Active Network breach: 'EU law boosts security'

22 March 2018

A photograph of a laptop, taken side on, with lots of binary code appearing to have shot out of the screen. The zeroes and ones are light green in colour while the background is dark green. — Image caption,
New EU rules mean businesses can be fined up to 4% of annual global turnover or around £15m for the most serious data breaches

By Brian Meechan

BBC News

A data breach at a website used for athletic events in Wales shows why new cyber-security rules are needed, a legal expert has argued.

Active Network is used by a number of events including Velothon Wales, the Cardiff Half Marathon and Ironman Wales to process registrations and payments.

The US firm has admitted payment details had been accessed over a nine month period.

New EU rules - along with hefty fines - come into force in May.

The General Data Protection Regulation (GDPR) increases responsibilities on companies and protects EU citizens regardless of where the data is being used.

Declan Goodwin, of-Cardiff based firm Capital Law, said the Active Network breach highlighted why the GDPR was essential.

He said: "Companies like Active Network will need to improve data protection compliance as breaches like this will have much more significant implications under GDPR."

An image of the Cardiff Half marathon - with lots hundreds of runners tightly packed together in Cardiff.

Competitors in events such as the Cardiff Half Marathon had their payments processed via Active Network

Earlier this week, it emerged that Dallas-based firm Active Network told customers its details were accessed between December 2016 and September 2017.

Under the current Data Protection Act, there is no legal requirement for companies to report breaches to authorities. This will change under GDPR.

Mr Goodwin added: "The GDPR has a wider territorial scope than the current system, meaning companies outside of Europe that process the data of people in Europe can't ignore it."

The information commissioner's office confirmed it was aware of an incident relating to Active Network and was making enquiries.

A spokesman added: "Organisations have a legal duty to ensure the security of any personal data they process."

Dr Pete Burnap, from Cardiff University's School of Computer Science and Informatics, said cyber security has to be a priority.

He added: "This latest breach further highlights the need for constant vigilance and preparedness around IT networks and systems - particularly those holding sensitive information.

"With the new General Data Protection Regulation (GDPR), companies face increased penalties for data breaches - 4% of annual global turnover or €20, whichever is greater."

More on this story