NewsThe sky is the limit for serious data breaches


    The sky is the limit when it comes to the latest financial penalties for serious data breaches

    19th July 2019: It's shaping up to be a fine, fine summer. And I'm not talking about the weather. I mean the two whopping fines proposed in July for infringements of the General Data Protection Regulation (GDPR) by Marriott Hotels and British Airways. The thing is, it doesn't have to be that way.

  • A few years ago, a short comic strip became the Internet meme "This is fine". You may know it. If not, look it up. It features an anthropomorphic dog wearing a hat sitting a table. The room is gradually burning to the ground. But the dog says "This is fine" and then "I'm okay with the events currently unfolding" and so on, until the inevitable.

    I'm not suggesting that some parts of IT, mainframers included, are in self-denial about data protection and/or the state of their security. I'm stating it as fact. I'll come back to this in a future blog, focusing on interesting research by Forrester into "security complacency". But for now, let's consider the proposed fines by the UK Information Commissioner's Office ICO in a more detail.

    In early July 2019, after an extensive investigation, the ICO announced its intention to fine Marriott International, Inc. almost one hundred million pounds sterling - around US125m - for GDPR infringements. I don't care how big your organization is, £100m isn't exactly small change.

    The ICO said the proposed fine related to a cyber incident that Marriott notified to them in November 2018. "A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area EEA. Seven million related to UK residents." You probably read about it at the time.

    It seems the vulnerabilities began when the systems of another hotel group, later purchased by Marriott, were compromised. Marriott co-operated with the ICO's investigation and has since improved its security arrangements. I really feel for these IT folk, and for the many people whose personal data was compromised.

    The same week, it was reported that British Airways faced an even bigger penalty of £183m US227m for a data breach in 2018. At the time, BA said hackers had carried out a "sophisticated, malicious criminal attack" on its website. Website users were diverted to a fraudulent site where the details of around half-a-million customers were harvested. The root cause was third party related and, as such, all third parties will now be under greater scrutiny.

    The BA fine is the biggest penalty to be handed down by the ICO. Indeed, the BBC reported that the proposed fine was "roughly 367 times as high as the previous record fine, the £500,000 imposed on Facebook over the Cambridge Analytica scandal."

    Both BA and Marriott can appeal. Arguably the most concerning aspect of these two cases is that, as I said earlier, it didn't have to be this way.

    Now, I should make it clear that I don't know the deep detail of these breaches, or if they in fact relate to mainframe systems. But I do know that both companies have mainframes. And that, despite the GDPR and constant warnings about the cyber threats out there, some quarters of industry still aren't taking their vulnerabilities seriously enough. So, is your mainframe at risk?

    The fact is, the skills and technology already exist to identify vulnerabilities and reduce the risks, in mainframes or any other area. To the bad actor, mainframes are "just another system" to be hacked anyway. And many organizations do "get it", which is why my team at RSM Partners is so busy, fighting the good fight.

    For instance, a mainframe security assessment takes a good look at security controls so you can understand what's working, what isn't, and where the gaps are. One problem is that these assessments are quite often carried out by organizations or people with little to no detailed mainframe and/or security knowledge, using a simple checklist or tick-list audit. This is worse than "not good enough" as it can give companies and teams a false sense of security.

    And of course, there's penetration testing to identify clear risks and help plan remediation work to plug gaps, strengthen your existing defences and protect precious data - and so comply with the GDPR and other laws and standards.

    If you want to go further, there's the fully managed 'Security as a Service' route to security engineering and threat prevention, helping ensure your ongoing protective measures and proactive responses to cyber attacks are as robust, focused and up-to-date as they need to be.

    We have been warned repeatedly. And GDPR penalties shouldn't come as a shock to us. There are now more than a hundred million reasons why we should be doing more, as an industry. My overall message is simple: the current situation is not fine. It's not fine at all.

    An international speaker in mainframe security and technology, and a passionate advocate of all things Z, Mark Wilson heads RSM Partners' Technical and Security teams.

    For more information email: info@rsmpartners.com