Continuous Transformation Blog

Equifax Credit Hack: How GDPR Principles Could Have Saved the Data of 143 Million People

Written by Laura Mauersberger | September 9, 2017

If America had their own version of GDPR, the Experian hack would look totally different. One of the largest security breaches in history has just been revealed. Between May and July 29th of this year, a team of hackers infiltrated a major US credit bureau and accessed the personal data of 143 million US citizens.

The names, addresses, birth dates, social security numbers, and driver's license numbers of 44% of the American population has been compromised. An unspecified number of UK and Canadian residents were also affected by this security breach, the credit card numbers for 209,000 people and certain credit dispute documents for 182,000 people in the US were also illegally accessed.

 

What would happen if the EU GDPR was in place for Americans?


Under article 33 of the European General Data Protection Regulation, all organizations would be required by law to notify the supervisory authority within 72 hours.

Article 33 goes on to say:

The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

The notification shall at least:

  1. Describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

  2. Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  3. Describe the likely consequences of the personal data breach;
  4. Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.”

A quick data breach notification is required under the GDPR.



Data Protection by Design

Equifax reported that the attackers gained access to the company’s systems by exploiting an application vulnerability to gain access to sensitive files.

Under Article 25 of the GDPR, the regulation calls for data protection by design and by default, and recital 78 outlines the importance of adopting internal policies and implementing measures which meet in particular the principles of data protection by design.

These measures include pseudonymisation personal data, enabling the data subject to monitor the data processing, and enabling the controller to create and improve security features.


“When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.”

The GDPR calls for the appointment of a Data Protection Officer for any organization that processes or stores large amounts of personal data, whether for employees, individuals outside the organization, or both. Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.

As outlined in the GDPR Article 39, the DPO’s responsibilities include, but are not limited to, the following:

    • Educating the company and employees on important compliance requirements
    • Training staff involved in data processing
    • Conducting audits to ensure compliance and address potential issues proactively
    • Monitoring performance and providing advice on the impact of data protection efforts
    • Maintaining comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities, which must be made public on request
    • Interfacing with data subjects to inform them about how their data is being used, their rights to have their personal data erased, and what measures the company has put in place to protect their personal information

Under GDPR, the DPO would have taken the preemptive steps to gauge the security efforts, would've taken close notice of applications that require patches or any second looks.

GDPR should be looked at as a tool gain control over the IT landscape, to combat costly breaches, and strengthen the overall security of organizations. Will your company be required to hire a DPO? Use our quick decision tree to find out.