Tag Archives: personal data

Phishing ..Christmas..a time for taking?

phishing-alertThere I was, at my desk on Monday morning, preoccupied with getting everything done before the Christmas break, and doing about 3 things at once (or trying to).  An email hit my inbox with the subject “your account information has been changed”.  Because I regularly update all my passwords, I’m used to these kinds of emails arriving from different companies – sometimes to remind me that I’ve logged in on this or that device, or to tell me that my password has been changed, and to check that I the person who actually changed it.

As I hadn’t updated any passwords for a couple of days, I was rather intrigued to see who had sent the email, and I immediately  opened it.  It was from Apple to say I’d added an email as a rescue email to my Apple ID.

apple-email

Well that sounded wrong, so I clicked on the link to ‘Verify Now’ and was taken to a page that looked pretty legitimate.

apple-email-link

 

I thought I should see what was actually going on, so I logged in to my Apple ID using my previous password.  If I had been in any doubt, the fact that it accepted my out-of-date password made it very clear that this was a scam.

The site asked me to continue inputting my data.  At the top of the pages are my name and address details.  It’s also, for the first time, telling me that my account is suspended – always a hacker’s trick to get you worried and filling in information too quickly to think about what you’re actually doing.

apple-verify-1

Then the site starts to request credit card details and bank details …

apple-verify-2

And finally my date of birth so they can steal my identity, and a mobile number so that they can send me scam texts.

apple-verify-3

I know seven other people who received exactly the same email. And it’s just too easy to fall for, so any number of people could be waking up tomorrow with their identity stolen, and bank account and credit cards stripped of all money or credit.

With that in mind, here are some things to look out for in phishy (see what I did there) emails:

  1. Check the email address the email came from! If it looks wrong – it probably is!
  2. Hover your mouse over the links in the email to see where they take you. If this email had really been Apple it would have gone to an https:\\ address, at apple.co.uk
  3. Check grammatical errors in the text of the letter

Now if you do fall for an email as well executed as this, and if I’m completely honest, I’m shocked at how close to a real Apple email and website they looked, make sure you notify your bank and credit card companies immediately.  Change all of your passwords as soon as possible because if you use the same log in combination for any other accounts those could be targeted next.

Christmas has always been a time for giving.  Now it’s become the prime time for taking.

charlotte-seymour-2016

 

Written by Charlotte Seymour, 22nd December 2016

Data Compliant’s Weekly Round-Up

hacker-1

It’s the weekend before Christmas. Have you done all your Christmas shopping? If you’re shopping online, this is the last weekend you can really do your online shopping and still get everything delivered on time. 

Now you may be bored of hearing it but please be careful, look after your passwords, change them regularly, don’t have devices store your information! Lets start the year without a stranger stealing money from your credit cards and bank accounts!

Yahoo…Again 

This week brings us the news that Yahoo had announced a hack from 2013 – a separate breach to the 500,000 hacked records announced in September. 

Yahoo was investigating the 2014 breach when it uncovered the earlier hack – this time discovering that a billions accounts had been compromised. 

The reputational damage to Yahoo is enormous – a clear pattern of poor security is emerging and if I had an account with Yahoo, I’d be considering changing my provider immediately.  Having said that, though,  how can we be certain that other companies haven’t had similar breaches and we just don’t know about them yet?

The ICO’s deputy commissioner, Simon Entwisle has released a statement saying that they are talking to Yahoo and will try to find out how many UK users have been affected by the latest hack. Their immediate advice is to recommend  strongly that customers change their passwords if they haven’t already.

TalkTalk
An update on the huge TalkTalk hack has been released. One of the hackers, a 17 year old, has admitted to 7 offences relating to the hack and has been given a 12-month rehabilitation order and an £85 fine. He was 
told his excellent computer skills need to be used for the good. 19-year old Daniel Kelley also pleaded guilty. He has been told that a jail sentence is inevitable, and has been released on bail prior to sentencing in March.

Uber
Uber has come under fire after an ex-worker claimed that staff could track fares of celebrities, politicians and even ex-partners. If that’s true, it’s lucky for me I’ve only ever used it in Australia where no exes live and unfortunately I’m not yet a celeb!

Uber released a statement to the Standard stating that the claims made by Mr Spangenberg are “absolutely not true … we have hundreds of security and privacy experts working round the clock  to protect our data … all potential violations are quickly and thoroughly investigated.” Uber also makes it clear that access to personal data is limited to approved workers who may only access the data they need in order to perform their job function. 

Lionhead Studio just as bad as ‘Trolls”?
It has been released this week at a BAFTA event that a teenager targeted Sam van Tilburgh and his team, back in 2003, when they were creating the game Fable. The teen released a screen shot of the hero stabbing a child in the head – something no one was expecting to see. 

Rather than go through official routes, Tilburgh and team decided adopt an unconventional aporiach. They were able to track the boy’s IP address and let care the teenager. They then ‘acquired’ some of his school work from and published a part of it, with a demand that he stop or they would publish more and tell be his family what he was up to. He did indeed stop.

Tilburgh said Lionhead’s legal team knew nothing of the retaliating hack, and it has taken 13 years for the story to surface! I wonder if there’ll be repercussions.

The National Lottery hit with fine
So it wasn’t so long ago we heard that hackers had attacked The National Lottery (TNL). Today we hear TNL’s operator Camelot has been issued with a fine of £3m because of a fraudulent payout back in 2009. How this happened has not yet been announced but  it sounds as if a ‘deliberately damaged ticket’ was to blame. The prize fund payout is suspected to be around £2.5m but the actual figure has not yet been officially released.

I, for one will continue to buy my lottery tickets. Although The National Lottery has come under fire recently, it has fuelled a whopping £36 billion into good causes such as sports, community and heritage projects. Also imagine if you won.. (legitimately)

charlotte-seymour-2016

Written by Charlotte Seymour, 17th December 2016

Insider Threats – Charlotte’s View

Insider Threats – Charlotte’s View

Something that is being spoken about more and more (due to the unfortunate higher frequency) is insider threat. It’s in the news an awful lot more than it ever used to be.

Do you remember the auditor of Morrisons who released a spreadsheet detailing just shy of 100,000 members of staff’s (very) personal details? He did end up getting jailed for 8 years but I heard a saying recently, it’s not a digital footprint you leave it’s more of a digital tattoo. Even two years after the incident Morrisons is still suffering the effects.

Now obviously that was what you would call a malicious breach. It does unfortunately happen, but there are ways for you to protect your company against this. Firstly we here at Data Compliant believe that if you have detailed joiner processes in place (i.e. thorough screening and references and criminal checks where appropriate), ongoing appraisals with staff and good leaver processes you can minimise your risk.

Other ways of insider breaches occurring, and much more likely in my opinion, are negligence, carelessness and genuine accidents. Did you know that over 50% of data breaches are cause by staff error? This may be because staff do not follow company procedures correctly and open up pathways for hackers. Or it could be that your staff are tricked into handing over information that they shouldn’t.

Your staff could be your company’s weakest point in relation to protecting it’s personal and confidential data. But you can take simple steps to minimise this risk by training your staff in data protection.

Online training has some big advantages for businesses, it’s a quick, efficient and relatively inexpensive way of training large numbers of employees while “taking them out of the business” for the least possible time.

The risk of breaches isn’t just your business’ reputation, or even a hefty fine from the ICO but as mentioned before, also a criminal conviction. Now that is a lot to risk.

If you’re interested in online training have a look at this video.

 

charlotte

Written by Charlotte Seymour, November 2016

 

Safe Harbor – how does it work?

safe harbor pic

The Data Protection Act 1998 prohibits the transfer of personal data to non-European Union countries unless those countries meet the EU “adequacy” standard for privacy protection. Although both the US and EU profess to similar goals of protecting individuals’ privacy, their actual approaches are quite different.

As a result, the US Department of Commerce consulted with the European Commission, and developed the “Safe Harbor” framework – a cross-border data transfer mechanism that complies with European data protection laws and allows businesses to move personal data from the EU to the United States.  There is a similar but separate framework between the US and Switzerland.

To join the Safe Harbor framework, a company self-certifies to the Department of Commerce that it complies with seven data privacy principles (notice, choice, onward transfer, security, data integrity, access and enforcement) and that it meets the EU adequacy standard.  This self-certification needs to be renewed annually.  If a company fails to complete the annual re-certification process in time, the organisation’s certification is changed to “not current”.

The Federal Trade Commission addresses any violations – indeed on 21st January 2014, the FTC identified twelve companies who claimed in their marketing material that they currently complied with the US – EU Safe Harbor Framework, but who had allowed their certification to expire.  The twelve companies range from technology, consumer products and accounting – as well as National Football League teams.

To “set an example” and to help ensure the ongoing integrity of the Safe Harbor framework, the twelve companies have been prohibited from misrepresenting the extent to which they participate in any privacy or security programme sponsored by the government or any other self-regulatory or standard-setting organisation (including the Safe Harbor Framework).

It is worth noting that agreeing to adhere to the Safe Harbor Frameworks is a permanent undertaking in that an organisation must continue to apply the Safe Harbor Privacy Principles to personal data obtained through the Safe Harbour Frameworks for as long as the organisation stores, uses or discloses the data, even if the organisation has left the Safe Harbor.

There is a Safe Harbor list, which anybody can check to verify an organisation’s status:   https://safeharbor.export.gov/list.aspx

If you are planning to transfer data between the EU and the US, and would like us to help you, just call Michelle or Victoria on 01787 277742 or email victoria@tuffillverner.co.uk or michelle@tuffillverner.co.uk

NHS … patient data … what’s next?

According to the ICO, there were 388 data breaches relating to health data in the first nine months of 2013.  That is 34% of all the data breaches in the UK during the same period, and the proportion has increased from 27% at the end of March to 38% by the end of September 2013.  The chart below compares the number data breach levels by industry sector over the same period.  Given the sensitivity of the health data held by medical organisations in this country, those are shocking statistics.Data breaches by sector to Sept 30 2013

Centralised medical records database

Despite this poor track record, very soon the NHS is going to combine all our medical records into one massive database. Every GP practice in the UK will shortly begin to disclose their patients’ personal and sensitive data to care.data at the Health and Social Care information Centre (HSCIC).  The process is monthly, automatic, and assumes patient consent unless patients actively opt out – which is not necessarily a simple process.

nhs databaseSo what does this mean to patients?  Essentially, personal confidential data (PCD) such as family history, vaccinations, diagnoses, referrals, blood pressure, BMI, cholesterol and NHS prescriptions and more will be extracted from GP systems and shared with care.data.

In order to match data from the GP surgeries with data acquired by the HSCIC from other sources (such as hospitals) identifying data such as data of birth, postcode, NHS number and gender will be included within the data extracts.  Once matched across all the data sources, the data is pseudonymised (ie identifying characteristics are removed).

Once an individual is flagged as “deceased” no further data will be collected – though the data already provided will continue to be processed by the HSCIC.

medical data chartsWhat are the benefits?

If it were possible to trust the security and intentions of those collecting the data, there are some fantastic potential benefits, for example improved patient care; the effective prevention, treatment and management of illness; hospital performance, management of NHS resources; or the analysis and understanding of specific treatment benefits; even planning new health services.

What are the risks?

The poor track record of the NHS in terms of protecting our medical data is alarming and raises concerns over confidentiality of our medical records.  In addition, there are increasing numbers of private companies who provide services to the NHS, from physiotherapists to care homes; from private hospitals to insurance companies.  Members of the public are likely to be uneasy about private companies benefiting from their health data, and equally concerned that their GP will no longer be the “gatekeeper” of their confidential medical data.

Furthermore, although the data will be pseudonymised, single-minded analysts may undoubtedly try and will probably succeed to some degree in finding a way of matching the data against other commercial data sets to “re-identify” the individuals.

Who can use the data?

The data can be released for five listed reasons:  health intelligence, health improvement, audit, health service research and service planning. That’s a pretty broad spectrum, and it is evident that the number and range of potential customers for this centralised database of our medical records is enormous.

For example, how long it will be before insurers persuade the HSCIC that it is to the benefit of the health and social care system that they should model and predict medical claims rates based on the UK’s centralised medical database, and use the findings to price their medical insurance policies accordingly.

Can GP practices opt out?

Doctor Data ControllerThe Health and Social Care Act 2012 creates a statutory obligation for GP practices to disclose the information as directed.  GPs are unable to refuse to do so as such refusal would put them in breach of the statutory requirement.

But because the GP practice is actually the “data controller” of their patients’ confidential medical records, GP practices are also responsible for ensuring that their patients’ personal and sensitive data is handled fairly (as defined under the Data Protection Act 1998).

So it is up to GPs to ensure that patients are aware that their data will be shared with the HSCIC, that the HSCIC has powers to extract personal confidential data, and, arguably, what the HSCIC intends to do with the data.

And if a patient claims they were unaware that their data was to be shared, it would be the GP practice who would be investigated by the ICO.

The GP practices remain data controllers of the data they hold within the practice, but are no longer responsible for the data once it has been disclosed to the HSCIC.  Instead the HSCIC and NHS England become joint data controllers who are obliged to comply with the Data Protection Act.  NHS England will determine the “Purpose” for the data collection, while the HSCIC will determine the manner of processing.

How do patients opt out?

Normally one would expect the sharing of data of this sensitivity and confidentiality to be subject to patient opt-in, rather than the NHS assuming consent.  However, the Health and Social Care Act 2012 empowers the HSCIC to require providers (eg your GP practice) to send it personal confidential data when directed to do so.  And the Act overrides the requirement to seek patient consent.

A patient can inform their GP of their wish to opt out, and no reason is required.  It is worth noting that the right to opt out has been implemented as a constitutional rather than a legal right.  Having opted out, it is up to the GP practice to ensure that the right code is appended to the legal record.

However, the patient has no right to prevent his or her medical data leaving the GP practice if such data carries no identifiable information as this is anonymous data rather than personal data.  The question, really, is what is “identifiable information”?  It is DOB? Arguably in some circumstances, it may be.  And surely an NHS number is identifiable information.

The Secretary of State for Health has given a commitment that individuals’ objections to disclosure ot the HSCIC will be respected in “all but exceptional circumstance” (for example, a civil emergency).

Is the process compliant?

You could argue that this data sharing activity defies the second principle of the Data Protection Act:  “Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with the purpose or those purposes”.  In my view, you don’t talk to your doctor about a medical condition for any purpose other than to have him solve – or try to solve the problem for you.  And while that may include prescriptions, or visits to consultants, hospitals and clinics, making our medical records data available to commercial organisations cannot possibly be considered the “Purpose”.