The theft of personal data has a real impact on the economy and can hit a company’s finances hard, not to mention the damage that can be done to its reputation. Lately, many businesses including banks have paid the cost of attacks like these.

American bank Morgan Stanley fell victim to the theft of the personal data of tens of millions of its customers. The reason? Poor internal security, according to a press release in June 2016 from the Securities and Exchange Commission (SEC), the US government agency responsible for regulating financial markets.

$1 million fine

From 2011 to 2014, one of the bank’s employees was able to access the data of 730,000 bank accounts without permission and download it onto a personal server, which was ultimately hacked. Some of the confidential information was then “offered for sale online”, the SEC explained, with the bank announcing that 10% of its asset management customers were affected by the hack.

“Morgan Stanley failed to adopt written policies and procedures reasonably designed to protect customer data,” the US authority concluded in its press release. Rather than face prosecution for breaching regulations, the bank instead agreed to pay a fine of $1 million, although without admitting responsibility.

History repeats itself

The American bank is far from the only organization to experience this. Since 2014, hackers have managed to break into the systems of major financial institutions and private firms alike, taking prized customer data as a reward. One of the biggest attacks affected JPMorgan Chase – the largest bank in the United States by total assets – whose listings containing the data of 76 million households and 7 million SMEs were hacked in summer 2014.

Then came the theft of the data of 2 million subscribers to French media group TF1, the hacking of Sony Pictures Entertainment’s database, the system breaches at Snapchat, Orange, Target… the list goes on. More recently, the small classified ad website was targeted by hackers, who stole the data of 28 million users.

Protecting their greatest asset

The fact that companies are being subjected to attack after attack shows that data has become an object of desire. So it’s up to businesses themselves to protect such an asset and appreciate its true value. This matters all the more because data doesn’t just concern the company itself: its employees have access to a certain amount of information (much of it confidential) on the company’s customers, suppliers and partners.

Lawmakers are trying to keep up with these new challenges by forcing businesses to put procedures in place to protect themselves and, in turn, their customers too. In April 2016, the European Parliament adopted several pieces of legislation, including the General Data Protection Regulation, which comes into force in 2018. The text – which also applies to companies outside the European Union that sell to consumers within the EU – lays down the minimum set of rights and obligations when handling personal data, particularly online.

IT security: failures that cost businesses dearly

To avoid losing their most valuable asset, it’s in the interest of all companies to take measures internally to protect themselves as much as possible against these kinds of attacks. According to a report by Allianz Global Corporate, attacks cost the global economy €445 billion each year. To manage this risk, companies can rely on new legislation for support, but they can also draw on innovative technical solutions.

As data controllers, companies need to put appropriate security measures in place to safeguard data concerning their customers and prospects. Every employee in a position of responsibility must comply with these management and risk anticipation measures. New EU legislation lays down penalties of up to 4% of a company’s global turnover for breaching the right to data protection.
