
GDPR raises major cybersecurity concerns

It is estimated that 65 per cent of data leaks are the result of malware or phishing attacks. But how many firms admit they’ve been breached?


While 15 per cent of “data leaks” are caused by (internal) human error, it is estimated that 65 per cent of them are the result of malware or third-party phishing attacks (Shutterstock/Maximumm)

While privacy remains a top concern after the European Union rolled out the General Data Protection Regulation (GDPR) eight months ago (see GDPR, 8 months in: ‘These issues can longer be ignored’), a number of other cybersecurity challenges have also come to light.

While 15 per cent of “data leaks” are caused by (internal) human error, France’s Commission nationale de l’informatique et des libertés estimates that 65 per cent of them are the result of malware or third-party phishing attacks.

Sometimes, the problem comes down to a programming error. As recently as last September, Facebook acknowledged a breach that allowed 1,500 apps to access photos that users had not posted to the platform and therefore should not have been accessible to third parties. It took about 10 days to seal the leak.

But for every business that admits a breach, how many others are keeping mum? How many don’t discover the scope of the problem until it’s too late? Marriott International—hotels are prime targets for hackers—announced in late November that the data of 500 million of its customers, including passport and credit card numbers, may have been subject to theft since as early as 2014.

Although the hotel chain reported the breach to the relevant authorities, a Europol study revealed that many hacked companies would rather pay a ransom to a hacker than report the incident and pay a fine. And yet, such payments only fund further attacks, and are no guarantee that the hacked information will not be disclosed or otherwise exploited.

In other words, there is still much work to be done. However, Patrick Boucher, president of Gardien Virtuel, a Quebec firm specializing in data security, believes that a trend has begun, and that it will gradually expand. 

“For years, we’ve been explaining to people how important it is to back up their data regularly and store it outside the office, and yet, even for something so obvious, the message still doesn’t get through,” he says. 

“So it’s no surprise that the GDPR seemed somewhat unclear to some people in the beginning. But it’s an excellent tool for raising awareness of data risk management. The new website will also help clarify things.”

For Boucher, there will definitely be a snowball effect. For example, California—the cradle of the web giants—recently passed a law similar to GDPR (the California Consumer Privacy Act), which will go into effect on January 1, 2020.


CPA Canada has published several articles on the GDPR, including “GDPR: A Primer for Canadian Businesses,” “The GDPR is here and companies are rushing to comply with the EU’s new global standard for data privacy” and “The GDPR protects personal data and 4 other things to know about the EU’s new regulation.”