Every Little Helps – Tesco Bank Data Breach

It’s been very quiet on the data breach front of late; that’s not to say that data breaches aren’t occurring, simply that the breaches haven’t been detected. As Eva Velasquez, president and CEO of America’s Identity Theft Resource Center, has said: “There are two kinds of consumers — those who know they’ve been breached, and those who don’t.” According to the BBC News website (here) today (November 9th) there are around 9,000 more UK consumers who have learned first hand about data breaches; they’re the customers of Tesco Bank who have had funds illegally taken from their current accounts. That’s down from the initial estimates of 20,000 compromised accounts, and Tesco say that they’ve refunded £2.5m to customers whose accounts were siphoned. Another 20,000 accounts are reported to have been compromised; that’s 29,000 of around 136,000 current accounts operated by Tesco Bank – around 21% of current accounts compromised. Obviously this is embarrassing for Tesco Bank, but to their credit they locked their systems down before the second tranche of accounts was exploited, despite the fraudulent transactions taking place ‘out of hours’ when bank offices are likely to be understaffed. Customers have reported the theft of amounts between twenty and six hundred pounds. At the time of writing the vector for the attack has yet to be identified, but the scale of the breach – both in terms of numbers and geography – suggests that the bank details had been harvested from a database rather than from individual transactions, such as via card skimmers on cashpoints. Speculation in the media on Tuesday November 8th (here) suggested the fraud may have originated...

Indian Debit Cards Compromised

While we at Compliance3 continue to work with companies in the UK and Europe to ‘take risk off the table’ by taking card data out of their data environments, criminals continue to probe other markets to find potential chinks in the armour of payment card security. The latest data breach to come to our attention – it may not have registered on your radar – is on the Indian sub-continent. The BBC ran a story last week (here) reporting “fears that the security of more than 3.2 million debit cards has been compromised”. The compromise appears to have emanated from an ATM network infected with malware. Okay, so 3.2 million cards only represents half of one per cent of all cards issued in India (there are some 700 million debit cards issued in India); and to date fraudulent transactions have only totalled around $195,000 (13 million rupees) – mainly in China and the US – but that’s still a lot of cards at risk, and potential damage to India’s newly emerging card-based economy. Indian banks are struggling to get cashless transactions accepted, with only 10 digital transactions per head per annum, compared to around 260 per head per annum in the UK; and data compromises like this will not help foster trust. Shaktikanta Das, the Department of Economic Affairs Secretary of the Indian Government, said “There is no cause for alarm. The integrity of IT system of banks is robust and whatever action is required, the government will take promptly.” Mohit Bahl, Head of Forensic Services at KPMG India, suggested that while “Indian Banks have cyber...

GDPR – Four Hundred Days

While much of the country continues to debate the ramifications of June’s ‘Brexit’ vote, there are some pieces of European legislation that will remain in force post ‘Brexit’. Key among these is the upcoming General Data Protection Regulation (GDPR). GDPR is the proposed wholesale reform of the data protection and data privacy laws across the EU. Many of these are no longer fit for purpose; the UK’s Data Protection Act came into force in 1998 – that’s six years before the launch of Facebook and eight years before Twitter. The implications of Brexit are that UK companies wishing to deal with EU citizens and organisations would be required to adopt ‘adequate’ data protections – at least as stringent as GDPR. And the clock is ticking: GDPR comes into force on the 25th May, 2018. That’s just four hundred working days from today – October 17th 2016. There’s much for organisations to do, but understanding the implications is always a good start. Compliance3 has partnered with New Leaf, and we believe that together we can provide what we consider the “Gold Standard” in preparing companies for GDPR or its equivalent. We’ve produced a Briefing Note that can be downloaded from our ‘Resources’ section, or from here. Take a look and get in touch, we can help your GDPR...

Two interesting news stories

Yesterday (October 5th) saw two interesting news reports; one made headlines, the other didn’t. The first report was the fine of £400,000 imposed on Talk Talk following their data breach last October, which we first reported on here. The fine, the largest imposed by the Information Commissioner’s Office (ICO), was slightly less than the maximum that they could have levied, and is small change compared to the £42 million – and the loss of 101,000 customers – that Talk Talk admit the breach has so far cost them. The ICO’s full announcement is here and states that the names and addresses, telephone numbers and email addresses of 156,656 Talk Talk customers were accessed. It also states that some 10% of those customer details included bank sort codes and account numbers. The stolen data was stored on a database of customers that joined Talk Talk when, in 2009, it acquired the UK operations of Tiscali. The data was accessed by using the relatively simple technique of SQL injection into a web page. Talk Talk had already suffered two similar cyber attacks in 2015 that should have highlighted system vulnerabilities. The Information Commissioner Elizabeth Denham said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.” “Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.” While it was initially thought that the data breach had been committed by cyber terrorists, six people – all under 21 – have been...

DVLA Scam – beware

It’s often said that there are only four different scams in the world, and all scams are a variation on those. By far the most common, particularly in our electronic age, is for the scammer to impersonate an authority figure – bank, HMRC, police – and convince an individual to hand them money. The BBC, last week, claimed (here) that a financial scam is successfully committed – in the UK – every fifteen seconds. That’s an increase of 53% over the previous year. Well, there’s a new scam you need to be aware of, because it purports to represent a different, but still authoritative, body – the DVLA. You might recall that earlier this year the DVLA scrapped the paper counterpart to the driving licence; the scammers email or send text messages to drivers informing them that they need to log on to the DVLA website and pay a fee to verify their driving licence. The link, of course, takes the driver to a fake site that looks very similar to the genuine DVLA site to make the ‘verification’ payment. There are then two phases to the scam: firstly the ‘verification’ payment is taken and the scammers have the driver’s money; secondly, and more importantly, they now have the driver’s payment details and are free to either empty the bank account or sell the details on to other criminals. There’s a similar scam going round that preys on drivers who are aged seventy or over – when driving licences need to be renewed. The fake website, inevitably, charges for a service that the DVLA provides for free. Some victims of this...