By Yinka Kuponiyi, Data Protection Specialists, Creative Computing Solutions.
When you hear the words “Data Protection” and “Data Breach”, the first thing that comes to mind is British Airways and the Information Commissioner’s Office announcement that it intends to fine British Airways £183.39 million over last year’s data breach. The ICO’s investigation found that the breach occurred due to poor security practices. The ICO also announced its intention to fine Marriott International £99.2 million after IT systems belonging to its subsidiary company, Starwood Hotels, were breached and data was compromised for 339 million guests (7 million of whom were in the UK).
But let’s take a step away from the fines levied at these Dinosaurs and look at how another organisation fared with its own data breach, which has inadvertently gone under the radar. Or maybe it was simply deemed not newsworthy enough.
On Tuesday 2 July 2019 at approximately 9am, St John’s Ambulance, a volunteer-led, charitable non-governmental organisation which specialises in first aid delivery and training, suffered a ransomware attack which temporarily blocked its staff from accessing its systems. What is impressive, however, is that within half an hour the attack was detected and resolved. They were able to respond so quickly because they had the right data protection and GDPR policies and procedures, as well as the technical systems, in place to handle such an attack.
A ransomware attack is a serious threat to an organisation’s operational activities. Cybercriminals often use ransomware to deny access to a system or data until a ransom is paid. Just like other online viruses, ransomware can be spread through clicking links in phishing emails or by visiting an infected website. The Department of Health and Social Care (DHSC) estimated that WannaCry cost the NHS £92 million in direct costs and lost output. Many organisations would rather pay out, due to the huge costs involved in restoring their systems and recovering data.
Despite the attack, St John’s Ambulance didn’t pay anything to get rid of the cybercriminals. Neither did they incur any penalties from the ICO. According to a statement published on the charity’s website, the breach affected data related “to our training course delivery”, and the charity assured visitors to its website that no passwords or credit card details had been stolen. Yes, the data of some people may have been affected by the hack, but without their quick response it could have been a lot worse. Especially when you factor in that St John’s Ambulance revenues are estimated to be in the region of £91.4 million per annum.
Data privacy professionals and information security experts have praised St John’s Ambulance for their response to this attack. According to Computer Weekly magazine, St John’s Ambulance demonstrated strong incident response procedures, with a transparent and timely response notifying the public, the police, the ICO and the Charity Commission.
My question is why this story wasn’t given much wider coverage, to show what can be achieved through swift response actions. Could it be because it doesn’t make for a good headline story? Apart from those in the privacy and security industry, this now “old news” has gone largely unnoticed by the wider public.
Data breaches cannot be stopped or eradicated entirely; it is just a matter of time. Large organisations have the resources to deal with these incidents, but still fall foul of data protection regulation. Smaller organisations lack the resources and the funds, and it has been estimated that over 50,000 UK small and medium-sized enterprises could collapse following a cyber-attack. Security incidents can be very expensive to resolve, and then there are the regulatory fines under GDPR and the organisation’s reputational damage on top.
When an organisation triumphs like this over a ransomware attack, it should be shouted from the rooftops! The likelihood of a data breach occurring is high, especially with the advances in technology. And the likelihood of an attack is even higher if you are a small or medium-sized business owner. Check that you have the right data privacy policies, procedures and information security management systems. It pays to be prepared.