Tag Archives: data breach

Data Compliant’s Weekly Round Up

cowboy-round-up-cropped

This week has been a bit hectic when it comes to data breaches and news. We started off with Snoopers’ Charter being passed, then we heard that Deliveroo had been hacked and many of its customers had been paying for someone else’s dinner after passwords were stolen from another business.

We heard of yet another colossal hack – mobile network Three had been infiltrated by 3 hackers dotted all over the country now putting two thirds of the 9,000,000 Three customers at risk. The hackers accessed the upgrade system using an employee log in and were able to intercept the new phones before they reached the customers that the hackers had upgraded. Could this be an insider threat? Although Three can confirm no financial data was appropriated the information that was obtainable were things like names, telephone numbers, addresses and date of birth all of which is classed as personal data in accordance with the Data Protection Act. It’s all very handy data for criminals to steal someone’s identity.

Police are investigating Broxtowe Borough Council after an email containing allegations about someone’s conduct was sent to all staff members (730 people in total) in which they were told about in September. The ICO have said they are not going to take any action.

Hatchimals
Hatchimals are the latest craze with the kids these days and I bet they’re on everyone’s Christmas wish list. For those who don’t know what Hatchimals are, they’re Furby-like toys inside an egg that the child has to nurture until it hatches. Once hatched the toy will learn how to speak from it’s owner – so I’m told by my overly eager nephew. However due to these toys being so popular, scammers are out in force and are taking to social media to encourage loving parents to hand over more than double what these toys are going for. Once the scammers have got the money, the parents are then blocked and never hear from them again. Sometimes over £100 worse off. These toys are out of stock in every retailer that sells children’s toys in the UK so if there is an ad online, on social media, or in an email saying they’re still available and better yet – they’re on sale, don’t be fooled, if it’s too good to be true, it usually is.

Black Friday and Cyber Monday
I would imagine due to it being Black Friday this Friday (25th November) and cyber Monday on the 28th fake adverts and phishing emails are going to be on the rise this week and most of next week too. Although it is sad to think that hackers take to this time of year to steal from loving friends and family to earn themselves a bit of extra money, it does unfortunately happen every year. Now some of these hacks are easy to spot, it just takes a bit of common sense, however they are also getting more and more sophisticated and harder to recognise.

Last year UK consumers spent £2 billion in 24 hours online and in stores on Black Friday and £3.3billion over the whole weekend. Predictions this year are even higher than the last. So if you’re anything like me and are planning to get home from work, make yourself a cup of tea, put your feet up and do your Black Friday shopping online, here are some hints and tips for you to stay safe this weekend.

  • Make sure the websites you are visiting have https: at the front of the URL. The s actually stands for secure! Who knew?
  • If you receive any emails from your bank, paypal or anything asking you to confirm your payment details with a link to click on to do so, hover your mouse over the link to see what the URL is, if it isn’t the company’s name .com/.co.uk etc it’s a scam.
  • Look at the email address you receive an email from, is that the company’s name?
  • Use strong passwords, and different passwords for each log in (this is how many people got stung with Deliveroo as they used the same password for their account with them and with other websites and apps).
  • Read the websites privacy policy before handing over all of your sensitive information. These are legally binding and have to inform you of what the company plans to do with your data.

I could go on and on but these main 5 steps should keep you fairly safe this weekend. Don’t be put off by the minority of people who do wish to scam you into handing over all of your money. There are some good people (and even better bargains) out there, so happy shopping!

charlotte-seymour-2016
Written by Charlotte Seymour – 25th November 2016.

Insider Threats – Charlotte’s View

Insider Threats – Charlotte’s View

Something that is being spoken about more and more (due to the unfortunate higher frequency) is insider threat. It’s in the news an awful lot more than it ever used to be.

Do you remember the auditor of Morrisons who released a spreadsheet detailing just shy of 100,000 members of staff’s (very) personal details? He did end up getting jailed for 8 years but I heard a saying recently, it’s not a digital footprint you leave it’s more of a digital tattoo. Even two years after the incident Morrisons is still suffering the effects.

Now obviously that was what you would call a malicious breach. It does unfortunately happen, but there are ways for you to protect your company against this. Firstly we here at Data Compliant believe that if you have detailed joiner processes in place (i.e. thorough screening and references and criminal checks where appropriate), ongoing appraisals with staff and good leaver processes you can minimise your risk.

Other ways of insider breaches occurring, and much more likely in my opinion, are negligence, carelessness and genuine accidents. Did you know that over 50% of data breaches are cause by staff error? This may be because staff do not follow company procedures correctly and open up pathways for hackers. Or it could be that your staff are tricked into handing over information that they shouldn’t.

Your staff could be your company’s weakest point in relation to protecting it’s personal and confidential data. But you can take simple steps to minimise this risk by training your staff in data protection.

Online training has some big advantages for businesses, it’s a quick, efficient and relatively inexpensive way of training large numbers of employees while “taking them out of the business” for the least possible time.

The risk of breaches isn’t just your business’ reputation, or even a hefty fine from the ICO but as mentioned before, also a criminal conviction. Now that is a lot to risk.

If you’re interested in online training have a look at this video.

 

charlotte

Written by Charlotte Seymour, November 2016

 

Yahoo – biggest data breach ever

people-padlockIt is widely known that hackers target all companies large or small. In social media and cloud storage terms, we’ve seen breaches from a range of businesses include MySpace, LinkedIn, to DropBox and many more.

And now, as almost everyone must be aware, Yahoo has announced it has suffered the largest cyber breach in history. 500 million accounts have been accessed, of which 8 million relate to UK data.  This is a particularly difficult issue for Yahoo, who, as announced in July, is close to finalising the £3.7bn deal to sell its core business to Verizon. The breach occurred two years ago, and there is significant speculation about why it has taken so long for the organisation to discover the breach (coincidentally also July 2016).

In July a hacker known as Peace was discovered selling the information of 200 million Yahoo accounts on the dark website Real Dark.  It wasn’t until then that Yahoo launched an investigation to see whether – and to what extent – they had been hacked.

It is troublesome, to say the least, that a company of Yahoo’s magnitude can be the victim of the largest cyber attack in the world … and simply not notice for two years. Under the upcoming EU General Data Protection Regulation, notification of such a brief to the Supervisory Authority is mandatory within 72 hours of discovery – which doesn’t really help when a company doesn’t discover the breach for such an extended period of time.

Generally speaking, it takes an average of between 98 and 191 days (over six months) to detect an intrusion, and it does beg the question … why?  Some sources report that there is simply too much data for the analysts to sift through to be able to immediately recognise the threat.  In addition, false alarms are common.

So to an extent it’s understandable that there would have been some delay in identifying the breach.  Almost all of us have had an occasion where the car alarm has gone off because of a gust of wind or a vast lorry getting too close. But you would expect that when someone steals your car’s wheels, its seats and the doors, you just might notice.

So what do we know about this breach?

500 million Yahoo users have had their names, email addresses, dates of birth, hashed passwords, telephone numbers and unencrypted security questions accessed. We also know that Verizon only found out two days before the knowledge of the breach was released to the public.

Now we’re all asking the question “Who’s behind it?” Yahoo believes it was a “state-sponsored actor”. So which state? The suspects so far are Russia (supposedly behind hackers Fancy Bears who hacked WADA and released Olympian’s medical records to show what banned drugs they were taking for medical reasons); North Korea (suspected of being behind the hack on Sony after the film ‘The Interview’ showed its leader in a poor light); China (who, despite denial, allegedly recently stole the finger prints of 4 million Americans from The Office of Personnel Management).  Alternatively, it could have been a lone wolf like the TalkTalk breach – TalkTalk too suspected a large corporation but instead it turned out to be a teenager in his bedroom trying to make a few extra quid.

What we need to understand is that, unless companies invest the appropriate time, resource and money to protect their own and their customers’ data, they will continue to be wide open to breach.  In the UK only 51% of large businesses have followed half or more of the government’s 10 steps to cyber security.

So … if only half of us are consciously going to take action to attempt to prevent these breaches, is it any wonder that the hackers have it so easy?

charlotte

Written by Charlotte Seymour, October 2016

Data Breaches UK – Key Stats at a Glance

The 2015 UK data breaches report shows significant rises in numbers and costs of data breaches, with growth shown in my previous blog, Data Breaches – OUCH! .  The infographic below summarises the key data breach stats from 2014, including a nod to the impact of new technology.

Data breach

* All stats taken from 2015 Information Security Breaches Survey commissioned by HM Government – survey conducted by PwC in association with Infosecurity Europe

Data breaches … OUCH!

Alarming data breach statistics are shown in the latest survey from HM Government*, with costs increasing to prohibitive levels for businesses large and small.

Data Breach Costs

Data breach 2015 cost graphs and text

Think  a data breach can’t happen to you?  Think again …

data breach percentages graph 2012 to 2014

* All stats taken from 2015 Information Security Breaches Survey commissioned by HM Government – survey conducted by PwC in association with Infosecurity Europe

Protect your data …

Be Aware Be Secure

The protection of your company data must be of paramount importance to you, so please get in touch if you you would like to discuss the ever-changing issues surrounding data security and the steps you can take to keep your data safe.  Call 01787 277742 or email victoria@datacompliant.co.uk

Data Security – Phishing

phishing

45% of phishing attacks are successful, according to Google’s December 2014 report.   Indeed, the infamous 2013 Target data breach was due to a successful spear phishing attack on one of the company’s suppliers. The reported cost to the business was a massive $162M plus additional expenses resulting from class action lawsuits and reputational damage.

Many data breaches are a direct result of the attacker using individuals or employees to access systems or data, and it’s worth noting that 58% of large organisations and a third of SMEs fall prey to staff-related data breaches (*UK 2014 Information Security Breaches Survey).

With that in mind, I thought it would be helpful to summarise some points to help recognise and deal with phishing emails.

What is phishing?

Phishing is a deceptive means of trying to acquire personal information such as your identity or data that you hold and access – for example your user name, passwords, credit card details, contact directories and so on.  Phishing is typically carried out by email or instant message, which may ask you to provide the data directly, or it may send you to a website or phone number where you will be asked to provide data.

Why Phishing Works

A phishing effort can be hard to recognise, particularly if it comes from a source that you are inclined to trust – for example a friend or colleague (who may have been phished themselves), or your bank, social media site, telephone provider etc.

  • Phishing emails are designed to look like real emails from real, sometimes large, reputable organisations.
  • They are likely to seem to come from an organisation or individual you know and would expect to hear from – for example your bank or building society, your insurer, a business with whom you are in regular contact, your social networking sites, an online auction site or even a friend whose email sits in your address book
  • They may look absolutely authentic, including using legitimate logos
  • They may well contain information that you would not expect a scammer to know – for example personal data (that they may, for example, have picked up from one of your social networking sites)
  • They may include links to websites which will require you to enter personal information – and that website may also look very similar to the legitimate website it is pretending to be.

How to spot a phishing email

There are ways to recognise and avoid being caught out by fraudulent emails or the links they contain.

  • Are you expecting the email you’ve just received? Any email which asks you for personal information or log in details or to verify your account must be treated with caution – most reputable companies will never ask for your personal details in an email
  • Don’t be pressured just because the email looks urgent
  • Beware of attachments – these may pretend to be an order summary or an invoice for immediate payment or a receipt or any manner of other things.  If you haven’t placed an order, or your bill is already paid, then be careful.   If in doubt, simply do not open the attachment.
  • Check the email’s spelling, grammar and formatting – if they’re not correct, treat the email as suspicious
  • Never respond to an email that asks you to update your credit card or payment details
  • Watch out for free giveaways with links to websites – it’s likely that such websites will attempt to embed a virus into your computer which allows them to  capture your keystrokes to get your login details or financial details such as your bank account

How to spot a phishing link?

Such links are likely to include all or part of the legitimate website address.

  • Be aware than any change to the legitimate address may lead to a false website – a spelling mistake, a missing letter – just one character’s difference can take you somewhere you just don’t want to go,
  • It is generally safer to go to the online website using your own bookmarks or by typing in the website address yourself
  • Where a website link is provided, it may be “masked” so that what you see will not take you where you expect.  Using your mouse to “hover” your cursor over the link may enable you to see the actual address – DO NOT CLICK ON ANY LINK unless or until you are completely certain it is the legitimate website

Protect against phishing

Being aware and understanding how to spot a potential phishing effort is helpful, but additional steps should be taken to protect your computer and system against such attacks.  There is no single solution – the best option is to adopt a multi-layered approach:

  • Good security software will help to prevent successful phishing by spotting “bad” links and blocking fake websites.
  • While not providing all-encompassing protection, anti-virus, anti-spyware and anti-malware applications should be used, and kept up-to-date. Ensure that at least two different supplier technologies are in operation.
  • Ensure that all firewall settings should be used and updated regularly to help prevent phishing and block attacks.
  • Subscribe to cyber-intelligence services which may be used to identify on-line threats, misrepresentations, or online fraud’s targeting brands – for example, RSA or Verisign
  • Ensure that applications and operating systems are up-to-date and fully patched

What to do if you have opened a phishing email

Just opening the email is unlikely to cause a problem.  However, it is helpful to report phishing emails:

  • To the ISP (internet service provider) that was used to send you the email so that ISP provider can close the sender’s email account
  • If “report spam” buttons are available, use them
  • Report the email to the legitimate organisation the sender is pretending to be
  • Delete the email from your device
  • Inform your IT department and / or your data protection / data compliance / data security officer
  • Report the phishing email to Action Fraud – the UK’s national fraud and internet crime reporting centre – at https://reportlite.actionfraud.police.uk/

What to do if you click on a phishing link

  • Immediately run a virus check on your computer whether or not you have provided any personal details
  • Change your password for organisation which the phisher is mimicking
  • If you use the same password for multiple accounts, you need to change all these passwords too
  • Notify the relevant financial organisation(s) if you have entered banking or credit card information
  • Inform your IT department and / or your data protection / data compliance / data security officer
  • Report the phishing email to Action Fraud at https://reportlite.actionfraud.police.uk/

As phishing attacks predominantly targeting end-users, it is a good idea to invest in a security education and awareness programme to raise the profile of risk.  It’s also helpful to include your clients in such a programme.

If you have any concerns about your organisation’s vulnerability to phishing attacks and you’d like a chat about staff training or prevention, just call 01787 277742 or email dc@datacompliant.co.uk

Data Compliant Services

Services at December 2014

NHS Data Sharing – why the delay?

iStock_000006820636Medium

It’s good to see that common sense has prevailed, and the roll-out of care.data has been deferred until Autumn – primarily, it would seem, to allow time to make absolutely certain that all patients have been made aware of the plans to do so.

The media, privacy lobby groups and, most notably, both the ICO and The Royal College of General Practitioners flagged their concerns that communicating the NHS data sharing plans with patients had been inadequate, leaving many individuals throughout the country unaware either of the plans to share their sensitive, confidential patient data, or indeed of their right to refuse to participate (see more here about how and why your patient data is to be held in a central NHS database).

There has been some attempt to inform the public – primarily by GPs (mine was excellent, providing information and opt-in / opt-out forms with repeat prescriptions; issuing leaflets and showing posters in the surgery; and showing information on the website ).  The NHS distributed some 22 million leaflets which were apparently delivered in January / February, but there has been a great deal of criticism of the leaflet’s creative approach, which has been described as bland … appalling … one-sided … and more.  I have to say, I never received it … or if I did, I threw it away unread on the assumption that it was “junk mail”.

I was interested to read what the Royal College of General Practitioners think, and of their own strong desire that GPs, patients and the nation are all properly informed and able to make their own decision whether to support the development of the NHS database or opt out. http://www.rcgp.org.uk/news/2014/february/college-welcomes-decision-to-delay-care-data.aspx

On the subject of making people aware … I find it quite fascinating to watch the government’s delight in using broadcast channels like TV and radio to promote themselves when it suits them.  Yet they seem curiously reluctant to use these same channels to inform the public of an issue as significant and important as the sharing of our own sensitive and confidential medical data.

However, it is quite clear that the NHS must now decide how it will ramp up its communication campaign before the Autumn in order to satisfy the public, the ICO, the RCGP and the media.  Only then will it be possible for the launch of care.data to take place.

Data Compliant Ltd provides advice on data compliance, data security, and runs training classes and workshops.  If you or your business have any concerns over your data being compliant and secure, please contact Michelle or Victoria.  

victoria@datacompliant.co.uk                        michelle@datacompliant.co.uk