British Dental Association Data Breach
by Andrew Gogarty, Chief Security Evangelist
06 August 2020
Not many people are fans of the dentist, and it appears that cyber criminals share the same sentiment. It’s feared that dentists’ bank account details were stolen by cyber criminals last week in a hack against the British Dental Association (BDA).
The BDA’s website is currently showing a statement that says both their website and other systems, such as their telephones, are offline.
According to BBC News, the BDA has admitted to its members that it’s still not sure exactly what was accessed in the breach that took place on the 31st July and it’s contacting those it “thinks” had data compromised.
As always with breaking news like this, it’s not fair to jump to conclusions around what happened without all the facts, especially when the BDA has claimed it’s still investigating the extent of the breach.
However, when handling personally identifiable information, the General Data Protection Regulation (GDPR) expects appropriate and proportionate security measures to be in place to safeguard that data.
Considering that BDA members’ bank account details are now in the hands of cyber criminals, it would be difficult for the BDA to argue to the Information Commissioner’s Office (ICO) that not having visibility and control over who had access to its data was appropriate or proportionate.
In today’s digital age, this is yet another example that demonstrates the importance of having the right controls in place, including continuous monitoring of environments that hold sensitive information.
The statement released as part of BDA’s incident response suggests that this was a ‘sophisticated’ attack, which is a term used all too often early on in highly publicised cyber attack announcements. Will this prove to be a genuinely sophisticated cyber attack, or yet another breach resulting from a lack of cyber security best practice?