GDPR

£385,000 Data Protection Fine For Uber

Ride-hailing (and now bike and scooter-hiring) service Uber has been handed a £385,000 fine by the ICO for data protection failings during a cyber-attack back in 2016.

What Happened?

The original incident took place in October and November 2016, when hackers accessed a private GitHub repository used by Uber software engineers. Using credentials obtained from that repository, the attackers were able to reach the Amazon Web Services account that handled the company’s computing tasks and access an archive of rider and driver information. The result was the compromise (and theft) of data relating to 600,000 US drivers and 57 million user accounts.
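The control that follows from this chain (repository to cloud account) is scanning files for embedded cloud credentials before they are committed. The following is an added example, not Uber’s code or anything from the ICO notice. It assumes the documented AWS access key ID format (20 characters beginning with AKIA); the secret-key and generic patterns, the entropy threshold, and the sample config are constructed, and the key pair in the sample is the example pair AWS publishes in its own documentation.

```python
import math
import re

# Patterns for credentials that commonly end up in source repositories.
# The access key ID format (AKIA + 16 upper-case alphanumerics) is documented by AWS;
# the secret-key and generic patterns are heuristics and need tuning per code base.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    # generic "secret = ..." / "password = ..." / "token = ..." assignments, filtered by entropy below
    "generic_high_entropy": re.compile(
        r"(?i)(?:secret|password|token)\s*[=:]\s*['\"]?([A-Za-z0-9/+=_\-]{20,})"
    ),
}

ENTROPY_THRESHOLD = 3.5  # assumption: bits per character below which a match is treated as a placeholder


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; placeholders such as 'aaaa...' score 0."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Never echo a suspected secret in full into a scanner report or log."""
    return value[:4] + "..." + value[-2:]


def scan_text(text: str, path: str = "<memory>") -> list:
    """Return one finding per credential-looking value, with line number and a redacted preview."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                if kind == "generic_high_entropy" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue  # low entropy: almost certainly a placeholder, not a real secret
                findings.append({"path": path, "line": lineno, "kind": kind, "preview": redact(value)})
    return findings


# Constructed sample config file; the key pair is the example pair from AWS's own documentation.
SAMPLE_CONFIG = """\
# deploy settings (constructed sample, not a real repository)
region = eu-west-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
api_token = aaaaaaaaaaaaaaaaaaaaaaaa
db_password = changeme
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_CONFIG, "config/deploy.ini"):
        print(finding)
```

Run as a pre-commit hook over the staged files, the scanner reports the access key and secret on lines 3 and 4 and ignores the two placeholders; a real deployment would add a denylist for the documented example keys and a path-based allowlist for test fixtures.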

The ICO’s investigation focused on avoidable data security flaws in the same incident that allowed the theft (described by the ICO as ‘credential stuffing’, i.e. trying previously compromised username and password pairs until they match an account) of personal data, including full names, email addresses and phone numbers, of 2.7 million UK customers from the cloud-based storage system operated by Uber’s US parent company.

The ICO’s fine to Uber also relates to the record of nearly 82,000 UK-based drivers, including details of journeys made and how much they were paid.

Attackers Paid To Keep Breach Quiet

Another key failing of Uber was that not only did the company not inform affected drivers about the incident for more than a year, but Uber chose to pay the attackers $100,000 through its bug bounty programme (a deal offered by websites and software developers to offer recognition and payment to those who report software bugs), to delete the stolen data and keep quiet about the breach.

Before GDPR

Although GDPR, which came into force on 25th May this year, gives the ICO the power to fine a data controller up to £17m (€20m) or 4% of global annual turnover, whichever is higher, the Uber breach took place before GDPR applied. The ICO therefore issued the £385,000 fine under the Data Protection Act 1998, which was in force before GDPR and under which the maximum penalty was £500,000.

Other Payments and Fines

Uber also had to pay a $148m settlement agreement in a case in the US brought by 50 US states and the District of Columbia over the company’s attempt to cover up the data breach in 2016.

Also, for the same incident, Uber is facing a £533,000 fine from the data protection authority for the Netherlands, the Autoriteit Persoonsgegevens.

What Does This Mean For Your Business?

As noted by the ICO director of investigations, Steve Eckersley, as well as the data security failure, Uber’s behaviour in this case showed a total disregard for the customers and drivers whose personal information was stolen, as no steps were taken to inform anyone affected by the breach, or to offer help and support.

Sadly, Uber joins a line of well-known businesses that have made the news for all the wrong reasons where data handling is concerned e.g. Yahoo’s data breach of 500 million users’ accounts in 2014 followed by the discovery that it was the subject of the biggest data breach in history to that point back in 2013. Similar to the Uber episode is the Equifax hack where 143 million customer details were stolen (44 million possibly from UK customers), while the company waited 40 days before informing the public and three senior executives sold their shares worth almost £1.4m before the breach was publicly announced.

This story should remind businesses how important it is to invest in keeping security systems up to date and to maintain cyber resilience on all levels. This could involve keeping up to date with patching (9 out of 10 hacked businesses were compromised via un-patched vulnerabilities) and should extend to training employees in cyber-security practices, and adopting multi-layered defences that go beyond the traditional anti-virus and firewall perimeter.

Companies need to conduct security audits to make sure that no old, isolated data is left on legacy systems or platforms, where it would offer easy access to cyber-criminals. Companies may now also need tools that allow security devices to collect and share data and co-ordinate a unified response across the entire distributed network.

Even though the recent CIM study showed that less than one-quarter of consumers trust businesses with their data security, at least the ICO is currently sending some powerful messages to (mainly large) businesses about the consequences of not fulfilling their data protection responsibilities.  For example, as well as the big fine for Uber, back in October the ICO fined a Manchester-based company £150,000 for making approximately 64,000 nuisance direct marketing calls to people who had opted out via the TPS, and earlier this month a former employee of a vehicle accident repair centre who stole customer data and passed it to a company that made nuisance phone calls was jailed for 6 months following an ICO investigation.

Firefox Quantum Browser’s ‘Monitor 2.0’ Will Warn You About Security Breaches

Mozilla’s latest update for its Firefox Quantum browser includes the Firefox Monitor 2.0 security tool, which can tell you whether a site you’re visiting has suffered a security breach in the last 12 months and whether your details have been leaked online.

Developed in Partnership with HIBP

Back in June, the Mozilla blog detailed how it was testing the Firefox Monitor tool which was being developed in partnership with HaveIBeenPwned.com (HIBP), a service run by Troy Hunt, described by Mozilla as “one of the most renowned and respected security experts and bloggers in the world”.  At the time of testing, it was announced that Monitor, through its HIBP / Firefox partnership, would be able to check a user’s email address against the HIBP database in a private-by-design way.  Mozilla said that visitors to the Firefox Monitor website would be able to check (by entering an email address) to see if their accounts were included in any known data breaches, with details on sites and other sources of breaches and the types of personal data exposed in each breach. It was also announced that the Firefox site would offer recommendations on what to do in the case of a data breach, and how to help the user to secure their accounts.
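The “private-by-design” check works because the client never sends the address it is checking. The following is an added example of the hash-prefix range query technique (the k-anonymity model HIBP publishes for its Pwned Passwords API, and the approach the Mozilla integration was described as using); it is not Mozilla’s or HIBP’s code. The six-character prefix length and the three-entry breach index are constructed assumptions standing in for the real service.

```python
import hashlib

PREFIX_LEN = 6  # assumption: number of hex characters of the hash that leave the client


def _email_hash(email: str) -> str:
    """Normalise (trim, lower-case) and SHA-1 the address; done on the client."""
    return hashlib.sha1(email.strip().lower().encode("utf-8")).hexdigest()


# Constructed breach index standing in for the server-side dataset: SHA-1(email) -> breach names.
# A real index holds hundreds of millions of hashes; three entries are enough to show the exchange.
BREACH_INDEX = {
    _email_hash("alice@example.com"): ["ConstructedBreach2016", "ConstructedBreach2018"],
    _email_hash("bob@example.com"): ["ConstructedBreach2017"],
    _email_hash("carol@example.net"): ["ConstructedBreach2018"],
}


def server_range_query(prefix: str) -> dict:
    """Server side: return every hash suffix in the index that shares the prefix.
    The server learns only the prefix, so it cannot tell which address the client holds,
    and with a short prefix many unrelated addresses share the same range."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789abcdef" for c in prefix):
        raise ValueError("prefix must be exactly PREFIX_LEN lower-case hex characters")
    return {h[PREFIX_LEN:]: breaches for h, breaches in BREACH_INDEX.items() if h.startswith(prefix)}


def check_email(email: str) -> dict:
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    digest = _email_hash(email)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    candidates = server_range_query(prefix)  # the only thing transmitted is `prefix`
    return {
        "sent_to_server": prefix,
        "candidates_returned": len(candidates),
        "breaches": candidates.get(suffix, []),
    }


if __name__ == "__main__":
    for address in ("alice@example.com", "nobody@example.org"):
        print(address, check_email(address))
```

The caveat worth keeping in mind: the privacy of the scheme depends on each prefix range being large (many suffixes returned per query); with a tiny index like the constructed one, a prefix identifies the address almost uniquely, which is why real services choose the prefix length against the size of their dataset.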

Rolled Out

The Monitor 2.0 security tool that’s just been rolled out in the latest Firefox Quantum update can tell you if your details have been leaked online (if you visit monitor.firefox.com), provide a desktop notification / alert when you visit a website that’s been compromised in the last 12 months, and give extra security details such as how many accounts were affected by a breach and what happened in the breach.

You Can Turn Notifications Off

Mozilla has been quick to point out that the Monitor tool has been designed to help but not annoy users. As such, if you’ve already been told about the potential security issues, you can navigate back without being told again, and you can disable the notifications altogether with just a few clicks if you’d prefer not to see them.

What Does This Mean For Your Business?

Google Chrome dominates the browser market, but there is still a lot of competition among those fighting it out with a less than 10% share of the market – Apple’s Safari, Firefox, Microsoft’s Internet Explorer & Edge.  Adding this tool, that’s linked to a renowned security expert, to the Firefox browser could add some real value at a time when the news is full of major security breaches, but most of us may not know how to check whether our details have been stolen, and what to do next.

Businesses always need to be very security-conscious, particularly since the introduction of GDPR, and being able to see notifications about pages that have been breached may be another way that business users can help to protect themselves.

The tips and personal stories of those who have been affected by a data breach highlighted on the Firefox website for Quantum business users may also help raise awareness about online privacy and could help provide prompts and ideas to help keep improving data protection and cyber resilience in businesses.

Jail For Car Accident Data Thief

An employee at a vehicle accident repair centre who stole the data of customers and passed it to a company that made nuisance phone calls has been jailed for 6 months following an investigation by the Information Commissioner’s Office (ICO).

Used Former Co-Worker’s Login To Company Computer

The employee of Nationwide Accident Repair Services, Mustafa Kasim, used a former co-worker’s login details to access software on the company computer system (Audatex) that was used to estimate repair costs.  The software also stored the personal data (names and phone numbers) of the owners of the vehicles, and it was the personal data of thousands of customers that Mr Kasim took without the company’s permission and then passed on to a claims management company that made unsolicited phone calls to those people.

ICO Contacted

Mr Kasim was unmasked as the data thief after the accident repair company noticed that several clients had complained of being targeted by nuisance calls, which led to the decision to get the ICO involved.

During the investigation, it was discovered that Mr Kasim continued to take and pass on customer data even after he started a new job at a different car repair organisation which used the same Audatex software system.
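Two controls would have surfaced this earlier: disabling accounts on the owner’s last working day, and alerting on any use of an account after that date, plus on unusually large exports of customer records. The following is an added example of that detection logic, not code from the ICO, Nationwide Accident Repair Services or Audatex. The log format, the leaver feed, the usernames and the export threshold are all constructed.

```python
from datetime import datetime

# Constructed HR leaver feed: username -> last working day. In practice this comes from the
# HR system or directory; the account should have been disabled on that date.
LEAVERS = {
    "jsmith": datetime(2018, 3, 30),
}

# Constructed application audit log (estimating system), one event per line.
SAMPLE_LOG = """\
2018-04-02T08:55:10 user=rpatel host=WS-042 action=login
2018-04-02T09:01:44 user=jsmith host=WS-042 action=login
2018-04-02T09:05:12 user=jsmith host=WS-042 action=estimate_export records=412
2018-04-03T18:40:03 user=jsmith host=WS-117 action=estimate_export records=2100
2018-04-04T10:12:00 user=afowler host=WS-009 action=login
"""

EXPORT_THRESHOLD = 1000  # assumption: records per export above which a human should look


def parse_event(line: str) -> dict:
    """Parse 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    timestamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(timestamp)
    return event


def detect(log_text: str, leavers: dict = LEAVERS, export_threshold: int = EXPORT_THRESHOLD) -> list:
    """Return (rule, user, host, timestamp) tuples for activity that should not be happening."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        user, host, when = ev["user"], ev["host"], ev["ts"]
        # Rule 1: any activity on an account after its owner's last working day.
        if user in leavers and when > leavers[user]:
            alerts.append(("leaver_account_active", user, host, when.isoformat()))
        # Rule 2: unusually large exports of customer records, whoever runs them.
        if ev.get("action") == "estimate_export" and int(ev.get("records", 0)) >= export_threshold:
            alerts.append(("bulk_export", user, host, when.isoformat()))
    return alerts


def hosts_by_user(alerts: list) -> dict:
    """Summarise which workstations each flagged account was used from: a leaver's
    account appearing on more than one machine points at shared or reused credentials."""
    summary = {}
    for _rule, user, host, _ts in alerts:
        summary.setdefault(user, set()).add(host)
    return summary


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(hosts_by_user(found))
```

On the constructed log the leaver rule fires three times and the bulk-export rule once, and the summary shows the departed user’s account active from two different workstations.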

First With A Prison Sentence

What makes this case so unusual is that it is the first prosecution to be brought by the Information Commissioner’s Office (ICO) under legislation which carries a potential prison sentence.

Computer Misuse Act

Even though the ICO would normally prosecute in this kind of case under the Data Protection Act 1998 or 2018 with penalties of fines rather than prison sentences, in the case of Mr Kasim it was judged that the nature and extent of the criminal behaviour required making a wider range of penalties available to the court.  It was decided, therefore, that s.1 of the Computer Misuse Act 1990 would be used in the prosecution, and it was the offences under this that resulted in the 6-month prison sentence that Mr Kasim received.

What Does This Mean For Your Business?

Since preparing for GDPR, many companies have become much more conscious of the value of personal data, the importance of protecting customer data, and the possible penalties and consequences of failing to do so.  In this case, the ICO acknowledged that the reputational damage to companies whose data is stolen in this way, e.g. Nationwide Accident Repair Services and Audatex, can be immeasurable. The ICO also noted the anxiety and distress caused to the accident repair company’s customers who received nuisance calls.

This case was also a way for the ICO to send a powerful message that obtaining and disclosing personal data without permission is something that will be taken very seriously, and that the ICO will push boundaries and be seen to use any tool at its disposal to protect the data protection rights of individuals. The case also serves as a reminder to businesses that looking at ways to provide the maximum protection of customer data and plug any loopholes is a worthwhile ongoing process, and that threats can come from within as well as from cyber criminals on the outside.

Businesses Turning To Zero-Trust Security Model

As a widening attack surface and evolving threats mean that organisations continue to be breached despite large security spending, many businesses are now turning to the ‘zero-trust’ security model.

What Is The Zero-Trust Security Model?

The Zero Trust security model, introduced by analyst firm Forrester Research, is an alternative architecture for IT security that drops the traditional assumption that the perimeter is the main focus and that the inside of an organisation’s network can be trusted. Zero-trust assumes that untrusted actors exist both inside and outside a company network, and that every access request has to be authenticated and authorised, following the principle of “never trust, always verify”. In this way, zero-trust can address lateral movement within the network, i.e. stopping insider and other threats from spreading once inside.

Breaches

Almost 70% of organisations are getting breached an average of five times a year, with 81% of breaches being simply linked to weak, default or stolen passwords. Once inside networks, attackers can camouflage their attack behind a legitimate identity like a database administrator, can go on to access and decrypt encrypted information, and be harder to spot and stop because of their apparent legitimacy.

According to some security commentators, this shows that identity, and identity-centric security measures are areas that organisations need to focus on, and this is where architecture such as zero-trust can help.

10 Cyber-Attacks Per Week

More businesses are recognising the need for a better approach to all-round security, particularly in an environment where hacking’s on the up. For example, The UK‘s National Cyber Security Centre has just announced that it has stopped 1,600 attacks over the past two years, many by hostile nation states and that there are now 10 such attacks per week. Also, the NCSC’s Active Cyber Defence (ACD) initiative reports removing 138,398 phishing sites hosted in the UK between September 2017 and August 2018.

Four Pillars of Zero-Trust Security

The zero-trust security model is, therefore, believed to be another step forward in the battle against cyber-criminals. The success of the zero-trust security model is based upon four key ‘pillars’, which are:

  1. Verifying users. This involves identity consolidation, which can tackle weak / shared password issues (using single sign-on and one-time passwords), multi-factor authentication (MFA) everywhere, and monitoring user behaviour, e.g. time and location factors.
  2. Validating devices, i.e. checking that the device making the request is known, managed and in a compliant state before it is trusted.
  3. Limiting access and privilege, so that users (and especially privileged users) get only the access they need, for as long as they need it.
  4. Applying machine learning to all of these factors, and using it to step up the authentication process wherever necessary. This can also reduce the amount of manual intervention needed.
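What the four pillars look like when they are evaluated for a single request: the following is an added example of a minimal policy decision point that denies on the first two pillars, enforces least privilege on the third, and uses a risk score plus context signals to demand step-up authentication on the fourth. It is illustrative code, not Forrester’s or any vendor’s product; the roles, policy, usual locations, step-up threshold and the behavioural score are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool        # pillar 1: identity verified with a second factor this session
    device_compliant: bool    # pillar 2: device known to management and passing posture checks
    resource: str
    action: str
    country: str              # where the request comes from
    hour: int                 # local hour of the request, 0-23
    risk_score: float         # pillar 4: behavioural model output in [0, 1] (constructed)


# Constructed least-privilege model: roles per user, allowed actions per resource per role.
ROLES = {"alice": {"dba"}, "bob": {"analyst"}}
POLICY = {
    "customer-db": {"dba": {"read", "write"}, "analyst": {"read"}},
    "payroll": {"hr": {"read", "write"}},
}
USUAL_COUNTRY = {"alice": "GB", "bob": "GB"}
STEP_UP_AT = 0.5  # assumption: combined risk at which re-authentication is demanded


def permitted_actions(user: str, resource: str) -> set:
    """Pillar 3: the union of what the user's roles allow on this resource, nothing more.
    An unknown user or resource yields the empty set, i.e. deny by default."""
    allowed = set()
    for role in ROLES.get(user, set()):
        allowed |= POLICY.get(resource, {}).get(role, set())
    return allowed


def decide(req: AccessRequest) -> tuple:
    """Evaluate one request against the four pillars; returns (decision, reasons).
    decision is 'allow', 'deny' or 'step_up' (allow only after fresh strong authentication)."""
    if not req.mfa_verified:
        return "deny", ["user not verified with MFA"]
    if not req.device_compliant:
        return "deny", ["device failed validation"]
    if req.action not in permitted_actions(req.user, req.resource):
        return "deny", [f"'{req.action}' on '{req.resource}' is outside the user's privileges"]

    # Pillar 4: combine the model score with simple context signals and step up when high.
    risk, reasons = req.risk_score, []
    if req.country != USUAL_COUNTRY.get(req.user):
        risk += 0.3
        reasons.append("unusual location")
    if not 7 <= req.hour <= 19:
        risk += 0.2
        reasons.append("outside usual hours")
    if risk >= STEP_UP_AT:
        return "step_up", reasons or ["elevated behavioural risk"]
    return "allow", reasons


if __name__ == "__main__":
    print(decide(AccessRequest("alice", True, True, "customer-db", "write", "GB", 10, 0.1)))
    print(decide(AccessRequest("alice", True, True, "customer-db", "write", "US", 2, 0.1)))
    print(decide(AccessRequest("bob", True, True, "customer-db", "write", "GB", 10, 0.0)))
```

The order matters: identity and device are checked before any authorisation logic runs, so an attacker holding a valid password but no second factor, or a valid session on an unmanaged machine, never reaches the privilege check at all.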

Benefits

Those who have implemented zero-trust security have reported many benefits. These include cost savings due to gains in incident response efficiencies and technology consolidation, and greater confidence in supporting users on mobile devices and rolling out new partner and customer experiences.

Challenge

One main challenge to the growth of the adoption of zero-trust security measures is the mistaken belief that it has to be time-consuming and takes a lot of effort to implement. Security commentators are keen to point out that, in reality, implementing a zero-trust security model is a step-by-step process.

What Does This Mean For Your Business?

It seems that the benefits of the zero-trust model are now becoming widely known to UK businesses and organisations. For example, an IDG study revealed that 71% of security-focused IT decision makers are actively pursuing a zero-trust security model, 10% are currently running pilots, and around 8% have implemented it fully.

It’s important to realise that the implementation needn’t be a huge hassle and expense and can be tackled step-by-step, using commercial off-the-shelf technology. This approach to security offers businesses the chance to customise their security for their specific data and assets, and strengthen their infrastructure from the ground up by enabling the identification of vulnerabilities and gaps in their current security models at the root level.

This approach can bring some much-needed benefits, not least of which is a greater feeling of trust and a confidence boost. In terms of more measurable benefits to businesses, a Forrester and Centrify study, for example, has shown that by applying best practices of zero-trust principles, organisations recorded 50% fewer breaches within just two months. These kinds of figures are making this approach to security very attractive to many businesses, particularly those who have fallen victim to costly cyber attacks.

Windows 10 October Rollout Suspended Due To File Deleting Fault

The October rollout of the Windows 10 feature update, delivered under Microsoft’s “Windows as a Service” model, has been suspended due to reports that some customers have experienced mass file deletions.

Eating Files

It has been reported that the rollout of version 1809 October 2018 update for Windows 10 has been temporarily halted after users reported that files had been deleted and over-written.

The update rollout (which is due to be happening in waves over the course of this month) was stopped after users took to Microsoft’s support site and social media to complain, express their anger, and warn other users of what appears to be quite a serious fault.

For example, one user warned others that if documents are saved in the user directory, i.e. users/John, and not on OneDrive, the update deletes everything in that location. Similarly, another user reported that the whole of their “My Documents” folder was deleted by the update, including all of their personal documents (Word docs, spreadsheets, etc). Other issues such as incorrect CPU usage in Task Manager and broken audio drivers have also been reported.

What’s Causing It?

Some tech commentators are blaming the fault on OneDrive, Microsoft’s online file hosting and synchronization service, and a bug in its user profile settings. Engadget, for example, has said that the bug may have slipped through early testing despite reports of the issue appearing on Microsoft’s Feedback Hub some months ago.

The official word is that the exact cause is, as yet, unknown and that users who have already downloaded the update or are enrolled in programs like Windows Insider shouldn’t proceed with version 1809 until Microsoft has released a fix. For the rest of us, it’s a case of making sure that we haven’t downloaded the broken version yet, backing up files now as a precaution, and waiting for the automatic update as normal (which should contain the fix).

On The Upside – More Android Compatibility

Even though the technical fault in the update has dominated the news, with the fix in place, there are some positive aspects and improvements in the update, most notably in Android compatibility. For example, the update allows a better connection between your phone and your Windows desktop by enabling photo syncing and a direct interface to send and receive text messages via your device.

Other Good Points

Also, the latest update brings a cloud clipboard with a history that syncs across devices, allowing you to copy more than one thing at a time. Separately, Windows Timeline gains extensions for both Chrome and Firefox so that browsing activity in those browsers appears in Timeline as it already does for Edge.

What Does This Mean For Your Business?

Many tech commentators had predicted that it was likely that there would be some kind of problem with the latest update, but this file-deleting bug is probably much worse than they were expecting and could be devastating, disruptive and costly to businesses that have installed the update but haven’t recently backed-up their files. It is worth, therefore, taking the official advice of backing up files now as a precaution and if you’re part of the Windows Insider programme, not proceeding with version 1809 until the fix has been released.

The Android OS has by far the biggest worldwide mobile market share, thanks to its extensive app availability, easy interface, functionality and affordability. With more of us spending more of the working day away from the desktop, it is helpful, therefore, that the latest Windows 10 update will help sync our Android phones with our desktops.

Since many people don’t use Edge as their main browser, it’s also good news that the latest Windows update (through the new extensions) will bring the same Timeline functionality to Firefox and Chrome.

How Business Emails Are Vulnerable

Research by digital risk management and threat intelligence firm Digital Shadows has revealed that company credentials and emails that can be easily accessed on the web are making it easier for cyber-criminals to target businesses with attacks.

What Are The Problems?

According to the research, businesses may be suffering targeted attacks because of several key problems caused by the fallout from previous hacks and breaches, and by current poor security practices. These problems are that:

  • Around 12.5 million company email archive files are publicly accessible due to misconfigured archive storage drives e.g. FTP and Amazon S3 buckets. Business emails contain sensitive personal and financial information e.g. the research uncovered 27,000 invoices, 7,000 purchase orders and 21,000 payment records. These things are valuable to cyber-criminals as they help them to target attack methods such as phishing.
  • Improper backing-up of email archives has contributed to their exposure online.
  • Criminal forums, e.g. on the dark web, now contain some 33,568 finance department email addresses that have been exposed in third-party breaches, 27,992 of which have passwords associated with them. These forums also contain large numbers of business email access credentials, some of which the research reports as being worth up to $5,000 to cyber-criminals for a single username and password pair.
  • Email hacking services can be purchased for as little as $150, with results available in a week or less. The researchers were even offered a 20% share of the proceeds that could be harvested from exploiting email vulnerabilities.

What Does This Mean For Your Business?

Business email credentials have a high potential return on investment to cyber-criminals, and therefore have a high value, which is why many cyber-criminals feel that it is worth looking for them and paying substantial amounts for them on criminal forums. The high value may mean that criminals may even collaborate to target larger organisations. Hacks and breaches over time, together with the subsequent buying and selling of the stolen email credentials may mean that many businesses are exposed to multiple types of email attack such as phishing, and man-in-the-middle attacks without even knowing it.

One thing the research does show is that by tightening up email security practices, businesses could reduce the risks that they face. Measures that companies could take to help reduce such risks include:

  • Including business email compromise (BEC) in business continuity planning and disaster recovery planning.
  • Strengthening wire transfer / BACS controls, e.g. by building in manual checks as well as multiple-person authorisation for significant amounts.
  • Improving staff training to enable them to follow practices that minimise company email and other security risks.
  • Continuously monitoring for any exposed credentials (particularly those of finance department emails), and conducting assessments of executives’ digital footprints e.g. using Google Alerts to track new web content related to them.
  • Preventing email archives from being publicly exposed e.g. by making sure that archive storage drives are configured correctly.
  • Being very careful about where contractors back up emails on network-attached storage (NAS) devices. Requiring passwords for all users, disabling guest / anonymous access, and insisting on NAS devices that are secured by default could help.
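The “configured correctly” point for archive storage is checkable. The following is an added example of a review of an S3 bucket’s policy and ACL for public access, the two ways a bucket becomes readable by anyone; it is not Digital Shadows’ tooling or an AWS tool. The input documents are in the JSON shapes the S3 API returns for a bucket policy and a bucket ACL; the bucket name, account ID, role and canonical user ID are constructed. Checking a live account would mean fetching those two documents per bucket with the S3 API first.

```python
import json

# ACL grantee URIs that mean "anyone" (or "anyone with any AWS account") in S3 ACLs.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also when "*" appears in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_findings(policy: dict) -> list:
    """Allow statements that grant actions to everyone. Conditional statements are reported
    for review rather than assumed safe: a Condition can still match the whole internet."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not principal_is_public(st.get("Principal")):
            continue
        status = "review" if "Condition" in st else "public"
        findings.append((status, st.get("Sid", "<no Sid>"), _as_list(st.get("Action", []))))
    return findings


def acl_findings(acl: dict) -> list:
    """Permissions granted to the AllUsers / AuthenticatedUsers groups."""
    return [
        (grant["Permission"], grant["Grantee"]["URI"])
        for grant in acl.get("Grants", [])
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS
    ]


def assess_bucket(name: str, policy_json: str, acl: dict) -> dict:
    """Combine both checks; 'public' is True only for unconditional exposure."""
    policy = json.loads(policy_json) if policy_json else {}
    pol = policy_findings(policy)
    acl_hits = acl_findings(acl)
    public = any(status == "public" for status, _, _ in pol) or bool(acl_hits)
    return {"bucket": name, "public": public, "policy": pol, "acl": acl_hits}


# Constructed examples: the exposed configuration and its corrected counterpart.
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mail-archive-constructed/*"}],
})
EXPOSED_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                           "Permission": "READ"}]}

FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ArchiveRoleOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/mail-archiver"},
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::mail-archive-constructed/*"}],
})
FIXED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-constructed"},
                         "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    print(assess_bucket("mail-archive-constructed", EXPOSED_POLICY, EXPOSED_ACL))
    print(assess_bucket("mail-archive-constructed", FIXED_POLICY, FIXED_ACL))
```

The fixed configuration grants access to one named role and leaves the ACL at owner-only. Note that a bucket with no policy at all is not automatically safe: the ACL check still runs, which is the case that catches archive drives uploaded with “everyone can read” set.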

Facebook Hack Keeps Getting Worse

As if the recent Facebook hack of 50 million user accounts, discovered on 25th September, wasn’t bad enough, it became apparent that it could also affect the “Facebook Login” service, which lets other apps use a person’s Facebook account to log in.

What Happened?

On Tuesday 25 September, Facebook engineers discovered that hackers had used a vulnerability in Facebook’s “View As” feature (which lets people see how their profiles appear to others) to steal digital keys known as “access tokens” from any accounts of people whose profiles were searched for using the “View As” feature. This meant that hackers were able to move from one Facebook friend to another, taking control of all those accounts along the way. It is estimated that the staggering number of 50 million user accounts were compromised in this way.

It has been reported that Facebook had noticed a spike in the use of the “View As” feature in relation to its video uploading feature for posting “happy birthday” messages (a year-old bug), but didn’t put two and two together at that point. Although Facebook discovered the hack on Tuesday 25th September, it is now thought that the attack itself took place on 16th September.

Reporting Problems

Even though less than 10% of the 50 million Facebook accounts affected by the security breach were in the European Union, this is still a significant number, and required a report within 72 hours of discovery of the breach to comply with GDPR. It has been reported, however, that Ireland’s Data Protection Commission (DPC) has said that Facebook’s initial notification to the regulator about the breach (on Thursday) didn’t have enough detail, and this could lead to an official investigation and possibly some (substantial) fines. Facebook’s discovery of the breach on the Tuesday, and notification to Ireland DPC on the Thursday meant that, at least it kept within the 72-hour disclosure deadline required under GDPR.

Worse – Other Services Using Login By Facebook Could Be Affected

One of the things that has made the breach even worse than was previously thought is that, if you use Facebook to log into other services, such as Instagram (owned by Facebook), Tinder, Spotify and even Airbnb, the attackers could also use the stolen access tokens to gain the same level of access to any of these, and may have been able to steal all of your profile info, photos, private messages and more. The fact that the hackers have stolen tokens means that they don’t need to enter a username and password to access a site because the token is a signal that they’re already logged in.

Fixed, Says Facebook

Facebook has reported that it has now fixed the flaw, reset the access tokens of the affected accounts (logging those users out, so that any stolen tokens no longer work) and suspended the “View As” feature.
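Resetting tokens is the right response to token theft precisely because a stolen token is accepted without a password or second factor; the fix has to happen on the server. The following is an added example of how a service can make that bulk reset cheap: each token carries a per-user “generation” number, and invalidating every outstanding token for a user (or for everyone) is a single counter increment rather than a search through issued tokens. This is illustrative code, not Facebook’s implementation; the token format, the signing key and the in-memory state are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-server-side-signing-key"  # assumption: kept only on the server

# Server-side state: one "generation" number per user. Every token carries the generation
# it was issued under; bumping the number invalidates all tokens for that user at once.
TOKEN_GENERATION = {}


def _sign(body: str) -> str:
    return hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).hexdigest()


def issue_token(user_id: str, ttl_seconds: int = 3600, now: int = None) -> str:
    """Create a signed bearer token: base64url(JSON payload) + '.' + HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    generation = TOKEN_GENERATION.setdefault(user_id, 1)
    payload = {"sub": user_id, "gen": generation, "exp": now + ttl_seconds}
    body = base64.urlsafe_b64encode(json.dumps(payload, separators=(",", ":")).encode()).decode("ascii")
    return f"{body}.{_sign(body)}"


def validate_token(token: str, now: int = None):
    """Return the user id if the token is genuine, unexpired and not revoked; otherwise None.
    Note that nothing here asks for a password or second factor: possession is enough,
    which is exactly why revocation has to exist server-side."""
    now = int(time.time()) if now is None else now
    try:
        body, signature = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(signature, _sign(body)):
        return None  # forged or tampered
    payload = json.loads(base64.urlsafe_b64decode(body.encode("ascii")))
    if payload["exp"] <= now:
        return None  # expired; short lifetimes bound how long a stolen token is useful
    if payload["gen"] != TOKEN_GENERATION.get(payload["sub"]):
        return None  # issued before the user's tokens were reset
    return payload["sub"]


def revoke_user_tokens(user_id: str) -> None:
    """Invalidate every token this user currently holds (the per-account 'log me out everywhere')."""
    TOKEN_GENERATION[user_id] = TOKEN_GENERATION.get(user_id, 1) + 1


def revoke_all_tokens() -> None:
    """The bulk reset: every outstanding token for every user stops working."""
    for user_id in list(TOKEN_GENERATION):
        revoke_user_tokens(user_id)


if __name__ == "__main__":
    stolen = issue_token("user-1")
    print("stolen token accepted:", validate_token(stolen))
    revoke_user_tokens("user-1")
    print("after reset:", validate_token(stolen))
    print("fresh token after re-login:", validate_token(issue_token("user-1")))
```

The trade-off is one lookup of the user’s generation per request, which is why real systems keep that counter in a fast store; without it, a stateless signed token can only be killed by waiting for its expiry or rotating the signing key for everyone.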

What Does This Mean For Your Business?

This hack was on a massive scale, and was the biggest in Facebook’s history, coming not long after the revelations about Facebook’s sharing of its customer data with Cambridge Analytica for political purposes. This has undoubtedly dealt another blow to Facebook’s reputation but, more importantly, it could lead to further problems for Facebook’s users. The fact that the hackers were able to steal tokens, bypassing strong passwords and multi-factor authentication because a valid token is accepted without either (which is frightening in itself), means that the attackers could use any personal data and information harvested from Facebook and other sites using Facebook Login to target users in future cyber attacks. The information taken could, for example, be used in phishing attacks, fraud, and even blackmail. The information used for blackmail (photos, private messages, etc.) could even cause damage to personal and work relationships.

Once again, it seems, we can’t trust a major tech company to adequately protect our personal data and information, even after it has gone to the trouble, over the last few months, of spending large amounts on advertising campaigns to tell us how much it can be trusted. Even though the initial crime appears to be a large-scale hack, the fact is that users could find themselves being the victim of cyber attacks in future because of the information that has been stolen.

UK Government Guilty of Mass Surveillance Human Rights Breach

The European Court of Human Rights in Strasbourg has found the UK government guilty of violating the right to privacy of citizens under the European convention because the safeguards within the government’s system for bulk interception of communications were not strong enough to provide guarantees against abuse.

The Case

The case which led to the verdict, was brought against the UK government by 14 human rights groups, journalism organisations, and privacy organisations such as Amnesty International, Big Brother Watch and Liberty in the wake of the 2013 revelations by Edward Snowden, specifically that GCHQ was secretly intercepting communications traffic via fibre-optic undersea cables.

In essence, although the court, which voted by a majority of five to two votes against the UK government, accepted that police and intelligence agencies need covert surveillance powers to tackle threats, those threats do not justify spying on every citizen without adequate protections.

Three Main Points

The ruling against the UK government in this case centred on three points – firstly the regime for bulk interception of communications (under section 8(4) of RIPA), secondly the system for collecting communications data (under Chapter II of RIPA), and finally the intelligence sharing programme.

The UK government was found to have breached the convention on the first two points, but the ECHR didn’t find a legal problem with GCHQ’s regime for sharing sensitive digital intelligence with foreign governments. The court also decided that bulk interception with tighter safeguards would be permissible.

Key Points

Some of the key points highlighted by the rulings against the UK government, in this case, are that:

  • Bulk interception is not unlawful in itself, but the oversight of that apparatus was not up to scratch in this case.
  • The system governing the bulk interception of communications is not capable of keeping interference to what is strictly necessary for a democratic society.
  • There was concern that the government could examine the who, when and where of a communication, apparently without restriction i.e. problems with safeguards around ‘related data’. The worry is that related communications data is capable of painting an intimate picture of a person e.g. through mapping social networks, location tracking and insights into who they interacted with.
  • There had been a violation of Article 10 relating to the right to freedom of expression for two of the parties (journalists), because of the lack of sufficient safeguards in respect of confidential journalist material.

Privacy Groups Triumphant

Privacy groups were clearly very pleased with the outcome. For example, the Director of Big Brother Watch is reported as saying that the judgement was a step towards protecting millions of law-abiding citizens from unjustified intrusion.

What Does This Mean For Your Business?

Like the courts, we are all aware that we face threats of terrorism, online sexual abuse and other crimes, and that advancements in technology have made it easier for terrorists and criminals to evade detection, and that surveillance is likely to be a useful technique to help protect us all, our families and our businesses.

However, we should have a right to privacy, particularly if we feel strongly that there is no reason for the government to be collecting and sharing information about us that, with the addition of related data, could identify us not just to the government but to any other parties who come into contact with that data.

The reality of 2018 is that, in addition to CCTV surveillance, we now live in a country where state surveillance powers are set in law. The UK ‘Snooper’s Charter’ / Investigatory Powers Act became law in November 2016 and was designed to extend the reach of state surveillance in Britain. The Act requires web and phone companies to store everyone’s web browsing histories for 12 months, and to give the police, security services and official agencies unprecedented access to that data. It also allows the security services and police to hack into computers and phones and to collect communications data in bulk, and lets judges sign off police requests to view journalists’ call and web records.

Although businesses and many citizens prefer to operate in a safe and predictable environment, and trust governments to operate surveillance just for this purpose and with the right safeguards in place, many are not prepared to blindly accept the situation. Many people and businesses (communications companies, social media, and web companies) are uneasy with the extent of the legislation and what it forces companies to do, how necessary it is, and what effect it will have on businesses publicly known to be snooping on their customers on behalf of the state.

This latest ruling against the government won’t stop bulk surveillance or the sharing of data with intelligence partners, but many see it as a blow against a law that makes them uneasy in a time when GDPR is supposed to have given us power over what happens to our data.

ICO Highlights Prevalence of GDPR Myths

The Information Commissioner’s Office (ICO) has reported taking 500+ calls per week reporting GDPR data breaches, but one-third of the calls appear to be based on myths and misunderstandings or over-reporting about GDPR matters.

Update After Freedom of Information Request

The update by the ICO about how things appear to be going just three months after the introduction of GDPR came shortly after a Freedom of Information (FOI) request by law firm EMW yielded figures showing that the number of complaints between 25th May and 3rd July 2018 rose to 6,281, versus 2,417 during the same period in 2017.

Over-Reporting

A key problem highlighted by the ICO is that many companies feel that in order to achieve compliance and avoid being penalised, they have to be transparent to the degree that they “over-report” by reporting everything. Also, many of the reports are incomplete.

One common misconception highlighted by the ICO that is leading to unnecessary calls is that instead of reporting suspected data breaches to the ICO within 72 hours ‘from the point of discovery’, many companies appear to believe that the mandatory reporting period is 72 ‘working’ hours.
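To make the ICO’s point concrete, here is a small deadline calculator. It is an added example, not code from the ICO or from the original article: it computes the correct deadline (72 calendar hours from the point of discovery, with the clock never pausing) beside the mistaken “72 working hours” reading, so the gap between the two interpretations can be seen on a constructed discovery time. The 09:00–17:00, Monday-to-Friday working day is an assumption used only to model the misconception.

```python
from datetime import datetime, timedelta, time

# GDPR Article 33: notify the supervisory authority within 72 hours of
# becoming aware of the breach. The clock is calendar hours and never pauses.
def notification_deadline(discovered_at: datetime) -> datetime:
    return discovered_at + timedelta(hours=72)

# The misconception the ICO describes: counting only "working" hours.
# Working day modelled as Mon-Fri, 09:00-17:00 (assumption for illustration).
def working_hours_deadline(discovered_at: datetime,
                           hours: int = 72,
                           workday_start: time = time(9),
                           workday_end: time = time(17)) -> datetime:
    remaining = timedelta(hours=hours)
    cursor = discovered_at
    while remaining > timedelta(0):
        # Weekend or after close: jump to the next day's opening time.
        if cursor.weekday() >= 5 or cursor.time() >= workday_end:
            next_day = (cursor + timedelta(days=1)).date()
            cursor = datetime.combine(next_day, workday_start)
            continue
        # Before opening: jump to today's opening time.
        if cursor.time() < workday_start:
            cursor = datetime.combine(cursor.date(), workday_start)
            continue
        end_of_day = datetime.combine(cursor.date(), workday_end)
        available = end_of_day - cursor
        if available >= remaining:
            return cursor + remaining
        remaining -= available
        cursor = end_of_day
    return cursor

# How many days late a notification would be if it was timed to the wrong deadline.
def days_late_under_misconception(discovered_at: datetime) -> int:
    wrong = working_hours_deadline(discovered_at)
    right = notification_deadline(discovered_at)
    return (wrong - right).days

def is_overdue(discovered_at: datetime, now: datetime) -> bool:
    return now > notification_deadline(discovered_at)

if __name__ == "__main__":
    # Constructed scenario: breach discovered late on a Friday afternoon.
    discovered = datetime(2018, 6, 1, 16, 0)
    print("discovered:         ", discovered)
    print("real deadline:      ", notification_deadline(discovered))
    print("'working hours' view:", working_hours_deadline(discovered))
    print("days late if relied on:", days_late_under_misconception(discovered))
```

A Friday-afternoon discovery is the case that matters most in practice: the real deadline lands on Monday afternoon, while the working-hours reading pushes it almost two weeks out.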

Fine Fears Unfounded

Another key point that the ICO was keen to make was that even though there have been some high profile cases that have involved big companies receiving big fines since the introduction of GDPR, many thousands of incidents are closed each year without financial penalty but with advice, guidance and reassurance offered instead. Another point that the ICO would like to make known is that the real norm of the work they do is simply audits, advisory visits and guidance sessions.

In fact, ICO Deputy Commissioner James Dipple-Johnstone has been quoted as saying that businesses that take their data protection responsibilities seriously “have nothing to fear from an ICO inspection or investigation”.

Cyber Crime Reports

The ICO has said that almost half of the calls that it received weekly involve some cyber element, and around one-third of calls relate to phishing attacks.

Phishing attacks are still such a popular method of cyber-crime because many companies have been focusing on malware detection and may not have trained and educated their staff about the risks, how to spot phishing attacks, and what to do about them.

What Does This Mean For Your Business?

Of course, organisations need to take their data protection responsibilities seriously to protect customers and the company itself, but part of dealing with that responsibility correctly is being clear on what GDPR actually requires a company to do, how, and when. This is why GDPR requires (via mandatory appointment under Article 37) organisations / companies to have a data protection officer (DPO), i.e. someone tasked with the responsibility and security leadership role of overseeing data protection strategy and implementation, and of ensuring proper compliance with GDPR requirements. Part of the responsibilities of a DPO is to educate the company and train employees about GDPR and how it applies to them and their work. A DPO is required to have expert knowledge of data protection law and practices, and having a person on hand to consult about GDPR matters would be a good way to prevent unnecessary calls and complaints being made to the ICO, and to prevent unnecessary concerns, misunderstandings and mistaken beliefs prevailing within the company that could lead to other problems.

Only 32% of Emails Clean Enough To ‘Make It’

A bi-annual study by FireEye has found that less than a third of over half a billion emails analysed were considered clean enough not to be blocked from entering our inboxes.

Phishing Problem Evident

The study found that even though 9 out of 10 emails that are blocked by email security / anti-virus didn’t actually contain malware, 81% of the blocked emails were phishing attacks. This figure is double that of the previous 6 months.

Webroot’s Quarterly Threat Trends Report data, for example, shows that 1.39 million new phishing sites are created each month, and that this figure was even as high as 2.3 million in May last year. It is likely that phishing attacks have increased so much because organisations have been focusing too much of their security efforts on detecting malware. Also, human error is likely to be a weak link in any company, and phishing has proven to be very successful, sometimes delivering results in a second wave as well as the first attack. For example, in the wake of the TSB bank system meltdown, phishing attacks on TSB customers increased by 843% in May compared with April.

A recent KnowBe4 study involved sending phishing test emails to 6 million people, and the study found that recipients were most likely to click on phishing emails when they promised money or threatened the loss of money. This highlights a classic human weakness that always provides hope to cyber-criminals, and the same criminals know that the most effective templates for phishing are the ones that cause a knee-jerk reaction in the recipient i.e. the alarming or urgent nature of the subject makes the recipient react without thinking.

Increase In Malicious Intent Emails

The FireEye study also highlighted the fact that there has been an increase over the last 6 months in the emails sent to us that have malicious intent. For example, the latest study showed that one in every 101 emails had malicious intent, whereas this figure was one in every 131 in the previous 6 months.

Biggest Vulnerability

As FireEye noted after seeing the findings of their research, email is the most popular vector for cyber attacks, and it is this that makes email the biggest vulnerability for every organisation.

What Does This Mean For Your Business?

It is very worrying that we can only really trust less than one third of emails being sent to businesses as being ‘clean’ enough, and free enough of obvious criminal intent, to be allowed through to the company inbox. It is, of course, important to have effective anti-virus / anti-malware protection in place on email programs, but phishing emails are able to get past this kind of protection, as are other methods such as impersonation attacks like CEO fraud. Organisations, therefore, need to focus on making sure that staff are sufficiently trained and educated about the threats and the warning signs, and that there are clear procedures and lines of responsibility in place to be followed whenever an email concerns, for example, a transfer of money (even when it appears to come from the CEO).
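As an added example (not code from FireEye, KnowBe4 or the original article) of the kind of check that complements anti-malware scanning, the script below applies three of the warning signs discussed above to a message: a sender display name matching a known executive but arriving from an address that is not that executive’s, a Reply-To pointing at a different domain from the From address, and urgent payment language in the body. The company domain, the executive list and both sample messages are constructed for the demonstration; a real deployment would take them from the directory and the mail flow.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions for the example: the organisation's own domain and its executives.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",   # constructed CEO entry
}

# Words typical of payment-pressure lures (the "knee-jerk reaction" triggers).
URGENT_PAYMENT = re.compile(
    r"\b(wire|transfer|payment|invoice|urgent|immediately|confidential)\b", re.I)

def _normalise(name: str) -> str:
    return " ".join(name.lower().split())

def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def assess(raw: bytes) -> dict:
    """Return a verdict ('hold', 'review' or 'pass') plus the reasons behind it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    reasons = []

    # 1. Display-name impersonation: looks like an executive, but wrong address.
    expected = EXECUTIVES.get(_normalise(name))
    impersonation = bool(expected) and addr.lower() != expected
    if impersonation:
        reasons.append(f"display name '{name}' matches an executive but sender is {addr}")

    # 2. Reply-To steering replies to a domain other than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_mismatch = bool(reply_addr) and _domain(reply_addr) != from_domain
    if reply_mismatch:
        reasons.append(f"Reply-To {reply_addr} is on a different domain from From")

    # 3. Urgent payment language in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    hits = sorted({m.lower() for m in URGENT_PAYMENT.findall(text)})
    if hits:
        reasons.append("urgent-payment language: " + ", ".join(hits))

    if impersonation or reply_mismatch:
        verdict = "hold"        # route to the out-of-band verification procedure
    elif hits and from_domain != COMPANY_DOMAIN:
        verdict = "review"      # external sender asking about money
    else:
        verdict = "pass"
    return {"verdict": verdict, "reasons": reasons, "from": addr}

# Constructed sample 1: CEO-fraud style lure from an external address.
SAMPLE_CEO_FRAUD = b"""From: Jane Doe <jane.doe@example.net>
Reply-To: accounts@example.org
To: finance@example.com
Subject: Quick favour
Content-Type: text/plain; charset=us-ascii

I need you to process an urgent wire transfer to a new supplier today.
Keep this confidential until I am back in the office.
"""

# Constructed sample 2: genuine internal message from the executive's real address.
SAMPLE_LEGIT = b"""From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Board pack
Content-Type: text/plain; charset=us-ascii

Please find the agenda for Thursday attached.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_CEO_FRAUD, SAMPLE_LEGIT):
        result = assess(sample)
        print(result["from"], "->", result["verdict"])
        for r in result["reasons"]:
            print("   ", r)
```

A "hold" verdict is the point at which the procedures and lines of responsibility mentioned above take over: the request is verified through a channel other than the email itself before any payment is made.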

Cyber-criminals are getting bolder and more sophisticated, and companies need to ensure that there is no room for weak ‘human error’ links on the front line.