By Christopher Graham, Information Commissioner.
On Wednesday, eBay wrote to us to tell us they believed a cyberattack had compromised a database of customer information. We’re actively looking at this situation, with a view to launching a formal investigation. On the face of it, this is a very serious breach.
Our response is made complicated by the nature of a big multinational internet company like eBay. They’re an American company, so the Federal Trade Commission will look into this. They’ve got a European headquarters in Luxembourg, and so the Luxembourg data protection authority will lead on an investigation in Europe. And there are millions of UK citizens affected, so clearly we will be involved where we can.
So far our work has been offering assistance to Luxembourg, and providing advice to consumers. We know this is an issue that people here in the UK are concerned about, but we have to be careful: by taking the wrong action at the wrong time, we risk undermining any investigation.
What we can be sure about is that if there has been a breach of the UK Data Protection Act, we’ll act firmly. To give you a similar example, there was a significant data breach from Sony Computer Entertainment Europe and it fell to the ICO in the UK to investigate that as the lead authority. We concluded after a very thorough investigation that Sony had been negligent and that customer data had been compromised. The reputational damage to Sony was surely far greater than the £250,000 fine.
This needs to be a wake-up call to all of us. It shows consumers the importance of having different, strong passwords for different online services. It’s a wake-up call to government that the 20-year-old data protection laws are showing their age. But most of all it’s a wake-up call to businesses. Cyber crime is real. Hacking is real. Responsible companies have got to act to keep their customer information safe, and if they don’t, they’ll find they’re not just in trouble with the Information Commissioner, but they’re in trouble with customers too.
Last updated 23/05/2014 16:20
Christopher Graham, Information Commissioner, has a range of responsibilities under the Freedom of Information Act 2000, the Data Protection Act 1998 and related laws.