Last week I received an email notification from a digital agency that one of their service providers had been hacked. Consequently, their customer data were accessed by an unauthorized party: a hacker. This cyber criminal demanded payment, a cyber security company had to be engaged at short notice to determine and close the leak, the Data Protection Authorities as well as all clients had to be notified, and both companies’ reputations were tarnished.
Could this have been prevented? Yes! Let me explain how:
When the digital agency selected the aforementioned service provider as a recruitment platform they simply assumed that the company’s statement on GDPR compliance was trustworthy and sufficient:
“GDPR might be complex and hard to deal with, but it’s a great step towards protecting everyone’s privacy. This includes the privacy of the candidates for your job openings. So where do you start when implementing these regulations in your hiring process? Our privacy officer dove deep with the help of a GDPR expert to figure this out. What we found out is that it’s not as hard as you might think once you get past all the jargon, etc.”
On the contrary, a preventable hack took them by surprise and affected all their customers and their customers’ clients. This is as devastating as an oil spill: it simply spreads relentlessly.
What the digital agency and the other clients of the recruitment platform provider should have done is request proof of the preventative measures taken against cyber attacks. If such proof is not available, the client (the digital agency) should propose engaging a cyber security expert to ensure that all possible security measures have been applied.
This is a very important step since under the GDPR the data processor (e.g. the digital agency) is held responsible for all related data breaches, including those at a third party like the recruitment platform service provider.
It was the digital agency that had to report the incident to the Data Protection Authorities and consequently they had to depend on their recruitment service provider to take adequate measures.
In conclusion: never trust a third party service provider that deals with privacy-sensitive data merely on the basis of a statement or unsubstantiated claim that they fully comply with the GDPR and its related data security measures. It is far better to have an independent security agency check the actual status of their anti-hacking measures. Contact a reputable security agency and request that they contact your third party service providers as a standard procedure. The cost of such a proactive approach is far less than that of a reactive one.
In the Netherlands, where this incident recently took place, the national Data Protection Authority received nearly 24,000 reports of hacks and malware, up 30% from the previous year.
In 2018 I wrote an article called “GDPR Threats to the CEO” in which I mentioned that it is not a question of “if” a hack or cyber attack will hit your organization, but “when”.
Better safe than sorry! Be vigilant when you engage third party service providers. Ultimately, when data breaches occur, the responsibility under the GDPR is yours, not solely your service providers’.