Cyberattacks do not recognise national boundaries, as the latest breach at the US credit rating firm Equifax proves. Although the company has now reported the breach of 143 million customer records to US law enforcement agencies, albeit five weeks after the event, individuals in the UK and Canada are also affected. Data regulations in those countries differ from those in the US, so UK and Canadian regulators are also becoming involved to manage the next steps in their respective jurisdictions.
Although Equifax’s core consumer and commercial credit databases were not accessed, it is apparent that the names, social security numbers, birth dates and addresses of over 143 million customers have been obtained. It is also believed that 209,000 customers had driving licence numbers and credit card details illegally obtained by hackers. This is not simply an American problem, because the breach is not limited to the company’s US operations. It affects British customers too, including those who have accounts with BT and British Gas. The exact number of British customers at risk has not been established, but the Information Commissioner’s Office (ICO) is investigating and has requested that Equifax contact all UK customers as soon as possible.
James Dipple-Johnstone, ICO Deputy Commissioner, says: ‘Reports of a significant data loss at US-based Equifax and the potential impact on some UK citizens gives us cause for concern’. The ICO also states that, ‘In cyberattack cases that cross borders the ICO is committed to working with relevant overseas authorities on behalf of UK citizens’.
Thought to have been carried out through a vulnerability in a web application, the Equifax breach is one of the largest ever reported in the United States. Another massive global data breach which originated in the US was the attack on Yahoo, which exposed 1 billion records. This also affected its UK customers.
In a world where global brands are constantly under threat, it is worth noting that American data protection law is very different from our own. It is becoming more permissive, with President Trump signing a new law on 3rd April making more personal data legally available. Meanwhile, in Europe, organisations are facing even stricter data protection requirements under the forthcoming General Data Protection Regulation (GDPR), which comes into force on 25th May 2018.
GDPR requires UK companies to observe new procedures and take even greater responsibility for how they collect, share, use and store customers’ data. Embracing the stringent rules of GDPR need not be onerous: with the right advice and guidance they can be met in a way that actually enhances a business. GDPR may also present British companies with a competitive advantage, because data held in countries adhering to its requirements will inevitably be safer.