Timehop has revealed that more even more data had been stolen that originally thought in their breach. Timehop admitted that in their haste to report the incident, they did not have all the facts of the breach at that time. Timehop’s efforts will be reviewed now that GDPR has been instituted.
Chris Olson, CEO at The Media Trust:
“The GDPR regulators will likely take into account Timehop’s efforts to self-report the breach when they calculate the penalties, but they might take issue with a few things:
1.Did Timehop put in place sufficient security measures? For starters, the attacker gained access to their cloud environment through an account that was unprotected with multi-factor authentication. Furthermore, pervasive encryption was applied only after the breach.
2.Did Timehop had data protection in mind when they designed their processes. It’s not clear how and why user data had “unwittingly been transferred” to the cloud. A data controller and processor should have been enforcing the right policies on handling the data.
3.Did they report the breach in a timely manner? The GDPR requires that a breach is reported within 72 hours of its discovery.
The fact is a company’s largest digital threats are often posed by their digital third parties. With a growing number of regulations on consumer data privacy and many breaches being carried out via third-party code suppliers, companies should get to know and closely monitor who they’re working with. Companies should also ensure those third parties’ activities are compliant with regulations, as they share the blame for third parties’ mishaps.”