Data breach risk: dangers of the dark web
Recent reports of customer details held by several companies ending up on the dark web point to rising dangers of data breaches for companies.
In recent weeks, there have been reports of customer details held by various companies being spotted on the dark web. These reports suggest that many companies need to take greater steps to prevent data breaches from occurring, and they point to the potentially increasing litigation and reputational risk involved when one does.
According to a Which? investigation, details of thousands of Tesco Clubcard account holders, as well as customers of Deliveroo and McDonald's, are available on the dark web. Clubcard data including an individual's username, passwords and loyalty card balances could be purchased for as little as 42p. Tesco reported an incident last year where a database of usernames and passwords (reportedly stolen from other websites) had been used to try to access Clubcard accounts, but had maintained at the time, and has reiterated since, that no customer financial data had been hacked. In response to the investigation's findings, Deliveroo commented that it takes online security extremely seriously and is working with customers to help prevent unauthorised logins by cyber criminals. McDonald's also confirmed it had measures in place to mitigate any breaches, including bot protection, device identification and additional fraud detection software.
Foxtons estate agency is the latest company to reportedly have had certain customer details end up on the dark web. ITPro reports that 16,000 card details, addresses and private correspondence including details of paid fees prior to 2010 are available on the dark web. Foxtons have commented to ITPro that the stolen data is old, incomplete, unusable by a third party and unable to cause financial loss or harm to affected customers (arguing the data is, therefore, not sensitive data for the purposes of the GDPR or Data Protection Act 2018).
Foxtons reportedly informed the Information Commissioner's Office ("ICO") of a data breach attack that occurred in or around October 2020, but some are alleging Foxtons did not inform affected customers and that the ICO may be considering a fine. Only time will tell whether the ICO is reviewing the Foxtons incident and what the regulator may determine, but numerous reports of hacked customer data ending up on the dark web highlight the ever-increasing data breach risk for companies holding large volumes of customer data - and especially when that data is sensitive.
Once a data breach has occurred, it is extremely difficult to prevent the stolen data from being used in unsavoury ways. Which? has warned that companies need to "take more robust action to prevent data breaches happening in the first place". Companies holding customer data need to ensure they are taking steps both to prevent a data breach from occurring and to deal quickly and appropriately with any that unfortunately does occur - or potentially face large fines from the ICO and reputational damage in the wake of backlash from customers.
We can assist companies to take reasonable steps to prevent a data breach from occurring and to plan for a timely and effective response in the event one unfortunately does.
If you found this interesting, there's a lot more comment you may find helpful on UpData, which provides regular updates on contentious, criminal and insurance risks relating to data, from cyber-attacks to regulatory enforcement.










