by Bob | May 14, 2017 | Views
The media has been awash with sensationalist stories of ‘cyber attacks on the NHS’. This is, of course, a misrepresentation of the facts. NHS trusts have fallen victim to a piece of insidious ‘ransomware’ that, according to Europol – and reported on the BBC News website here – has infected more than two hundred thousand victims in one hundred and fifty countries. Other reports suggest as many as nine million computers in nearly two hundred countries. The malware – known as ‘Wannacry’ – exploited a ‘back door’ known as ‘EternalBlue’ that the New York Times described as “a vulnerability that was discovered and developed by the National Security Agency (NSA).” Microsoft issued security patches for its current operating systems a few months ago, when ‘EternalBlue’ was leaked by a hacking group known as the Shadow Brokers. Of course, as we have reported here in the past, older operating systems such as Windows XP, Server 2003 and Vista are no longer publicly supported, and so no fixes were offered for them. On Saturday May 13th Microsoft took the unexpected step of releasing an ‘out of bounds patch’ for unsupported operating systems such as Windows XP and Server 2003, meaning that people are now able to patch rather than having to attempt upgrades to newer systems in order to be secured against this worm. Sunday’s British newspapers reported that a British InfoSec specialist – Malware Tech – had halted the initial attack by identifying and activating a ‘kill switch’: the malware looked for a hitherto unregistered domain. Somewhat worryingly, a variant dubbed ‘Wannacry2’ has been identified ‘in the wild’ that has no such kill switch. The threat remains. Lessons to...
by Bob | Apr 18, 2017 | Views
The British Chambers of Commerce (BCC) today published the results of its digital survey, which suggested that, of the more than 1,200 businesses surveyed across the UK, some 20% had been hit by a cyber-attack in the last 12 months. It further reported that 42% of larger firms (those with over 100 staff) had been the victim of a cyber attack, compared with 18% of smaller ones. The BCC’s survey revealed that 21% of businesses believe the threat of cyber-crime is preventing their company from growing, while fewer than a quarter (24%) of businesses have cyber security accreditations in place. Dr Adam Marshall, Director General of the British Chambers of Commerce (BCC), said: “Firms need to be proactive about protecting themselves from cyber-attacks. Accreditations can help businesses assess their own IT infrastructure, defend against cyber-security breaches and mitigate the damage caused by an attack. It can also increase confidence among the businesses and clients who they engage with online.” Referring to next year’s GDPR legislation, Dr Marshall added: “Businesses should also be mindful of the extension to data protection regulation coming into force next year, which will increase their responsibilities and requirements to protect personal data. Firms that don’t adopt the appropriate protections leave themselves open to tough penalties.” Compliance3 have been working with businesses to ‘devalue data’ and ‘take risk off the table’. Data security can be complicated and expensive, and the hackers are both clever and motivated. With effective de-scoping, even if your company is hacked, personal and payment data need not be compromised. If you take payments online or over the telephone, we can...
by Bob | Apr 12, 2017 | Views
It’s been a bit quiet of late on the data breach front, although the suspicion has to be that, while data breaches are continuing, they just haven’t yet been detected. The Republic of Ireland’s Data Protection Commissioner – Helen Dixon – announced on April 11th that some 2,224 data security breaches were reported in 2016. That’s an average of more than six breaches reported per day, in a nation of just over four and a half million people. Here in the UK, it was announced on April 9th that the payday loan company Wonga had suffered “illegal and unauthorised access to the personal data of some of our customers”. It’s thought that the personal details of around 245,000 UK customers and 25,000 Polish customers may have been compromised. Wonga’s website (here) claims that they are “still working to establish the full details. However, we believe it may include one or more of the following: your name, e-mail address, home address, phone number, the last four digits of your card number (but not the whole number) and/or bank account details and sort code.” The fact that full payment card details were not compromised means that Wonga will escape card scheme penalties under PCI DSS, but they are likely to face a hefty penalty from the UK Information Commissioner. TalkTalk were fined a record £400,000 in 2015 for a data breach that affected almost 157,000 customers. Under next year’s GDPR legislation – which is still coming, regardless of Brexit – the penalty would have been up to 4% of the previous year’s global turnover. That would amount to just over £3m –...
by Bob | Dec 8, 2016 | Views
As we approach the end of 2016, the rate of data breaches – or, more accurately, of data breach discoveries – doesn’t appear to be slowing. The BBC reported on Tuesday (here) that the Dailymotion subsidiary of French media company Vivendi had details of more than 85 million users stolen, including usernames, email addresses and passwords, although the passwords had been hashed using the Bcrypt algorithm. Dailymotion said the impact of the breach was limited and no personal information had been lost. It’s perhaps worrying that Dailymotion was advised of the breach by an external agency – LeakedSource. It said: “It has come to our attention that a potential security risk, coming from outside Dailymotion, may have compromised the passwords for a certain number of accounts.” Mark James, a security specialist at security firm ESET, commented: “Check and change your passwords on this site, if you have used that same password on any other site then change those immediately and possibly consider a password manager if you’re not already using one.” He added: “Without further information about what was or was not stolen, we won’t know the extent of the damage – but needless to say more data being added to your already overflowing online profile floating around the web is not good for any of us.” The BBC added, scarily: “This year has seen a series of massive data breaches, with experts saying there are now 1.5 billion stolen credentials available to hackers and attackers online.” And, once again, let’s look at the potential post-GDPR fines, had personal data been leaked – Vivendi’s revenue last year was €10.76...
by Bob | Dec 5, 2016 | Views
We’ve seen a number of high profile data breaches over the last couple of years, but it’s rare to hear of data breaches in the Asia Pacific region. Last Friday (December 5th) the Japanese cosmetics firm Shiseido reported that the online store operated by its subsidiary IPSA Co. may have leaked the details of 420,000 customers. Stolen data includes customer names and addresses, but more worryingly the payment card information of 56,000 customers may have been leaked. Those are customers who made purchases at the online store between December 14th 2011 and November 4th 2016 – that’s over five years. This bears out Price Waterhouse’s 2015 report (here), which said: “Nearly 9 out of 10 large organisations surveyed now suffer some form of security breach – suggesting that these incidents are now a near certainty. Businesses should ensure they are managing the risk accordingly.” Shiseido learned of the data leak on November 4th, when it received a report from a payment agency; it has since suspended the online store and notified the Japanese police and the Ministry of Economy, Trade and Industry. Once again, we reiterate the words of Stephen Orfei, the chairman of the PCI Standards Council: the safest path for any business is to “take risk off the table”. If you’re not storing card or sensitive data then, even if your organisation is breached, there’s nothing for the bad guys to steal, and your company’s public reputation remains untarnished. We at Compliance3 can help you, get in...
by Bob | Nov 30, 2016 | Views
The BBC reported this morning (here) that Camelot, the operator of the UK’s National Lottery, had suffered a data breach. Some 26,500 of the National Lottery’s 9.5 million online customers had had their accounts – comprising transaction history, date of birth, bank sort code, and the last four digits of their bank account number – compromised. Of those 26,500, 50 “had some activity take place”. It’s to Camelot’s credit that they locked down their systems on Monday after noticing suspicious activity, even though they don’t “hold full debit card or bank account details in National Lottery players’ online accounts”. Customers whose accounts may have been compromised have been forced to change their passwords. It has been suggested that these accounts were accessed using passwords sourced elsewhere and re-used, once again highlighting the dangers of using the same password on multiple sites. It is also another potential ‘padding’ attack, with hackers building a database of customer details that they might use to create fake identities. While data breaches continue to be revealed with a scary frequency, data breaches involving financial information are becoming scarcer. That’s a good sign, in that merchants are taking the security of payment card data seriously; the hackers are now turning their attention to ‘softer’ targets and sourcing personal rather than financial data. Once again, we stress the need to be careful with online passwords and not to re-use them across different online accounts. There are a number of secure password ‘vault’ applications that store complex passwords; these might be worth considering if you have a large number of online accounts. It’s also...