Essay On Butlins Data Breach: Risks And Consequences Of A Serious Data Breach

Choose an organization that has recently been reported to have suffered a serious data breach and:
a)Provide a description of the company

b)Explain the nature of the breach of the regulations using research and examples

c)Analyse the risks and consequences of that breach for that organization

Background of the company

Cases of Privacy data breach are being very common with the development of technology. It has been seen that as much government is being concerned about the issue, the same is increasing with even more speed. Data breach is a condition where confidential information get a release from unauthorized sources. After 4 years of long discussion and debate, EU Parliament has finally approved the much-awaited regulations on the subject of data protection, which is known as General Data Protection Regulation (hereinafter referred as GDPR) (eugdpr.org, 2018). As the name implies, the subjective regulations have developed to prevent the issues of data breach and to regulate the business practices (Bhatia, 2018). The regulations would provide security from data breach issues to EU citizens. Data breach cases are being a concern and a danger for the good corporate governance.

As earlier stated that the cyber-crimes are increasing, hence in such a scenario, it becomes necessary to have a glance on this topic. The presented report includes one recent case study in which one of the most famous seaside resort of the UK named Butlins (Butlins Skyline Limited) failed to provide security to the data of its customers. Further, the consequences of the breach to the company will also be discussed in order to understand the significance of compliance with GDPR provisions. After the study of the report, one will be able to know that how dangerous a data breach case can prove for the organization and how an organization can prevent happening of such further issues.

Butlins is not a single resort but a chain of larges seaside resorts in the UK. Billy Butlin founded the same in the year 1936 with the purpose to provide affordable holidays to British families. In order to meet out the issue of different taste and budget, Butlins provides various types of accommodations to its clients. The resort is popularly known for its Chalet accommodation. Butlins also arranges the entertainment for its customer guests. From the very beginning, the company is focusing on the development of business activities. During a period of the year 1936 to 1966, the company has built 10 camps out of which one was built in Ireland and one in the Bahamas (Revolvy.com, 2018).

( Butlins.com, 2018)

Cause of competition and high administrative cost, company was forced to shut off many of its business operations. Three original camps remained to continue under the brand name of Butlins. All these three are now regulated and owned by Butlins Skyline Limited, which is a subsidiary company of another company named Bourne Leisure Ltd.

Butlins carry out many activities related to fun and entertainment for families, the cost of which remain includes in the price of a holiday package. In addition to this, the company also provides many attractive offers and discount to customers as promotional activities. Headquarter of the company is situated in Hemel Hempstead, UK (Owler.com, 2018).

Recently, a news has just come out in which Butlin’s failure to secure the data of 34000 of it is guest has been reported (Ashford, 2018). The company confirmed the issue and stated that private data of around 34000 guests is in danger, and can be accessed by the hackers. The subjective data consisted personal details of customers such as their name, home address, and schedule of their holidays. The holiday camp chain i.e. Butlins said that the stolen data has not included any payment details of the customers related to their bookings with the resort. The company has reported the incident to Information Commissioner’s Office (hereinafter referred as ICO). In the investigation process, ICO has discovered 11 additional issues with the data protection policies and practices, which had the potential to breach the provisions of Data protection, Act itself (Badshah, 2018).

Data Breach: - What exactly happened?

All the aforementioned issue has just happened in the month of August 2018. The company has suffered this data breach cause of a phishing attack (tech.newstatesman.com, 2018). The issue has first come into knowledge when on 9^th August, the company has placed a detailed statement on their website in which they have informed the visitors of the resort about data breach incident (Hashim, 2018). The company stated that the same has discovered that a third party has unauthorized access of the private data of their resort’s visitors and the same is a result of phishing attack that happened through an unauthorized e-mail. Butlins revealed that the data was stolen from it is networks. The company was on fault but was not on guilty as the same has not done with a wrongful intention. It was a case of a data breach, irrespective of the fact that payment details of the customers were secure.

Managing director of the company presented the apologized to affected customers on behalf of the company. If talk about the laws and regulations, this is to be stated that the company has somewhere breached the provisions of new data protection law of the territory. GDPR is not an act but a set of regulations. Data Protection Act 2018 is also there in addition to GDPR and therefore the companies are required to comply with the provision of DPO 2018. According to the provisions of this act, a company is required to inform the authority about data breach incident within 72 hours of the moment when the same become aware of such breach (News.sky.com, 2018). Butlins has notified the incident to authority within the specified period; however, the company has not complied with other provisions of GDPR. Further, Section 2 of the act states that this act and GDPR, both requires a person to secure and proceed with the personal data of others very carefully and lawfully. Butlins has not complied with the provisions of this section as the data of the customer went leaked.

The company faced adverse consequences of the subjective breach as the same brought many issues to the same. This Data breach incident was serious in nature because it consisted the holiday schedule of guest, which could be used to plan a thief when the guest was not at their homes. The only guest was not at risk but the resort was too. Cause of this incident, Butlins faced many negative results that are discussed hereunder.

1. Penalties for breach of Law:- As mentioned earlier, company has not complied with the provisions of the Data Protection Act 2018 and GDPR. It was the responsibility of the company to keep the data of it is guest secure, but the company failed to do so. Section 157 of the act says that a person can be penalized for infringement of any provisions of GDPR via penalty notice . Subsection 1 of this section says that a penalty notice can levy a penalty of the amount mentioned under article 83 of GDPR or the standard maximum amount if any amount is not mentioned under the subjective article (Legislation.gov.uk, 2018). Here, the standard maximum amount refers to an amount of twenty million Euros or 2% of the global turnover of the company (in case of an undertaking) or in any other case twenty million Euros.
   

In the studied case, Butlins has infringed the provisions of section 2 of the act as well as of GDPR and can be held liable under section 157 of the act, if the breach would be confirmed. GDPR has been effective in May 2018 and now Butlins can face a penalty notice under these new data protection regulations. As the case is very recent, the penalties have not been decided yet.

2. Damages: -Another possible risk for the company is the payment of damages. However company has confirmed that payment details of the guests have not been leaked to the third party, yet to state that victim parties can ask for damages from the company if the cause of this data breach incident they face certain losses in any form. The risk, if would happen will be very significant as 34000 guests were affected in total and in such a way, the total amount of damages will be a high amount. The risk of the damages as potential as the risk of penalties. Where penalties are payable to authorities, damages are payable to victim parties. The company did not do any fraudulent activity and has informed the authorities within 72 hours about the data breach; hence, there are chances of low penalties. However, victim parties can ask for the damages.

3. Goodwill Loss: -As mentioned in the background of the company, Butlins is there in the market for years. People do trust in this company and therefore make the booking of their holidays with the same. The data breach case is certainly a risk for the goodwill of the company. Personal information such as name, home addresses, contact details are very significant and can be for many criminal activities. Cybersecurity engineer of Falanx Group, Mr. Rob Shapland said that although the payment data has not been accessed, yet rest of the data could be used for criminal activities such as robbery against of guest when they are away (Ingham, 2018). The incident attracted reputational damages to the company and would affect the future business of the company. People lost their trust in Butlins and goodwill of the company has affected in an adverse manner.

4. Cost increment and accountability:- Company’s data has been leaked once and now for the better security company needs to ensure the prevention of such activities and incidents in future that will lead an additional cost to the company. The main cause behind this incident was a phishing attack and therefore the company is required to change the passwords of affected mail ids and also need to implement the more strong technical system in the organization that is not accessible to a third party and is secure from the reach of unauthorized access. Further, apart from this, the company also needs to answer several queries and allegations of authorities as well as of media that is an issue itself.

5. Revenue of the company:- No one wants to take the services of an organization that is not responsible about the security of it is customers and clients and therefore the revenue of company can be decreased in future. Cause of globalization there is already a high competition in the market and now after the data breach activity, there is a possibility that customers will move towards other resorts or holiday package providers. In addition to this, penalties, damages, and the additional cost of IT services will also put a negative impact on the profits of the company.

Above-mentioned risks are potential that Butlins can face in future as the case is very recent and authorities have not provided any judgment on the case. In addition to the above-mentioned consequences, the company can also face other risks because of data breach case.

Conclusion

GDPR is very new regulations that have been enacted to provide security to EU citizens. It is not only GDPR but also DPO Act 2018 that requires a company or an individual to act in a reasonable manner while dealing with private data of individuals. In the studied case, one of the resort chains of UK failed to keep the data of its guest secure. The company can face many issues in future for this breach that includes monetary as well as non-monetary losses. In the investigation of the case, it has been noted that the company responded very quickly and notified the customers and authority the incident of a data breach. The issue is directly connected with corporate governance failure. Being a resort chain, it was the liability of the company to act in a responsible manner. However, a third party has stolen data and company was not involved in the same, yet the company will be responsible for the fines and damages. Now the company is advised to behave in a more responsible manner as any further similar issue can be a danger for the existence of the company. After the introduction of the GDPR, the public has more rights and the person/company who process with the same has more liabilities. Therefore, this is to conclude that it Butlin’s did not only breached the provisions of GDPR but also failed to comply with the requirements of corporate governance.

References

Ashford, W. (2018). Butlin’s warns of potential personal data breach. [online] Available from: https://www.computerweekly.com/news/252446694/Butlins-warns-of-potential-personal-data-breach [Accessed on 03/11/2018]

Badshah, N. (2018) Butlin's data hack: up to 34,000 guest details may have been stolen [online] Available from: https://www.theguardian.com/technology/2018/aug/10/butlins-data-hack-guest-details-stolen [Accessed on 03/11/2018]

Bhatia, P. (2018) Intro to GDPR: A Plain English Guide to Compliance. EU: Advisera Expert Solutions Limited.

Butlins.com. (2018) Our Story. [online] Available from: https://www.butlins.com/get-to-know-us/our-beliefs-and-colourful-story/ [Accessed on 03/11/2018]

Data Protection Act 2018

Eugdpr.org. (2018) The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. [online] Available from: https://eugdpr.org/ [Accessed on 03/11/2018]

Hashim, A. (2018) Butlin’s Suffered Data Breach Exposing Personal Data Of 34,000 Customers. [online] Available from: https://latesthackingnews.com/2018/08/11/butlins-suffered-data-breach-exposing-personal-data-of-34000-customers/ [Accessed on 03/11/2018]

Ingham, L.  (2018) Butlins breach exposes customers to identity theft. [online] Available from: https://www.verdict.co.uk/butlins-breach-identity-theft/ [Accessed on 03/11/2018]

 Legislation.gov.uk. (2018) Data Protection Act 2008. [online] Available from: https://www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpga_20180012_en.pdf [Accessed on 03/11/2018]

News.sky.com. (2018) Butlin's admits 34,000 guest records stolen in hack. [online] Available from: https://news.sky.com/story/butlins-admits-34000-guest-records-lost-in-hack-11468288 [Accessed on 03/11/2018]

Owler.com. (2018) Butlins's Competitors, Revenue, Number of Employees, Funding and Acquisitions. [online] Available from: https://www.owler.com/company/butlins [Accessed on 03/11/2018]

Revolvy.com. (2018) Butlin. [online] Available from: https://www.revolvy.com/page/Butlin [Accessed on 03/11/2018]

Tech.newstatesman.com. (2018) Butlin’s data breach may have exposed 34,000 guests’ personal information. [online] Available from: https://tech.newstatesman.com/security/butlins-data-breach [Accessed on 03/11/2018]