A new era in data privacy enforcement: your open source code may be your new weakest link

As you may have heard, an airline company was assigned a potential £183 million fine by the Information Commissioner’s Office (ICO) for a large breach of consumer personal data in 2018, unveiling vast swathes of customer information used in flight booking.

Essentially, the malicious element of the attack involved redirecting users who were filling in booking forms on the website to a fake site run by the criminals. This was possible because the page loaded open-source JavaScript that could be manipulated. It’s important to note here that the offending code was not even written by the airline it ended up impacting. Most modern web applications use open source code so developers don’t have to spend time writing code for standard, reusable features. Open source code has its merits, as well as risks associated with it – we have written about this in more detail here: Open Source Software Vulnerabilities.
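One control against exactly this failure mode, a third-party script altered after the page started loading it, is Subresource Integrity: the page pins a hash of each script and the browser refuses anything that no longer matches. The following is an added example, not code from the original post or from the airline; it generates SRI values and audits a page's script tags against what a CDN actually serves, with all URLs and file contents constructed for the demonstration.

```python
import base64
import hashlib
import re

# Added example, not code from the original post: generate and verify Subresource
# Integrity (SRI) values for third-party <script> tags, so a library altered on the
# CDN after publication is refused by the browser and flagged by an audit.
# The URLs and file contents below are constructed for the demonstration.
LIB_URL = "https://cdn.example.test/booking-widget.js"
OTHER_URL = "https://cdn.example.test/analytics.js"
LIB_JS = b"window.bookingWidget = function () { /* library code */ };"
OTHER_JS = b"window.analytics = function () { /* library code */ };"
# The same library with a line appended by someone other than its maintainers.
TAMPERED_LIB_JS = LIB_JS + b"\n/* appended after publication */"


def sri_integrity(content: bytes, algo: str = "sha384") -> str:
    """Return the value for a <script integrity="..."> attribute."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


# Booking page markup: the widget is pinned, the analytics script is not.
BOOKING_PAGE_HTML = f"""
<script src="{LIB_URL}" integrity="{sri_integrity(LIB_JS)}" crossorigin="anonymous"></script>
<script src="{OTHER_URL}"></script>
"""
_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
_ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def audit_script_tags(html: str, fetched: dict) -> dict:
    """Map each external script src to 'ok', 'mismatch', 'missing-integrity' or
    'unfetched'. `fetched` holds the bytes actually served for each src (in a
    real audit, the result of downloading every URL at check time)."""
    findings = {}
    for tag in _TAG.finditer(html):
        attrs = dict(_ATTR.findall(tag.group(1)))
        src = attrs.get("src")
        if not src:
            continue  # inline script: nothing to pin
        pinned = attrs.get("integrity")
        if not pinned:
            findings[src] = "missing-integrity"
        elif src not in fetched:
            findings[src] = "unfetched"
        else:
            algo = pinned.split("-", 1)[0]
            findings[src] = "ok" if sri_integrity(fetched[src], algo) == pinned else "mismatch"
    return findings
```

Run the audit on every deploy and again on a schedule, since the page's markup can stay identical while the bytes behind a pinned URL change; a `mismatch` or `missing-integrity` finding on a payment or booking page is worth treating as an incident rather than a warning.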

The UK’s ICO made a statement with a hefty fine

The ICO is empowered to fine an organisation (subject to appeal and judicial review) up to 2% of global turnover if it has not taken “appropriate technical and organisational measures” to secure personal data and that lack of diligence has resulted in a “breach”.

Now, this is very much an upping of the ante as the highest fine the ICO has ever levied successfully was £500,000 on Facebook Ireland (which is of course a drop in the ocean in terms of revenue for the social networking giant).

The regulatory authority clearly felt that a statement was needed that this is a new era in data privacy. In the 21st century, large companies practically rely on vast streams of data to operate their business models effectively and produce value both for themselves and for their clients.

As is often the case, regulatory structures designed to prevent the fallout of negative externalities are always trying to catch up with the extremely rapid progress of technology and its effect on processes and people.

An appeal’s outcome would signal how seriously organisations should take open source code

An appeal has already been submitted by the airline; but while good behaviour post-incident may influence the scale of a fine, it won’t determine whether the fine itself is applicable in the first place. It is now up to the courts to determine whether the fine follows the spirit of the law.

What matters is whether an organisation has been negligent or even actively reckless with regard to its security procedures. An aggressive decision from the courts will potentially give the ICO a freer hand to actively pursue reckless security breaches rather than hesitating over the value of investigations.

And the US is catching up with the GDPR-inspired California Consumer Privacy Act

Of course, all of this has to be put in context of the global picture.

Just last month Facebook was also fined $5 billion by the Federal Trade Commission (FTC) for major data privacy breaches. The issue was that the company had failed to disclose both the nature and scale of a leak of personal data of over 50 million users to the now infamous Cambridge Analytica. The fine is the largest ever levied by the FTC against a technology company and is a strong indication of broader regulatory, political and social attitudes hardening towards lax personal data processing.

And that’s not even mentioning the class-action lawsuit that has just been allowed to move forward against the same company regarding automated facial recognition technology identifying people in photos posted to the site. The litigation could potentially result in billions of damages due to the alleged collection and storage of biometric personal data being a potential violation of Illinois state law. The circuit court stated: “The development of face templates using facial-recognition technology without consent (as alleged here) invades an individual’s private affairs and concrete interests.”

Moreover, the GDPR-inspired California Consumer Privacy Act is scheduled to come into force on January 1st 2020, immediately enabling a far more aggressive regulatory regime for organisations based in arguably the world’s most critical tech jurisdiction.

The potential consequences are many: hopefully they will drive more DevSecOps investment

The cost of implementing appropriate security measures early on in product and service design is minuscule compared to potential regulatory fines and reputational damage. AppSec and CloudSec remain the most underfunded areas in comparison to other security domains:

AppSec and CloudSec are underfunded in comparison to the $124bn predicted total cyber spend in 2019 (Gartner Report)

This reflects the fact that DevSecOps is a new idea; indeed, the first SAST tool (a very standard code review tool) was only invented in 2010. As we move toward a world built on cloud-hosted microservice applications, the spending on these two areas will no doubt increase.

So, check how secure your DevOps is – take a quick yet thorough survey to benchmark your DevSecOps maturity against your peers.



Umar Uddin