Introduction
At the beginning of the year, Moncler made the headlines after a successful ransomware attack on its systems. The leaked data included information about employees, suppliers, business partners and customers. Guess was also on the receiving end of a hack in the summer of 2021. In this case, criminals were able to obtain social security numbers, ID numbers (driving licenses and passports) and financial account numbers. Chanel suffered a similar fate with its South Korean operation, which resulted in the leak of names, personal information and shopping histories. But cyber attacks, and hacking generally, are not a surprise. A recent Office for National Statistics report showed that whilst most forms of crime in the UK are on a downward trend, crimes involving computers and hacking are experiencing a noticeable uptick.
When hacks occur, the Information Commissioner’s Office (ICO) expects companies to deal with them proactively and ensure that serious breaches are resolved effectively. Guidance on how this can be achieved is set out below.
What do hackers want and how do they get it?
Fashion brands are a gold mine for data that can be exploited. Hackers target:
This is all readily available, especially when brands have online shops.
Hackers can do this through:
What actions should you take if a breach occurs?
In the UK, the ICO will expect a brand to do the following if it finds itself the victim of a cyberattack.
When providing details to affected individuals, a brand needs to inform them, in clear language, of the nature of the breach and what personal data was affected. They should also be provided with details of the relevant contact point or the details of the brand’s data protection officer (DPO).
It is recommended that individuals are provided with information on how the brand will assist them going forward and any actions they can take to protect themselves. ICO guidance outlines that this may include:
If, after a risk assessment, the brand has decided that a notification to the ICO is not necessary, it is still highly advisable that the company records information about the breach and the actions taken in response. If the ICO decides that an investigation is necessary, the company may be asked to justify the decisions it made.
Reporting the data breach
If a report to the ICO is necessary, then it is important that the following information is captured:
Take home points
If you find yourself on the receiving end of a cyberattack, it is important to be as prepared as possible. Planning in advance is ideal, and is likely to include contingency measures. However, as it may be difficult to plan for all eventualities, the following best practices will also limit what can be hacked: