Last night I witnessed a data breach in action. It really annoyed me. This is how it happened.
We live in a super connected world. I can buy some electronics from a start-up in China and within a couple of days it can be delivered to my door. Isn’t that amazing?
Of course, in a super connected world our data can be viewed almost as a free commodity when “privacy by design” is way down the list of priorities for getting the new gadget a small team has pitched on Kickstarter to market. Throw in a scumbag employee, let’s call her Enya because that is her name, and you have a recipe for disaster and a data breach to deal with.
I’ve dealt with a small electronics company for a while. I’ve bought a few of their gadgets. Packaging is great and the service is terrific. One Kickstarter didn’t work out and they did the right thing and refunded the money plus gave a little freebie as an apology. They even sent me a gadget free to review on Amazon. I like it when that happens. So this company seems ethical and I like the cut of their jib.
So last night I get this email entitled “One last try”:
I find this a bit odd because the only Enya I know is a throat warbler from the 80s telling me to “sail away”. Good advice, granted. I try my best to respond to everyone promptly and communicate. Sure, I fail sometimes, but I couldn’t remember anything about Enya. So, for fear I may have offended someone, I replied:
See that robot? Well, I think I’m the only guy who has an email sig for his private account. And my “logo” is a robot. Sorry. Anyway, remember the robot because the next email would show that Enya, in fact, doesn’t know me at all:
Well, first, I never got the first email. Second, this isn’t sent to my company. And third, I don’t want anything to do with a business that has allowed a new employee to come in and start using a stolen database to contact people about an IoT doorbell!
This is a data breach and it was one of the most common in the world. Not some criminal mastermind. Not some “insert name of scary country” hacking. Just a good old fashioned sense of entitlement from an ex-employee who has no ethics. So my reply was pretty abrupt:
I have contacted both companies to let them know what has gone on, and I thought I would post this up as a warning. Many SMBs/SMEs, especially in certain verticals (hi guys in recruitment), seem to run on dodgy spreadsheets and data that is easy to copy and disseminate. Sure, almost everyone has ignored the DPA, but that isn’t going to fly anymore under the GDPR (I hope). This is a data breach, and imagine the resources needed to report this data breach to the DPA.
Even if the courts decide that the bar for “damage” is high, so the PPI lawyers can’t jump on a feeding frenzy of compensation claims, and even if the ICO doesn’t turn into some revenue-generating monster that feeds off fining companies, consider the reputational damage. I still like the electronics guys, but I wonder how bad the systems they run are. I certainly won’t buy from Enya’s new employer, even though I love gadgets. I wonder where else my personal data will end up.
It is time to change. You cannot avoid people acting unethically. That is just the world we live in. However, you can make it much harder for them, and you can still lower the risk significantly. If you haven’t started your GDPR journey yet, perhaps today is the day you pick up the phone for some advice.