A timeshare resort in Scotland is back in the headlines this week for a major security breach which could lead to serious trouble with the ICO (Information Commissioner's Office).
The resort was previously in the headlines, only weeks ago, with timeshare owners unhappy after a series of redundancies had been made at the resort, leaving it understaffed. This latest blunder is bound to leave owners further disgruntled, as the resort has made a serious error: the personal details of more than 2,400 members were posted on its website. Loch Rannoch Highland Club has been reported to the data protection watchdog after posting 243 pages of sensitive information. The information posted was a list of timeshare owners' email addresses and phone numbers which, in the wrong hands, would be very useful to the unscrupulous companies that target timeshare owners specifically.
Bosses at the resort said the information was taken down as soon as they became aware of it and that only a small amount had been viewed online. Despite this, the ICO confirmed it would be looking into the incident and asked anyone who thought they may be affected to get in touch with their concerns.
The ICO has powers to fine any company that breaches data privacy laws under the recently implemented GDPR rules, and any company found to be negligent could face fines of up to £20 million euros or 4% of total annual turnover, whichever is higher. The ICO issues penalties on a case-by-case basis, so if the resort is proven to have been negligent in the way it handled members' data, it can expect a large penalty.
Data breaches are common these days, with sophisticated cyber criminals finding new ways to access information, but the ICO has made it clear that it is solely the responsibility of a company to keep people's personal information safe. In fact, just this year the ICO issued the Marriott chain with a whopping £18.4 million fine for a major breach that affected more than 339 million guests worldwide, including seven million people from the UK. The attack took place in 2014 but incredibly went unnoticed until 2018, during which time cyber criminals were able to access guests' names, email addresses, phone numbers, passport numbers and even some people's credit card information. It was on that basis the ICO issued the fine, accusing Marriott of failing to protect personal data as required by the General Data Protection Regulation (GDPR).
What do cyber criminals do with our personal information?
One of two things happens when our data is stolen: a cybercriminal will either exploit the data for their own profit or sell it on the dark web to someone who will exploit it. How valuable the data is depends on what type of information has been stolen, and it is sorted into categories that are more or less attractive to buyers. Personally Identifiable Information (PII) is any information that can be used to identify a specific person, such as their name, address, email, and date of birth. Cybercriminals use this information to commit a variety of fraudulent activities: with it they can apply for loans and credit cards in your name, gain access to your personal emails, access your personal devices such as your computer or phone, and have even been known to extort people for money. These are just some of the ways criminals can make money from our personal data. However the information is stolen, the repercussions can be devastating for an individual, which is why handling personal data is such an important issue and why the ICO takes any breach very seriously.