Jug Puljizevic wrote an article dealing with privacy issues after the Thomas Cook collapse. Over 500.000 holidaymakers are scattered around the globe and around 20.000 jobs are at risk... can it impact your privacy?
The dust is slowly settling on the Thomas Cook collapse as thousands of stranded holidaymakers slowly return home. The world's oldest travel firm left over 500.000 holidaymakers scattered around the globe (around 150.000 of them from the UK). Moreover, around 20.000 jobs are at risk (9.000 of them in the UK).
The financial details of the collapse are more or less known. Every news portal in Europe (and many overseas) follows the story closely. With every hour new troublesome issues emerge: bosses with huge bonuses, holidaymakers and crew "trapped" in Cuba, hotels demanding additional payment for already paid vacations, airlines boosting their prices and ripping off customers.
The elephant in the room
There are numerous pages with useful answers and tips for affected Thomas Cook holidaymakers, but not a single one dealing with personal data protection issues. That's worrying, but let's take it one step at a time. The first step is a simple, elementary school mathematical problem.
500.000 stranded holidaymakers (10% of them in Greece alone) gave a lot of personal data to Thomas Cook (and its partners). At least 20% of them are kids or minors. So you have over half a million passport and credit card numbers and a lot of sensitive data, including health information (like food intolerances and allergies)... Not to mention all the people who have already booked and paid for a vacation later this year. The numbers are very high and difficult to estimate, but the data of over a million people could be affected.
On the other side of the equation there are over 500 Thomas Cook stores, with computers, servers and a bunch of papers lying around. Most of them are now empty and unattended. To make things even more interesting, there are 20.000 workers with a very uncertain future. We can assume a lot of them use their own devices (like phones, tablets, laptops...) for business purposes (and the other way around). I'm not familiar with Thomas Cook's BYOD (Bring Your Own Device) policy, but let's assume that even the best policies and procedures are challenged by human error or deliberate actions.
If an insurance professional or a risk manager is reading this article, I'm sure they could calculate or assess the risk factor using the data mentioned above (feel free to comment).
Should I be worried?
A year ago Thomas Cook reported a data breach which exposed the names, email addresses, and flight details of customers. To be precise: the full names of all travellers on the accessed booking, the e-mail address of the person registering the booking, and the departure and return dates with airport and flight number.
The flaw was discovered by Roy Solberg, a programmer in Norway, who reported it at once. Thomas Cook's response was late and troubling. They used Art. 33 of the GDPR to avoid reporting this incident both to the ICO and to its customers, stating the breach was unlikely to result in a risk to the rights and freedoms of natural persons. You can read more in an article whose title says a lot: "Thomas Cook website spills personal info – and it's fine with that".
During this troublesome period for Thomas Cook it's easy to imagine numerous risks to customer data. Combined with already poor security measures and nonexistent privacy practices, we get a serious data breach waiting to happen (or to become public, if it has already happened). It's also not difficult to imagine one or more (ex-)employees stealing and selling databases or sets of personal data in order to compensate for a job loss or "to get what the company owes 'em".
But...
That's just one side of the coin. With Thomas Cook's demise, all of that personal data didn't just disappear. Also, in most similar cases the bankrupt company doesn't destroy or secure the data.
For example, Canadian retailer "Netlink Computer (NCIX) declared bankruptcy at the end of 2017, it left behind more than $35 million in unpaid bills, as well as hundreds of PCs, servers, and hard drives from its back-office operations. Some of that hardware was sold at auction by NCIX's bankruptcy trustee. Other machines, apparently confiscated by NCIX's landlord in lieu of $150,000 of unpaid rent, made their way to Craigslist" - the Parallax article says.
The Institute of Chartered Accountants in England and Wales (ICAEW) published an interesting read "The GDPR - FAQs for insolvency practitioners". You can find a lot of useful insights like: "GDPR won’t stop you selling a database of customers or an in-house list of those who have registered on a website but you should ensure that the company has records of what individuals have consented to, including what they were told, and when and how they consented. The company’s records should also show whether they have consent for texts, emails and automated calls, if relevant."
The conclusion
The Thomas Cook collapse could be a case study for handling (not only personal) data during bankruptcy. The potential risks are yet to be fully comprehended, but the threat is real and worrying. This case also shows the complexity of a serious approach to data privacy and of GDPR implementation in practice. Privacy by design and privacy by default are not just catchy slogans, and GDPR implementation isn't just a bunch of documents and a shiny privacy policy on your website. If you don't believe me, ask Thomas Cook... and his customers.
Jug Puljizevic
The article was originally published on LinkedIn – you can read it here.
