TV Licensing has assured 40,000 TV licence-paying customers whose contact and bank details were intercepted on the TV Licensing website that “the risk [to them] is low”.
If the risk is low, why also warn the victims that they should check their bank statements for fraud and suspicious transactions? How many of those intercepted payment details were used straight away to send money to cyber criminals rather than to TV Licensing? After all, the breach went undetected for about seven days, which is long enough for a significant number of payments to have been intercepted and diverted in flight.
Under the GDPR (General Data Protection Regulation), a controller is obliged to tell data subjects about a breach only where it is likely to result in a high risk to their rights and freedoms (Article 34); where there is little or no risk there is no obligation to inform them. Typically, ‘no risk’ means that the breached data was protected by measures such as encryption, so that whoever obtained it could not actually read it.
The TV Licensing breach was possible because the data was not encrypted, so it could be read by whoever intercepted it, and there clearly is a risk to data subjects, which is why TV Licensing is quite properly contacting all those affected. Those actions demonstrate that there really is a risk to its customers, whatever it might say to the contrary.
One wonders how quickly class action lawsuits against public-sector controllers that suffer data breaches will begin to emerge.