Every Little Helps – Tesco Bank Data Breach

It’s been very quiet on the data breach front of late; that’s not to say that data breaches aren’t occurring, simply that the breaches haven’t been detected. As Eva Velasquez, president and CEO of America’s Identity Theft Resource Center, has said: “There are two kinds of consumers — those who know they’ve been breached, and those who don’t.” According to the BBC News website (here) today (November 9th) there are around 9,000 more UK consumers who have learned first hand about data breaches; they’re the customers of Tesco Bank who have had funds illegally taken from their current accounts. That’s down from the initial estimates of 20,000 compromised accounts, and Tesco say that they’ve refunded £2.5m to customers whose accounts were siphoned. Another 20,000 accounts are reported to have been compromised; that’s 29,000 of around 136,000 current accounts operated by Tesco Bank – around 21% of current accounts compromised. Obviously this is embarrassing for Tesco Bank, but to their credit they locked their systems down before the second tranche of accounts was exploited, despite the fraudulent transactions taking place ‘out of hours’ when bank offices are likely to be understaffed. Customers have reported the theft of amounts between twenty and six hundred pounds. At the time of writing the vector for the attack has yet to be identified, but the scale of the breach – both in terms of numbers and geography – suggests that the bank details had been harvested from a database rather than from individual transactions, such as via card skimmers on cashpoints. Speculation in the media on Tuesday November 8th (here) suggested the fraud may have originated...

Indian Debit Cards Compromised

While we at Compliance3 continue to work with companies in the UK and Europe to ‘take risk off the table’ by taking card data out of their data environments, criminals continue to probe other markets to find potential chinks in the armour of payment card security. The latest data breach to come to our attention – it may not have registered on your radar – is on the Indian sub-continent. The BBC ran a story last week (here) reporting “fears that the security of more than 3.2 million debit cards has been compromised”. The compromise appears to have emanated from an ATM network infected with malware. Okay, so 3.2 million cards only represent half of one per cent of all cards issued in India (there are some 700 million debit cards issued in India), and to date fraudulent transactions have only totalled around $195,000 (13 million rupees) – mainly in China and the US – but that’s still a lot of cards at risk, and potential damage to India’s newly emerging card-based economy. Indian banks are struggling to get cashless transactions accepted, with only 10 digital transactions per head per annum compared to around 260 per head per annum in the UK, and data compromises like this will not help foster trust. Shaktikanta Das, the Department of Economic Affairs Secretary of the Indian Government, said “There is no cause for alarm. The integrity of IT system of banks is robust and whatever action is required, the government will take promptly.” Mohit Bahl, Head of Forensic Services at KPMG India, suggested that while “Indian Banks have cyber...

GDPR – Four Hundred Days

While much of the country continues to debate the ramifications of June’s ‘Brexit’ vote, there are some pieces of European legislation that will remain in force post ‘Brexit’. Key among these is the upcoming General Data Protection Regulation (GDPR). GDPR is the proposed wholesale reform of the data protection and data privacy laws across the EU. Many of these are no longer fit for purpose; the UK’s Data Protection Act came into force in 1998 – that’s six years before the launch of Facebook and eight years before Twitter. The implications of Brexit are that UK companies wishing to deal with EU citizens and organisations would be required to adopt ‘adequate’ data protections – at least as stringent as GDPR. And the clock is ticking: GDPR comes into force on the 25th May, 2018. That’s just four hundred working days from today – October 17th 2016. There’s much for organisations to do, but understanding the implications is always a good start. Compliance3 has partnered with New Leaf, and we believe that together we can provide what we consider the “Gold Standard” in preparing companies for GDPR or its equivalent. We’ve produced a Briefing Note that can be downloaded from our ‘Resources’ section, or from here. Take a look and get in touch, we can help your GDPR...

Two interesting news stories

Yesterday (October 5th) saw two interesting news reports; one made headlines, the other didn’t. The first report was the fine of £400,000 imposed on Talk Talk following their data breach last October, which we first reported on here. The fine, the largest imposed by the Information Commissioner’s Office (ICO), was slightly less than the maximum that they could have levied, and is small change compared to the £42 million – and the loss of 101,000 customers – that Talk Talk admit the breach has so far cost them. The ICO’s full announcement is here and states that the names, addresses, telephone numbers and email addresses of 156,656 Talk Talk customers were accessed, and that some 10% of those customer details included bank sort codes and account numbers. The stolen data was stored on a database of customers that joined Talk Talk when, in 2009, it acquired the UK operations of Tiscali. The data was accessed by using the relatively simple technique of SQL injection via a web page. Talk Talk had already suffered two similar cyber attacks in 2015 that should have highlighted system vulnerabilities. The Information Commissioner Elizabeth Denham said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.” “Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.” While it was initially thought that the data breach had been committed by cyber terrorists, six people – all under 21 – have been...

DVLA Scam – beware

It’s often said that there are only four different scams in the world, and all scams are a variation on those. By far the most common, particularly in our electronic age, is for the scammer to impersonate an authority figure – bank, HMRC, police – and convince an individual to hand them money. The BBC, last week, claimed (here) that a financial scam is successfully committed – in the UK – every fifteen seconds. That’s an increase of 53% over the previous year. Well, there’s a new scam you need to be aware of, because it purports to represent a different, but still authoritative, body – the DVLA. You might recall that earlier this year the DVLA scrapped the paper counterpart to the driving licence; the scammers email or send text messages to drivers informing them that they need to log on to the DVLA website and pay a fee to verify their driving licence. The link, of course, takes the driver to a fake site that looks very similar to the genuine DVLA site to make the ‘verification’ payment. There are then two phases to the scam: firstly the ‘verification’ payment is taken and the scammers have the driver’s money; secondly, and more importantly, they now have the driver’s payment details and are free to either empty the bank account or sell the details on to other criminals. There’s a similar scam going round that preys on drivers who are aged seventy or over – when driving licences need to be renewed. The fake website, inevitably, charges for a service that the DVLA provide for free. Some victims of this...

YAHOO! Data Breaches

YAHOO! today confirmed that the personal details of ‘up to 500 million users’ may have been stolen, back in 2014, in a data breach that Yahoo believes was initiated by a “state-sponsored actor”. That’s a stunning data breach, potentially compromising one in fifteen people worldwide. Rumours of the breach started back in August when a hacker called ‘Peace’ claimed to be selling data from 200 million Yahoo clients. At that time Yahoo dismissed the claims, saying that the data probably related to a 2012 data breach when a mere 400,000 of its user accounts were compromised. In 2012 Yahoo said “At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products.” The timing of the announcement of this breach couldn’t be worse for Yahoo!, as they negotiate the sale of their core business to Verizon for $4.8 billion. Nordic cybersecurity expert Per Thorsheim – who broke the news of the 2012 LinkedIn data breach – described the latest Yahoo! data breach as “massive”, adding “It will cause ripples online for years to come.” Perhaps more telling are the comments from U.S. Senator Richard Blumenthal, who is calling for tougher legislation to “make sure companies are properly and promptly notifying consumers when their data has been compromised.” Senator Blumenthal said in a statement “If Yahoo knew about the hack as early as August, and failed to coordinate with law enforcement, taking this long to confirm the breach is a blatant betrayal of their users’ trust.” Yahoo! were at pains to point out that no payment card data was compromised...

Read the small print!

Anybody with an interest in the internet or blogging will be aware of WordPress; it’s now estimated that over 26% of websites use the WordPress ‘engine’. The underlying content management system (based on a MySQL database) is free and relatively simple to deploy, and some unexpectedly large corporate websites run on the WordPress platform. Indeed this website runs on WordPress, albeit using a proprietary ‘theme’. Another advantage of the WordPress platform is the number of plugins that have been and continue to be developed to enhance the publishing or reading experience. Best estimates suggest that there are over 30,000 plugins available, many of them free. And sometimes, free can prove costly. As Robert E Heinlein famously wrote (in ‘The Moon is a Harsh Mistress’ in 1966) “There ain’t no such thing as a free lunch.” – often acronymised as ‘TANSTAAFL’. Which brings us to reading the small print. Recently the WordPress security firm ‘Wordfence’ – who offer both free and premium WordPress security plugins – reported some dubious code in a popular plugin; they’d been called in to investigate a ‘hacked’ WordPress site that was displaying links to payday loan companies. The plugin in question had been installed on over 70,000 WordPress sites. In common with many similar plugins, the T&Cs used text from the standard GNU public licence, but hidden at the bottom of the text was “By clicking the button here below, you agree to the terms and conditions and give permission to place text links on your website when search engine crawlers access it.” Now while, as Wordfence suggest, ‘no sane webmaster would sign up to that’,...

O2 Data for Sale?

Now here’s an interesting data breach; it’s perhaps indicative of changing approaches by hackers. As companies thankfully become more savvy about protecting data, so hackers are having to become more creative. They augment stolen data by accessing more publicly available data sources – such as social media – to create more robust data sets that they can sell on to the criminal fraternity on the ‘dark net’. We reported here earlier in July that fraudsters are harvesting details from social media accounts to create fraudulent duplicate identities; a technique known as ‘credential stuffing’. The BBC claimed on the Victoria Derbyshire programme on July 26th that “O2 customer data is being sold by criminals on the dark net” (here). However O2 deny that they’ve suffered a data breach. The initial credentials are likely to have been stolen in a data breach back in November 2013 from the gaming website Xsplit, and the hackers have subsequently ‘stuffed’ those credentials with information sourced elsewhere. Those new ‘stuffed’ credentials would then be tried against various online services. The BBC reported that some victims have had accounts hacked on multiple sites – such as Gumtree and eBay. The message for consumers is a familiar one: don’t use the same password for multiple accounts – tempting though it might be – as hackers will try any passwords they acquire against any and every online service. And the message for businesses is equally familiar: you have a responsibility to your customers if you store their personal or payment data. Compliance3 can help businesses meet their personal and payment data obligations; get in touch and see how we...

CNIL Hit Microsoft with a Formal Notice

The Problem

Since Microsoft’s release of Windows 10, in July 2015, excessive amounts of personal and usage data have been harvested from its users. Despite customers turning off all settings that may allow Microsoft to send data to their servers in the US, users still have no control over this. Windows 10 harvests this information through the Cortana and Bing products. Windows 10 manages to do this by sending any ‘home searches’ and ‘live tile’ searches, as well as Internet enquiries, via an unencrypted http data channel, ‘threshold.appcache’. This is worrying as customers are not asked to consent to this. They aren’t even able to turn this feature off. There is also the issue of the unencrypted channel, which leaves customers open to malicious actors.

CNIL and Microsoft

Since the French Data Protection Authority (CNIL) became aware of this, seven online observations were carried out in April and June 2016. They have since questioned Microsoft Corporation on this. Microsoft, interestingly, said nothing to defend or deny the excessive data collection of Windows 10. They responded saying they were happy to comply with the CNIL and “understand the agency’s concerns fully and to work toward solutions that it will find acceptable.” Microsoft also addressed the reason behind the data being sent back to the company’s US servers. They stated it was under the previously applicable ‘Safe Harbour Agreement’. Knowing now that these regulations are no longer in force, they have said they will work towards the new requirements of the ‘Privacy Shield’. Despite these statements, the Chair of the Commission Nationale de l’Informatique et des Libertés (CNIL) issued a formal notice to Microsoft on...

Another breach of very personal data

We read constantly of data breaches and of sensitive data being made available for sale on the ‘dark web’ – indeed, as I reported here in February, sometimes not even on the dark web. While we at Compliance3 tend to concentrate on the security of, and potential threats to, card data, the recent report from CIFAS suggested that any personal data can be used by criminals in creating identity theft profiles. For example, we learned recently that the online dating site ‘Muslim Match’ has been breached and some 150,000 log-ins have been made available for sale online, along with nearly 800,000 potentially very private messages between users. The data, which has been confirmed as genuine, includes Skype handles. And, given the sensitivity of some of the breached data, along with potential religious and cultural taboos, the risk of hacked users receiving blackmail threats is potentially higher than for other similar compromises at more ‘western’ sites like Ashley Madison, Match.com or Plenty of Fish. That said, the Daily Mail reported back in August 2015 (here) that some leaked Ashley Madison clients had been driven to commit suicide. And, once again, the breach at Muslim Match doesn’t look to have been too sophisticated, possibly a relatively simple SQL injection. One user of the site told the website Motherboard “I feel disappointed, but the site didn’t seem to be secure in the first place. They never used https.” At the time of writing, the Muslim Match site is down, showing a message “We have been made aware of an alleged security breach and are reviewing our systems as we work to remedy the situation...