Data breach firms liable despite third party hack – Brian Honan (video)

15 Nov 2013

Brian Honan, BH Consulting

Irish IT security expert Brian Honan has pointed out that the companies caught up in the data breach storm, in which more than 80,000 customers’ credit-card details fell into the hands of hackers, remain responsible for those customers’ data even though the breach happened at a third party’s operation.

This week, the Irish public learned that the credit-card details of some 65,000 customers of SuperValu’s Getaway and 8,000 customers of Axa’s Leisure Break schemes, as well as 6,700 customers of ESB’s loyalty scheme, were stolen by hackers.

The Loyaltybuild attack forms part of a series of cyberattacks across Europe that have affected 1.1m people.

Honan founded Ireland’s first Computer Emergency Response Team (CERT) in 2008 and was appointed special adviser on internet security to the European Cybercrime Centre (EC3) in October 2013. He lectures on information security at University College Dublin (UCD) and sits on the technical advisory board for a number of information security companies.

Honan said that often companies will try to offer loyalty schemes to customers but will outsource the management of these schemes to third-party specialists.

However, this does not mean they are no longer responsible for the data they collected in the first place by offering loyalty schemes to trusting customers.

“The company still has to make sure that it meets obligations to secure data because you (the customer) have given information to that company.

“That company, under the Data Protection Act, is legally obliged to make sure the company they passed the information to complies with data-protection rules.

“Even though they passed it on, the responsibility still remains with the company.”

A lesson learned?

Honan said these data breaches serve as a wake-up call for Ireland.

“In a way it’s a good thing it has happened. Lots of hacks that have happened in the past, a lot have been abroad. We’ve had this island mentality that it’s not going to happen to us.

“We need to realise that online we are not an island, we are connected to everyone. It was only a matter of time before something like this happened and hopefully it is a wake-up call for businesses around the country to look at security.”

Honan said it’s also important to remember that the companies in the eye of the data breach storm are victims of a crime.

“Regardless of how the crime happened, they are still a victim.”

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years.