how the new figures highlighted fraud as a top “major threat” in the UK. She also stated that the money obtained from bank accounts is used to fund terrorism, people smuggling and drug trafficking.

  • According to a recent YouGov poll, almost 2/3rds of UK businesses are unaware of the sanctions they could face after next year's GDPR comes into place, with fines of up to €20m for the biggest companies.

    A startling 62% of businesses surveyed had not even heard of the GDPR.

    Currently, UK businesses can be fined up to £500,000 for a breach of data protection. Next year, from 25 May 2018, this will jump to either €20m or 4% of the company's global turnover. A fifth of those companies surveyed conceded the possible impacts of the fines would push them out of business.

    Despite some businesses being aware there were upcoming changes, very few knew the scale of the fines. Unsurprisingly, the majority were smaller businesses, with just 22% having heard of the rules, whereas 43% of medium-sized and 56% of large businesses had done so.

    Staggeringly, nearly half (57%) of financial services companies knew of the changes. Media and marketing came bottom of the list.

    While the topic has been very much in the public domain, nearly a quarter of the businesses surveyed said they would probably not even know when a data breach occurred.

    They need to learn. And quickly. Last year, the number of fines for data breaches almost doubled, and jumped from £541,000 to an eye-watering £3.2m. These will undoubtedly rise after the implementation of the new rules next Summer.

    Businesses need to be clear about how data is collected and stored, and a breach must be reported to the Information Commissioner's Office (ICO) within 3 days.

    Finally, it is important that British businesses understand that, while “Brexit means Brexit”, Brexit does not mean the compliance with the Brussels-enforced GDPR can stop. This is happening.

    For further advice and guidance contact Aaron Pearson on 0151 659 1070.

  • Google Data Breach

    Following Google’s announcement this week (8 October 2018) regarding a data breach in 2015, they have temporarily shut down their social network Google+, where a security bug enabled third party developers to gain access to user data, potentially affecting around 496,951 Google+ users.

    The announcement on Monday was the first time Google discussed the breach, which although occurred three years ago, was not exposed and remedied until March 2018. Google’s reasoning for late exposure was relayed in an internal memo, which discussed the avoidance of “regulatory interest”, and potential comparisons to Facebook’s Cambridge Analytica scandal.

    The bug may have allowed third party developers to gain access to usernames, email, gender, date of birth, location, pictures, as well as occupation and relationship status. However, there is no concrete evidence to confirm this (as Google only holds API data for two weeks), therefore they cannot determine how many users were exposed. Google have advised that there was “no evidence that any profile data was misused” as well as there being “no evidence that any developer was aware of this bug, or abusing the API”.

  • Cyber Insurance

    How much Cyber Insurance is enough? If, like us, you think that paying more will guarantee greater safety then you may well be right.

    I put an emphasis on may, because cyber coverage is still largely unknown by consumers and difficult to place by underwriters.

    If, as an organisation, you do not know how to identify your own threat risks, then can you really trust your insurers?

    Broadly-speaking, there are three broad areas most companies would consider cyber insurance for:

  • Improving Cybersecurity measures

    In the past year there has been an array of high-profile data breaches from some of the UK’s biggest organisations including: British Airways, Dixons Carphone, and Ticketmaster UK.

    It is alarming that such large established organisations have jeopardised not only their company’s data, but also the personal data of their customers, through their lack of cyber security.

    Many cybersecurity experts believe that a data breach can occur due to a simple mistake being made possibly when updating systems or when processing the migration of data. Although there has been a substantial amount of investment placed on cybersecurity, there are still gaps in the basic procedures, which must be addressed.

  • Millions of UK Wi-Fi routers hacked

    According to the British security company, SureCloud, there has been an influx of Wi-Fi routers hacked in millions of homes across the UK.

    SureCloud researcher Elliott Thomson, who discovered the reported Wi-Fi hacks, stated:

    “The hacker would be able join the Wi-Fi network, access shared files, access ‘internet of things’ devices which trust the local network”

    He also reported that a hacker could access web browsing history:

  • Newspaper industry

    The UK newspaper industry’s trade body has urged for new ruling to be implemented regarding social media sites, regulation, and their funding contribution to journalism. This could mean sites such as Google and Facebook would take on both financial and legal responsibility in relation to content published on their platforms.

    The News Media Association (NMA), which represents the majority of local and national newspapers in the UK, also urged Facebook to fund newspapers who have their stories featured in newsfeeds, regardless of whether the stories are read.

    The NMA also urged the government to implement a tax credit system, similar to that of British film industry investment, which enables newspapers to claim cash rebates for investment in ventures such as investigative journalism.

  • Restaurants utilising big data

    Restaurant owners are stepping up the competition, through the powerful tool of consumer data, which allows them to improve their services by understanding customer preferences and even dietary requirements via mobile apps and online reservation systems.

    Starbucks, one of the biggest chains in the world utilises the mobile apps to improve customer satisfaction. At first their mobile app could only be accessed by Starbucks Rewards loyalty members, although they found that this only obtained the data of existing and loyal customers, which is why they opened the app up to everyone in March this year.

    The coffee chain also required customers who visited stores during “Happy Hour” to register on the Starbucks app. As well as introducing email sign-up for customers who wished to access in-store Wi-Fi.

    Kevin Johnson, the Chief Executive at Starbucks, informed investors that Starbucks obtained data from an additional 5 million customers in just 90 days, increasing their “digital relationships”. He also discussed their ongoing growth, stating:

  • Social media security for businesses

    Experts believe that the greatest threat to an organisation is not its lack of cybersecurity, it is actually the employees who tend to cause the most damage.

    This comes after 77% of survey respondents indicated that regardless of training and adherence to company policies, it is actually employees that are the main source of cyber-attacks, as they may be unaware of the warning signs. Therefore, it is vital that companies improve cybersecurity training by implementing ways for staff to protect, as well as how to conduct themselves online, especially on social media.

    As social media is an integral part of engagement, and with that comes an inherent level of trust, it is vital that everybody is aware of what is safe when posting content. This is particularly the case for employees who are responding to their customers, as they must be aware of online actors who utilise fake accounts in order to pose as customers and purposely target staff and the organisation.

  • Superdrug Data Hack

    Superdrug have recently announced that they have been the target of a data hack, with a warning to customers that their personal data may have been stolen.

    The health and beauty chain admitted that they had been contacted by someone who appears to be a hacker, claiming that they have obtained personal data from approximately 20,000 customers.

    A spokeswoman from Superdrug stated:

    “The hacker shared a number of details with us to try and prove he had customer information – we were then able to verify they were Superdrug customers from their email and log-in”.

    The company also confirmed that 386 accounts had been accessed, including customers’ names, addresses, date of birth, phone number, and Superdrug balance points; however, luckily no card information was obtained.

    They sent out an email to their customers, in addition to a confirmation on Twitter stating:

  • Manufacturing industry cyber crime

    Recently, cyber criminals have become more focused on intellectual property due to its prolonged benefits, resulting in them targeting industries such as the manufacturing sector, which is the third most targeted industry for cyber-crime.

    The manufacturing industry is also not obligated to report breaches, unlike the healthcare, financial, and retail sectors; therefore it is possible that there are a lot of cyber-attacks that have gone unreported, which potentially increases the risk of cyber-crime.

    Manufacturing organisations usually receive correspondence containing confidential information such as contracts, patents, drawings and additional private content, which must be protected. The problem is that a lot of manufacturing companies underestimate the threat of cyber-attacks, and therefore do not implement the cyber security and protection that is necessary to safeguard their confidential information.

  • New Data Law Committee

    Before Brexit is finalised, there is a lot of work to be done, with one of the most recent priorities being data transference between the UK and the EU. This is because both the Government and businesses have expressed their reservations regarding personal data traffic post-Brexit, especially in the event of a ‘no deal’ Brexit. 

    In order to combat this issue, a new Data Law Committee has been implemented in order to discuss future legislation regarding Data Protection and Privacy law. The City of London Law Society announced the introduction of the Data Law Committee, with Jon Bartley, the chairman of the committee, describing it as a “pivotal moment” for Privacy law.

    The Committee is in place in order to discuss all aspects of Data Privacy and Cybersecurity legislation. However, Jon Bartley, the Committee Chairman and Partner at the Corporate and Insurance law firm Reynolds Porter Chamberlain, announced that Brexit is “our first and most urgent area of interest.”
