Back in 2017, Forever 21, Hyatt Hotels, Uber, and eBay all had their fair share of cybersecurity incidents. And now Octoly, a Paris-based influencer agency, is facing their own security vulnerability. Octoly recently confirmed that it has experienced a data leak, putting more than 12,000 prominent social media influencers from YouTube, Instagram, and Twitter at risk.
What happened?
According to cyber resilience company UpGuard’s blog, on January 4, 2018 Chris Vickery, director of cyber risk research at UpGuard, discovered a publicly accessible Amazon Web Services S3 cloud storage bucket at Octoly’s subdomain. This bucket was a repository of internal files critical to Octoly’s operations, including a backup of Octoly’s operational database, which contained the details of Octoly’s customer data across Europe and North America. UpGuard immediately notified Octoly after discovering the vulnerability, but the data has only been secured since February 1st, nearly a month later.
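As an added example (not code from Octoly or UpGuard), the following Python evaluates the two ways an S3 bucket ends up world-readable like the one described above: a bucket ACL granting READ to the AllUsers or AuthenticatedUsers group, and a bucket policy allowing read or list actions to Principal "*". The ACL and policy documents are constructed samples in the shape boto3's get_bucket_acl and get_bucket_policy return, and the bucket name is hypothetical, so it runs offline.

```python
import json
# Real AWS group URIs: "everyone on the internet" and "any AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
READ_ACTIONS = {"s3:*", "s3:get*", "s3:getobject", "s3:listbucket"}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def public_acl_grants(acl):
    """Grants in a get_bucket_acl-shaped dict that let a public group read."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS
            and g.get("Permission") in ("READ", "FULL_CONTROL")]

def _principal_is_anyone(principal):
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", [])))

def public_policy_statements(policy_json):
    """Allow statements in a bucket policy that grant read/list to Principal '*'.
    Statements carrying a Condition are still flagged: they need a human look."""
    policy = json.loads(policy_json)
    risky = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            risky.append(stmt)
    return risky

def bucket_is_public(acl, policy_json=None):
    """True when either the ACL or the policy exposes the bucket to the world."""
    if public_acl_grants(acl):
        return True
    return policy_json is not None and bool(public_policy_statements(policy_json))

# Constructed samples (hypothetical bucket name, not Octoly's).
EXPOSED_ACL = {"Owner": {"ID": "owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PRIVATE_ACL = {"Owner": {"ID": "owner"}, "Grants": [EXPOSED_ACL["Grants"][0]]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-backups/*"}]})
```

Run the same two checks over every bucket returned by list_buckets, alongside account-level S3 Block Public Access, and an exposure like this one surfaces in minutes rather than after a third-party notification.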
What does this mean?
When an influencer joins a marketplace like Octoly, they expect to learn from other influencers and earn income for their work. They’re also expecting all their personal data—including their date of birth, address, phone number, email, hashed password, and details of brands they have ties to—to be secure (not accessible to any user who knows the path to Octoly’s repository in Amazon).
For these influencers, it’s disturbing to consider the possibility of being bullied in both the real world and the cyberworld. Now that hackers have access to these influencers’ addresses and phone numbers, there’s a chance that they may be harassed. In terms of cybersecurity, the leaked hashed passwords from the Octoly breach also make victims likely targets for a password reuse attack. If a user uses the same password for multiple accounts, those accounts are also at risk.
The need for the GDPR
This incident with Octoly serves as a reminder that the General Data Protection Regulation (GDPR) is more essential now than ever. The GDPR contains a set of strict requirements for security and privacy that will come into effect on May 25, 2018.
With the GDPR, all personal data is treated with the same level of importance. The GDPR is all about giving data subjects rights, including control of how their personal data is processed.
What if this data leak happened after the GDPR?
According to Article 33 of the GDPR, after receiving notification of the data leak, Octoly would have been required to conduct a thorough forensic investigation and provide an incident report to the supervising authority and all affected users. Octoly would need to also explain the possible consequences of the personal data leak and describe the measures taken to address the leak, including appropriate measures to mitigate the consequences. All this would have had to happen within 72 hours of the leak being noticed.
If Octoly failed to do any of the above, it would have faced penalties of up to €20 million or four percent of its global annual turnover, whichever is greater. But the reality is that even after Octoly was notified about the leak, it took them almost 25 days to react and secure their S3 storage bucket, which means they would have had to pay a hefty fine under the GDPR.
Apart from financial losses from fines, breached enterprises are likely to lose their customers’ trust as well. This is why it’s important to review the security systems and data leak mitigation and reaction methods currently in place to determine whether they need to be improved.
How to be GDPR-ready
If you’re wondering where you can find solutions to help you become GDPR-compliant, check out our free GDPR resources website here.