While data protection and privacy are well-worn concerns for organisations and individuals alike, GDPR implementation has remained a challenge. If there was ever any doubt that regulators would enforce GDPR, the Information Commissioner’s Office’s decision to fine British Airways £183 million ($230 million) following the 2018 data breach will surely put that to rest.
This was not necessarily a sophisticated attack; rather, it was an easy opportunity for attackers to exploit a well-known application security vulnerability within a poorly governed IT infrastructure. “Actual expenditure on technical solutions and staff time to implement the right security to prevent this will not have been near a nine-figure sum like the fine,” Eerke Boiten, professor of cybersecurity at De Montfort University, says.
But not all data breaches are created equal. When Marriott failed to conduct sufficient technical due diligence when acquiring Starwood Hotels and Resorts in 2016, it unknowingly inherited a data breach that had gone undetected in Starwood’s database since 2014. Starwood’s guest database had been compromised by bad actors who duplicated, encrypted, and worked to erase the personal data of guests. Hotel chain Marriott is now facing a £99.2 million ($120 million) fine from the ICO for GDPR violations.
With so many moving parts in an acquisition, rigorous technical due diligence is often taken for granted. While a company’s financials are easy to evaluate objectively, IT assets and risks are more cumbersome to assess. “I don’t think there is an ideal process, and maybe that’s part of the problem,” says Jeff Pollard, VP and principal analyst at Forrester. Acquirers can typically only guess at the IT risks and opportunities they are inheriting, but as software becomes an ever more important factor in a company’s valuation, buyers should insist on more objective technical due diligence. The same concept applies to technology assets received from third-party suppliers. After all, you are what you eat.
It’s worth noting that neither British Airways nor Marriott was actively involved in any wrongdoing. They did not overtly breach any rules; rather, they fell victim to their own substandard application security and GDPR arrangements. Keeping on top of data protection and GDPR is no small task, especially when businesses are continually evolving the services they offer to customers. But the cost of adopting a reactive rather than a proactive approach to application security and the integrity of IT infrastructure can run into the millions. It is high time for these organisations to proactively leverage Software Intelligence to ensure that application security and data protection are built into their software.