Introduction
At the beginning of the year, Moncler made the headlines after a ransomware attack was successful against its systems. The leaked data included information about employees, suppliers, business partners and customers. Guess was also on the receiving end of a hack in the summer of 2021. In this case, criminals were able to obtain social security numbers, ID numbers (driving licenses and passports) and financial account numbers. Chanel suffered a similar fate with its South Korean operation, which resulted in the leak of names, personal information and shopping histories. But cyber attacks and hacking generally is not a surprise. A recent Office for National Statistics report showed that whilst most forms of crimes in the UK are seeing a downtrend, crimes involving computers and hacking are experiencing a noticeable uptick.
When hacks occur the Information Commissioner’s Office expects companies to deal with them proactively and ensure that serious breaches are resolved effectively. Guidance on how this can be achieved is set out below.
What do hackers want and how do they get it?
Fashion brands are a gold mine for data that can be exploited. Hackers target:
- clients’ personal information.
- financial information.
- operations and systems.
This is all readily available, especially when brands have online shops.
Hackers can do this through:
- data breach – targeted attacks into secure log ins, where they obtain information
- ransomware – where access to files or systems are blocked until a ransom fee is paid
- denial of service attacks – where a system or server is flooded with targeted requests, preventing legitimate requests from being fulfilled.
What actions should you take if a breach occurs?
In the UK, the ICO will expect a brand to do the following if it finds itself the victim of a cyberattack.
- Carry out a data breach risk assessment – is there a risk that data subjects will be seriously affected by the breach?
- Inform individuals who have been affected by a high-risk data breach without delay.
- Inform the regulator as soon as practically possible and in any event within 72 hours.
When providing details to affected individuals, a brand needs to inform them, in clear language, of the nature of the breach and what personal data was affected. They should also be provided with details of the relevant contact point or the details of the brand’s data protection officer (DPO).
It is recommended that individuals are provided with information on how the brand will assist them going forward and any actions they can take to protect themselves. ICO guidance outlines that this may include:
- forcing a password reset;
- advising individuals to use strong, unique passwords; and
- telling them to look out for phishing emails or fraudulent activity on their accounts.
If after a risk assessment, the brand has decided that a notification to the ICO is not necessary, it is still highly advisable that the company records information about the breach and actions taken in response. If the ICO decides that an investigation is necessary, the company may be asked to justify the decisions it made.
Reporting the data breach
If a report to the ICO is necessary, then it is important that the following information is captured:
- the approximate number of affected individuals
- how many personal data records were affected
- the name of the DPO or contact point details
- the effects of the breach, and
- actions taken in response.
Take home points
If you find yourself on the receiving end of a cyberattack, it is important to be as prepared as possible. Planning in advance is ideal, and is likely to include contingency measures. However, as it may be difficult to plan for all eventualities, the following best practices will also limit what can be hacked:
- do not store sensitive data in clear text – pseudonymise or encrypt.
- ensure access is on a strict basis.
- don’t hold onto incomplete or old data, whilst it may not be relevant to your business, it can expose the data subjects to malicious actions from hackers.
- ensure the company carries out appropriate security policy and regular cyber security training for staff.
- carry out regular information risk assessments.
- maintain a response and recovery plan.
