MNCs like Experian won’t be shown any mercy under forthcoming GDPR

In the news this week was the much-publicised anger of the youthful-looking CEO of T-Mobile, John Legere, at the announcement that Experian, the world’s largest credit rating agency, had suffered a sensitive personal data breach affecting 15m T-Mobile customers after its servers were hacked.

Under the forthcoming EU General Data Protection Regulation (GDPR), both data controllers (T-Mobile) and data processors (Experian) are jointly and severally liable in the event of a personal data breach or sensitive personal data breach. So an incident like the one that took place at Experian will have far-reaching consequences for T-Mobile under the new EU Regulation when it comes into force.

Experian are saying that the customers affected are those in the US who were credit-checked in the last 2 years. Given that T-Mobile passed this personal data on to Experian, a company that is London-listed, the breach is also potentially a European regulatory and legal issue, where litigants in the US could look to rely on EU data protection laws as well as their own in order to seek compensation for the distress and harm caused.

Experian North American CEO Craig Boundy said “We sincerely apologise for the concern and stress that this event may cause.”

Well, that’s an understatement, isn’t it?

Given the very nature of Experian’s vast business, credit-checking millions of people who want to take out contracts with a wide range of suppliers, what has transpired is more than a lapse in data security: it has blown up in Experian’s face as an issue of trust.

Just how serious this can be is evidenced by what has happened to Experian’s share price in the wake of these revelations – falling 4.5% to its lowest level since December 2015.

What’s clear as daylight is that multi-national corporations (MNCs) like Experian are ‘sitting ducks’ and have shown their vulnerability to attacks from hackers determined to steal personal data on their customers. This year, Experian joins the ‘Hall of Shame’ that includes Ashley Madison, Sony Pictures, Facebook, Instagram, Target, MasterCard, Visa, Home Depot, eBay, the White House and many others.

Whilst insurance against such contingencies is a sensible and necessary precaution, it is becoming clear that a full data protection impact assessment across the whole enterprise – particularly in light of the business continuity risks that GDPR presents – is something that all MNCs must think about doing as a matter of urgency.

T-Mobile has clearly got the message and is publicly saying it is reviewing its relationship with Experian; given the nature of Experian’s business, it is a near certainty that this will happen again.

Let’s hope that Experian and T-Mobile have learnt their lessons and start to put in place mitigation factors that will help reduce the financial jeopardy they run when this happens again.

Under GDPR, fines for such transgressions are likely to be between 2% and 5% of global turnover based on the previous 12 months.


One comment on “MNCs like Experian won’t be shown any mercy under forthcoming GDPR”

  • David Peach says:

    Also, in a class action lawsuit filed 17th July 2015 in the US District Court for the Central District of California, Experian is accused of negligently violating consumer protection laws when it failed to detect for nearly 10 months after acquiring “Court Ventures”. In the year 2012 a Vietnamese 25-year-old man, Hieu Minh Ngo, ran an ID theft service named “” and “”. He sold packages of consumer data. This can be found out from Krebs on Security, “Data Breach by Experian”, on the internet (my PC).
