Oops!

The media has been awash with sensationalist stories of ‘cyber attacks on the NHS’. This is, of course a misrepresentation of the facts. NHS trusts have fallen victim of a piece of insidious ‘ransomware’ that, according to Europol – and reported on the BBC News website here – have infected more than two hundred thousand victims in one hundred and fifty countries. Other reports suggest as many as nine million computers in nearly two hundred countries. The malware – known as ‘Wannacry exploited a ‘back door’  known as ‘EternalBlue’ that the New York Times described as “a vulnerability that was discovered and developed by the National Security Agency (NSA).” Microsoft issued security patches to its current operating systems a few months ago when ‘EternalBlue’ had been leaked by a hacking group known as the Shadow Brokers. Of course, as we have reported here in the past, older operating systems such as Windows XP, Server 2003 and Vista are no longer publicly supported, and so no fixes were offered. On Saturday May 13th Microsoft took the unexpected step of releasing  an ‘out of bounds patch’ for unsupported operating systems such as Windows XP and Server 2003 meaning that people now are able to patch rather than having to attempt upgrades to newer system in order to be secured against this worm. Sunday’s British newspapers reported that a British InfoSec specialist – Malware Tech – had halted the initial attack by identifying and activating a ‘kill switch’ that sought a hitherto unregistered domain. Somewhat worryingly, ‘Wannacry2’ has been identified ‘in the wild’ that has no such kill switch. The threat remains. Lessons to...

BCC’s digital survey results

The British Chambers of Commerce (BCC)  today published the results of its digital survey that suggested that, of the more than 1,200 businesses surveyed across the UK, some 20% had been hit by a cyber-attack in the last 12 months. It further reported that 42% of larger firms (those with over 100 staff) had been the victim of a cyber attack, compared with 18% of smaller ones. The BCC’s survey revealed that 21% of businesses believe the threat of cyber-crime is preventing their company from growing, while fewer than a quarter (24%) of businesses have cyber security accreditations in place.   Dr Adam Marshall, Director General of the British Chambers of Commerce (BCC), said: “Firms need to be proactive about protecting themselves from cyber-attacks. Accreditations can help businesses assess their own IT infrastructure, defend against cyber-security breaches and mitigate the damage caused by an attack. It can also increase confidence among the businesses and clients who they engage with online.” Referring to next year’s GDPR legislation Dr Marshall added: “Businesses should also be mindful of the extension to data protection regulation coming into force next year, which will increase their responsibilities and requirements to protect personal data. Firms that don’t adopt the appropriate protections leave themselves open to tough penalties.” Compliance3 have been working with businesses to ‘devalue data‘ and ‘take risk off the table‘. Data Security can be complicated and expensive, and the hackers are both clever and motivated. By effective de-scoping, even if your company is hacked, then personal and payment data need not be compromised. If you take payments online or over the telephone, we can...

Personal Data Breach at Wonga

It’s been a bit quiet of late on the data breaches front, although the suspicion has to be that, while data breaches are continuing, they just haven’t yet been detected. The Republic of Ireland’s Data Protection Commissioner – Helen Dixon – announced on April 11th that some 2,224 data security breaches were reported in 2016. That’s an average of more than six breaches reported per day, in a nation of just over four and a half million people. Here in the UK, it was announced on April 9th, that the payday loan company Wonga had suffered “illegal and unauthorised access to the personal data of some of our customers”. It’s thought that the personal details of around 245,000 UK customers and 25,000 polish customers may have been compromised. Wonga’s website (here)claims that they are “still working to establish the full details. However, we believe it may include one or more of the following: your name, e-mail address, home address, phone number, the last four digits of your card number (but not the whole number) and/or bank account details and sort code.” The fact that full payment card details were not compromised means that Wonga will escape card scheme penalties under PCI DSS, but they are likely to face a hefty penalty from the UK Information Commissioner. Talk Talk were fined a record £400,000 in 2015 for a data breach that affected almost 157,000 customers. Under next year’s GDPR legislation – which is still coming, regardless of Brexit – the penalty would have been up to 4% of the previous year’s global turnover. That would amount to just over £3m –...

End of Support for Windows Vista

Microsoft have announced (here) that, after April 11th this year, “Windows Vista customers will no longer receive new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates from Microsoft.” Microsoft Vista was released on 30th January 2007; to put that date in perspective, Amy Winehouse ‘Back to Black’ was the number one album. Vista came five years after the release of Windows XP, and was in turn replaced in October 2009 by Windows 7. At its peak some 19% of Windows Users were running Vista, while XP retained 63% of the desktop market. Today, Vista’s market share remains around 0.78%, but that’s still nearly 10 million PCs worldwide. Of course, the PCI DSS Standard has this covered in sections 6, 11.2 and 11.3. The PCI Security Standards Council – when Windows XP reached End of Service (EOS) in 2014 – stated that “PCI DSS Requirements 6.1 and 6.2 address the need to keep systems up to date with vendor-supplied security patches in order to protect systems from known vulnerabilities. Where operating systems are no longer supported by the vendor, OEM or developer, security patches might not be available to protect the systems from known exploits, and these requirements would not be able to be met.” The PCI Security Standards Council’s FAQ can be found here: As Microsoft themselves said in July 2014 “Payment Card Industry (PCI) policies will not be met with an operating system that is EOS.” All this, of course, relates to a Merchant’s Cardholder Data Environment. We at Compliance3 specialise in helping our customers de-scope their data environments by ensuring that customers’ card...

Data Breach at Dailymotion

As we approach the end of 2016, the rate of data breach – or more accurately data breach discoveries – doesn’t appear to be slowing. The BBC reported on Tuesday (here) that the Dailymotion subsidiary of French media company Vivendi had details of more than 85 million users stolen, including usernames, email addresses and passwords, although the passwords had been encrypted using the Bcrypt algorithm. Dailymotion said the impact of the breach was limited and no personal information had been lost. It’s perhaps worrying that Daily Motion were advised of the breach by an external agency – Leakedsource. It said: “It has come to our attention that a potential security risk, coming from outside Dailymotion may have comprised the passwords for a certain number of accounts.” Mark James, a security specialist at security firm ESET commented: “Check and change your passwords on this site, if you have used that same password on any other site then change those immediately and possibly consider a password manager if you’re not already using one.” He added: “Without further information about what was or was not stolen, we won’t know the extent of the damage – but needless to say more data being added to your already overflowing online profile floating around the web is not good for any of us.” The BBC added, scarily – “This year has seen a series of massive data breaches, with experts saying there are now 1.5 billion stolen credentials available to hackers and attackers online.” And, once again, let’s look at the potential post GDPR fines, had personal data been leaked – Vivendi’s revenue last year was €10.76...

Major Data Breach in Japan

We’ve seen a number of high profile data breaches over the last couple of years, but it’s rare to hear of data breaches in the Asia Pacific region. Last Friday (December 5th) the Japanese Cosmetics firm Shisheido reported that the online store operated by their subsidiary IPSA Co. may have leaked the details of 420,000 customers. Stolen data includes Customer Names and Addresses, but more worryingly the payment card information of 56,000 customers may have been leaked. Those are customers who made purchases at the online store between December 14th 2011 and November 4th 2016 – that’s over five years. This serves to emphasise Price Waterhouse’s 2015 report (here) that said “Nearly 9 out of 10 large organisations surveyed now suffer some form of security breach – suggesting that these incidents are now a near certainty. Businesses should ensure they are managing the risk accordingly.” Shisheido learned of the data leak on November 4th, when they received a report from a payment agency, they’ve suspended their online store and notified the Japanese Police and the Ministry of Economy, Trade and Industry. Once again, we reiterate the words of Stephen Orphei, the chairman of the PCI Standards Council, the safest path for any business is to “take risk off the table”. If you’re not storing card or sensitive data then, even if your organisation is breached, there’s nothing for the bad guys to steal, and your company’s public reputation remains untarnished. We at Compliance3 can help you, get in...

It could be you?

The BBC reported this morning (here) that Camelot, the operator of the UK’s National Lottery, had suffered a data breach. Some 26,500 of the National Lottery’s 9.5 million online customers had had their account – comprising transaction history, date of birth, bank sort code, and the last four digits of their bank account number, compromised. Of those 26,500 –  50 of them “had some activity take place. It’s to Camelot’s credit that they locked down their systems on Monday after noticing suspicious activity, even though they don’t “hold full debit card or bank account details in National Lottery players’ online accounts“. Customers whose accounts may have been compromised have been forced to change their passwords. It has been suggested that these accounts were accessed using passwords sourced elsewhere and re-used; once again highlighting the dangers of using the same password on multiple sites. It is also another potential ‘padding’ attack, with hackers building a database of customer details that they might use to create fake identities. While data breaches continue to be revealed with a scary frequency, the number of data breaches involving financial information are becoming scarce. That’s a good sign in that Merchants are taking the security of payment card data seriously, the hackers are now turning their attention to ‘softer’ targets, and sourcing personal rather than financial data. Once again, we stress the need to be careful with online passwords and not re-use them across different online accounts. There are a number secure password ‘vault’ applications that store complex passwords; these might be worth considering if you have a large number of online accounts. It’s also...

Data Breach at Madison Square Garden.

  It was revealed recently that the Madison Square Garden Company (MSGC) has suffered a data breach at five of its venues. In a statement, the company wrote that it has notified customers that an investigation found “external unauthorized access to MSG’s payment processing system” at Madison Square Garden, the Theatre at Madison Square Garden, Radio City Music Hall, Beacon Theatre, and the Chicago Theatre in the past year. The data breach appears to have originated through compromised ‘swipe card’ machines, the older version of PED (Pin Entry Devices)  – as the use of ‘Chip and Pin’ is still not widespread in the United States. According to the MSGC statement “Data contained in the magnetic stripe on the back of payment cards swiped in person to purchase merchandise and food and beverage items at Madison Square Garden, the Theater at Madison Square Garden, Radio City Music Hall, Beacon Theater, and Chicago Theater between November 9, 2015 and October 24, 2016 may have been affected, including credit card numbers, cardholder names, expiration dates and internal verification codes. Not all cards used during this time frame were affected. This incident did not involve cards used on MSG websites, at the venues’ Box Offices, or on Ticketmaster.” That’s nearly a year before the compromise was detected, and during that period those venues hosted hundreds of  concerts and sporting events. Madison Square Garden alone held three Kanye West ‘events’, six sell-out concerts by Adele, two Radiohead concerts, and a long term residency by Billy Joel. And every card used to purchase merchandise, hot dogs or popcorn at those events might be compromised. It’s easy, here in...

Three Mobile Data Breach

It was announced this morning that three men had been arrested for a data breach at Three Mobile. The men were thought to have accessed a Customer Database at Three Mobile using ‘authorised logins’. This was not an external attack. Once in the database the perpetrators identified customers who were eligible for handset upgrades, ordered eight ‘high value handsets’ and then intercepted them prior to delivery. Dave Dyson, Three’s CEO said “I can now confirm that the people carrying out this activity were also able to obtain some customer information. In total, information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question.”  Dave Dyson’s full statement can be found here. As well as the intercepted upgrades a further 400 ‘high value handsets’ have been stolen through burglaries – presumably targeted by the compromised Customer Data. Given that the iPhone 7 starts at £600, then 400 of those represents a potential loss of a quarter of a million pounds. Less than the cost of recent Tesco Bank breach, but hardly loose change. It’s not clear when the data was fraudulently accessed, or whether it was extracted and subsequently sold on. Customer data could be used for ‘credential stuffing’ and future identity theft – as we described here after the data breach that O2 reported this summer. Three claims to have strengthened its data controls, but Three customers should exercise caution, and consider changing their Three password, and the password on any other sites where they might reuse the password. Obviously it’s best practice...

Every Little Helps – Tesco Bank Data Breach

It’s been very quiet on the data breach front of late; that’s not to say that data breaches aren’t occurring, simply that the breaches haven’t been detected. As  Eva Velasquez, president and CEO of America’s  Identity Theft Resource Center has said: “There are two kinds of consumers — those who know they’ve been breached, and those who don’t,”. According the the BBC News website (here) today (November 9th) there are around 9,000 more UK consumers who have learned first hand about data breaches; they’re the customers of Tesco Bank who have had funds illegally taken from their current accounts.That’s down from the initial estimates of 20,000 compromised accounts, and Tesco say that they’ve refunded £2.5m to customers whose accounts siphoned. Another 20,000 accounts are reported to have been compromised; that’s 29,000 of around 136,000 current accounts operated by Tesco Bank – around 21% of current accounts compromised. Obviously this is embarrassing for Tesco Bank, but to their credit they locked their systems down before the second tranche of accounts were exploited, despite the fraudulent transactions taking place ‘out of hours’ when bank offices are likely to be understaffed. Customers have reported the theft of amounts between twenty and six hundred pounds. At the time of writing the vector for the attack has yet to be identified, but the scale of the breach – both in terms of numbers and geography – suggests that the bank details had been harvested from a database rather than from individual transactions – such as card skimmers on cashpoints. Speculation in the media on Tuesday November 8th (here) suggested the fraud may have originated...