Last week brought news of yet another massive data leak. This time the victim company is unlikely to win much sympathy: it was River City Media, an e-mail spam business. Reports claim that RCM itself sends out up to a billion spam e-mails a day and that details of a staggering 1.37 billion e-mail accounts have been leaked.
The company might not deserve sympathy, but the real victims here are, of course, the more than a billion people whose personal data is now out on the internet and available to cyber criminals. That is a sizeable chunk of everyone on the planet who has an e-mail account. If that doesn't worry you, it should, because it probably includes you.
Reports suggest that the company was not actually hacked. Instead it failed to properly configure its rsync backups, leaving the data open to anyone who found the server. The exposed data included names, locations and IP addresses as well as e-mail details.
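The lesson of that paragraph is that a backup server does not need to be "hacked" if its own configuration hands the data out. As an added illustration (not code from the original post, and not anything RCM published), the script below audits an rsyncd.conf for the mistakes that produce exactly that outcome: a module with no `auth users`, no `secrets file`, no `hosts allow` restriction, or left visible to anonymous listing. It assumes the rsync daemon configuration format (global parameters followed by `[module]` sections that inherit the globals); the two sample configurations embedded in it are constructed for the example, as is the module name `backups`.

```python
"""Audit an rsyncd.conf for modules an anonymous client could read.

Added example, not part of the original post. Assumes the rsync daemon
(rsyncd.conf) format: global parameters, then [module] sections whose
parameters default to the global values. Both sample configs below are
constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed weak config: a backup module with no authentication and no
# source-address restriction. Anyone who can reach tcp/873 can read it.
WEAK_CONF = """
uid = nobody
gid = nogroup
use chroot = yes

[backups]
    path = /srv/backups
    comment = nightly database dumps
    read only = yes
"""

# Constructed hardened version: a named user backed by a secrets file, a
# source-address allowlist, and the module hidden from anonymous listing.
HARDENED_CONF = """
uid = nobody
gid = nogroup
use chroot = yes
hosts allow = 10.20.0.0/16

[backups]
    path = /srv/backups
    comment = nightly database dumps
    read only = yes
    list = no
    auth users = backup-puller
    secrets file = /etc/rsyncd.secrets
"""


def parse_rsyncd_conf(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return (global_params, {module_name: params}); modules inherit globals."""
    globals_: Dict[str, str] = {}
    modules: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank lines and comments
            continue
        section = re.match(r"\[(.+)\]$", line)
        if section:
            current = section.group(1).strip()
            modules[current] = {}
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        target = globals_ if current is None else modules[current]
        target[key.lower()] = value
    # Global parameters act as defaults for every module.
    for params in modules.values():
        for key, value in globals_.items():
            params.setdefault(key, value)
    return globals_, modules


def _is_true(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def audit(text: str) -> Dict[str, List[str]]:
    """Map each module to its findings; an empty list means nothing flagged."""
    _, modules = parse_rsyncd_conf(text)
    report: Dict[str, List[str]] = {}
    for name, p in modules.items():
        findings: List[str] = []
        if not p.get("auth users"):
            findings.append("no 'auth users': anonymous clients can access the module")
        elif not p.get("secrets file"):
            findings.append("'auth users' set but no 'secrets file': nothing to authenticate against")
        allow = p.get("hosts allow", "").strip()
        if not allow or allow == "*":
            findings.append("no 'hosts allow': reachable from any source address")
        if _is_true(p.get("list", "yes")):      # rsync lists modules by default
            findings.append("'list' is yes: module name shown to anyone who connects")
        if not _is_true(p.get("read only", "yes")):
            findings.append("'read only' is no: clients can write into the module")
        report[name] = findings
    return report


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for module, findings in audit(conf).items():
            print(f"[{label}] {module}: {findings or 'OK'}")
```

Run against the weak configuration the audit flags three problems for `backups` (anonymous access, no source restriction, anonymous listing); the hardened one produces none. The same condition can be checked from outside with a plain `rsync rsync://backup-host/`: if that returns a module list without prompting for anything, the backup is public.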
The company did not reveal this data breach itself. A so-called "data breach hunter" did it for them. This highlights the reluctance of businesses to admit to data breaches, and who can blame them, given the many reasons not to: loss of customers, damage to reputation and regulatory fines.
With the EU GDPR coming into force in May 2018, the maximum fine for data breaches rockets to 4% of global annual turnover or €20 million, whichever is the higher. This puts businesses in an increasingly difficult dilemma. Regulators want them to admit to data breaches, but at the same time they seem to be doing everything in their power to make admitting one as painful as possible.
Put together the scale of the data breaches coming to light with the fact that many companies are not reporting others, and you reach one conclusion: if you are not taking your own cyber security very seriously, you can blame no-one but yourself when your data turns up in places you would rather it didn't.
And by the way, if you run a company that handles or stores personal data, don't ignore your data breach reporting obligations. Under the GDPR, a breach must be notified to the supervisory authority within 72 hours of becoming aware of it, and you can be fined for failing to report as well.
Check out our new simple guide to GDPR, for use by businesses worried about whether they will be impacted by the new legislation.
For further information about how to comply with the GDPR, and how to monitor and notify data breaches, contact firstname.lastname@example.org
Head of Cyber Security