The GDPR was introduced to provide EU citizens with greater protections and control over their personal data. It achieved this by introducing new rights for individuals and by imposing stricter data protection requirements on organisations. The GDPR also introduced harsher penalties for the misuse of personal data. Before the GDPR, the maximum possible fine that the UK’s information commissioner’s office (ICO) could issue was £500,000. This led to controversy during the Cambridge Analytica scandal, where Facebook (who reported $70.7 billion in turnover in 2018) were essentially unaffected the ICO’s maximum fine. Under current GDPR legislation, Facebook would have faced a maximum fine of $2.8 billion – a figure that is no longer pocket change for Mr Zuckerburg. The purpose of these fines is to ensure that all companies, no matter their size, take data protection seriously. It encourages organisations to adopt suitable technical and organisational security measures to protect citizens personal data and prevent these damaging data breaches.
But what happens if your personal data was part of a data breach before the GDPR was introduced? Unfortunately, you will probably be unaware of it. Before the GDPR was introduced, the UK was governed by the 1998 data protection act. Under this act, organisations were under no obligation to inform their data subjects of a potential data breach. It is likely that many millions of citizens in the UK had personal data maliciously stolen and used without their knowledge. It is only the high profile cases, such as the Yahoo data breaches in 2013 and 2014 where an estimated 3 billion accounts were impacted, which you are likely to have heard about.
So what can you do about this? If you were affected by the Yahoo data breach, you may be able to claim compensation as part of a class action lawsuit. In 2019, Yahoo agreed to a pay out a total $117.5 million to affected customers. For the lesser known data breaches that occurred pre-GDPR, you are unlikely to be able to claim compensation; however, you can determine if your email address was part of a data breach using the following website:
The term ‘pwned’ is rumoured to originate as far back as the chess community in the 1930s, but it rose to prominence in the 2000s where it was extensively used in player-to-player messaging in online gaming communities. The term was used when one player would show dominance over another, leading to taunts of being ‘owned’ or ‘pwned’.
In the context of ‘Have I Been Pwned’, the website is simply a database of major data breaches (443 breaches with close to 10 billion accounts affected according to the website). You simply type in your email address and the website will inform you if your email was part of any of the 443 data breaches.
Is the website safe? Despite the unprofessional sounding name, yes. The credentials for the creator of ‘Have I Been Pwned’ are substantial. Troy Hunt is a Microsoft Regional Director, winner of ‘most valuable professional’ (a Microsoft award), an author of several popular security courses on Pluralsight, a frequent keynote speaker at top security conferences and has even testified in front of the US congress discussing the impact of data breaches.
Tacita recommends that you search your email address in the ‘Have I Been Pwned’ database. If you discover that your email address has been compromised, the first step is to change any existing passwords associated with this email address. We also recommend that where possible, you employ two-factor authentication. Today, this is the go-to standard in account security. Two factor authentication sends an authentication code to your mobile phone, whenever you (or someone else) tries to log in to an account from an unknown IP address. You then use this code to log into your account. For a would-be malicious hacker, this requires your email address, your password, and a duplicate sim card with your phone number on it. This is much harder to achieve than using just a database of emails and passwords.
Unfortunately, data breaches are likely to continue to occur. Whilst it is the duty of the data controller to provide suitable security for the data which they hold, users can not be complacent. The old advice of frequently changing passwords and using different passwords for different accounts still holds true. So stay informed and stay safe.