Deloitte, hailed as the top IT security consultancy in the world, was breached. The news came out in September 2017. There is a great deal of fear and worry about GDPR, but what if it had already been in force during this breach?
Login details on public websites
Members of their staff left login details to their IT systems on websites available for anyone to find. To put it bluntly, this is the same as putting up a giant poster outside your business saying “The doors are unlocked and this is the alarm code”.
The attack started in October 2016 but was only discovered in March 2017
It is believed Deloitte only discovered the breach in March 2017 and then immediately commissioned a law firm in April. Given the seriousness of the breach, they may have been in serious damage-control mode to avoid potential lawsuits, given their high-profile clients in the government, military and corporate sectors.
When a company that provides security services does not notice it has been breached for 6 months, serious questions need to be asked about their capabilities.
Every single email at risk
Deloitte’s 244,000 staff use a centralised email system. One of the items compromised was a master administrator account which would give an attacker the ability to read every single email from all their staff.
Given the sheer size of the data available, tracking down exactly what was breached could be impossible as the attackers had 6 months to peruse and download items.
A lucky escape
Given the sheer volume of data available to the hackers, a large amount of personal data on EU citizens is likely to have been stored on their servers. The maximum GDPR fine imposed on them would have been 4% of their global turnover; in 2017 this would have been one hundred and sixty million dollars.
There is also compensation to be paid out to those whose data was compromised in the breach, making the total hard to calculate.
The past two years have shown countless large organisations breached in surprisingly simple ways. Have they learnt from their mistakes and adopted basic practices to address this?
The difficulty for larger companies with thousands of staff is that any change is costly and difficult to implement. Smaller companies have a distinct advantage here, as they are more agile and can adapt to change much faster.
If you are a small or medium-sized business, you can effectively double your level of cyber-security at a fraction of the cost compared to a large enterprise. With so much bad advice and guidance out there, it is essential that businesses find the right ally to guide them through the maze that is GDPR. Beware of the sharks who have just become "GDPR certified" and are offering solutions. Watch out for new companies who solely specialise in GDPR. GDPR, much like the Health and Safety Act, is here to stay, and a business built solely on a short-term trend will not be around for very long. You need a long-lasting partner.