As ransomware-related personal data breaches in the ICO’s caseload continue to increase in both number and severity, Natasha King, Data Protection Consultant at Xcina Consulting, examines the most recent developments in cyber security breaches in this week’s issue of In Perspective, along with an in-principle agreement to enable the free flow of personal data between the UK and the Republic of Korea. Read on for the details of these and other key emerging themes. For each story, our analysis looks at what happened and why it matters.
Marriott confirms yet another data breach, raising further concerns over its cyber security practices
What happened
- Marriott International is under scrutiny once again after it was confirmed to have suffered another personal data breach.
- The breach, which reportedly took place in early June, is said to have resulted in around 20GB of data being stolen, allegedly including credit card information, confidential business documents, and employee information.
- The hacking group responsible for the breach claimed it used social engineering to trick an employee at a single Marriott hotel in the U.S. into giving it access to that employee’s computer.
- It is claimed that the hotel chain had already identified, and was investigating, the incident before the cybercriminals contacted it to demand a ransom payment in return for not releasing the stolen data. Marriott said it did not pay.
- Marriott said it is preparing to inform 300-400 people who had personal information exposed in the incident, and that it has already notified relevant law enforcement agencies.
- This is not the first time Marriott has suffered a significant data breach. In 2020 it was fined £18.4m by the UK Information Commissioner’s Office (ICO) in relation to a personal data breach that went undetected from 2014 until 2018 and compromised 339 million guest records.
- In January 2020, Marriott was hacked again in a separate incident that affected around 5.2 million guests.
- Marriott is not alone: MGM Resorts International, The Ritz London and Choice Hotels International have also experienced high-profile data breaches in the last five years.
Why it matters
- Marriott’s most recent data breach is an important reminder of the dangers posed by social engineering attacks, and of the damage that a lack of security awareness among staff can cause to an organisation: a single employee at a single hotel was enough to give the attackers a foothold.
- Xcina Consulting invite you to join us for our breakfast seminar on combatting cyber security threats, with Marcus Willett CB OBE – the former Deputy Head of GCHQ. Senior technology executives will also be among our panellists who will take your questions and discuss:
- What are the biggest cybersecurity threats and challenges right now for your organisation
- Budget vs Risk – how to maintain a mature information security and compliance posture
- Are your information security and business priorities in alignment?
- Does your organisation know how to respond in a cyber security emergency?
- We also tapped into the knowledge of cyber security industry experts at our event in July. Follow this link Information Security Event to find out what was discussed.
ICO and NCSC stand together against ransomware payments being made
What happened
- In a joint letter, the National Cyber Security Centre (NCSC) and the ICO have asked the Law Society to remind its members that, where a client is the target of a cyber attack, solicitors should not advise that client to pay the ransom demanded.
- The ICO stated that paying a ransom to unlock encrypted data does not lower the risk to individuals, is not required by data protection law, and is not regarded as a reasonable measure to safeguard data.
- The ICO has made clear that, when deciding on the kind or severity of enforcement action, it will not treat payment of a ransom as a mitigating factor. It will, however, look favourably on early engagement and cooperation with the NCSC when determining its response.
- John Edwards, UK Information Commissioner, said “we’ve seen cyber-crime costing UK firms billions over the last five years. The response to that must be vigilance, good cyber hygiene, including keeping appropriate back up files, and proper staff training to identify and stop attacks. Organisations will get more credit from those arrangements than by paying off the criminals”.
Why it matters
- Ransomware-related personal data breaches in the ICO’s caseload during 2020–2021 steadily increased in both number and severity.
- A ransomware attack that encrypts or exfiltrates personal data is a personal data breach. Under UK GDPR, an organisation must notify the ICO, the data regulator, within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals, and must also inform the affected individuals where that risk is high. The NCSC, as the UK’s technical authority on cyber security, offers guidance and incident response support to reduce the harm caused.
- The ICO will recognise organisations that have acted to fully understand what happened and to learn from it, and that, where appropriate, have engaged with the NCSC and can demonstrate that they followed its guidance or received its advice.
- The NCSC publishes a wide range of guidance on mitigating the ransomware threat, for example advising organisations to keep offline back-ups so that recovery does not depend on the attacker’s decryption key. All of its advice can be found on its ransomware portal.
- The ICO has recently updated its own ransomware guidance, which can be found on its website.
UK signs ‘in principle’ data adequacy agreement with South Korea
What happened
- The UK and South Korea have reached an “in principle” data adequacy agreement to allow the unrestricted flow of personal data between the two countries.
- The UK Information Commissioner’s Office (ICO), which is responsible for supporting and assisting the UK government with the adequacy assessment process, said it welcomes the announcement.
- The in-principle agreement is the UK’s first since leaving the EU and follows the EU’s own adequacy decision for South Korea, finalised in December 2021.
- Alongside the agreement, the ICO and the South Korean Personal Information Protection Commission (PIPC) have signed a memorandum of understanding (MoU), recognising their shared mission to uphold information rights, while supporting digital innovation and economic development.
- The MoU sets out how the two authorities will exchange knowledge and best practices, collaborate on worthwhile projects, and share information or intelligence to assist in their regulatory work.
Why it matters
- The UK government announced South Korea as a priority country for data adequacy back in August 2021 – alongside Australia; Brazil; Colombia; the Dubai International Financial Centre; India; Indonesia; Kenya; Singapore; and the U.S.
- UK-based companies looking to sustain or grow their operations in South Korea, such as AstraZeneca and the bank Standard Chartered, stand to gain from the in-principle data adequacy agreement, as do Korean-headquartered companies with operations in the UK, such as Samsung and LG Electronics.
- It is important to note that the adequacy decision has so far been agreed only in principle and has not yet been finalised. Until it is, transfers of personal data from the UK to South Korea remain subject to the existing transfer rules.
- Once such a decision is finalised, personal data can flow freely from the UK to the third country without any further safeguards, such as completing a transfer risk assessment or entering into an international data transfer agreement.