Tag Archives: data breach

Data Compliant’s Weekly Round-Up

hacker-1

It’s the weekend before Christmas. Have you done all your Christmas shopping? If you’re shopping online, this is the last weekend you can really do your online shopping and still get everything delivered on time. 

Now you may be bored of hearing it but please be careful, look after your passwords, change them regularly, don’t have devices store your information! Lets start the year without a stranger stealing money from your credit cards and bank accounts!

Yahoo…Again 

This week brings us the news that Yahoo had announced a hack from 2013 – a separate breach to the 500,000 hacked records announced in September. 

Yahoo was investigating the 2014 breach when it uncovered the earlier hack – this time discovering that a billions accounts had been compromised. 

The reputational damage to Yahoo is enormous – a clear pattern of poor security is emerging and if I had an account with Yahoo, I’d be considering changing my provider immediately.  Having said that, though,  how can we be certain that other companies haven’t had similar breaches and we just don’t know about them yet?

The ICO’s deputy commissioner, Simon Entwisle has released a statement saying that they are talking to Yahoo and will try to find out how many UK users have been affected by the latest hack. Their immediate advice is to recommend  strongly that customers change their passwords if they haven’t already.

TalkTalk
An update on the huge TalkTalk hack has been released. One of the hackers, a 17 year old, has admitted to 7 offences relating to the hack and has been given a 12-month rehabilitation order and an £85 fine. He was 
told his excellent computer skills need to be used for the good. 19-year old Daniel Kelley also pleaded guilty. He has been told that a jail sentence is inevitable, and has been released on bail prior to sentencing in March.

Uber
Uber has come under fire after an ex-worker claimed that staff could track fares of celebrities, politicians and even ex-partners. If that’s true, it’s lucky for me I’ve only ever used it in Australia where no exes live and unfortunately I’m not yet a celeb!

Uber released a statement to the Standard stating that the claims made by Mr Spangenberg are “absolutely not true … we have hundreds of security and privacy experts working round the clock  to protect our data … all potential violations are quickly and thoroughly investigated.” Uber also makes it clear that access to personal data is limited to approved workers who may only access the data they need in order to perform their job function. 

Lionhead Studio just as bad as ‘Trolls”?
It has been released this week at a BAFTA event that a teenager targeted Sam van Tilburgh and his team, back in 2003, when they were creating the game Fable. The teen released a screen shot of the hero stabbing a child in the head – something no one was expecting to see. 

Rather than go through official routes, Tilburgh and team decided adopt an unconventional aporiach. They were able to track the boy’s IP address and let care the teenager. They then ‘acquired’ some of his school work from and published a part of it, with a demand that he stop or they would publish more and tell be his family what he was up to. He did indeed stop.

Tilburgh said Lionhead’s legal team knew nothing of the retaliating hack, and it has taken 13 years for the story to surface! I wonder if there’ll be repercussions.

The National Lottery hit with fine
So it wasn’t so long ago we heard that hackers had attacked The National Lottery (TNL). Today we hear TNL’s operator Camelot has been issued with a fine of £3m because of a fraudulent payout back in 2009. How this happened has not yet been announced but  it sounds as if a ‘deliberately damaged ticket’ was to blame. The prize fund payout is suspected to be around £2.5m but the actual figure has not yet been officially released.

I, for one will continue to buy my lottery tickets. Although The National Lottery has come under fire recently, it has fuelled a whopping £36 billion into good causes such as sports, community and heritage projects. Also imagine if you won.. (legitimately)

charlotte-seymour-2016

Written by Charlotte Seymour, 17th December 2016

National Lottery customers hacked. But who handed over the key?

master-key

Another day … another hack. Such events are inescapably becoming almost daily news. The endless catalogue of everyday cyber crime, ranging from hacking, ransom attacks, bullying, breaches, theft and fraud, simply underlines that any crime that can be committed in our physical world can – and is – equally being perpetrated in cyber space.

Given that such attacks and breaches are making the headlines almost daily, it baffles me that companies and customers (that’s us by the way) don’t make a greater effort to protect themselves.

Camelot, The National Lottery’s operator, discovered this latest breach on Sunday and went public on Wednesday morning. Camelot says that only 26,500 of the 9.5 million registered user accounts were compromised, and that there has only been activity on just under 50 of the infiltrated accounts. They have confirmed that no money has been removed or added to any of these accounts and that the National Lottery does not hold full debit card or bank account details. The Information Commissioner’s Office says it has launched an investigation.

Camelot insists that the reason for the compromised accounts is because users have been operating the same password for multiple websites. (Sound familiar? Last week’s Deliveroo breach comes to mind).

Quite properly when we hear of a data breach we turn the spotlight onto the companies that we deal with, who are in charge of protecting our information. But it would be no bad thing for us to point the spotlight at ourselves as the other half of the equation. As consumers, we have to take responsibility too.

We have all repeatedly been advised – and frankly, must surely know by now –  it is vital that a different password is used for every website. For as long as we fail to take this basic precaution, these breaches will be possible.  It would seem that we’re no or slow learners.

I don’t know about you, but I have more accounts than I care to think about. A password including capital letters, symbols and numbers is difficult enough to remember for just one account. However with hacks happening more and more frequently it’s made me pull up my socks and change all of my passwords.

I choose not to have my phone or computer store my passwords, because if either device is stolen (or lost) someone will have all my information in the palm of their hand.

It’s time we all realised how vitally important it is to have safe and secure and different passwords for every account we have, especially when cyber criminals are getting wiser and more sophisticated by the minute. A password is a key. So using just one password to access all your websites means that you are effectively handing criminals the master key to all your online activity.

Hint – A password with 12 characters including a few bits and pieces can take over 2 centuries to crack … that’s the one for me!

charlotte-seymour-2016

Written by Charlotte Seymour, 30th November 2016

Data Compliant’s Weekly Round Up

cowboy-round-up-cropped

This week has been a bit hectic when it comes to data breaches and news. We started off with Snoopers’ Charter being passed, then we heard that Deliveroo had been hacked and many of its customers had been paying for someone else’s dinner after passwords were stolen from another business.

We heard of yet another colossal hack – mobile network Three had been infiltrated by 3 hackers dotted all over the country now putting two thirds of the 9,000,000 Three customers at risk. The hackers accessed the upgrade system using an employee log in and were able to intercept the new phones before they reached the customers that the hackers had upgraded. Could this be an insider threat? Although Three can confirm no financial data was appropriated the information that was obtainable were things like names, telephone numbers, addresses and date of birth all of which is classed as personal data in accordance with the Data Protection Act. It’s all very handy data for criminals to steal someone’s identity.

Police are investigating Broxtowe Borough Council after an email containing allegations about someone’s conduct was sent to all staff members (730 people in total) in which they were told about in September. The ICO have said they are not going to take any action.

Hatchimals
Hatchimals are the latest craze with the kids these days and I bet they’re on everyone’s Christmas wish list. For those who don’t know what Hatchimals are, they’re Furby-like toys inside an egg that the child has to nurture until it hatches. Once hatched the toy will learn how to speak from it’s owner – so I’m told by my overly eager nephew. However due to these toys being so popular, scammers are out in force and are taking to social media to encourage loving parents to hand over more than double what these toys are going for. Once the scammers have got the money, the parents are then blocked and never hear from them again. Sometimes over £100 worse off. These toys are out of stock in every retailer that sells children’s toys in the UK so if there is an ad online, on social media, or in an email saying they’re still available and better yet – they’re on sale, don’t be fooled, if it’s too good to be true, it usually is.

Black Friday and Cyber Monday
I would imagine due to it being Black Friday this Friday (25th November) and cyber Monday on the 28th fake adverts and phishing emails are going to be on the rise this week and most of next week too. Although it is sad to think that hackers take to this time of year to steal from loving friends and family to earn themselves a bit of extra money, it does unfortunately happen every year. Now some of these hacks are easy to spot, it just takes a bit of common sense, however they are also getting more and more sophisticated and harder to recognise.

Last year UK consumers spent £2 billion in 24 hours online and in stores on Black Friday and £3.3billion over the whole weekend. Predictions this year are even higher than the last. So if you’re anything like me and are planning to get home from work, make yourself a cup of tea, put your feet up and do your Black Friday shopping online, here are some hints and tips for you to stay safe this weekend.

  • Make sure the websites you are visiting have https: at the front of the URL. The s actually stands for secure! Who knew?
  • If you receive any emails from your bank, paypal or anything asking you to confirm your payment details with a link to click on to do so, hover your mouse over the link to see what the URL is, if it isn’t the company’s name .com/.co.uk etc it’s a scam.
  • Look at the email address you receive an email from, is that the company’s name?
  • Use strong passwords, and different passwords for each log in (this is how many people got stung with Deliveroo as they used the same password for their account with them and with other websites and apps).
  • Read the websites privacy policy before handing over all of your sensitive information. These are legally binding and have to inform you of what the company plans to do with your data.

I could go on and on but these main 5 steps should keep you fairly safe this weekend. Don’t be put off by the minority of people who do wish to scam you into handing over all of your money. There are some good people (and even better bargains) out there, so happy shopping!

charlotte-seymour-2016
Written by Charlotte Seymour – 25th November 2016.

Insider Threats – Charlotte’s View

Insider Threats – Charlotte’s View

Something that is being spoken about more and more (due to the unfortunate higher frequency) is insider threat. It’s in the news an awful lot more than it ever used to be.

Do you remember the auditor of Morrisons who released a spreadsheet detailing just shy of 100,000 members of staff’s (very) personal details? He did end up getting jailed for 8 years but I heard a saying recently, it’s not a digital footprint you leave it’s more of a digital tattoo. Even two years after the incident Morrisons is still suffering the effects.

Now obviously that was what you would call a malicious breach. It does unfortunately happen, but there are ways for you to protect your company against this. Firstly we here at Data Compliant believe that if you have detailed joiner processes in place (i.e. thorough screening and references and criminal checks where appropriate), ongoing appraisals with staff and good leaver processes you can minimise your risk.

Other ways of insider breaches occurring, and much more likely in my opinion, are negligence, carelessness and genuine accidents. Did you know that over 50% of data breaches are cause by staff error? This may be because staff do not follow company procedures correctly and open up pathways for hackers. Or it could be that your staff are tricked into handing over information that they shouldn’t.

Your staff could be your company’s weakest point in relation to protecting it’s personal and confidential data. But you can take simple steps to minimise this risk by training your staff in data protection.

Online training has some big advantages for businesses, it’s a quick, efficient and relatively inexpensive way of training large numbers of employees while “taking them out of the business” for the least possible time.

The risk of breaches isn’t just your business’ reputation, or even a hefty fine from the ICO but as mentioned before, also a criminal conviction. Now that is a lot to risk.

If you’re interested in online training have a look at this video.

 

charlotte

Written by Charlotte Seymour, November 2016

 

Yahoo – biggest data breach ever

people-padlockIt is widely known that hackers target all companies large or small. In social media and cloud storage terms, we’ve seen breaches from a range of businesses include MySpace, LinkedIn, to DropBox and many more.

And now, as almost everyone must be aware, Yahoo has announced it has suffered the largest cyber breach in history. 500 million accounts have been accessed, of which 8 million relate to UK data.  This is a particularly difficult issue for Yahoo, who, as announced in July, is close to finalising the £3.7bn deal to sell its core business to Verizon. The breach occurred two years ago, and there is significant speculation about why it has taken so long for the organisation to discover the breach (coincidentally also July 2016).

In July a hacker known as Peace was discovered selling the information of 200 million Yahoo accounts on the dark website Real Dark.  It wasn’t until then that Yahoo launched an investigation to see whether – and to what extent – they had been hacked.

It is troublesome, to say the least, that a company of Yahoo’s magnitude can be the victim of the largest cyber attack in the world … and simply not notice for two years. Under the upcoming EU General Data Protection Regulation, notification of such a brief to the Supervisory Authority is mandatory within 72 hours of discovery – which doesn’t really help when a company doesn’t discover the breach for such an extended period of time.

Generally speaking, it takes an average of between 98 and 191 days (over six months) to detect an intrusion, and it does beg the question … why?  Some sources report that there is simply too much data for the analysts to sift through to be able to immediately recognise the threat.  In addition, false alarms are common.

So to an extent it’s understandable that there would have been some delay in identifying the breach.  Almost all of us have had an occasion where the car alarm has gone off because of a gust of wind or a vast lorry getting too close. But you would expect that when someone steals your car’s wheels, its seats and the doors, you just might notice.

So what do we know about this breach?

500 million Yahoo users have had their names, email addresses, dates of birth, hashed passwords, telephone numbers and unencrypted security questions accessed. We also know that Verizon only found out two days before the knowledge of the breach was released to the public.

Now we’re all asking the question “Who’s behind it?” Yahoo believes it was a “state-sponsored actor”. So which state? The suspects so far are Russia (supposedly behind hackers Fancy Bears who hacked WADA and released Olympian’s medical records to show what banned drugs they were taking for medical reasons); North Korea (suspected of being behind the hack on Sony after the film ‘The Interview’ showed its leader in a poor light); China (who, despite denial, allegedly recently stole the finger prints of 4 million Americans from The Office of Personnel Management).  Alternatively, it could have been a lone wolf like the TalkTalk breach – TalkTalk too suspected a large corporation but instead it turned out to be a teenager in his bedroom trying to make a few extra quid.

What we need to understand is that, unless companies invest the appropriate time, resource and money to protect their own and their customers’ data, they will continue to be wide open to breach.  In the UK only 51% of large businesses have followed half or more of the government’s 10 steps to cyber security.

So … if only half of us are consciously going to take action to attempt to prevent these breaches, is it any wonder that the hackers have it so easy?

charlotte

Written by Charlotte Seymour, October 2016

Data Breaches UK – Key Stats at a Glance

The 2015 UK data breaches report shows significant rises in numbers and costs of data breaches, with growth shown in my previous blog, Data Breaches – OUCH! .  The infographic below summarises the key data breach stats from 2014, including a nod to the impact of new technology.

Data breach

* All stats taken from 2015 Information Security Breaches Survey commissioned by HM Government – survey conducted by PwC in association with Infosecurity Europe

Data breaches … OUCH!

Alarming data breach statistics are shown in the latest survey from HM Government*, with costs increasing to prohibitive levels for businesses large and small.

Data Breach Costs

Data breach 2015 cost graphs and text

Think  a data breach can’t happen to you?  Think again …

data breach percentages graph 2012 to 2014

* All stats taken from 2015 Information Security Breaches Survey commissioned by HM Government – survey conducted by PwC in association with Infosecurity Europe

Protect your data …

Be Aware Be Secure

The protection of your company data must be of paramount importance to you, so please get in touch if you you would like to discuss the ever-changing issues surrounding data security and the steps you can take to keep your data safe.  Call 01787 277742 or email victoria@datacompliant.co.uk