Through the GRC Lens – Trending Headlines in July 2019



An entire nation gets hacked, Marriott and British Airways come under scrutiny and suffer huge GDPR fines, and Microsoft claims to have warned over 10,000 users of hacks in the past year. As data governance becomes imperative, data ethics is increasingly becoming a valuable business driver. Here are the trending media stories in July 2019.

5 million taxpayers in Bulgaria get hacked

A hacker broke into Bulgaria’s largest tax database and accessed the records of 5 million taxpayers in the country.

According to Business Insider, “This hack is the country’s biggest-ever data breach and the government is fining the NRA 20 million Euros.” The hacker stole personal and financial data that included retirement pension information, addresses, incomes, photographs, names and more.

The hack happened in June this year but remained undetected until July, when a message claiming responsibility for the attack was sent to Bulgarian news outlets from a Russian email address.

The Bulgarian Industrial Association (BIA) had warned about possible flaws in the tax agency’s data protection system a year ago. Stanislav Popdonchev, Deputy Head of the BIA, now demands that detailed information about the leak be sent to every person and company affected.

British Airways and Marriott face GDPR fines equaling £300M

Last year, around the same time the GDPR came into force, the UK enacted the Data Protection Act 2018 (DPA).

The EU-wide regulation enforced laws around the use of consumer data and a mandatory upgrade of weaker national data protection laws for the internet. According to the Guardian, “To ensure companies take the new data protection rules seriously, GDPR gave data regulators the power to fine up to €20m, or 4% of annual global turnover, whichever was greater.”

Early this month, British Airways and Marriott suffered huge GDPR fines from the Information Commissioner’s Office (ICO). The ICO imposed a £183.39 million fine on BA and £99 million on Marriott, for ‘infringements of the GDPR’.

ICO officials claim that the 2018 BA incident involved user traffic being diverted from the British Airways website to a fraudulent site, where cyber attackers harvested the personal data of approximately 500,000 customers.

When Marriott acquired Starwood in 2016, it failed to undertake sufficient due diligence and secure its systems, in spite of the 2014 incident in which Starwood’s systems were compromised, the ICO said.

Choosing the Ethical Road

Big businesses are mass-mining data around the clock. Bulgaria’s extraordinary attack highlights the fact that, with the help of hacking tools available on the dark web, amateur hackers can easily cause enormous damage.

Recently, Microsoft said that in the past year it has warned nearly 10,000 people that hackers had targeted or breached their accounts. The British Airways and Marriott fines are examples of how even large organizations can be held culpable for non-compliance with the GDPR.

With the rise of cyber vulnerabilities, organizations are investing more time and resources in ensuring regulatory compliance. According to Forbes, “The reason why data privacy and protection have become important political issues and generated widespread support for stricter regulations, is because, at heart, companies’ misuse of data is a profound ethical issue.”

Data is an asset that has recently gained attention. Organizations are focusing on strengthening data risk management and security by leveraging the right governance tools to streamline data collection and classification and ensure compliance. Failing to govern data can diminish the value of data assets.

The interlinkage between corporate governance, risk and compliance is underpinned by data. Investing in a good data governance program can offer substantial benefits such as positive brand perception, database error reduction, accurate metrics and informed decision-making capabilities.

An ethical approach to data governance will help organizations better manage compliance with current and future regulations on data privacy, safeguard shareholder and employee trust, and promote business continuity.


