
Data Protection Roundup: GDPR undermined by Facebook? Morrisons’ breach liability; Google’s iPhone snooping

I find it fascinating to watch how data protection in general and GDPR in particular play out with the huge multinationals which it has been designed to capture, and which arguably have the most to lose in terms of fines. Facebook and Google are once again in the news in relation to their use of personal data. And the High Court judgement against Morrisons sets a precedent which aligns with GDPR’s intention of individuals’ rights to have their data protected.

Google accused of bypassing privacy settings to harvest personal information of 5.4 million iPhone users between 2011 and 2012

The search engine tech giant Google is being taken to court by a group called Google You Owe Us, led by ex-Which director Richard Lloyd. The group claims that several hundred pounds could be owed in compensation to the millions of victims of Google’s transgression against privacy rights, meaning Google could face a massive financial penalty.


Google breached DPA and PECR by misusing cookies

Google exploited cookies, small pieces of text stored on a device that allow its browsing activity to be tracked, to run large-scale targeted ad campaigns. In the UK Google’s actions were in breach of the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR). For such breaches after the General Data Protection Regulation (GDPR) comes into force in late May 2018, organisations could face a fine of up to €20 million or 4% of annual global turnover (whichever is higher – and for the billion-dollar giant Google, obviously the latter). However, this case relates to a period prior to GDPR.


Did you go online with your iPhone? Were your privacy preferences ignored?

Google stands accused of bypassing, for several months in 2011 and 2012, the default privacy settings on Apple phones in order to track the online behaviour of Safari users by placing ad-tracking cookies on the devices. This then enabled advertisers to target content to those devices and their users.

The Google activity has become known as the ‘Safari workaround,’ and while it affected various devices, the lawsuit filed in the High Court addresses the targeting of iPhone users.

Over 5 million people in Britain had an iPhone during the period. “In all my years speaking up for consumers,” Mr Lloyd from Google You Owe Us states, “I’ve rarely seen such a massive abuse of trust where so many people have no way to seek redress on their own. Through this action, we will send a strong message to Google and other tech giants in Silicon Valley that we’re not afraid to fight back.”

According to the veteran privacy rights campaigner, Google claimed that he must go to California, the heartland of the Silicon revolution, if he wanted to pursue legal action against the firm, to which he responded, “It is disappointing that they are trying to hide behind procedural and jurisdictional issues rather than being held to account for their actions.”

Google told the BBC that these legal proceedings are “not new” and that they “have defended similar cases before.” Google has stated that it does not believe the case has any merit and that it intends to contest it.

While there is no precedent in the UK for such massive action against Google, in the US Google has settled two large-scale litigation cases out of court. Regarding the same activity, the tech company agreed to pay a record $22.5m (£16.8m) in a case brought by the US Federal Trade Commission in 2012. It also made out-of-court settlements with a small number of British consumers.

According to the BBC, the case will probably be heard in the High Court in Spring 2018, a month or so prior to the enforcement of the GDPR.


Morrisons found liable for employee data breach

Morrisons workers brought a claim against the supermarket after a former member of staff, senior internal auditor Andrew Skelton (imprisoned as a result of his actions) stole and posted online confidential data (including salary and bank details) about nearly 100,000 employees.

In an historic High Court ruling, the supermarket has been found liable for Skelton’s actions, which means that those affected may claim compensation for the “upset and distress” caused.

The case is the first data leak class action in the UK. Morrisons has said it will appeal the decision.


Facebook claims European data protection standards will not allow for their pattern-recognition “suicide alert tool” to be usable in EU.


Facebook blames GDPR for its plans to withhold Suicide Prevention software from EU

Facebook’s decision to deny EU countries a pattern-recognition tool to alert authorities to users possibly suffering from depression or suicidal thoughts has been criticised as a move to undermine the upcoming tightening of EU-wide data protection standards, enshrined in the General Data Protection Regulation (GDPR).

Facebook has argued that their Artificial Intelligence (AI) programme which scans the social media network for troubling comments and posts that might indicate suicidal ideation will not be employed in EU countries on the grounds that European policy-makers and the public at large are too sensitive about privacy issues to allow site-wide scanning.

In a blogpost, Facebook’s VP of Product Management stated, “we are starting to roll out artificial intelligence outside the US to help identify when someone might be expressing thoughts of suicide, including on Facebook Live. This will eventually be available worldwide, except the EU.”

Tim Turner, a data consultant based in Manchester, has suggested that the move might be “a shot across the EU’s bows […] Facebook perhaps wants to undermine the GDPR — which doesn’t change many of the legal challenges significantly for this — and they’re using this as a method to do so.”

Mr Turner continues, “nobody could argue with wanting to save lives, and it could be a way of watering down legislation that is a challenge to Facebook’s data hungry business model. Without details of what they think the legal problems are with this, I’m not sure they deserve the benefit of the doubt.”

Written by Harry Smithson, 1st December 2017


Weekly Roundup: lack of data protection budgeting among UK businesses; international resolution to secure transparency among subcontractors; fine for ex-council worker

1 in 5 UK businesses have no data protection budget – compared to 4 in 5 local authorities 


A report by international email management company Mimecast states that a fifth of surveyed UK businesses do not have a specific budget dedicated to information security or data protection – a source of great concern ahead of the stringent General Data Protection Regulation (GDPR) in May 2018.


Over 80% of councils were found to have no funding towards meeting mandatory GDPR requirements

This reinforces the concerns over the information provided in response to a FOI request by M-Files Corporation in July, which found that four out of five councils had, at that time, yet to allocate funding towards meeting the new requirements of the GDPR. That research also found that 56% of local authorities contacted had still not appointed a data protection officer despite this being mandated by GDPR.

That such a substantial proportion of businesses have no explicit budgetary or financial commitment to combatting cybercrime and personal data abuse may be particularly unwelcome news to proponents and enforcers of the new GDPR. The Information Commissioner’s Office, the independent data protection authority, has been working hard over the last year to publicise and prepare British organisations for the impending legislation.

The lack of data protection budgeting is compounded by Mimecast’s findings that many UK businesses may not be monitoring their data efficiently. For instance, 15% of the surveyed organisations stated that they did not know whether they had suffered a data loss incident during the last year or not. 27% blamed human error for previous losses, which would indicate that a large number of organisations will need to start taking employee data protection and handling training much more seriously.

44% of the surveyed organisations suspect that their email system contains sensitive personal information as defined under the GDPR, but only 17% of them believed that this information could be retrieved immediately. The average number of hours it would take British organisations to track down sensitive personal information was calculated as eight.

The report suggests that a significant number of organisations are very underprepared for the increased responsibility and accountability demanded by the GDPR. For help and information on preparing for the GDPR, see the Data Compliant main site.

10th International Conference of Information Commissioners (ICIC 2017) resolves to tackle difficulties of access to information on outsourced public services

The Information Commissioner’s Office (ICO) has confirmed a resolution on international action for improving access to information frameworks surrounding contracted-out public services, a system which has seen increased use throughout Europe, and rapid growth in the UK since 2010.

Challenges have been arising for a couple of decades concerning the transparency of information about the “new modes of delivery for public services.” This is often because the analysis of the efficacy of subcontracted services can be rendered difficult when, due to the principle of competition in the private sector, certain information – particularly regarding the production process of public services – can escape public scrutiny on the grounds of the protection of commercial confidentiality.

The International Conference, jointly hosted by Information Commissioner Elizabeth Denham and Acting Scottish Information Commissioner Margaret Keyse, was attended by Commissioners of 39 jurisdictions from 30 countries and seven continents. The resolution was passed in Manchester on 21st September following dialogue with civil society groups.

The resolution highlights the “challenge of scrutinising public expenditure and the performance of services provided by outsourced contractors” and “the impact on important democratic values such as accountability and transparency and the wider pursuit of the public interest.”

The Conference summarised that the first step to be taken would be the promotion of “global open contracting standards,” presumably as a means of garnering consensus on the importance of transparency in this regard for the benefit of the public, researchers and policy-makers. A conference working group is to be formed to “share practice about different initiatives that have been developed to tackle the issue.”

The event lasted two days and ran with the title: ‘Trust, transparency and progressive information rights.’ Contributions were heard from academics, journalists, freedom of information campaigners and regulators.

Access to information on the grounds of individual rights and the safeguarding of public interests will be strengthened by the provisions of the GDPR. This resolution provides a reminder and opportunity for organisations working as subcontractors to review the ways in which they store and handle data. Transparency and accountability, no longer considered in any way contradictory, are key watchwords for the clutch of data protection reforms taking place throughout the world. Many organisations would do well to assess whether they are in a position to meet the standards of good governance and best practice regarding data management, which will soon become a benchmark for consumer trust.

Ex-employee of Leicester City Council fined for stealing vulnerable people’s personal information

The ICO has confirmed the prosecution of an ex-council worker for unlawfully obtaining the personal information of service users of Leicester City Council’s Adult Social Care Department.


Personal data, including medical conditions, care and financial records were “unlawfully” obtained by an ex-council worker

The ex-council worker took the personal details of vulnerable people without his employer’s consent, in breach of the current Data Protection Act 1998. Before leaving the council, he sent 34 emails containing the personal information of 349 individuals, including sensitive personal data such as medical conditions, care and financial details and records of debt, to a private email address.

The ICO’s Head of Enforcement Steve Eckersley stated, “Employees need to understand the consequences of taking people’s personal information with them when they leave a job role. It’s illegal and when you’re caught, you will be prosecuted.”


Harry Smithson, 29th September 2017


Data Protection Weekly Roundup: GDPR exemption appeals, gambling industry exploitation scandal, cyber attacks and data breaches

Corporate pensions company Scottish Widows to lobby for specific exemptions from the General Data Protection Regulation ahead of EU initiative’s May 2018 introduction.


Scottish Widows seeks derogations in relation to communicating with its customers in order to “bring people to better outcomes.”

The Lloyds Banking Group subsidiary Scottish Widows, the 202-year-old life, pensions and investment company based in Edinburgh, has called for derogations from the GDPR.

A great deal has been written across the Internet about the impending GDPR, and much of the information available is contradictory. In fact many organisations and companies have been at pains to work out what exactly will be expected of them come May 2018. While it is true that the GDPR will substantially increase policy enforcers’ remits for penalising breaches of data protection law, the decontextualized figure of monetary penalties reaching €20 million or 4% of annual global turnover – while accurate in severe cases – has become something of a tub-thump for critics of the regulation.

Nevertheless, the GDPR is the most ambitious and widescale attempt to secure individual privacy rights in a proliferating global information economy to date, and organisations should be preparing for compliance. But the tangible benefits from consumer and investor trust provided by data compliance should always be kept in sight. There is more information about the GDPR on this blog and the Data Compliant main site.

Certain sectors will feel the effects of GDPR – in terms of the scale of work to prepare for compliance – more than others. It is perhaps understandable, therefore, why Scottish Widows, whose pension schemes may often be supplemented by semi-regular advice and contact, would seek derogations from the GDPR’s tightened conditions for proving consent to specific types of communications. Since the manner in which consent to communicate with their customers was acquired by Scottish Widows will not be recognised under the new laws, the company points out that “in future we will not be able to speak to old customers we are currently allowed to speak to.”

Scottish Widows’ head of policy, pensions and investments Peter Glancy’s central claim is that “GDPR means we can’t do a lot of things that you might want to be able to do to bring people to better outcomes.”

Article 23 of the GDPR enables legislators to provide derogations in certain circumstances. The Home Office and Department of Health for instance have specific derogations so as not to interfere with the safeguarding of public health and security. Scottish Widows cite the Treasury’s and DWP’s encouragement of increased pension savings, and so it may well be that the company plans to lobby for specific exemptions on the grounds that, as it stands, the GDPR may put pressure on the safeguarding of the public’s “economic or financial interests.”

Profiling low income workers and vulnerable people for marketing purposes in gambling industry provokes outrage and renewed calls for reform.


The ICO penalised charities for “wealth profiling”. Gambling companies are also “wealth profiling” in reverse – to target people on low incomes who can ill afford to play

If doubts remain that the systematic misuse of personal data demands tougher data protection regulations, these may be dispelled by revelations that the gambling industry has been using third party affiliates to harvest data so that online casinos and bookmakers can target people on low incomes and former betting addicts.

An increase in the cost of gambling ads has prompted the industry to adopt more aggressive marketing and profiling with the use of data analysis. An investigation by the Guardian including interviews with industry and ex-industry insiders describes a system whereby data providers or ‘data houses’ collect information on age, income, debt, credit information and insurance details. This information is then passed on to betting affiliates, who in turn refer customers to online bookmakers for a fee. This helps the affiliates and the gambling firms tailor their marketing to people on low incomes, who, according to a digital marketer, “were among the most successfully targeted segments.”

The data is procured through various prize and raffle sites that prompt participants to divulge personal information after lengthy terms and conditions which marketers in the industry suspect serve only to obscure from many users how and where the data will be transferred and used.

This practice, which enables ex-addicts to be tempted back into gambling by the offer of free bets, has been described as extremely effective. In November last year, the Information Commissioner’s Office (ICO) targeted more than 400 companies after allegations the betting industry was sending spam texts (a misuse of personal data). But it is not mentioned that any official measures were taken after the investigations, which might have included such actions as a fine of £500,000 under the current regulations. Gambling companies are regulated by the slightly separate Gambling Commission, who seek to ensure responsible marketing and practice. But under the GDPR it may well be that the ICO would have licence to take a much stronger stance against the industry’s entrenched abuse of personal information to encourage problem gambling.

Latest ransomware attack on health institution affects Scottish health board, NHS Lanarkshire.

According to the board, a new variant of the malware BitPaymer, different to the infamous global WannaCry malware, infected its network and led to some appointment and procedure cancellations. Investigations are ongoing into how the malware managed to infect the system without detection.

Complete defence against ransomware attacks is problematic for the NHS because certain vital life-saving machinery and equipment could be disturbed or rendered dysfunctional if the NHS network is changed too dramatically (i.e. tweaked to improve anti-virus protection).

A spokesman for the board’s IT department told the BBC, “Our security software and systems were up to date with the latest signature files, but as this was a new malware variant the latest security software was unable to detect it. Following analysis of the malware our security providers issued an updated signature so that this variant can now be detected and blocked.”

Catching the hackers in the act


Attacks on newly-set up online servers start within just over one hour, and are then subjected to “constant” assault.

According to an experiment conducted by the BBC, cyber-criminals start attacking newly set-up online servers about an hour after they are switched on.

The BBC asked a security company, Cybereason, to carry out an experiment to judge the scale and calibre of cyber-attacks that firms face every day. A “honeypot” was set up in which servers were given real, public IP addresses and other identifying information that announced their online presence; each was configured to resemble, superficially at least, a legitimate server. Each server could accept requests for webpages, file transfers and secure networking, and was accessible online for about 170 hours.

They found that automated attack tools scanned such servers about 71 minutes after they were set up online, trying to find areas they could exploit. Once the machines had been found by the bots, they were subjected to a “constant” assault by the attack tools.

Vulnerable people’s personal information exposed online for five years


Vulnerable customers’ personal data needs significant care to protect the individuals and their homes from harm

Nottinghamshire County Council has been fined £70,000 by the Information Commissioner’s Office for posting genders, addresses, postcodes and care needs of elderly and disabled people in an online directory – without basic security or access restrictions such as a basic login requiring username or password. The data also included details of the individuals’ care needs, the number of home visits per day and whether they were or had been in hospital. Though names were not included on the portal, it would have taken very little effort to identify the individuals from their addresses and genders.

This breach was discovered when a member of the public was able to access and view the data without any need to log in, and was concerned that it could enable criminals to target vulnerable people – especially as such criminals would be aware that the home would be empty if the occupant was in hospital.

The ICO’s Head of Enforcement, Steve Eckersley, stated that there was no good reason for the council to have overlooked the need to put robust measures in place to protect the data – the council had financial and staffing resources available. He described the breach as “serious and prolonged” and “totally unacceptable and inexcusable.”

The “Home Care Allocation System” (HCAS) online portal was launched in July 2011, to allow social care providers to confirm that they had capacity to support a particular service user. The breach was reported in June 2016, and by this time the HCAS system contained a directory of 81 service users. It is understood that the data of 3,000 people had been posted in the five years the system was online.

Not surprisingly, the Council offered no mitigation to the ICO. This is a typical example of where a Data Privacy Impact Assessment will be mandated under GDPR.

Harry Smithson, 6th September 2017

Data Protection Weekly Round-up: New Data Protection Bill; the impact of Brexit; £150k fines for failure to apply TPS

This week there’s been much in the media about the UK’s upcoming new Data Protection Bill. Unfortunately some of the reporting has been unclear, providing very woolly information on some of the new rights of individuals and the circumstances in which they do – or do not – apply. Nonetheless, the main story is that the Data Protection Act will be replaced and that the replacement will include the requirements of the EU’s General Data Protection Regulation (GDPR).

In other news, the ICO has taken further action against companies who fail to follow the current Data Protection Act and PECR regulations. This week the spotlight falls on companies who fail to screen their call lists against TPS. This illegal behaviour has resulted in fines of £150,000 for the week.

Data Protection Bill set to be read out in Parliament in September


As promised in the Queen’s Speech, GDPR will become part of the UK’s new data protection law. The process begins next month in Parliament.

The government has said that it plans to give the Data Protection Bill, announced in the Queen’s speech in June, an airing in Parliament at some point next month. This has been confirmed by the Department for Digital, Culture, Media and Sport (which continues to be officially abbreviated as DCMS, despite the recent addition of ‘Digital’).

The new Bill will replace the existing Data Protection Act 1998 and one of its chief aims is to implement the EU-wide General Data Protection Regulation (GDPR). The UK must adhere to GDPR during its time as a member state and almost certainly beyond – albeit under different legal provisions. The manner in which this EU initiative could apply in the UK after a finalised Brexit is discussed in the next story.

This first reading of the Bill next month is largely a formality. It gives lawmakers, consultants and interested parties a chance to inform themselves and gather the information they need before a second reading takes place, during which a parliamentary debate is properly staged.

Last month, Germany became the first EU member state to approve its data protection legislation meeting the requirements of GDPR – the German Federal Data Protection Act (‘Bundesdatenschutzgesetz’).

House of Lords publishes a report on the EU data protection package

Responding to the government’s plans outlined in a White Paper on The United Kingdom’s exit from and new partnership with the European Union, the House of Lords has reviewed various options regarding the data protection policy aspect of this new relationship in a report published on 18th July.

Since the government has stated that it wants to “maintain unhindered and uninterrupted data flows with the EU post-Brexit,” the House of Lords has assessed this commitment with a view to providing a more detailed set of practical objectives.


For the UK to continue trading with EU citizens post-Brexit, GDPR or its equivalent will need to apply.

The report summarises that the UK has two feasible options if it wants to continue uninterrupted data flow with the EU, which is now a lynchpin in our service-driven economy. There will be a transitional period of adopting the General Data Protection Regulation (GDPR) and the Police and Criminal Justice Directive (PCJ) while the UK remains an EU Member State, regulations which the government plans to implement with the aforementioned new Data Protection Bill. But the report states that after Brexit, the UK will either have to pursue an ‘adequacy decision’ from the European Commission, “certifying that [the UK] provides a standard of protection which is ‘essentially equivalent’ to EU data protection standards,” or else individual data controllers will have to implement their own data protection safeguards, which would “include tools such as Standard Contractual Clauses, and Binding Corporate Rules.”

The report favours the former, that is, adequacy decisions conferred to the UK as a third state in its relation to the EU, provided under Articles 45 and 36 of the GDPR and PCJ respectively. The report states that the Lords were “persuaded by the Information Commissioner’s view that the UK is so heavily integrated with the EU – three quarters of the UK’s cross-border data flows are with EU countries – that it would be difficult for the UK to get by without an adequacy arrangement.”

The report concludes that there is no prospect of a clean break, since the UK will have to continue to update its domestic data protection policies to remain aligned to the standards of EU data protection in the event of changing regulations – that is, if the UK wants the seamless transfer of data with EU countries that is regarded as crucial to the digital economy and the UK’s competitive position in the modern globalised market.

Information Commissioner’s Office (ICO) levies £150,000 of fines for nuisance calls

The ICO has issued official warnings, “reminding companies making direct marketing calls that people registered with the Telephone Preference Service are ‘off-limits,’” after two Bradford-based firms were fined a total of £150,000 for flouting this preference.

Calling consumers without consent is illegal unless you run the files against TPS.

HPAS Ltd (t/a Safestyle UK) and Laura Anderson Ltd (t/a Virgo Home Improvements) have been fined £70,000 and £80,000 respectively for making illegal nuisance calls to people on the TPS register. Both firms have been issued enforcement notices and will face court action if the practice continues.

The ICO received 264 complaints about Virgo over 20 months (despite repeated warnings and formal monitoring), and 440 complaints about the latter in 19 months. Virgo Home Improvements had already been fined £33,000 just over a year ago, bringing their total fines for making nuisance calls up to £113,000.

One complaint about Safestyle quoted by the ICO read, “this harassment has been going on for over five years now. I want it to stop.” Members of the public are becoming increasingly aware of data protection policy, and the prospect of new legislation that will crack down on aggravating breaches such as these will be welcomed by many.

Written by Harry Smithson, 8th August 2017

http://www.datacompliant.co.uk

Data Protection Weekly Round-up: PECR breaches, ransomware research and Facebook on security

Two large corporations fined for PECR breaches; Google study reveals ransomware profits, and Facebook urges people-led changes to security methodology

In the blog below, you’ll note how the Information Commissioner’s Office is taking a hard-line approach to PECR. If an organisation uses electronic channels to re-permission its database in time for GDPR enforcement in May 2018, it must comply with PECR. Moneysupermarket.com is the latest in a series of big names to fall foul of email regulations.

You’ll also see an analysis of ransomware profitability, which helps explain its continued growth; the final story summarises Facebook’s views on data security.

The ICO issues fines amounting to £160,000 for Provident Personal Credit and Moneysupermarket.com

The Information Commissioner’s Office has issued civil monetary penalties of £80,000 each for Provident Personal Credit, a Bradford-based sub-prime lender, and Moneysupermarket.com, a leading brand comparison site, on the 17th and 20th of July respectively. In both cases the fine was for breaching the Privacy and Electronic Communications Regulations (PECR).


Unsolicited texts annoy prospects and customers

Quick-loan credit firm Provident Personal Credit, a brand operated by Provident Financial, was fined £80,000 for sending out nearly 1 million nuisance text messages in the space of 6 months.

The company employed a third party affiliate to send the unsolicited marketing for loans provided by a sister brand, Satsuma Loans.

Text messages may not be sent if the recipients have not consented to receiving marketing texts, so this activity was in breach of PECR.


Beware of sending “service” emails which are actually “marketing” emails

A few days later, the price and brand comparison website Moneysupermarket.com was fined for sending 7.1 million emails over 10 days updating customers with its Terms and Conditions, despite these customers having explicitly opted out of receiving this type of email. This offence is almost identical to the breaches for which Morrisons, Honda and Flybe were fined last month.

One of the key problems was the section “Preference Centre Update” which said: “We hold an e-mail address for you which means we could be sending you personalised news, products and promotions. You’ve told us in the past you prefer not to receive these. If you’d like to reconsider, simply click the following link to start receiving our e-mails.”

In a previous blog, we explained the ambiguity between ‘service’ emails and ‘marketing’ emails, and how communicating marketing content to individuals who have opted out, even implicitly, breaches the regulations (which will only get stricter after the General Data Protection Regulation comes into force in May 2018).

Google research leads to fears of proliferating ransomware


Ransomware encrypts victims’ files and demands payment in exchange for the decryption key. Paying does not guarantee that the files will be recovered.

Research carried out by Elie Bursztein, Kylie McRoberts and Luca Invernizzi from Google has found that cyber-thieves have made $25m (£19m) in the last two years through the use of ransomware. The research suggests that this type of malware regularly makes more than $1m (£761,500) for its creators.

The two strains of ransomware that have seen the most success are ‘Locky’ and ‘Cerber,’ which have collected $7.8m (£5.9m) and $6.9m (£5.2m) respectively. But fears have arisen that, because ransomware is so profitable, new and more aggressive variants will emerge amid the increasingly competitive and “fast-moving” market for cybercrime tooling. Mr Bursztein warns that ‘SamSam’ and ‘Spora’ are variants that seem to be gaining traction.

The research collected reports from victims of ransomware but also from an experiment wherein thousands of ‘synthetic’ virtual victims were created online. Mr Bursztein and his colleagues then monitored the network traffic generated by these fake victims to study the movement of money. More than 95% of Bitcoin payments (the preferred currency for ransom payments) were cashed out via Russia’s BTC-e exchange.

The lucrative nature of ransomware has led the Google researchers to conclude that it is “here to stay” and may well proliferate among the many syndicates and crime networks around the world. At a talk at the Black Hat conference, one of the world’s largest information security events, Mr Bursztein warned, “it’s no longer a game reserved for tech-savvy criminals, it’s for almost anyone.”

Facebook’s security boss argues that the industry should change its approach


Hitting the data security balance: user issues vs. tech solutions

At a talk at this year’s Black Hat, Facebook’s Chief Information Security Officer, Alex Stamos, criticised the information security industry for prioritising technology over people.

Advocating a ‘people-centric’ approach to information security, Mr Stamos stated his belief that most security professionals were too focused on complex ‘stunt’ hacks involving large corporations and state organisations, and tended to ignore problems that the majority of technology users face.

He told the attendees, “we have perfected the art of finding problems without fixing real-world issues. We focus too much on complexity, not harm.”

He explained that most Facebook users are not being targeted by spies or nation states, and that their loss of control over their information stems from simple causes with simple solutions, in which, he claims, the security industry takes no interest. He criticised the industry in general for lacking ‘empathy’ with less tech-savvy people, citing the view often expressed by security professionals that there would be fewer breaches and data losses if only people were perfect.

He used the example of the widespread criticism from cyber experts that the security team for Facebook subsidiary WhatsApp faced after their decision to roll out ‘end-to-end’ encryption in the popular messaging app, which some claimed sacrificed security for the sake of usability. No such sacrifice materialised, but Mr Stamos was keen to emphasise that it simply did not occur to many security experts that usability was worth pursuing at all.

Mr Stamos advocated diversifying the industry by working with less technically minded people who can empathise with the imperfections of ordinary users, thus helping to develop more straightforward tools and services that would benefit a larger number of people.

Facebook has also committed half a million dollars to fund a new project to secure election campaigns from cyber-attack. The initiative will be run by the Belfer Center for Science and International Affairs, a think-tank affiliated to Harvard University. This is timely, given the cyber-attack on French President Emmanuel Macron’s recent election campaign, and the Russian hack of the Democratic National Committee during the US elections last year.

If you have any data privacy compliance, governance or security concerns which you’d like to discuss with Data Compliant, please email dc@datacompliant.co.uk.

Harry Smithson   20th July 2017

Data Compliant’s Weekly Roundup: NHS Trust breaches DPA, Wetherspoons delete entire customer database, & more

The ICO censures NHS Trust for breaching data protection law

In light of the Royal Free NHS Trust’s mishandling of 1.6 million patients’ information for research and innovation purposes, the Information Commissioner’s Office (ICO) has asked the Trust to sign a four-point undertaking to ensure future compliance with data protection law. This requires them to:

  • establish a proper legal basis under the Data Protection Act for the Google DeepMind project and for any future trials;
  • set out how it will comply with its duty of confidence to patients in any future trial involving personal data;
  • complete a privacy impact assessment, including specific steps to ensure transparency
  • commission an audit of the trial, the results of which will be shared with the Information Commissioner

The Royal Free worked with ‘DeepMind,’ Google’s recently acquired artificial intelligence technology, to develop an ‘alert, detection and diagnosis system.’ The hospital provided details of 1.6 million patients to the DeepMind division with a view to creating an app called ‘Streams’ that helps doctors detect patients at risk of acute kidney injury (AKI). The patients had not given their consent to this, and indeed did not know that their information was being shared in this way.

DeepMind is a Google-owned artificial intelligence company whose ‘self-taught’ machine-learning software is used to process data and find solutions to problems that would otherwise require massive amounts of human learning and labour.

Elizabeth Denham, the Information Commissioner, stated:

“There’s no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights.”

Wetherspoons notifies email subscribers that they will be ceasing email correspondence

In a measure anticipating the General Data Protection Regulation (GDPR) coming into force next year, the popular pub chain J. D. Wetherspoon will be deleting its entire customer email database.

This may also be in response to a data breach in 2015 in which over 650,000 of the company’s customer email addresses were affected.

This ‘unexpected’ news came as Wetherspoons customers received an email on the 23rd of last month explaining:

“I’m writing to inform you that we will no longer be sending our monthly customer newsletters by e-mail.

Many companies use e-mail to promote themselves, but we don’t want to take this approach – which many consider intrusive.

Our database of customers’ email addresses, including yours, will be securely deleted.”

We reported on this blog last month the fines that the ICO issued for illegal marketing offences by Morrisons, Flybe and Honda. It would seem that these high-profile cases are beginning to influence how major companies respond not only to the imminent tightening of regulations under the GDPR, but also to increasing public awareness of data protection law.

The NCC Group has estimated that the fines the ICO issued in 2016 would have totalled £69m, rather than the actual £880,500, had the GDPR been in force. That scale of exposure helps to explain Wetherspoon’s decision: data that is not held cannot be breached or fined.

A Wetherspoons spokesperson told Wired.com:

“We felt, on balance, that we would rather not hold even email addresses for customers. The less customer information we have, which now is almost none, then the less risk associated with data.”

The Government Digital Service (GDS) makes users change passwords after security breach

The GDS-run data.gov.uk website, which allows registered users to find data published by government departments and agencies, public bodies and authorities, has asked its users to change their passwords after a publicly accessible database of usernames and email addresses was discovered during a security scan.

The Information Commissioner’s Office has been notified but is yet to make an official statement on the matter.

A GDS spokeswoman told the BBC that only data.gov.uk accounts were affected, not accounts associated with any other government website. She went on to explain that only email addresses, usernames and ‘hashed’ passwords, i.e. passwords that have been scrambled, had become accessible, and not personal information such as names and addresses. Hashed passwords are less useful to cyber-criminals than plaintext ones, but how much less depends on the hashing scheme: a fast, unsalted hash such as MD5 or SHA-1 can be cracked offline against a wordlist in bulk, whereas a salted, deliberately slow scheme such as PBKDF2, bcrypt or scrypt forces the attacker to pay the full cost for every guess against every user.

However, as a precaution, registered users will have to change their password when they next log in, and have been advised to change their password on any other website or service where they used the same one as on data.gov.uk.
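To show why “the passwords were hashed” is only partial reassurance, here is an added example, written for this post and not code from GDS or data.gov.uk, that runs the same small wordlist attack against two storage schemes: unsalted SHA-1, and salted PBKDF2-HMAC-SHA256 with a work factor. The three accounts, the passwords and the wordlist are constructed for the illustration; the 100,000-iteration work factor is an assumed value, not a recommendation for any particular system.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data (not from data.gov.uk): three accounts, two of which
# reuse the same password, as happens in any real user base.
USERS = {"alice": "Summer2017!", "bob": "password123", "carol": "password123"}

# A tiny "leaked password" wordlist standing in for the multi-million-entry
# lists attackers actually use. Constructed for the example.
WORDLIST = ["123456", "password", "password123", "letmein", "qwerty", "Summer2017!"]

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune upwards for real deployments


def store_unsalted_sha1(password: str) -> str:
    """The weak scheme: one fast hash, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted_sha1(records: dict, wordlist: list) -> tuple:
    """Attack on the weak scheme: hash each candidate once, then look every
    user up in the resulting table. Returns (recovered, hashes_computed)."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    recovered = {user: table[h] for user, h in records.items() if h in table}
    return recovered, len(wordlist)


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """The stronger scheme: per-user random salt and a deliberately slow
    derivation. Stored as alg$iterations$salt$hash so verification can
    recompute it without any server-side secret."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute the derivation from the stored parameters and compare."""
    _alg, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison so a login endpoint does not leak a timing oracle
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2(records: dict, wordlist: list) -> tuple:
    """Same wordlist against the stronger scheme. The salt rules out a shared
    lookup table, so every (user, candidate) pair costs a full derivation.
    Returns (recovered, derivations_computed)."""
    recovered, derivations = {}, 0
    for user, stored in records.items():
        for candidate in wordlist:
            derivations += 1
            if verify_pbkdf2(candidate, stored):
                recovered[user] = candidate
                break
    return recovered, derivations


def compare_schemes(users: dict = USERS, wordlist: list = WORDLIST) -> dict:
    """Run both attacks over the same sample and report what each scheme leaks."""
    weak = {u: store_unsalted_sha1(p) for u, p in users.items()}
    strong = {u: store_pbkdf2(p) for u, p in users.items()}

    weak_found, weak_work = crack_unsalted_sha1(weak, wordlist)
    strong_found, strong_work = crack_pbkdf2(strong, wordlist)

    return {
        # unsalted: identical passwords give identical hashes, visible before any cracking
        "weak_duplicates_visible": weak["bob"] == weak["carol"],
        "strong_duplicates_visible": strong["bob"] == strong["carol"],
        "weak_recovered": weak_found,
        "strong_recovered": strong_found,
        "weak_hashes_computed": weak_work,
        # count underlying hash iterations so the cost of the two attacks is comparable
        "strong_hash_iterations": strong_work * PBKDF2_ITERATIONS,
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

Against this deliberately weak wordlist both schemes give up all three passwords, which is the honest lesson: salting and a work factor do not rescue a password that is on the attacker’s list. What they change is the economics (six SHA-1 computations for the whole table on one side, well over a million hash iterations on the other, multiplied again by every extra user and candidate) and what the leak reveals before any cracking starts (with no salt, the database itself shows that bob and carol share a password). That is why the advice to change a reused password elsewhere still applies even when the operator says the passwords were hashed.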

There is no evidence yet to suggest that this breach has been exploited in any way.

Cyber-criminals often send emails to victims of a data breach, masquerading as service emails, in order to tease out more information, so web users ought to be careful in these circumstances and look out for phishing emails in their inboxes.

The ICO announces fines issued to 13 charities for failing to follow data protection rules

The ICO announced this week fines that the authority issued in April after a series of investigations taking place since 2015 uncovered 13 charities’ misuse of personal information.

The ICO’s online statement highlights fines ranging from £6,000 for Oxfam, for processing information about individuals without their consent, to £18,000 for the International Fund for Animal Welfare, for numerous breaches of data protection law including the sharing of donor information with other charities.

Government department changes name: DCMS becomes DDCMS

The government has announced that the former Department for Culture, Media and Sport (DCMS) will now be the Department for Digital, Culture, Media and Sport (DDCMS). This reflects the government’s commitment to preparing for an increasingly digitalised world.

However, the department will still be known as the DCMS in all communications.

A government statement outlines the change:

“In a move that acknowledges the way the Department’s remit has evolved, the Prime Minister and Culture Secretary Karen Bradley have agreed a departmental name change. The Department will continue to be referred to as DCMS in all communications, but is now the department for Digital, Culture, Media and Sport.”


Harry Smithson 7th July 2017


Weekly Roundup: Global Cyber-Attack, Google Scan Emails, Political Party Under Investigation, Nuisance Calls Fine

Malware outbreak in 64 countries, Google scrap email scans, and the Conservative Party face ‘serious allegations’

Global cyber-attack disrupts companies in 64 countries

A compromised update to the Ukrainian accountancy software ‘MEDoc’ is suspected to be the medium of a cyber-attack on companies ranging from British ad agency WPP to a Cadbury factory in Tasmania, with many European and American firms reporting disruption to services. Banks in Ukraine, Russian oil giant Rosneft, shipping giant Maersk, a Rotterdam port operator, Dutch global parcel service TNT and US law firm DLA Piper were among those left unable to process orders, or facing outright shutdown of their computer systems.

Described by Microsoft as part of “a recent dangerous trend,” this attack comes just 6 weeks after the WannaCry attack that primarily affected NHS hospitals. Both attacks appear to make use of ‘EternalBlue,’ an exploit for a vulnerability in Windows’ SMBv1 file-sharing service, thought to have been developed by the NSA and leaked online by the Shadow Brokers group, although the NSA has not confirmed this. The NSA’s possible role in creating a tool that has become a template for political and criminal hackers alike has been described by security experts as “a nightmare scenario.” One caveat for defenders: patching against EternalBlue was not enough on its own this time, because the malware also spread inside networks using stolen administrator credentials and legitimate Windows administration tools, so fully patched machines on the same network were still hit.

A BBC report suggests that, given 80% of all instances of this malware were in Ukraine, and given that the email address provided for ‘ransom’ negotiations was shut down quickly, the attack could be politically motivated and aimed at Ukraine or at those who do business in Ukraine. Recent analysis suggests its purpose was to destroy data rather than to collect money.

The malware appears to have been channelled through the software’s automatic update system, according to security experts including Marcus Hutchins, the malware researcher credited with ending the WannaCry attack. The MEDoc update mechanism was a legitimate channel that customers’ machines were configured to trust; at some point that mechanism was compromised and used to deliver the malware into numerous companies’ computer systems. An update channel is only as trustworthy as the build pipeline and signing keys behind it, which is why a single vendor compromise reached so many otherwise unrelated organisations.


Google to stop scanning Gmail accounts for personalised marketing data

In a blog post published at the end of last week, Google confirmed that, by the end of the year, it will stop scanning Gmail users’ emails to gather data for personalised adverts. This will bring the consumer version of Gmail into line with the business edition.

Google had advertised their Gmail service by offering 1GB of ‘free’ webmail storage. However, it transpired that Google was paying for this offer by running these scans.

This recent change in tactic has been met with ‘qualified’ welcome by privacy campaigners. Executive director Dr Gus Hosein of Privacy International, the British charity who have been campaigning for regulators to intervene since they discovered the scans, stated:

When they first came up with the dangerous idea of monetising the content of our communications, Privacy International warned Google against setting the precedent of breaking the confidentiality of messages for the sake of additional income. […] Of course they can now take this decision after they have consolidated their position in the marketplace as the aggregator of nearly all the data on internet usage, aside from the other giant, Facebook.

Google faced a fairly substantial backlash on account of these scans when they were discovered, notably from Microsoft, with their series of critical ‘Gmail man’ adverts, depicting a man searching through people’s messages.

However, digital rights watchdog Big Brother Watch celebrated Google’s move, describing it as “absolutely a step in the right direction, let’s hope it encourages others to follow suit.”

UK Conservative Party under investigation for breaching data protection and election law

A Channel 4 News undercover investigation has provoked ‘serious allegations’ of data protection and election offences against the Conservative Party.

The investigation uncovered the party’s use of a market research firm based in Neath, South Wales, to make thousands of cold calls to voters in marginal seats ahead of this month’s election. Call centre staff followed a ‘market research’ script, but under scrutiny this script appears to canvass for specific local Conservative candidates, which would be a serious breach of election law.

Despite the Information Commissioner Elizabeth Denham’s written warnings to all major parties before the election campaign began, reminding them of data protection law and the illegality of such calls, the Conservatives are alleged to have operated through a market research company that does not appear to exist. This would constitute a breach separate from election law, and one that falls squarely within the Information Commissioner’s Office’s remit to investigate.

The ICO’s statement on 23rd June reads,

The investigation has uncovered what appear to be underhand and potentially unlawful practices at the centre, in calls made on behalf of the Conservative Party. These allegations include:

  • Paid canvassing on behalf of Conservative election candidates – banned under election law.
  • Political cold calling to prohibited numbers
  • Misleading calls claiming to be from an ‘independent market research company’ which does not apparently exist

MyHome Installations Ltd fined £50,000 for nuisance calls

Facing somewhat less public scrutiny and condemnation than the Conservative Party, Maidstone domestic security firm MyHome Installations has been issued a £50,000 fine by the ICO for making nuisance calls.

The people who received these calls had explicitly opted out of telephone marketing by registering their numbers with the Telephone Preference Service (TPS), the “UK’s official opt-out of telephone marketing.”

The ICO received 169 complaints from members of the public who’d received unwanted calls about electrical surveys and home security from MyHome Installations Ltd.

Harry Smithson 28 June 2017