How to protect your financial information online – and how should organisations react to a potentially serious data breach?
What is interesting however is the contrasting approaches of these organisations to inform the public of security issues. This acts as a reminder for users everywhere of the merits of double checking website security even when dealing with household names.
How do you know if a website is 'secure'?
We are told to check the icons at the top of our browsing screens for whether or not security standards are being applied before we provide any personal data. This is particularly the case where we are inputting bank or card details. However many of us assume consistent security levels on high profile sites. Where that assumption is wrong who is to blame?
Rumours of a problem with the TV Licensing website (tvlicensing.co.uk) were followed by a swift denial of any issues on the Authority’s Twitter site. Screenshots from blogs show that there were two sites running at the same time, one of which was not secure but was still allowing users to input their card details. The clue was in the missing “s” at the end of the 'https://www.' part of the web address and the missing padlock at the top of the browser. The insecure site, where card data was apparently unencrypted and therefore vulnerable, continued to operate for some time before both sites were taken down. The website is still unavailable a day later (at the time of writing) but nothing has yet appeared in the mainstream media alerting users to the potential compromise of their banking information.
"If they do find that there is a potentially serious risk to their customers, such as the misappropriation of their card details, they should immediately alert the data regulator and their customers".
How does the website protect your data?
All websites should take their users data very seriously. One way that they can do this is to ensure that they possess something called an SSL certificate. If a site has its SSL certificate correctly applied you can see the 's' and the padlock symbol. We spoke to Jonathan Rawlins, director of the web development agency Pixel Pixel about how this process works:
"SSL (Secure Socket Layer) is a security protocol used on the web in order to limit the risk of data interception or hijack by encrypting the messages sent between the user's browser and a website. An SSL certificate can thus help to protect you from snooping and 'man-in-the-middle' attacks. If you find yourself on an insecure website then your web browser should inform you, but best practice is to leave immediately. They are not taking your security seriously, so why should you risk your data on their site.
An SSL certificate is granted to a website by a Certification Authority (CA). This is a trusted 3rd-party who handle the cryptographic signing of the certificate. When a user wishes to connect to a certified site, their browser will read the certificate and ask the CA to confirm whether or not the site is trusted. If all is well, then your browser can exchange cryptographic keys with the server and begin transmitting data over SSL".
What should a website do if they discover a security flaw?
In contrast, the compromise of card details on the British Airways website has been widely publicised, alerting customers to the need to monitor their bank accounts and credit ratings. The moment it realised that payment data had been put at risk BA says it began immediately to contact its customers. Approximately 380,000 transactions were compromised and BA’s efforts to alert those affected have included taking out advertisements in newspapers.
The divergence in reactions to a threat to customers’ financial data is palpable. Whilst all of us are responsible for checking the security of any website before inputting our data, particularly that of a financial nature, it is incumbent upon an organisation to alert potential victims of a serious data breach as a matter of urgency. This is particularly the case when the new data protection legislation has made clear how important those obligations are.
Prior to sending out communications asserting that there is nothing wrong with the website, organisations should be continuously testing whether or not that is the case. If they do find that there is a potentially serious risk to their customers, such as the misappropriation of their card details, they should immediately alert the data regulator and their customers. The threshold is not where they have evidence that financial information was stolen. It is where there is a serious risk that it has been. That threshold does not allow an organisation to take days to examine the issue and perfect its press communications for example. The needs of the data subject must come first.
If you are given misinformation - the costs for the website can quickly rise
Customers concerned at rumours of data insecurity but who were subsequently told that there was no such issue may well have relied upon that reassurance and not monitored their finances more closely. For the majority not checking the Internet for rumoured data breaches they may yet be unaware of the issue. In the time before more widespread notification the responsibility of the organisation for any losses suffered would increase, as would the eventual reputational damage when the breach comes to light. Add to those negative consequences the regulatory penalties imposed for any failure to comply with the legislation and these negatives rapidly outweigh the impact of exposing a breach.