At the beginning of the year, Moncler confirmed that it had suffered from a ransomware attack on its systems that led to a headline-making data breach. The leaked data exposed information about the Italian outerwear-maker’s employees and former employees, “some suppliers, consultants and business partners,” and customers. It followed from a data-centric attack on American fashion brand Guess, which was on the receiving end of a data breach in the summer of 2021. In that case, criminals were able to obtain social security numbers, ID numbers (driving licenses and passports), and financial account numbers. Around the same time, Chanel suffered a similar fate with its South Korean operation, which resulted in the leak of names, personal information, and shopping histories.
Instances of cyberattacks and hacking generally should not come as a surprise to brands. A recent Office for National Statistics report showed that while most forms of crimes in the United Kingdom are seeing a downtrend, crimes involving computers and hacking are experiencing a noticeable uptick. The same is true in the U.S., with ransomware attacks, alone, rising by almost 100 percent in 2021 according to SonicWall’s 2022 Cyber Threat Report.
When hacks occur, government agencies, such as the Information Commissioner’s Office (“ICO”) in the United Kingdom and the Federal Bureau of Investigation and relevant State authorities in the U.S., expect companies to deal with them proactively and ensure that any serious breach is resolved effectively. In light of increasing threats of cyberattacks and hacking, including for fashion brands, guidance on how companies – in fashion and beyond – should approach the issue is set out below …
What do hackers want and how do they get it?
Fashion brands are a gold mine for data that can be exploited. Hackers target clients’ personal information, financial information, and operations and systems, all of which is readily available, especially since most players in this space maintain e-commerce shops. Hackers can access such information by way of a data breach, namely, targeted attacks on secure logins, through which they obtain information; ransomware, where access to files or systems is blocked until a ransom fee is paid; and/or denial of service attacks, in which a system or server is flooded with targeted requests, preventing legitimate requests from being fulfilled.
What actions should you take if a breach occurs?
In the UK, the ICO expects a company to take action if it finds itself the victim of a cyberattack or breach, which it defines as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.” Primarily, companies are expected to carry out a data breach risk assessment, including by determining whether there is a risk that data subjects will be seriously affected by the breach. They are also expected to inform individuals who have been affected by a high-risk data breach without delay, and to inform the regulator as soon as practically possible, and in any event, within 72 hours.
In the U.S., the response will vary from state to state. Depending on the severity of the breach, the state attorney general, and eventually customers, may need to be notified with similar notification requirements as found under UK law.
When providing details to affected individuals, a brand needs to inform them, in clear language, of the nature of the breach and what personal data was affected. They should also be provided with details of the relevant contact point or the details of the brand’s data protection officer. It is recommended that individuals are provided with information on how the brand will assist them going forward and any actions they can take to protect themselves. Guidance from the ICO outlines that this may include forcing a password reset; advising individuals to use strong, unique passwords; and telling them to look out for phishing emails or fraudulent activity on their accounts.
If, after a risk assessment, the brand has decided that a notification to the ICO is not necessary, it is still highly advisable that the company records information about the breach and actions taken in response. If the ICO decides that an investigation is necessary, the company may be asked to justify the decisions it made.
Reporting the data breach
If a report to the ICO is necessary, then it is important that the following information is captured and shared with the ICO: the approximate number of affected individuals; how many personal data records were affected; the name of the data protection officer or contact point details; the effects of the breach, and actions taken in response.
Again, in the U.S., while this may vary from state to state, it is likely that the report will contain information that is similar to what is expected by the ICO.
Take home points
If a brand finds itself on the receiving end of a cyberattack or other data breach, it is important to be as prepared as possible. Planning in advance is ideal, and is likely to include contingency measures. However, as it may be difficult to plan for all eventualities, the following best practices will also limit what can be hacked: Do not store sensitive data in clear text – pseudonymize or encrypt it. Do not hold onto incomplete or old data; whilst it may no longer be relevant to your business, it can still expose the data subjects to malicious actions from hackers. Ensure access to data is handled on a strict basis, and ensure the company maintains an appropriate security policy and carries out regular cyber security training for staff. Finally, carry out regular information risk assessments, and maintain a response and recovery plan.
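As an added illustration of the pseudonymize, minimize and purge points above (example code written for this page, not from the original article or from Fox Williams), the sketch below tokenizes customer emails with a keyed HMAC so an analytics copy carries no direct identifiers, drops identity-document fields that copy does not need, and discards records past a two-year retention window. The customer records, the key and the retention period are constructed assumptions.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Constructed sample records (not real customers or documents).
CUSTOMERS = [
    {"email": "alice@example.com", "last_order": "2022-01-15", "passport": "X1234567"},
    {"email": "bob@example.com", "last_order": "2019-03-02", "passport": "Y7654321"},
]

# Hypothetical pseudonymization key. In a real deployment this lives in a
# KMS/HSM with its own access controls, never in the same store as the data,
# so a dump of the analytics copy alone cannot be reversed to identities.
PSEUDONYM_KEY = b"demo-key-do-not-use-in-production"

# Assumed retention window: two years after the customer's last order.
RETENTION = timedelta(days=365 * 2)


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256: stable token for joins, not reversible without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def minimize_record(rec: dict) -> dict:
    """Keep only what analytics needs; the passport field is not copied at all."""
    return {"customer_id": pseudonymize(rec["email"]), "last_order": rec["last_order"]}


def purge_stale(records: list, today: date, retention: timedelta = RETENTION) -> list:
    """Drop records whose last order falls outside the retention window."""
    cutoff = today - retention
    return [r for r in records if date.fromisoformat(r["last_order"]) >= cutoff]


def build_analytics_dataset(customers: list, today: date) -> list:
    """Minimized, pseudonymized and retention-filtered view of the customer table."""
    return purge_stale([minimize_record(c) for c in customers], today)


if __name__ == "__main__":
    for row in build_analytics_dataset(CUSTOMERS, date(2022, 6, 1)):
        print(row)
```

If the analytics copy is the dataset that leaks, the notification assessment in the earlier sections is simpler: no email, passport or clear-text identifier is present, and the key that would link tokens back to people was never in that store.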
Vladimir Arutyunyan is an associate in Fox Williams’ commercial and technology team in London.