Every Little Helps – Tesco Bank Data Breach

It’s been very quiet on the data breach front of late; that’s not to say that data breaches aren’t occurring, simply that they haven’t been detected. As Eva Velasquez, president and CEO of America’s Identity Theft Resource Center, has said: “There are two kinds of consumers — those who know they’ve been breached, and those who don’t.” According to the BBC News website today (November 9th) there are around 9,000 more UK consumers who have learned first hand about data breaches: the customers of Tesco Bank who have had funds illegally taken from their current accounts. That’s down from the initial estimate of 20,000 compromised accounts, and Tesco say that they’ve refunded £2.5m to customers whose accounts were siphoned. A further 20,000 accounts are reported to have been compromised but not yet drained; that’s 29,000 of the roughly 136,000 current accounts operated by Tesco Bank, or around 21% of current accounts compromised. Obviously this is embarrassing for Tesco Bank, but to their credit they locked their systems down before the second tranche of accounts was exploited, despite the fraudulent transactions taking place ‘out of hours’, when bank offices are likely to be understaffed. Customers have reported the theft of amounts between twenty and six hundred pounds. At the time of writing the vector for the attack has yet to be identified, but the scale of the breach, both in numbers and in geography, suggests that the bank details were harvested from a database rather than from individual transactions (for example via card skimmers on cashpoints). Speculation in the media on Tuesday November 8th suggested the fraud may have originated...

GDPR – Four Hundred Days

While much of the country continues to debate the ramifications of June’s ‘Brexit’ vote, there are some pieces of European legislation whose effect will remain post ‘Brexit’. Key among these is the upcoming General Data Protection Regulation (GDPR). GDPR is the wholesale reform of data protection and data privacy law across the EU. Much of the existing law is no longer fit for purpose; the UK’s Data Protection Act dates from 1998, six years before the launch of Facebook and eight years before Twitter. The implication of Brexit is that UK organisations wishing to deal with EU citizens and organisations will still be required to provide ‘adequate’ data protection, at least as stringent as GDPR. And the clock is ticking: GDPR applies from the 25th May 2018. That’s just four hundred working days from today, October 17th 2016. There’s much for organisations to do, but understanding the implications is always a good start. Compliance3 has partnered with New Leaf, and we believe that together we can provide what we consider the “Gold Standard” in preparing companies for GDPR or its equivalent. We’ve produced a Briefing Note that can be downloaded from our ‘Resources’ section. Take a look and get in touch, we can help your GDPR...

Read the small print!

Anybody with an interest in the internet or blogging will be aware of WordPress; it’s now estimated that over 26% of websites use the WordPress ‘engine’. The underlying content management system (based on a MySQL database) is free and relatively simple to deploy, and some unexpectedly large corporate websites run on the WordPress platform. Indeed this website runs on WordPress, albeit using a proprietary ‘theme’. Another advantage of the WordPress platform is the number of plugins that have been and continue to be developed to enhance the publishing or reading experience. Best estimates suggest that there are over 30,000 plugins available, many of them free. And sometimes, free can prove costly. As Robert A. Heinlein famously wrote (in ‘The Moon is a Harsh Mistress’ in 1966), “There ain’t no such thing as a free lunch”, often acronymised as ‘TANSTAAFL’. Which brings us to reading the small print. Recently the WordPress security firm ‘Wordfence’, who offer both free and premium WordPress security plugins, reported some dubious code in a popular plugin; they’d been called in to investigate a ‘hacked’ WordPress site that was displaying links to payday loan companies. The plugin in question had been installed on over 70,000 WordPress sites. In common with many similar plugins, its T&Cs used text from the standard GNU General Public License, but hidden at the bottom of the text was the clause “By clicking the button here below, you agree to the terms and conditions and give permission to place text links on your website when search engine crawlers access it.” In other words, the plugin served the injected links only to search engine crawlers, so the site owner browsing their own pages would never see them. Now while, as Wordfence suggest, ‘no sane webmaster would sign up to that‘,...
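Because the injected links are only served when a search engine crawler requests the page, a site owner looking at the site in a browser will not notice them. One way to check your own site is to request each page twice, once with an ordinary browser User-Agent and once with a crawler User-Agent, and diff the links. The script below is an added example written for this post; it is not Wordfence’s tooling or the plugin’s code. The two User-Agent strings are illustrative, the sample pages are constructed for the demo, and the `payday-example.invalid` domain is a placeholder.

```python
"""Detect links that a site serves only to search engine crawlers (link cloaking).

Added example for this post: fetch (or, in the demo, construct) the page as seen by
a browser and as seen by a crawler, extract the <a href> links from each, and report
the links that appear only in the crawler view.
"""
from html.parser import HTMLParser
from urllib.request import Request, urlopen

# Illustrative User-Agent strings (assumptions for this example, not a vetted list).
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class LinkCollector(HTMLParser):
    """Collects (href, anchor text) pairs from every <a> element in a document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently being read, if any
        self._text = []     # text fragments inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            anchor = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, anchor))
            self._href = None


def extract_links(html):
    """Return the list of (href, anchor text) pairs in document order."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def crawler_only_links(browser_html, crawler_html):
    """Links present in the crawler view but absent from the browser view."""
    seen_by_browser = {href for href, _ in extract_links(browser_html)}
    return [(href, text) for href, text in extract_links(crawler_html)
            if href not in seen_by_browser]


def fetch_view(url, user_agent, timeout=10):
    """Fetch url with a chosen User-Agent. Network helper; the demo below is offline."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


def scan(url):
    """Compare the browser and crawler views of one live page."""
    return crawler_only_links(fetch_view(url, BROWSER_UA), fetch_view(url, CRAWLER_UA))


# Constructed sample pages: the crawler view carries a hidden block of injected links,
# mirroring the behaviour described in the post (placeholder .invalid domain).
BROWSER_VIEW = """<html><body>
<nav><a href="/">Home</a> <a href="/about/">About us</a></nav>
<p>Welcome to our site.</p>
</body></html>"""

CRAWLER_VIEW = BROWSER_VIEW.replace(
    "</body>",
    '<div style="display:none">'
    '<a href="http://payday-example.invalid/loans">payday loans</a> '
    '<a href="http://payday-example.invalid/fast-cash">fast cash</a>'
    "</div></body>",
)


def demo():
    """Run the comparison on the constructed sample pages."""
    return crawler_only_links(BROWSER_VIEW, CRAWLER_VIEW)


if __name__ == "__main__":
    for href, text in demo():
        print(f"crawler-only link: {href!r} ({text!r})")
```

Run `scan("https://your-site.example/")` against your own pages (from a machine outside your own network, since some cloaking code keys on source IP ranges as well as on User-Agent). A non-empty result means the page served different links to the crawler; legitimate reasons for that are rare, so each hit deserves a manual look at the installed plugins and theme.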

CNIL Hit Microsoft with a Formal Notice

The Problem

Since Microsoft’s release of Windows 10 in July 2015, excessive amounts of personal and usage data have been collected from its users. Even when customers turn off every setting that might allow Microsoft to send data to its servers in the US, users still have no control over this. Windows 10 collects this information through its Cortana and Bing products, sending ‘home’ searches, ‘live tile’ searches and Internet queries over an unencrypted HTTP channel, ‘threshold.appcache’. This is worrying as customers are not asked to consent to it, and they aren’t even able to turn the feature off. There is also the issue of the unencrypted channel, which exposes the data in transit to interception by malicious actors.

CNIL and Microsoft

After the French Data Protection Authority (CNIL) became aware of this, seven online observations were carried out in April and June 2016, and CNIL has since questioned Microsoft Corporation about it. Interestingly, Microsoft said nothing to defend or deny the excessive data collection of Windows 10. They responded that they were happy to comply with the CNIL and “understand the agency’s concerns fully and to work toward solutions that it will find acceptable.” Microsoft also addressed the reason for the data being sent back to the company’s US servers: they stated it was done under the previously applicable ‘Safe Harbour’ agreement. Now that Safe Harbour is no longer valid, they have said they will work towards the requirements of the ‘Privacy Shield’. Despite these statements, the Chair of the Commission Nationale de l’Informatique et des Libertés (CNIL) issued a formal notice to Microsoft on...

GDPR and the Brexit Campaign

The EU’s General Data Protection Regulation (GDPR) is one of the most important pieces of regulation in terms of data security. Christopher Graham, the UK Information Commissioner, said the following at the ICO’s annual Data Protection Practitioners’ Conference in March 2016: “The EU data protection reforms promise to be the biggest shake up for consumers’ data protection rights for three decades.” The Regulation is expected to harmonise data protection legislation across Europe, as well as sharply increasing the penalties for failing to comply. GDPR raises the maximum fine for non-compliance, including failure to protect personal data, to €20m or 4% of annual global turnover, whichever is higher. These penalties are still a way off, however: the Regulation has been adopted with a two-year transition period, which means it does not become legally binding until May 2018. This is to allow companies to adjust and prepare before fines of this size could blow up businesses that fail to comply. “Now, now,” you might be saying, “What if we leave Europe? What will they have over British companies then?” Unfortunately we won’t be escaping that easily. Any company that handles the personal data of European customers will be required to comply with European legislation. So the choice is to exclude one of the most accessible markets open to us today, or to abide by these regulations. Luckily for businesses that handle card data there are some simple solutions to compliantly handling payment card and personal data. If you are worried about how these regulations will affect your company then feel free to get in touch with us at Compliance3. We are here to guide you through every step of the...