Category Archives: Data Security

National Lottery customers hacked. But who handed over the key?

master-key

Another day … another hack. Such events are inescapably becoming almost daily news. The endless catalogue of everyday cyber crime, ranging from hacking, ransom attacks, bullying, breaches, theft and fraud, simply underlines that any crime that can be committed in our physical world can – and is – equally being perpetrated in cyber space.

Given that such attacks and breaches are making the headlines almost daily, it baffles me that companies and customers (that’s us by the way) don’t make a greater effort to protect themselves.

Camelot, The National Lottery’s operator, discovered this latest breach on Sunday and went public on Wednesday morning. Camelot says that only 26,500 of the 9.5 million registered user accounts were compromised, and that there has only been activity on just under 50 of the infiltrated accounts. They have confirmed that no money has been removed or added to any of these accounts and that the National Lottery does not hold full debit card or bank account details. The Information Commissioner’s Office says it has launched an investigation.

Camelot insists that the reason for the compromised accounts is because users have been operating the same password for multiple websites. (Sound familiar? Last week’s Deliveroo breach comes to mind).

Quite properly when we hear of a data breach we turn the spotlight onto the companies that we deal with, who are in charge of protecting our information. But it would be no bad thing for us to point the spotlight at ourselves as the other half of the equation. As consumers, we have to take responsibility too.

We have all repeatedly been advised – and frankly, must surely know by now –  it is vital that a different password is used for every website. For as long as we fail to take this basic precaution, these breaches will be possible.  It would seem that we’re no or slow learners.

I don’t know about you, but I have more accounts than I care to think about. A password including capital letters, symbols and numbers is difficult enough to remember for just one account. However with hacks happening more and more frequently it’s made me pull up my socks and change all of my passwords.

I choose not to have my phone or computer store my passwords, because if either device is stolen (or lost) someone will have all my information in the palm of their hand.

It’s time we all realised how vitally important it is to have safe and secure and different passwords for every account we have, especially when cyber criminals are getting wiser and more sophisticated by the minute. A password is a key. So using just one password to access all your websites means that you are effectively handing criminals the master key to all your online activity.

Hint – A password with 12 characters including a few bits and pieces can take over 2 centuries to crack … that’s the one for me!

charlotte-seymour-2016

Written by Charlotte Seymour, 30th November 2016

Data Compliant’s Weekly Round Up

cowboy-round-up-cropped

This week has been a bit hectic when it comes to data breaches and news. We started off with Snoopers’ Charter being passed, then we heard that Deliveroo had been hacked and many of its customers had been paying for someone else’s dinner after passwords were stolen from another business.

We heard of yet another colossal hack – mobile network Three had been infiltrated by 3 hackers dotted all over the country now putting two thirds of the 9,000,000 Three customers at risk. The hackers accessed the upgrade system using an employee log in and were able to intercept the new phones before they reached the customers that the hackers had upgraded. Could this be an insider threat? Although Three can confirm no financial data was appropriated the information that was obtainable were things like names, telephone numbers, addresses and date of birth all of which is classed as personal data in accordance with the Data Protection Act. It’s all very handy data for criminals to steal someone’s identity.

Police are investigating Broxtowe Borough Council after an email containing allegations about someone’s conduct was sent to all staff members (730 people in total) in which they were told about in September. The ICO have said they are not going to take any action.

Hatchimals
Hatchimals are the latest craze with the kids these days and I bet they’re on everyone’s Christmas wish list. For those who don’t know what Hatchimals are, they’re Furby-like toys inside an egg that the child has to nurture until it hatches. Once hatched the toy will learn how to speak from it’s owner – so I’m told by my overly eager nephew. However due to these toys being so popular, scammers are out in force and are taking to social media to encourage loving parents to hand over more than double what these toys are going for. Once the scammers have got the money, the parents are then blocked and never hear from them again. Sometimes over £100 worse off. These toys are out of stock in every retailer that sells children’s toys in the UK so if there is an ad online, on social media, or in an email saying they’re still available and better yet – they’re on sale, don’t be fooled, if it’s too good to be true, it usually is.

Black Friday and Cyber Monday
I would imagine due to it being Black Friday this Friday (25th November) and cyber Monday on the 28th fake adverts and phishing emails are going to be on the rise this week and most of next week too. Although it is sad to think that hackers take to this time of year to steal from loving friends and family to earn themselves a bit of extra money, it does unfortunately happen every year. Now some of these hacks are easy to spot, it just takes a bit of common sense, however they are also getting more and more sophisticated and harder to recognise.

Last year UK consumers spent £2 billion in 24 hours online and in stores on Black Friday and £3.3billion over the whole weekend. Predictions this year are even higher than the last. So if you’re anything like me and are planning to get home from work, make yourself a cup of tea, put your feet up and do your Black Friday shopping online, here are some hints and tips for you to stay safe this weekend.

  • Make sure the websites you are visiting have https: at the front of the URL. The s actually stands for secure! Who knew?
  • If you receive any emails from your bank, paypal or anything asking you to confirm your payment details with a link to click on to do so, hover your mouse over the link to see what the URL is, if it isn’t the company’s name .com/.co.uk etc it’s a scam.
  • Look at the email address you receive an email from, is that the company’s name?
  • Use strong passwords, and different passwords for each log in (this is how many people got stung with Deliveroo as they used the same password for their account with them and with other websites and apps).
  • Read the websites privacy policy before handing over all of your sensitive information. These are legally binding and have to inform you of what the company plans to do with your data.

I could go on and on but these main 5 steps should keep you fairly safe this weekend. Don’t be put off by the minority of people who do wish to scam you into handing over all of your money. There are some good people (and even better bargains) out there, so happy shopping!

charlotte-seymour-2016
Written by Charlotte Seymour – 25th November 2016.

Snoopers’ Charter – What do you think?

big brother.pngThe Investigatory Powers Bill, also known as the Snoopers’ Charter, was passed by the House of Lords last week. This means that service providers will now need to keep – for 12 months – records of every website you visit, (not the exact URL but the website itself), every phone call you make, how long each call lasts, including dates and times the calls were made. They will also track the apps you use on your phone or tablet.

The idea behind the Bill is to prevent terrorism and organised crime, which, it goes without saying, we all fully support.  What it will also obviously do is to place massive amounts of personal information into the hands of the government and other bodies for that 12-month period.  And there has been and will continue to be a huge debate over whether and to what extent this is a breach of our privacy.

This Bill will also allow the police and authorities to look at a specific location and see which websites are highly used in that area, and even who is visiting that area. Dozens of public organisations and departments, such as HMRC, the Food Standards Agency and Gambling Commission, will also be able to access this information without needing evidence for ‘reasonable doubt’ to do so.

What has not changed is that security services still have the ability to hack in to your communications, and eavesdrop into your calls, read your texts and emails, only as long as they have the required warrant to do so. So in theory your actual conversations are still safe unless there is a reason to believe you are involved in something you shouldn’t be.

All this is very well, but is the Bill self-defeating?  Doesn’t it just encourage the use of VPNs which will bounce your IP around the world so you can’t be traced?  If you were doing something you didn’t want officials to know about, isn’t that just what you’d do?

Food for thought here is that the UK will expect companies like Google, Facebook and Apple to unencrypt some of their software so that the UK can gain access to those records. These companies aren’t British companies. So can they refuse? The thing that worries me is that if they do refuse, would they be tempted to pull out of working with the UK completely?  In which case, what does the government want more – the business and jobs these companies provide or the data they hold?

Not only that, but we are now living in the age where Yahoo can lose half a billion accounts, a Three Mobile breach can put millions of customers at risk, and thousands of Tesco customers can have money simply removed from their bank accounts.  And the list goes on. Is not keeping all this data stored for 12 months just like a huge red target for hackers?  Even though this Bill is driven by national security, the risk is that it still leaves an ocean of information that can be dipped into, hacked and misused.

I feel caught between a rock and a hard place.  I have no issues with the government bodies looking through my history should they choose to, but is it right that they can? And then you have to wonder … has anything really changed that much?  Hmmm…

What do you think? None of this will go away. Our children will inherit this Bill and will grow up with all of its implications.

charlotte

 

Written by Charlotte Seymour – November 2016

Insider Threats – Charlotte’s View

Insider Threats – Charlotte’s View

Something that is being spoken about more and more (due to the unfortunate higher frequency) is insider threat. It’s in the news an awful lot more than it ever used to be.

Do you remember the auditor of Morrisons who released a spreadsheet detailing just shy of 100,000 members of staff’s (very) personal details? He did end up getting jailed for 8 years but I heard a saying recently, it’s not a digital footprint you leave it’s more of a digital tattoo. Even two years after the incident Morrisons is still suffering the effects.

Now obviously that was what you would call a malicious breach. It does unfortunately happen, but there are ways for you to protect your company against this. Firstly we here at Data Compliant believe that if you have detailed joiner processes in place (i.e. thorough screening and references and criminal checks where appropriate), ongoing appraisals with staff and good leaver processes you can minimise your risk.

Other ways of insider breaches occurring, and much more likely in my opinion, are negligence, carelessness and genuine accidents. Did you know that over 50% of data breaches are cause by staff error? This may be because staff do not follow company procedures correctly and open up pathways for hackers. Or it could be that your staff are tricked into handing over information that they shouldn’t.

Your staff could be your company’s weakest point in relation to protecting it’s personal and confidential data. But you can take simple steps to minimise this risk by training your staff in data protection.

Online training has some big advantages for businesses, it’s a quick, efficient and relatively inexpensive way of training large numbers of employees while “taking them out of the business” for the least possible time.

The risk of breaches isn’t just your business’ reputation, or even a hefty fine from the ICO but as mentioned before, also a criminal conviction. Now that is a lot to risk.

If you’re interested in online training have a look at this video.

 

charlotte

Written by Charlotte Seymour, November 2016

 

Yahoo – biggest data breach ever

people-padlockIt is widely known that hackers target all companies large or small. In social media and cloud storage terms, we’ve seen breaches from a range of businesses include MySpace, LinkedIn, to DropBox and many more.

And now, as almost everyone must be aware, Yahoo has announced it has suffered the largest cyber breach in history. 500 million accounts have been accessed, of which 8 million relate to UK data.  This is a particularly difficult issue for Yahoo, who, as announced in July, is close to finalising the £3.7bn deal to sell its core business to Verizon. The breach occurred two years ago, and there is significant speculation about why it has taken so long for the organisation to discover the breach (coincidentally also July 2016).

In July a hacker known as Peace was discovered selling the information of 200 million Yahoo accounts on the dark website Real Dark.  It wasn’t until then that Yahoo launched an investigation to see whether – and to what extent – they had been hacked.

It is troublesome, to say the least, that a company of Yahoo’s magnitude can be the victim of the largest cyber attack in the world … and simply not notice for two years. Under the upcoming EU General Data Protection Regulation, notification of such a brief to the Supervisory Authority is mandatory within 72 hours of discovery – which doesn’t really help when a company doesn’t discover the breach for such an extended period of time.

Generally speaking, it takes an average of between 98 and 191 days (over six months) to detect an intrusion, and it does beg the question … why?  Some sources report that there is simply too much data for the analysts to sift through to be able to immediately recognise the threat.  In addition, false alarms are common.

So to an extent it’s understandable that there would have been some delay in identifying the breach.  Almost all of us have had an occasion where the car alarm has gone off because of a gust of wind or a vast lorry getting too close. But you would expect that when someone steals your car’s wheels, its seats and the doors, you just might notice.

So what do we know about this breach?

500 million Yahoo users have had their names, email addresses, dates of birth, hashed passwords, telephone numbers and unencrypted security questions accessed. We also know that Verizon only found out two days before the knowledge of the breach was released to the public.

Now we’re all asking the question “Who’s behind it?” Yahoo believes it was a “state-sponsored actor”. So which state? The suspects so far are Russia (supposedly behind hackers Fancy Bears who hacked WADA and released Olympian’s medical records to show what banned drugs they were taking for medical reasons); North Korea (suspected of being behind the hack on Sony after the film ‘The Interview’ showed its leader in a poor light); China (who, despite denial, allegedly recently stole the finger prints of 4 million Americans from The Office of Personnel Management).  Alternatively, it could have been a lone wolf like the TalkTalk breach – TalkTalk too suspected a large corporation but instead it turned out to be a teenager in his bedroom trying to make a few extra quid.

What we need to understand is that, unless companies invest the appropriate time, resource and money to protect their own and their customers’ data, they will continue to be wide open to breach.  In the UK only 51% of large businesses have followed half or more of the government’s 10 steps to cyber security.

So … if only half of us are consciously going to take action to attempt to prevent these breaches, is it any wonder that the hackers have it so easy?

charlotte

Written by Charlotte Seymour, October 2016

EU – US Privacy Shield has been adopted

Privacy ShieldAt last agreement has been reached on the EU – US Privacy Shield agreement which now replaces the Safe Harbor agreement.  Safe Harbor was ruled invalid in 2015 by the EU Court of Justice, because they said there were not sufficient safeguards for personal data under the voluntary scheme.

The new agreement is intended to protect the privacy of EU citizens when their personal information is processed in the US.

Companies will be able to sign up to the EU – US Privacy Shield from August 1st once they have implemented any necessary changes to comply with the strict compliance obligations.

The EU – US Privacy Shield is based on a system of self-certification by which US organisations commit to a set of privacy principles entitled the EU – US  Privacy Shield Framework Principles.

The new framework was unveiled in February and has been under review since then.  Back in June the European Data Protection Supervisor, Giovanni Buttarelli advised that it ‘needed significant improvements’ because it was not ‘robust enough’ and that the Commission should negotiate improvements to the Privacy Shield in three main areas:

  • limiting exemptions to its provisions;
  • improving its redress and oversight mechanisms,
  • integrating all the main EU data protection principles.

For the Privacy Shield to be an effective improvement on Safe Harbour it must provide adequate protection against indiscriminate surveillance as well as obligations on transparency, and data protection rights for people in the EU.

In Brussels on July 12th Věra Jourová, Commissioner for Justice, Consumers and Gender Equality said: “The EU – US  Privacy Shield is a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses. It brings stronger data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints”

In summary the EU-US Privacy Shield is based on the following principles:

  • Strong obligations on Companies handling data and robust enforcement
  • Clear safeguards and transparency obligations on US government access
  • Effective protection of individual rights
  • Annual joint review mechanism
  • Easier and cheaper redress possibilities in case of complaints —directly or with the help of the local Data Protection Authority

The Privacy Shield agreement applies to both data controllers and processors (agents), and specifies that processors must be contractually bound to act only on instructions from the EU controller and assist the latter in responding to individuals exercising their rights under the Principles.

Whilst the UK remains a member of the EU (which it will be for least the next 2 years) UK based companies that process data in the US will be able to use the Privacy Shield where appropriate.

Michelle Evans, Data Compliance Director

14th July 2016

Data Breaches UK – Key Stats at a Glance

The 2015 UK data breaches report shows significant rises in numbers and costs of data breaches, with growth shown in my previous blog, Data Breaches – OUCH! .  The infographic below summarises the key data breach stats from 2014, including a nod to the impact of new technology.

Data breach

* All stats taken from 2015 Information Security Breaches Survey commissioned by HM Government – survey conducted by PwC in association with Infosecurity Europe

Data breaches … OUCH!

Alarming data breach statistics are shown in the latest survey from HM Government*, with costs increasing to prohibitive levels for businesses large and small.

Data Breach Costs

Data breach 2015 cost graphs and text

Think  a data breach can’t happen to you?  Think again …

data breach percentages graph 2012 to 2014

* All stats taken from 2015 Information Security Breaches Survey commissioned by HM Government – survey conducted by PwC in association with Infosecurity Europe

Protect your data …

Be Aware Be Secure

The protection of your company data must be of paramount importance to you, so please get in touch if you you would like to discuss the ever-changing issues surrounding data security and the steps you can take to keep your data safe.  Call 01787 277742 or email victoria@datacompliant.co.uk

Security and the Internet of Things

I was invited by ComputerScienceZone to share this fascinating infographic on my site – so here it is – a fascinating insight into the diversity and number of “things”, combined with the risks associated with the rapid growth and poor security.

Security-and-the-Internet-of-Things

Data Security – A Summary

Be SecureWhen we talk about data security what do we actually mean?

Data security means protecting data, such as database, from destructive forces and from the unwanted actions of unauthorised users.

In the UK, the Data Protection Act is used to ensure that personal data is accessible to those whom it concerns, and provides redress to individuals if there are inaccuracies. This is particularly important to ensure individuals are treated fairly, for example for credit checking purposes. The Data Protection Act states that only individuals and companies with legitimate and lawful reasons can process personal information and cannot be shared.

The international standard ISO 27001 covers data and information security. Information security is the practice of defending information from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical)

So what is Data Security? 

  • Data is any type of stored digital information.
  • Security is about the protection of assets.
  • Prevention is the measures taken to protect your assets from being damaged.
  • Detection is the measures taken to allow you to detect when an asset has been damaged, how it was damaged and who damaged it.
  • Reaction is the measures that allow you to recover your assets.
  • Confidentiality ensures that that data is only read by the intended recipients.
  • Integrity ensures that all of the data has not been corrupted from its original source.
  • Availability guarantees that the data is usable upon demand.
  • Accountability is audit information that is kept and protected so that security actions can be traced to the responsible party.

 Audit Standards

Data Security is subject to several types of audit standards and verification, the most common are ISO 27001, PCI, ITIL. Security Administrators are responsible for creating and enforcing a policy that conforms to the standards that apply to their business.

IT certification audits are generally carried out by 3rd parties although regular internal audits are recommended. Clients can also carry out audits before they begin doing business with a company to ensure that their clients data is secured to their standards.

Security Policy

A security policy is a comprehensive document that defines a company’s methods for prevention, detection, reaction, classification, accountability of data security practices and enforcement methods. It generally follows industry best practices as defined by ISO 27001, PCI, ITIL or a mix of them. The security policy is the key document in effective security practices. Once it has been defined it must be implemented and modified and include any exceptions that may need to be in place for business continuity. Most importantly all users need to be trained on these best practices with continuing education at regular intervals.

Securing data

Data needs to be classified in the security policy according to its sensitivity. Once this has taken place, the most sensitive data has extra measures in place to safeguard and ensure its integrity and availability.

All access to this sensitive data must be logged. Secure data is usually isolated from other stored data and it is important that controlling physical access to the data centre or area where the data is stored is implemented.

Active Directory for example is used by many companies and is a centralised authentication management system that is used to control and log access to any data on the system.

Encryption of the sensitive data is critical before transmission across public networks. The use of firewalls on all publicly facing WAN connections needs to be in place and also the deployment of VLANs’ to isolate sensitive departments from the rest of the network. It is important to shut down unused switch ports. If Wi-Fi is deployed then it is important to use authentication servers to verify and log the identity of those logging on. Finally the deployment of anti-virus and malicious software protection on all systems.

Monitoring

Sometimes you will be surprised what you can find by simply walking around and look for passwords in the open, unattended screens.

Ensure that Event Viewer and Log Files are maintained this provides the audit trail. An Intrusion Detection/ Protection systems (IDS/IPS) to monitor the network and system activities for malicious activities or policy violations. Set up SNMP monitoring servers to monitor and alert for everything as this will alert Administrators to everything from unusual bandwidth usage to hardware failure. It is key to know what’s going on with your systems and network.

Documentation is also important, detailed network maps should be available as these maps make it easier to spot security weak points and any flaws in the design that could impact the data security.

You should also consider a network scanner that probes devices to ensure that they are secure. A network scanner will probe and report old out of date software, open ports and the give details on any potential exposures. Networks scans should be scheduled on a regular basis.

Keep up to date and stay Informed

Review log files regularly of any publicly facing server to see what types of attacks are being run against your enterprise.

Trade publications discuss the latest threats and technologies keeps you updated on the latest attack trends. It is important to understand the technology stack that you are protecting and the technology that is used to attack it.

User Education

Something which tends to not be given the required level of importance is user education. All relevant security policies must be clearly explained to the end users. A clear explanation of the consequences for violating these polices must also be explained. The end user needs to sign a document acknowledging that they understand the policies and consequences for violating these policies. 

Enforcement

Any enforcement must obtain executive authority to enforce the business policies and procedures. This must be based on a systematic approach of warnings and punishments.

Tony Schiffman

The author, Tony Schiffman, is Data Security Director at Data Compliant.  If you have any concerns about your organisation’s data security or vulnerabilities and you’d like a chat, please call Tony on 01787 277742 or email dc@datacompliant.co.uk

Data Compliant Services

Services at December 2014