Security Breach Update
1 February 2019

Since the widely anticipated introduction of the EU privacy law known as the General Data Protection Regulation (GDPR), regulators have received over 95,000 complaints of possible data breaches within an eight-month period.

As you may already know, GDPR enables privacy enforcers to levy fines of up to 4 percent of global revenue or 20 million euros ($32 million AUD), whichever is higher. So far, most complaints have been related to telemarketing, promotional emails and video surveillance by closed-circuit television.

Recent Breaches

New Zealand – Cryptopia – Online cryptocurrency exchange.
Exploit: Payment fraud.
Risk to Small Business: Severe: The breach initially occurred on January 13 and 14, yet little was known regarding the method of compromise. Hackers were able to extract cryptocurrency amounting to anywhere from $3 to $16 million in USD (NZ $4.4M-23.5M) over 5 days. Aside from likely having to reimburse customers, the exchange will have to contract with expensive financial forensics teams and likely face a decline in users.

Risk to Exploited Individuals: Severe: User wallets were depleted over 5 days, resulting in heavy financial losses among individuals. It remains to be seen if they will recover any of it, with the only silver lining being that personal information was most likely not compromised.
Customers Impacted: Unknown.

United States – Graeter’s Ice Cream – Regional ice cream brand based in Cincinnati.
Exploit: Malware on website checkout page.
Risk to Small Business: Severe: After discovering the potential breach, the ice cream chain was forced to notify approximately 12,000 customers, informing them that their personal and payment information may have been compromised.

Malicious code was inserted into the company website’s checkout page between June 28, 2018 and December 18, 2018, but the investigation has still not definitively revealed if anyone was actually breached. Nevertheless, customers are upset due to uncertainty surrounding the breach and the brand will reluctantly undergo security process improvements that will cost additional time and money.

Risk to Exploited Individuals: Severe: The malware was capable of copying any data entered during the checkout process, including personal details (names, addresses, phone numbers, fax numbers) and financial information (card types, numbers, expiration dates, and card verification codes). With this in hand, hackers are able to conduct payment fraud or build data profiles that can be sold on the Dark Web.
Customers Impacted: Approximately 12,000

United Kingdom – B&Q – Home improvement retailer.
Exploit: Database leak.
Risk to Small Business: Severe: Security researchers discovered that B&Q exposed the information of 70,000 people who were allegedly involved in criminal activity related to their stores. This can be classified as sensitive data under new GDPR requirements. However, what’s worse is that the company failed to report the incident or take the database offline after being notified.

Risk to Exploited Individuals: Moderate: Since the data covers criminal activity, along with associated names and vehicle details, it could be particularly damaging for those accused. If it falls into the wrong hands, it can be leveraged for data breaches, or even cause reputational harm to individuals.
Customers Impacted: 70,000

Being proactive in developing a cybersecurity plan can be the difference between successfully defending against a breach and losing millions to a harmful attack. To protect your data, privacy and reputation, talk to a TCT sales team member today.

Robert Brown
01/02/2019
