In January 2022, the International Committee of the Red Cross, which oversees the global operations of the Red Cross, confirmed that the organisation had suffered a sophisticated cyber-attack. As a result of the security breach, more than 515,000 highly sensitive personal records relating to seriously vulnerable individuals around the world were exposed.
Investigations have now revealed that this significant data breach could have been averted. It has been confirmed that cyber criminals gained unauthorised access to the organisation's IT infrastructure via “the abuse of an unpatched vulnerability”. The situation is further compounded by the fact that the International Committee of the Red Cross had failed to apply a “fix” to its systems, even though that fix had been made available some months earlier.
This high-profile and significant data breach reinforces how crucial it is for businesses and organisations to demonstrate that they are EU GDPR accountable and that they comply with their individual GDPR legal obligations. Article 32 of the GDPR requires that IT systems and software are kept continually up to date, robust and secure in order to protect personal information.
Conducting regular IT infrastructure audits and monitoring networks for irregular activity is crucial for Data Controllers and Data Processors. The targeted and sophisticated cyber-attack on Ireland’s HSE in May 2021 is yet another serious data breach which could have been averted. Investigations revealed that the Health Safety Executive was still operating Windows 7 at the time its systems were infiltrated (support for Windows 7 ceased in January 2020!).
As a Data Controller or Data Processor, perhaps now is the time to ask how compliant your business or organisation is with Article 32 of the EU General Data Protection Regulation. Time for an IT audit?