Included in this issue of Data & Privacy News: Radisson Hotel Group report data breach of loyalty scheme members; Facebook EU-US data transfer ruling in High Court to be appealed; Eurostar resets customer passwords due to attempted hack; and more.

Radisson Hotel Group report data breach of loyalty scheme members  

The Radisson Hotel Group has reported a breach of loyalty scheme members' personal data. 

All affected members have been notified by email; however, the breach was not reported within the 72-hour time limit required by the GDPR.

The Group has not provided any more information on how the data was accessed by hackers but has revealed that the information exposed includes names, addresses, emails, company names and phone numbers.

Radisson's investigations are ongoing; all unauthorised access has been blocked and affected accounts have been secured.

ICO issues new guidance on passwords and encryption  

The ICO has issued new guidance on passwords to help organisations comply with the GDPR. 

The regulator has said that organisations should consider better alternatives to passwords, such as using a single sign-on system.

The ICO has also warned organisations against storing passwords in "plaintext", and has said that certain known algorithms are unsuitable due to security weaknesses which can be exploited.

Alongside the password guidance, the ICO has issued additional guidance on encryption. Encryption is specifically mentioned in Article 32 of the GDPR as a measure which organisations can implement to keep personal information secure.

UK Government identifies 'big data' as a potential area for legislation following misuse 

The Government has identified the use of 'big data' by businesses as a potential area for legislation, with press reports that Business Secretary Greg Clark has asked the Competition and Markets Authority to advise on its misuse.

The term 'big data' generally describes the way businesses target customers by collecting, processing and analysing substantial data sets from an array of sources, which frequently contain personal data.

A review is already under way by the Civil Aviation Authority looking into how budget airlines use algorithms in seat allocation for those who fail to pay extra for allocated seating. The review will analyse whether companies are misusing personal data to the detriment of their customers but to the benefit of the company.

Facebook EU-US data transfer ruling in High Court to be appealed 

Facebook is going to bring an appeal in the Irish Supreme Court on 21 January 2019 in an attempt to stop the Irish High Court from referring questions over the legality of EU-US data transfer agreements to the European Court of Justice.

The case will have major consequences for the EU's support of Privacy Shield and standard contractual clauses, with questions being raised as to whether they are adequate for protecting European citizens' privacy.

Facebook is expected to argue that the High Court made an incorrect finding of fact and there is no requirement to seek clarification from the CJEU on EU-US data transfers under the Privacy Shield agreement.

Eurostar resets customer passwords due to attempted hack  

Eurostar has reset customer passwords following an attempted hack of an unspecified number of accounts between 15 and 19 October 2018.

The firm said it had notified the individuals who had their accounts targeted, whilst other passengers will be required to reset their details the next time they log in to the service.  

Eurostar has declined to comment on whether the origin had been traced, though it has confirmed that payment details were not affected and that the ICO has been made aware.

Key Contacts

Helena Brown

Partner, Commercial and Data Protection & Head of Data
Edinburgh, UK

Ross McKenzie

Partner, Commercial & Data Protection
Aberdeen, UK
