A quick thought on moral hazard

A number of major breaches have hit the news recently – including the 500-million-data-record Marriott Hotels breach, and the Sotheby’s Home Magecart hack. I’ll probably go on about over-retention of ID data in another post, but right now I was wondering…

Is it attractive for hacked organisations to exaggerate how long a “just-discovered” breach has been going on? Apparently the Sotheby’s Home breach goes back “at least” to March 2017, the Marriott one all the way to 2014. Both of which are before the introduction of GDPR. So the potential fines are somewhat lower. I direct no specific accusation at either party – and have no reason to – but I do ask myself how much work the ICO will put into identifying the start date for breaches.

Would I rather publicly state that my cyber-security has been rubbish for simply ages, or be exposed to a potentially bankrupting fine? Let’s hope that’s not a calculation anyone has actually made.

