Each of the ‘Privacy Fails’ we discuss in this series of short articles is real. They are based on things we have seen at The Privacy Compliance Hub, and on reports from regulators of the complaints they have received, the data breaches reported to them, and the fines and other enforcement actions they have levied. These things do happen. A lot. Don’t let them happen to you. Don’t be a numpty.
The privacy fail
This ‘Privacy Fail’ is caused by failing to promptly update software or apply security patches. Sometimes software updates are issued to give users improved functionality. Often, they also plug a hole that has been discovered in the security of a product. The hole may have been found by penetration testing, or through a bug bounty, in which case it may not be widely known. However, once an update is issued the hole usually becomes much better known: the vendor’s release notes describe it, and attackers compare the patched and unpatched versions to work out exactly what was fixed. That is why any update should be applied promptly, before criminals seek to exploit it.
A privacy statistic
There are no statistics stating exactly how many data breaches or complaints to the regulator are caused by failing to install software updates. In the UK, 2.1% of reported data breaches have been attributed to what the ICO calls “other cyber incident”. Specified cyber incident types include phishing (10%) and “unauthorised access” (6.7%).
When compared with “other non cyber incidents” (33.2%) you can see where the greatest risks lie by volume (ie not from hackers). However, a single incident in which a hacker gets in can be very expensive, as the example below shows.
To see all of the most common ‘Privacy Fails’, take a look at all the articles in our ‘Numpty Nigel’ series.
Real life examples with real life consequences
In January 2018 the UK regulator, the ICO, fined Carphone Warehouse £400,000 for a catalogue of data security failures that had led to a data breach in 2015. Intruders gained entry to Carphone Warehouse’s systems by using valid login credentials on out-of-date WordPress software. The ICO also found that other important elements of the software used by Carphone Warehouse were out of date. This fine was issued under the old Data Protection Act, which capped fines at £500,000; under the GDPR it is likely that the fine would have been a lot larger. Perhaps we will find out how much larger, because in July 2018 Dixons Carphone announced another data breach, dating from 2017, involving around 10 million records and over one million customers.
How to avoid this privacy fail
Put in place a system to ensure that all staff software and apps are up to date. That starts with an inventory of the software, plugins and apps actually in use: you cannot patch what you do not know about. Activate automatic updates by default, and check that they really are switched on rather than assuming it. Enforce a policy on the use of personal software and apps on company devices.
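As an added illustration of what that "system" looks like in practice (this is example code written for this article, not a tool from The Privacy Compliance Hub or anyone else), the script below audits a software inventory against a minimum-version baseline and flags anything out of date or with automatic updates switched off. The inventory, host names, product names and the minimum versions are all constructed for the example and are not real patch levels. One detail worth noticing: version strings must be compared numerically, because as plain text "4.9.10" sorts before "4.9.2", which would make an up-to-date install look stale.

```python
"""Patch-compliance audit over a software inventory (added example).

Assumptions, not taken from the article: the inventory is a list of dicts
with "host", "product", "version" and "auto_update" keys (in real life it
would be exported from your asset or endpoint-management tool), and
MINIMUM_VERSIONS is the team's own table of the lowest acceptable version
per product. Both are constructed sample data here.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample inventory: hosts, products and versions are made up.
INVENTORY: List[Dict] = [
    {"host": "web-01", "product": "wordpress", "version": "4.9.10", "auto_update": False},
    {"host": "web-02", "product": "wordpress", "version": "5.2.1", "auto_update": True},
    {"host": "web-02", "product": "php", "version": "7.1.33", "auto_update": False},
    {"host": "ops-01", "product": "openssh", "version": "8.2p1", "auto_update": True},
]

# Constructed baseline: the lowest version the team is willing to run.
MINIMUM_VERSIONS: Dict[str, str] = {
    "wordpress": "5.2",
    "php": "7.3",
    "openssh": "8.0",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.9.10' or '8.2p1' into a tuple of integers.

    Every run of digits becomes one component, so '8.2p1' -> (8, 2, 1).
    Comparing tuples of ints gives 4.9.10 > 4.9.2, which string comparison
    gets wrong.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_outdated(installed: str, minimum: str) -> bool:
    """True if the installed version is strictly below the minimum."""
    a, b = parse_version(installed), parse_version(minimum)
    # Pad the shorter tuple with zeros so that '5.2' and '5.2.0' are equal.
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    reason: str


def audit(inventory: List[Dict], minimums: Dict[str, str]) -> List[Finding]:
    """Return one Finding per problem: below baseline, no baseline, or auto-update off."""
    findings: List[Finding] = []
    for item in inventory:
        host, product, version = item["host"], item["product"], item["version"]
        minimum = minimums.get(product)
        if minimum is None:
            # Software nobody has set a baseline for is software nobody is tracking.
            findings.append(Finding(host, product, version, "no minimum version defined"))
        elif is_outdated(version, minimum):
            findings.append(Finding(host, product, version, f"below minimum {minimum}"))
        if not item["auto_update"]:
            findings.append(Finding(host, product, version, "automatic updates disabled"))
    return findings


def hosts_needing_action(findings: List[Finding]) -> List[str]:
    """Sorted, de-duplicated list of hosts that have at least one finding."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    for f in audit(INVENTORY, MINIMUM_VERSIONS):
        print(f"{f.host:8} {f.product:10} {f.version:8} {f.reason}")
```

Run against the constructed inventory, the audit reports web-01 (old WordPress, auto-update off) and web-02 (old PHP, auto-update off) and passes ops-01. Wiring a real inventory export into `INVENTORY` and running this on a schedule gives you a repeatable check rather than a one-off tidy-up.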
Train your staff on the risks of not updating software. Create postcards with common ‘Privacy Fails’ such as this one. Discuss the risk at team meetings. Make your staff understand and it is more likely you will make them care. This is all part of creating a culture of continuous privacy compliance which needs to be at the heart of any privacy compliance programme.
A culture of continuous privacy compliance
At The Privacy Compliance Hub, we help organisations establish and maintain a culture of continuous privacy compliance by making everyone in an organisation understand privacy, care about privacy and do their bit to protect personal information. Our platform contains a structure, a programme, a route map, records, information, reporting and training to enable all organisations to build that culture and comply with privacy rules including the GDPR and the CCPA. It reduces the risk of data breach.