The ICO found Cathay Pacific’s systems were entered via a server connected to the internet and malware was installed to harvest data. A catalogue of errors was found during the ICO’s investigation, including: back-up files that were not password protected; unpatched internet-facing servers; use of operating systems that were no longer supported by the developer; and inadequate anti-virus protection.
Privacy laws, like any other infosecurity control, have exploitable vulnerabilities. For social engineering purposes, GDPR has a number of real benefits. Firstly, companies only have a month to reply to requests and face fines of up to 4 per cent of revenues if they don't comply, so fear of failure and time are strong motivating factors.
Loss of privacy is not a fair cost for the use of digital health services. Several companies, including Alphabet, Facebook, and Oracle, occupied central positions within the network with the ability to aggregate and re-identify user data.
The UK's data protection regulator has failed to follow its own advice, admitting a privacy notice for its own staffers – one of its key recommendations for GDPR compliance – remains "under construction".
2019 will see more fines for tens and potentially even hundreds of millions of euros as regulators deal with the backlog of GDPR data breach notifications.
Facebook’s plan to merge WhatsApp, Instagram and Facebook Messenger could raise significant data protection concerns, according to the Irish commission that regulates the social network in the EU.
A serious breach could result in two fines for organizations in energy, health, transport, water and “digital infrastructure” sectors — i.e. providers of certain cloud and search services and online marketplaces.
When it comes to health data breaches, hospitals, doctors' offices and even insurance companies are oftentimes the culprits.