31 July 2019

Bulgaria’s massive hack and record fine…

Data Blast; Bulgaria’s massive hack and record fine, UK cookie advice, Maryland breach notice changed, French fine over retention period and Capital One hacked…

Capital One: Hacker stole personal data of over 100m North Americans

Data from over 100 million applications for credit with Capital One has been accessed by a hacker. The hacker obtained information including credit scores and balances, plus the social security numbers of about 140,000 customers; in total, over 100 million Americans and over 6 million Canadians may have been affected. Capital One, the seventh largest bank in the USA, discovered the hack on July 19th and worked with law enforcement, resulting in the arrest this week of the alleged hacker. The breach ranks among the ten largest hacks to have occurred and is expected to result in further regulatory enquiry. The US attorney’s office in Washington said: “The intrusion occurred through a misconfigured web application firewall that enabled access to the data.” This serves as another reminder that security controls which sit in front of web-based access must themselves be configured and tested with care.

Bulgarian tax service targeted by hackers

June saw a cyber-attack on Bulgaria’s tax service which resulted in the theft of more than 5 million Bulgarians’ personal data, almost all of the country’s adult population. The data, including names, addresses and personal income details, were sent by the hackers to local media outlets on July 15th 2019. Bulgarian authorities have arrested a 20-year-old cybersecurity expert in connection with the hack, although it is unclear whether he was in fact responsible. A spokesperson for the Bulgarian Commission for Personal Data Protection has announced that the tax service now faces a fine of up to €20 million, the maximum fixed fine under GDPR.

UK ICO outlines requirements for cookies

Earlier this month, the ICO published guidance on the use of cookies. Cookies are small files downloaded onto a user’s device when they access a website, and store data pertaining to that user’s preferences and past activity on that site. The ICO guidance states that consent is mandatory for cookies that are not strictly necessary for the provision of a service; ‘strictly necessary’ is to be construed narrowly and from the point of view of the user, not the service provider. Simply put, storage of and access to cookie information must be essential, as opposed to merely important or useful to the operator. The guidance also confirms that consent for cookies must meet the GDPR standard: it must be freely given, specific, informed and unambiguous, and expressed by a clear affirmative action. The communication exemption, which covers cookies used solely to transmit a communication over a network, is also discussed in the guidance. The ICO has made available an online tool intended to help determine when consent is likely to be required for the use of cookies.

Maryland amends state data breach notification law

House Bill 1154, recently signed into law, requires businesses to take further steps after becoming aware of a data breach. Under the current notification regime, when a business that owns or licenses personal data becomes aware of a breach, it must undertake a reasonable and prompt investigation into whether the data has been or will be misused as a result of the breach. The bill extends this investigatory requirement to businesses that merely maintain or store the personal data of Maryland residents, and requires owners or licensees to notify affected individuals if there is a risk of harm. It also restricts the use by the owner or licensee of the breached personal data, and prohibits a business that maintains data on another’s behalf from charging that owner or licensee for information needed to carry out their enhanced notification obligation. These amendments take effect on October 1st, 2019.

CNIL fines real estate services provider for GDPR violations

On June 6th 2019, the French data protection authority CNIL announced that it had fined real estate services provider Sergic €400,000 for failing to adequately secure user data and for failing to define retention periods for that data. CNIL was alerted to the security issue in August 2018, after it received a complaint that users were able to freely access other users’ documents without prior authentication. The freely accessible data included ID cards, tax notices, bank account information and family benefits agency certificates. After alerting Sergic to the issue, an on-site inspection by CNIL revealed that Sergic had been aware of the problem since March 2018, but had failed to remedy it until September. CNIL found two breaches of the GDPR had occurred: failure to preserve the security of personal data, in violation of Article 32; and retention of uploaded documents for longer than necessary for the purposes of processing, in violation of Article 5.

For more information please contact Partner, James Tumbridge at