Tag Archives: cyber security

Data Protection Weekly Round-up: PECR breaches, ransomware research and Facebook on security

Two large corporations fined for PECR breaches; Google study reveals ransomware profits, and Facebook urges people-led changes to security methodology

In the blog below, you’ll note how the Information Commissioner’s Office is taking a hard-line approach to PECR.  If an organisation uses electronic channels to re-permission its database in time for GDPR enforcement in May 2018, it must comply with PECR. Moneysupermarket.com is the latest in a series of big names to fall foul of email regulations.

You’ll also see an analysis of ransomware profitability, which helps explain its continued growth;   the final story summarises Facebook’s views on data security.

The ICO issues fines amounting to £160,000 for Provident Personal Credit and Moneysupermarket.com

The Information Commissioner’s Office has issued civil monetary penalties of £80,000 each for Provident Personal Credit, a Bradford-based sub-prime lender, and Moneysupermarket.com, a leading brand comparison site, on the 17th and 20th of July respectively. In both cases the fine was  for breaching the Privacy and Electronic Communications Regulation (PECR).

Text confused person

Unsolicited texts annoy prospects and customers 

Quick-loan credit firm Provident Personal Credit, a brand operated by Provident Financial, was fined £80,000 for sending out nearly 1 million nuisance text messages in the space of 6 months.

The company employed a third party affiliate to send the unsolicited marketing for loans provided by a sister brand, Satsuma Loans.

Text messages may not be sent if the recipients have not consented to receiving marketing texts, so this activity was in breach of PECR.

emails out of laptop

Beware of sending “service” emails which are actually “marketing” emails

A few days later, the price and brand comparison website Moneysupermarket.com was fined for sending 7.1 million emails over 10 days updating customers with its Terms and Conditions, despite these customers having explicitly opted-out of receiving this type of email. This offence is almost identical to the breaches for which Morrison’s, Honda and Flybe were fined last month.

One of the key problems was the section “Preference Centre Update” which said: “We hold an e-mail address for you which means we could be sending you personalised news, products and promotions. You’ve told us in the past you prefer not to receive these. If you’d like to reconsider, simply click the following link to start receiving our e-mails.”

In a previous blog, we explained the ambiguity between ‘service’ emails and ‘marketing’ emails when implicitly emailing or communicating marketing content to individuals who have opted out. This is in breach of regulations (which will only get stricter after the General Data Protection Legislation comes into force in May 2018).

Google research leads to fears of proliferating ransomware

ransomware 2

Ransomware encrypts and scrambles victims’ computerised files. The files will not be decrypted until after a ransom is paid

Research carried out by Elie Bursztein, Kylie McRoberts and Luca Invernizzi from Google has found that cyber-thieves have made $25m (£19m) in the last two years through the use of ransomware. The research suggests that this type of malware regularly makes more than $1m (£761,500) for its creators.

The two strains of ransomware that have seen the most success are ‘Locky’ and ‘Cerber,’ which have collected $7.8m (£5.9m) and $6.9m (£5.2) respectively. But fears have arisen that due to the profitability of ransomware, new and more expansive variants will emerge amid the increasingly competitive, aggressive and “fast-moving” market for cybercrime weaponry. Mr Burszstein warns that ‘SamSam’ and ‘Spora’ are variants that seem to be gaining traction.

The research collected reports from victims of ransomware but also from an experiment wherein thousands of ‘synthetic’ virtual victims were created online. Mr Bursztein and his colleagues then monitored the network traffic generated by these fake victims to study the movement of money. More than 95% of Bitcoin payments (the preferred currency for ransom payments) were cashed out via Russia’s BTC-e exchange.

The lucrative nature of ransomware has led the Google researchers to conclude that it is “here to stay” and may well proliferate among the many syndicates and crime networks around the world. At a talk at the Black Hat conference, one of the world’s largest information security events, Mr Bursztein warned, “it’s no longer a game reserved for tech-savvy criminals, it’s for almost anyone.”

Facebook’s security boss argues that the industry should change its approach

facebook

Hitting the data security balance: user issues vs. tech solutions 

At a talk at this year’s Black Hat, Facebook’s Chief Information Security Officer, Alex Stamos, has criticised the information security industry’s over-prioritisation of technology over people.

Advocating a ‘people-centric’ approach to information security, Mr Stamos stated his belief that most security professionals were too focused on complex ‘stunt’ hacks involving large corporations and state organisations, and tended to ignore problems that the majority of technology users face.

He told the attendees, “we have perfected the art of finding problems without fixing real-world issues. We focus too much on complexity, not harm.”

He explained that most Facebook users are not being targeted by spies or nation states, and that their loss of control over their information are from simple causes with simple solutions in which, he claims, the security industry takes no interest. He criticised the industry in general for lacking ‘empathy’ with less tech-savvy people, citing the often-expressed thought by security professionals that there would be fewer breaches and data losses if people were perfect.

He used the example of the widespread criticism from cyber experts that the security team for Facebook subsidiary Whatsapp faced after their decision to use ‘end-to-end’ encryption for the popular messaging app, which was heralded by some as sacrificing security for the sake of usability. Such a sacrifice did not manifest, but Mr Stamos was keen to emphasise the fact that it simply did not occur to security experts that usability was worth pursuing.

Mr Stamos advocated the diversification of the industry by working with less technically minded people who could empathise with the imperfections of tech-users, thus helping to develop more straightforward tools and services that would benefit a larger amount of people.

Facebook has also committed half a million dollars to fund a new project to secure election campaigns from cyber attack.  The initiative will be run by the Belfer Center for Science and International Affairs, a think-tank affiliated to Harvard University.  This is timely, given the scandals around the cyber- attack on French President Emmanuel Macron’s recent election campaign, and the Russian hack of the Democratic National Committee during the US elections last year.

If you have any data privacy compliance, governance or security concerns which you’d like to discuss with Data Compliant, please email dc@datacompliant.co.uk.

Harry Smithson   20th July 2017

Weekly Roundup: Global Cyber-Attack, Google Scan Emails, Political Party Under Investigation, Nuisance Calls Fine

Malware outbreak in 64 countries, Google scrap email scans, and the Conservative Party face ‘serious allegations’

Global cyber-attack disrupts companies in 64 countries

Corrupted Ukrainian accountancy software ‘MEDoc’ is suspected to be the medium of a cyberattack on companies ranging from British ad agency WPP to Tasmanian Cadbury’s factory, with many European and American firms reporting disruption to services. Banks in Ukraine, Russian oil giant Rosneft, shipping giant Maersk, a Rotterdam port operator, Dutch global parcel service TNT and US law firm DLA Piper were among those suffering inabilities to process orders or else general computer shutdowns.

Heralded as “a recent dangerous trend” by Microsoft, this attack comes just 6 weeks after the WannaCry attack primarily affecting NHS hospitals. Both attacks appear to make use of a Windows vulnerability called ‘Eternal Blue,’ thought to have been discovered by the NSA and leaked online – although the NSA has not confirmed this. The NSA’s possible use of this vulnerability, which has served to create a model for cyber-attacks for political and criminal hackers, has been described by security experts as “a nightmare scenario.”

A BBC report suggests that given 80% of all instances of this malware were in Ukraine, and that the provided email address for the ‘ransom’ closed down quickly, the attack could be politically motivated at Ukraine or those who do business in Ukraine. Recent announcements suggest it could be related to data not money.

The malware appears to have been channelled through the automatic update system, according to security experts including the malware expert credited with ending the WannaCry attack, Marcus Hutchins. The MEDoc software would have originally begun this process legitimately, but at some point the update system released the malware into numerous companies’ computer systems.

 

Google to stop scanning Gmail accounts for personalised marketing data

In a blog published at the end of last week, the tech firm Google have confirmed that they will stop scanning Gmail users’ emails for the sake of accruing data to be used in personalised adverts, by the end of the year. This will put the consumer version of Gmail in line with the business edition.

Google had advertised their Gmail service by offering 1GB of ‘free’ webmail storage. However, it transpired that Google was paying for this offer by running these scans.

This recent change in tactic has been met with ‘qualified’ welcome by privacy campaigners. Executive director Dr Gus Hosein of Privacy International, the British charity who have been campaigning for regulators to intervene since they discovered the scans, stated:

When they first came up with the dangerous idea of monetising the content of our communications, Privacy International warned Google against setting the precedent of breaking the confidentiality of messages for the sake of additional income. […] Of course they can now take this decision after they have consolidated their position in the marketplace as the aggregator of nearly all the data on internet usage, aside from the other giant, Facebook.

Google faced a fairly substantial backlash on account of these scans when they were discovered, notably from Microsoft, with their series of critical ‘Gmail man’ adverts, depicting a man searching through people’s messages.

However, digital rights watchdog Big Brother Watch celebrated Google’s move, describing it as “absolutely a step in the right direction, let’s hope it encourages others to follow suit.”

UK Conservative Party under investigation for breaching data protection and election law

A Channel 4 News undercover investigation has provoked ‘serious allegations’ of data protection and election offences against the Conservative Party.

The investigation uncovered the party’s use of a market research firm based in Neath, South Wales, to make thousands of cold calls to voters in marginal seats ahead of the election this month. Call centre staff followed a ‘market research’ script, but under scrutiny this script appears to canvass for specific local Conservative candidates – in a severe breach of election law.

Despite the information commissioner Elizabeth Denham’s written warnings to all major parties before the election began, reminding them of data protection law and the illegality of such telecommunications, the Conservatives operated a fake market research company. This constitutes a breach separate to election law, and mandates the Information Commissioner’s Office to investigate.

The ICO’s statement on 23rd June reads,

The investigation has uncovered what appear to be underhand and potentially unlawful practices at the centre, in calls made on behalf of the Conservative Party. These allegations include:

  • Paid canvassing on behalf of Conservative election candidates – banned under election law.
  • Political cold calling to prohibited numbers
  • Misleading calls claiming to be from an ‘independent market research company’ which does not apparently exist

MyHome Installations Ltd fined £50,000 for nuisance calls

Facing somewhat less public scrutiny and condemnation than the Conservative Party, Maidstone domestic security firm MyHome Installations has been issued a £50,000 fine by the ICO for making nuisance calls.

The people who received these calls had explicitly opted out of telephone marketing by registering their numbers with the Telephone Preference Service (TPS), the “UK’s official opt-out of telephone marketing.”

The ICO received 169 complaints from members of the public who’d received unwanted calls about electrical surveys and home security from MyHome Installations Ltd.

Harry Smithson 28 June 2017

Data Compliant’s Weekly Round Up

cowboy-round-up-cropped

This week has been a bit hectic when it comes to data breaches and news. We started off with Snoopers’ Charter being passed, then we heard that Deliveroo had been hacked and many of its customers had been paying for someone else’s dinner after passwords were stolen from another business.

We heard of yet another colossal hack – mobile network Three had been infiltrated by 3 hackers dotted all over the country now putting two thirds of the 9,000,000 Three customers at risk. The hackers accessed the upgrade system using an employee log in and were able to intercept the new phones before they reached the customers that the hackers had upgraded. Could this be an insider threat? Although Three can confirm no financial data was appropriated the information that was obtainable were things like names, telephone numbers, addresses and date of birth all of which is classed as personal data in accordance with the Data Protection Act. It’s all very handy data for criminals to steal someone’s identity.

Police are investigating Broxtowe Borough Council after an email containing allegations about someone’s conduct was sent to all staff members (730 people in total) in which they were told about in September. The ICO have said they are not going to take any action.

Hatchimals
Hatchimals are the latest craze with the kids these days and I bet they’re on everyone’s Christmas wish list. For those who don’t know what Hatchimals are, they’re Furby-like toys inside an egg that the child has to nurture until it hatches. Once hatched the toy will learn how to speak from it’s owner – so I’m told by my overly eager nephew. However due to these toys being so popular, scammers are out in force and are taking to social media to encourage loving parents to hand over more than double what these toys are going for. Once the scammers have got the money, the parents are then blocked and never hear from them again. Sometimes over £100 worse off. These toys are out of stock in every retailer that sells children’s toys in the UK so if there is an ad online, on social media, or in an email saying they’re still available and better yet – they’re on sale, don’t be fooled, if it’s too good to be true, it usually is.

Black Friday and Cyber Monday
I would imagine due to it being Black Friday this Friday (25th November) and cyber Monday on the 28th fake adverts and phishing emails are going to be on the rise this week and most of next week too. Although it is sad to think that hackers take to this time of year to steal from loving friends and family to earn themselves a bit of extra money, it does unfortunately happen every year. Now some of these hacks are easy to spot, it just takes a bit of common sense, however they are also getting more and more sophisticated and harder to recognise.

Last year UK consumers spent £2 billion in 24 hours online and in stores on Black Friday and £3.3billion over the whole weekend. Predictions this year are even higher than the last. So if you’re anything like me and are planning to get home from work, make yourself a cup of tea, put your feet up and do your Black Friday shopping online, here are some hints and tips for you to stay safe this weekend.

  • Make sure the websites you are visiting have https: at the front of the URL. The s actually stands for secure! Who knew?
  • If you receive any emails from your bank, paypal or anything asking you to confirm your payment details with a link to click on to do so, hover your mouse over the link to see what the URL is, if it isn’t the company’s name .com/.co.uk etc it’s a scam.
  • Look at the email address you receive an email from, is that the company’s name?
  • Use strong passwords, and different passwords for each log in (this is how many people got stung with Deliveroo as they used the same password for their account with them and with other websites and apps).
  • Read the websites privacy policy before handing over all of your sensitive information. These are legally binding and have to inform you of what the company plans to do with your data.

I could go on and on but these main 5 steps should keep you fairly safe this weekend. Don’t be put off by the minority of people who do wish to scam you into handing over all of your money. There are some good people (and even better bargains) out there, so happy shopping!

charlotte-seymour-2016
Written by Charlotte Seymour – 25th November 2016.

Data breaches … OUCH!

Alarming data breach statistics are shown in the latest survey from HM Government*, with costs increasing to prohibitive levels for businesses large and small.

Data Breach Costs

Data breach 2015 cost graphs and text

Think  a data breach can’t happen to you?  Think again …

data breach percentages graph 2012 to 2014

* All stats taken from 2015 Information Security Breaches Survey commissioned by HM Government – survey conducted by PwC in association with Infosecurity Europe

Protect your data …

Be Aware Be Secure

The protection of your company data must be of paramount importance to you, so please get in touch if you you would like to discuss the ever-changing issues surrounding data security and the steps you can take to keep your data safe.  Call 01787 277742 or email victoria@datacompliant.co.uk

Security and the Internet of Things

I was invited by ComputerScienceZone to share this fascinating infographic on my site – so here it is – a fascinating insight into the diversity and number of “things”, combined with the risks associated with the rapid growth and poor security.

Security-and-the-Internet-of-Things

Data Security – A Summary

Be SecureWhen we talk about data security what do we actually mean?

Data security means protecting data, such as database, from destructive forces and from the unwanted actions of unauthorised users.

In the UK, the Data Protection Act is used to ensure that personal data is accessible to those whom it concerns, and provides redress to individuals if there are inaccuracies. This is particularly important to ensure individuals are treated fairly, for example for credit checking purposes. The Data Protection Act states that only individuals and companies with legitimate and lawful reasons can process personal information and cannot be shared.

The international standard ISO 27001 covers data and information security. Information security is the practice of defending information from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical)

So what is Data Security? 

  • Data is any type of stored digital information.
  • Security is about the protection of assets.
  • Prevention is the measures taken to protect your assets from being damaged.
  • Detection is the measures taken to allow you to detect when an asset has been damaged, how it was damaged and who damaged it.
  • Reaction is the measures that allow you to recover your assets.
  • Confidentiality ensures that that data is only read by the intended recipients.
  • Integrity ensures that all of the data has not been corrupted from its original source.
  • Availability guarantees that the data is usable upon demand.
  • Accountability is audit information that is kept and protected so that security actions can be traced to the responsible party.

 Audit Standards

Data Security is subject to several types of audit standards and verification, the most common are ISO 27001, PCI, ITIL. Security Administrators are responsible for creating and enforcing a policy that conforms to the standards that apply to their business.

IT certification audits are generally carried out by 3rd parties although regular internal audits are recommended. Clients can also carry out audits before they begin doing business with a company to ensure that their clients data is secured to their standards.

Security Policy

A security policy is a comprehensive document that defines a company’s methods for prevention, detection, reaction, classification, accountability of data security practices and enforcement methods. It generally follows industry best practices as defined by ISO 27001, PCI, ITIL or a mix of them. The security policy is the key document in effective security practices. Once it has been defined it must be implemented and modified and include any exceptions that may need to be in place for business continuity. Most importantly all users need to be trained on these best practices with continuing education at regular intervals.

Securing data

Data needs to be classified in the security policy according to its sensitivity. Once this has taken place, the most sensitive data has extra measures in place to safeguard and ensure its integrity and availability.

All access to this sensitive data must be logged. Secure data is usually isolated from other stored data and it is important that controlling physical access to the data centre or area where the data is stored is implemented.

Active Directory for example is used by many companies and is a centralised authentication management system that is used to control and log access to any data on the system.

Encryption of the sensitive data is critical before transmission across public networks. The use of firewalls on all publicly facing WAN connections needs to be in place and also the deployment of VLANs’ to isolate sensitive departments from the rest of the network. It is important to shut down unused switch ports. If Wi-Fi is deployed then it is important to use authentication servers to verify and log the identity of those logging on. Finally the deployment of anti-virus and malicious software protection on all systems.

Monitoring

Sometimes you will be surprised what you can find by simply walking around and look for passwords in the open, unattended screens.

Ensure that Event Viewer and Log Files are maintained this provides the audit trail. An Intrusion Detection/ Protection systems (IDS/IPS) to monitor the network and system activities for malicious activities or policy violations. Set up SNMP monitoring servers to monitor and alert for everything as this will alert Administrators to everything from unusual bandwidth usage to hardware failure. It is key to know what’s going on with your systems and network.

Documentation is also important, detailed network maps should be available as these maps make it easier to spot security weak points and any flaws in the design that could impact the data security.

You should also consider a network scanner that probes devices to ensure that they are secure. A network scanner will probe and report old out of date software, open ports and the give details on any potential exposures. Networks scans should be scheduled on a regular basis.

Keep up to date and stay Informed

Review log files regularly of any publicly facing server to see what types of attacks are being run against your enterprise.

Trade publications discuss the latest threats and technologies keeps you updated on the latest attack trends. It is important to understand the technology stack that you are protecting and the technology that is used to attack it.

User Education

Something which tends to not be given the required level of importance is user education. All relevant security policies must be clearly explained to the end users. A clear explanation of the consequences for violating these polices must also be explained. The end user needs to sign a document acknowledging that they understand the policies and consequences for violating these policies. 

Enforcement

Any enforcement must obtain executive authority to enforce the business policies and procedures. This must be based on a systematic approach of warnings and punishments.

Tony Schiffman

The author, Tony Schiffman, is Data Security Director at Data Compliant.  If you have any concerns about your organisation’s data security or vulnerabilities and you’d like a chat, please call Tony on 01787 277742 or email dc@datacompliant.co.uk

Data Compliant Services

Services at December 2014

Data Security – Phishing

phishing

45% of phishing attacks are successful, according to Google’s December 2014 report.   Indeed, the infamous 2013 Target data breach was due to a successful spear phishing attack on one of the company’s suppliers. The reported cost to the business was a massive $162M plus additional expenses resulting from class action lawsuits and reputational damage.

Many data breaches are a direct result of the attacker using individuals or employees to access systems or data, and it’s worth noting that 58% of large organisations and a third of SMEs fall prey to staff-related data breaches (*UK 2014 Information Security Breaches Survey).

With that in mind, I thought it would be helpful to summarise some points to help recognise and deal with phishing emails.

What is phishing?

Phishing is a deceptive means of trying to acquire personal information such as your identity or data that you hold and access – for example your user name, passwords, credit card details, contact directories and so on.  Phishing is typically carried out by email or instant message, which may ask you to provide the data directly, or it may send you to a website or phone number where you will be asked to provide data.

Why Phishing Works

A phishing effort can be hard to recognise, particularly if it comes from a source that you are inclined to trust – for example a friend or colleague (who may have been phished themselves), or your bank, social media site, telephone provider etc.

  • Phishing emails are designed to look like real emails from real, sometimes large, reputable organisations.
  • They are likely to seem to come from an organisation or individual you know and would expect to hear from – for example your bank or building society, your insurer, a business with whom you are in regular contact, your social networking sites, an online auction site or even a friend whose email sits in your address book
  • They may look absolutely authentic, including using legitimate logos
  • They may well contain information that you would not expect a scammer to know – for example personal data (that they may, for example, have picked up from one of your social networking sites)
  • They may include links to websites which will require you to enter personal information – and that website may also look very similar to the legitimate website it is pretending to be.

How to spot a phishing email

There are ways to recognise and avoid being caught out by fraudulent emails or the links they contain.

  • Are you expecting the email you’ve just received? Any email which asks you for personal information or log in details or to verify your account must be treated with caution – most reputable companies will never ask for your personal details in an email
  • Don’t be pressured just because the email looks urgent
  • Beware of attachments – these may pretend to be an order summary or an invoice for immediate payment or a receipt or any manner of other things.  If you haven’t placed an order, or your bill is already paid, then be careful.   If in doubt, simply do not open the attachment.
  • Check the email’s spelling, grammar and formatting – if they’re not correct, treat the email as suspicious
  • Never respond to an email that asks you to update your credit card or payment details
  • Watch out for free giveaways with links to websites – it’s likely that such websites will attempt to embed a virus into your computer which allows them to  capture your keystrokes to get your login details or financial details such as your bank account

How to spot a phishing link?

Such links are likely to include all or part of the legitimate website address.

  • Be aware than any change to the legitimate address may lead to a false website – a spelling mistake, a missing letter – just one character’s difference can take you somewhere you just don’t want to go,
  • It is generally safer to go to the online website using your own bookmarks or by typing in the website address yourself
  • Where a website link is provided, it may be “masked” so that what you see will not take you where you expect.  Using your mouse to “hover” your cursor over the link may enable you to see the actual address – DO NOT CLICK ON ANY LINK unless or until you are completely certain it is the legitimate website

Protect against phishing

Being aware and understanding how to spot a potential phishing effort is helpful, but additional steps should be taken to protect your computer and system against such attacks.  There is no single solution – the best option is to adopt a multi-layered approach:

  • Good security software will help to prevent successful phishing by spotting “bad” links and blocking fake websites.
  • While not providing all-encompassing protection, anti-virus, anti-spyware and anti-malware applications should be used, and kept up-to-date. Ensure that at least two different supplier technologies are in operation.
  • Ensure that all firewall settings should be used and updated regularly to help prevent phishing and block attacks.
  • Subscribe to cyber-intelligence services which may be used to identify on-line threats, misrepresentations, or online fraud’s targeting brands – for example, RSA or Verisign
  • Ensure that applications and operating systems are up-to-date and fully patched

What to do if you have opened a phishing email

Just opening the email is unlikely to cause a problem.  However, it is helpful to report phishing emails:

  • To the ISP (internet service provider) that was used to send you the email so that ISP provider can close the sender’s email account
  • If “report spam” buttons are available, use them
  • Report the email to the legitimate organisation the sender is pretending to be
  • Delete the email from your device
  • Inform your IT department and / or your data protection / data compliance / data security officer
  • Report the phishing email to Action Fraud – the UK’s national fraud and internet crime reporting centre – at https://reportlite.actionfraud.police.uk/

What to do if you click on a phishing link

  • Immediately run a virus check on your computer whether or not you have provided any personal details
  • Change your password for organisation which the phisher is mimicking
  • If you use the same password for multiple accounts, you need to change all these passwords too
  • Notify the relevant financial organisation(s) if you have entered banking or credit card information
  • Inform your IT department and / or your data protection / data compliance / data security officer
  • Report the phishing email to Action Fraud at https://reportlite.actionfraud.police.uk/

As phishing attacks predominantly targeting end-users, it is a good idea to invest in a security education and awareness programme to raise the profile of risk.  It’s also helpful to include your clients in such a programme.

If you have any concerns about your organisation’s vulnerability to phishing attacks and you’d like a chat about staff training or prevention, just call 01787 277742 or email dc@datacompliant.co.uk

Data Compliant Services

Services at December 2014