Many will have noticed generalist media covering the latest personal data scandals in early December. The hotel chain Marriot realised 500 million accounts of their loyalty program had been compromised (some including sensitive information such as passport and credit card details).
This position Marrion in the top 3 biggest ever data scandals. Only Yahoo managed to do worse with 1 billion email accounts compromised in 2013, and then another 500 million in 2014.
The British Parliament released 250 pages of internal communication from Facebook, showing a certain loose attitude to their user’s personal data. From the email, it shows that FB shared profile information (friendship) with some ‘trusted’ companies, but without the permission of the users.
It also emerges that Facebook used SMS and call logs from Android devices to enrich profiles. Facebook has since replied that it stopped sharing the information in 2015 and that the users had given permission for Facebook to read their call and message history.
Three messages seem clear:
-
Cybersecurity needs to get better: Marriot is a bad example cybersecurity the hack went undetected for 4 years – there should have been plenty of opportunities to detect even a sophisticated attack.
-
Data breaches responses are getting better: Marriot is also a good example of a prompt reaction: offering free credit check to affect users, communication to customers, a hotline and a specific website. The response was quick, if not fully effective given some of the negative feedback from users. Any company working on personal data should have a crisis response drill to put in action.
-
Too much is left open to interpretation: Facebook is perfectly entitled to its response, but it highlights how there is yet not a benchmark on clear permission policies or clear opt-ins.
What next – points for discussion
In light of this – what steps or measures would you suggest to;
- secure personal data?
- respond to data breaches?
- identify best practice in permission and opt-ins?
Leave your thoughts in the comments section below.