Data Breach: A lesson from TICKETMASTER
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of the Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
November 23, 2020
There are many ways a company might mess up its data privacy mission. Ticketmaster, one of the United Kingdom’s ticket vendors, was fined 1.5 million pounds by the Information Commissioner’s Office (the U.K.’s data protection authority) for failing to protect customers’ payment details.
What’s worse, over six thousand customers’ bank details leaked. This single breach caused the company both financial and reputational damage.
Investigations are not complete. The leak happened through Ticketmaster’s online bot, which the company uses for customer queries, onboarding and other minor tasks. Companies don’t pay enough attention to these machines: once a bot is set up, they assume it is secure, which is a mistaken belief.
Before using these bots, companies should, at a minimum, apply some principles of privacy-by-design. A privacy-by-design approach to data protection helps to prevent breaches from happening. It prompts the company to ask vital questions such as “What type of information do we need to collect to answer a customer query?” or “What kind of data do we need to manage customer complaints?”
Last Thursday, I wanted to upgrade a particular piece of software on my computer, but to get in contact with the sales team, I needed to drop some personal information via an online bot. It collected my name, phone number and address, then later passed me on to a sales representative of the same company. The sales rep collected the same data as the bot. I don’t know why that particular company received the same information twice.
Businesses need to merge their business functions with data privacy principles of data minimisation and purpose limitation. My colleague finds it challenging to express the intricacies of data privacy to business owners in Nigeria. He argues that most stakeholders don’t see the essence of data privacy and how it relates to their business functions.
My argument is that those who don’t see privacy as a business function miss the opportunity to play on a global scale. Any modern business that treats data privacy as an afterthought will, in the long run, suffer the consequences.
The Ticketmaster case is another eye-opener. As I have said in this space before, hackers work night and day to break business systems. Why should a company take its data security lightly then?
Companies should develop innovative ways to protect their systems. You can’t assume that one special audit, gap analysis or exercise will create a solid, impenetrable wall. Security is something that must be audited over and over again. That you have audited a particular system doesn’t mean it is safe from attacks. Consistently re-checking what has already been done is the best approach. It might seem a little paranoid, but excellent information security is often characterised by what I call “good paranoia.”
I don’t think any company, whether in Nigeria or anywhere else, would want its customers’ data to be exposed. Companies try to sell this story to their customers: “Look, you can trust us with your most critical information, and we will do everything in our power to protect you from harm.”
But when customers hear these words and don’t see them matched by action, it usually breaks their hearts. You can smell the dissatisfaction and disappointment of Ticketmaster’s customers. Ticketmaster is trying too hard to defend its mistakes.
The lesson to be learnt here boils down to the importance of embedding data privacy into any new product and guaranteeing that every new process or product aligns with data protection principles. This will not only save the company from reputational damage but also save it from paying fines to data protection authorities.