Earlier this week, a serious data breach at UK-based payment processing company GoCardless came to light… well, sort of!
It’s common place now when a large business suffers a data breach, for them to post a public statement on their website and on social media, and also send out a notification to all their customers via email.
However, in the recent GoCardless incident, none of this happened! No statement has appeared on their website, no mention of the incident was made on any of their various social media channels, and no blanket emailing of all their customers took place.
That said, some of their customers have been notified via emailed, but to varying degrees…
For example, one GoCardless customer was sent the following:
All of our payment processing systems are secure, remain uncompromised and were unaffected by the burglary. There has been no impact on our day to day business and we continue to process payments as normal.
We have already informed the police, the Financial Conduct Authority and the Information Commissioner’s Office of this burglary. We have also conducted an exhaustive internal investigation so that we can communicate to you any potential risks from this burglary.
Our investigation has concluded that none of your data or your customers’ data was affected by this theft. However we believe in transparency and so wanted to inform you of this burglary anyway.
We apologise for any concern or uncertainty this may cause. If we can provide any further information, please get in touch by emailing [email protected].
The GoCardless Team
…whereas another GoCardless customer was sent the following:
All of our payment processing systems are secure, remain uncompromised and were unaffected by the burglary. There has been no impact on our day to day business and we continue to process payments as normal.
We have already informed the police, the Financial Conduct Authority and the Information Commissioner’s Office of this burglary. We have also conducted an exhaustive internal investigation so that we can communicate to you any potential risks from this burglary.
Our investigation has concluded that the stolen laptops may contain a file with personal data provided when setting up an account with us. This information is stored by GoCardless to ensure we can evidence checks we needed to perform on you when you signed up with us. The file contains the following personal details of the person that verified your GoCardless account: email address, passport number, driving licence number, date of birth, and name.
There is a very low risk that this burglary will affect you as none of your financial data was involved, all the laptops were password protected, there is no firm evidence that any of the data was available on any stolen laptop, and the burglars appear to have been targeting high value electronics rather than our data. However, we believe in transparency and so wanted to inform you of this burglary anyway.
Despite the above, we take even this small risk seriously. We are therefore offering to organise and pay for a web alert monitoring service from Experian for a period of 12 months. If you would like to take up this offer please email [redacted]@gocardless.com with “Accept” in the subject line.
We apologise for any concern or uncertainty this may cause. If we can provide any further information, please get in touch by emailing [email protected].
The GoCardless Team
Notice the differences in the respective “Our investigation has concluded…” sections of these two emails?
The incident appears significantly more serious for the second customer than it does for the first!
I’ve also heard from other GoCardless customers who haven’t received ANY email notification of this incident from GoCardless whatsoever.
Whilst there are lots of questions surrounding the particulars of this breach (i.e. how/why such data was stored on laptops in the first place). In this post, I want to focus instead on how customers have been (or not as the case may be!) notified.
It appears that GoCardless have taken a rather different approach to most other companies when it comes to notifying customers of a data breach. Instead of making the news public and notifying ALL customers with a statement on their website and generic email to all customers, they appear to have “selectively” notified only those specific individual customers who they believe are affected/at risk, and indicated the extent to which each customer may be affected.
From a PR perspective, this probably makes some sense – keep it as quiet as possible so that the fewer people who know about the breach, the less damage it does to their reputation. This would also explain why there’s no mention of this incident on their website/social media channels.
The other reason for this “selective” notification approach may be so as to not unnecessarily worry/concern those existing customers whose data wasn’t involved in the breach and who are therefore nor directly affected.
Is this really the best approach?
If a business that you’re a customer of suffers a data breach – even if your own data wasn’t specifically involved in the breach – wouldn’t you still want to know about it?!
I certainly would! …and it may well make me re-evaluate whether I want to continue to be their customer.
I believe that if a business suffers a data breach, they should notify ALL their customers, not just those directly affected by the specific incident.
Had I been a GoCardless customer and I’d only just found out about this breach by reading this blog post – I’d take a pretty dim view of the company’s lack of openness in notifying me themselves.
It also makes me wonder how many other businesses who hold personal/financial data on me have suffered data breaches that they haven’t informed me about?
Sadly, current UK regulation around these issues is weak. In the UK, under the Data Protection Act (DPA), there is no legal obligation on businesses to report breaches of security, they are merely “encouraged” to do so to the Information Commissioners Office (ICO).
The ICO’s guidance on what organizations should do in the event of a data breach, notes:
“Informing people about an information security breach can be an important part of managing the incident, but it is not an end in itself. You should be clear about who needs to be notified and why. You should, for example, consider notifying the individuals concerned; the ICO; other regulatory bodies; other third parties such as the police and the banks; or the media.“
Note the phrase “consider notifying the individuals concerned” – which is technically what GoCardless have done; only notified the sub-set of customers they believe to be directly affected.
But isn’t it time that UK regulations regarding reporting and notification of data breaches were reviewed and tightened up?
In the event of a data/security breach:
- Should it not be a legal obligation for the businesses to report the breach to the ICO?
- Should it not be a legal obligation for the businesses to directly inform ALL their customers (and not just to “consider” notifying those “individuals concerned”)?
- Should it not be a legal obligation for the businesses to make a public statement on their website/in the media (so that any perspective future customers are aware of past incidents and how the businesses has responded and dealt with them)?
It’s about time businesses were more open and transparent about their data breaches, and if they’re not prepared to do that, there should be suitable legal regulation to enforce that.