Canva, considered the hottest and most successful tech startup out of Australia for years, has suffered a massive data breach – affecting 139 million people – at the very time that class action suits over data breaches are on the rise.
Canva made a grave mistake in handling the breach, even though it did meet its obligations on notification and cooperation with the authorities.
But the incident is a good example of how modern governance can be critical both in data protection and in the strategy for managing data breaches.
Surry Hills, NSW-based Canva is a 2007 startup offering templates, images and tools for graphic design. Today Canva boasts 200 million users around the globe and a valuation of US$2.5 billion, according to the Australian Financial Review. The startup’s popularity comes from companies that want a presence on Facebook and Instagram but do not have any professional design capability. Canva’s remarkably easy-to-use tools solved this problem for such companies, according to a note by the Fire Minds consultancy.
But, in May 2019, Canva was targeted by a notorious hacker whose pseudonym is ‘GnosticPlayers.’ This hacker has succeeded in acquiring and selling the data of 932 million users stolen from 44 different companies on the dark web since February.
ZDNet broke the story on May 24, after being contacted by GnosticPlayers. The hacker sent samples of the stolen personal data to the site to prove that the hack had succeeded.
The hacker stole personal data from 139 million users, as well as passwords, which were cryptographically protected. Some financial information was viewed, but nothing that would enable access to user accounts or credit cards.
Canva’s governance error
Canva should have taken immediate steps to tell users to change their passwords. Instead, the company sent out a marketing message: “At Canva we spend a lot of our time working with our community to create great designs. The last week has been a big one for us. We’ve just received the acquisition of free photography sites in Pune and Pixabay …”
This continues with a very long paragraph. Buried at the bottom of it is a message about a “security incident” and a warning to users to change their passwords.
Users who saw this were loud in protest on Twitter. The next day, the company made a detailed formal announcement about the breach, and it has since reportedly made all the necessary notifications.
Felicia Coco tells the Australian magazine Smart Company: “They are not prepared for these things to come up. But when you’re working with people’s personal information, there are always certain risks you have to consider. As you grow as a startup and you gain more awareness and you are on the radar of more people, the chances of something like this happening grow as well. Startups should always have a plan of attack in case something like this does happen.”
What the company should have done, Coco adds, is have the CEO, a top-level executive or a board member deliver the message.
This should, in fact, be part of the company’s data breach response plan, and every company, large or small, should have one.
Danger of severe financial penalties or class action suits
Not having a data breach response plan in place could be costly. The Office of the Australian Information Commissioner can impose penalties of up to $2.1 million, or potentially more than $10 million, depending on domestic turnover.
But it could be much worse: Australian companies should also be aware that there has been a rise in the number of data breach class actions being investigated and filed, according to the Sydney office of the law firm Jones Day, which warns of the “prevalence of claims relating to data breaches.” There has not yet been a successful class action for a data breach, Jones Day notes, but, given that the number of class actions is increasing, one may be expected soon.
“It is important to have clear data security policies and response plans in place, and to ensure that such procedures are followed. Practical practice in relation to data security,” the law firm adds.
Diligent Governance Cloud – Modern Governance Solutions prepare for and deal with data breaches
Modern governance is the practice of empowering leaders with the technology, insights, and processes to fuel the good governance that organizations require to thrive and endure in today’s fast paced world.
To manage cyber security risks, boards need secure communication and storage tools for sensitive data. They also need to plan for cyber security at board level.
Modern governance tools are built to support board members and top executives in making smarter decisions. Diligent’s board management software stores a library of documents and reports on every aspect of cyber security, and these are all updated in real time.
Diligent’s unique position in the marketplace allows for investment in best-in-class security practices at a level that is greater than most players’ annual revenue.
With ongoing investment in and dedication to security technology, resources and infrastructure at a level that few can match, Diligent clients gain a strategic partner.
All members of Diligent’s Security Team are active participants in the information security community and keep abreast of the most sophisticated attack techniques.
Diligent has established a security program based on industry standard frameworks that is dedicated to ensuring customers have the highest confidence in our custodianship of their data. Our Information Security Management System (ISMS) is ISO 27001: 2013 certified and our cyber security framework is based on NIST standards.
Diligent board management software stores data in a world-class hosting infrastructure. Co-location data-hosting facilities in Canberra are operated at Tier 3 equivalent or higher standards. Diligent owns and operates its own equipment. Data stored by customers in the Diligent Boards solution is not hosted by any third party cloud providers. Instead, it is stored on Diligent’s own secure servers and protected by strong physical security. Access to these data centers is limited to authorized personnel only and verified by two-factor authentication.
Data is encrypted at rest, in transit and on users’ devices. The Diligent Boards service supports the currently recommended secure cipher suites to encrypt customer data in transit and at rest. Customer data is encrypted at rest on Diligent’s storage systems and on the customer’s mobile devices that run the Boards apps. Customer data encryption keys are stored in a tamper-proof FIPS 140-2 Level 3 certified Hardware Security Module.
Diligent has a Security Incident Response Program in place to handle security incidents. Incident response procedures are tested and updated at least annually. All incidents are managed by Diligent’s Security Incident Response Team, which classifies the event and determines the incident response process. Diligent will promptly notify customers of any unauthorized access to customer data.