IT Security Updates Issue 6

The latest news from the sector sees British Airways become the latest hacking data breach victim, the CBI holds its annual Cyber Security Conference, headlined by the head of the National Cyber Security Centre among other sector figures, and more…

In Case You’ve been Living Under a Rock … Hackers Caused A Major British Airways Data Theft Disruption…

British Airways recently announced a major data breach of their online and app-based platforms. The company stated: “We are investigating, as a matter of urgency, the theft of customer data between 22:58 BST August 21 2018 until 21:45 BST September 5 2018 from our website, ba.com, and our mobile app. The stolen data included personal and financial details of customers making bookings and changes on ba.com and the airline’s app. The data did not include travel or passport details.

The theft has been reported to the authorities and our website is now working normally.”

What can people do if they think they’ve been a victim of this BA ‘hack’? BA asks customers to check their bank accounts and contact their banks if there is a fraudulent transaction due to the disruption.

The ICO has been made aware: “An ICO spokesperson said: ‘British Airways has made us aware of an incident and we are making enquiries’.”

The breach affected nearly 380,000 customer booking transactions during the period under investigation in August and September 2018. No passport or ID-based data was breached. Analysts believe the company was the victim of a Magecart attack, which targets the entry forms used for credit card payments. The investigation is ongoing.

Marketing Agency fined £60,000 after 1.4 million emails sent without the “proper consent”

The Information Commissioner’s Office has issued a £60,000 fine to Stevenage-based Everything DM Ltd, a marketing company selling email marketing services.

Between May 2016 and May 2017, the company sent 1.42 million marketing emails to recipients who had not given valid opt-in consent.

The ICO released a statement: “Firms providing marketing services to other organisations need to double-check whether they have valid consent from people to send marketing emails to them. Generic third party consent is not enough and companies will be fined if they break the law.”

The ICO investigation found that the company relied on third-party consent, i.e. it bought email addresses with a presumed consent guarantee, and, more importantly, failed to verify the scope of that consent by contacting the email base before using it commercially. In doing so the company fell foul of the Privacy and Electronic Communications Regulations (PECR).

The ICO argues that companies need to verify consumer email data and make sure they comply with PECR and GDPR before allowing commercial usage.

Only 34% of UK citizens trust companies managing their personal information

The glum figure comes courtesy of the ICO’s annual Original Benchmark Research programme. The annual audit of public perception on cyber security found that trust and confidence in businesses storing and using personal data had increased from 21% in 2017 to 34% in 2018.

However, trust in digital and social media platforms fell to one in seven respondents – 15%. This was, in all probability, a consumer reaction to the continuing news coverage of Cambridge Analytica and Russian interference.

The ICO argued that the new research highlights the importance of transparency and accountability when dealing with private data: “Across the world people have woken up to the importance of personal data and how it’s used. Personal data has become the currency by which society does business, but advances in technology should not mean organisations racing ahead of people’s rights. Individuals should be the ones in control and organisations must demonstrate their accountability to the public.

It’s certainly positive news that more people now trust organisations with their data and the GDPR and the new Data Protection Act 2018 will have played a part in this. Many businesses, charities, and public bodies have actively taken the time to explain the new rules and have actively taken on board new obligations to protect personal data.”

The ICO has also published the full report of the findings. The release coincided with the launch of the ICO’s “Your Data Matters” campaign, which aims to increase the public’s awareness of data rights and commercial obligations.

CBI Cyber Security Conference 2018 – Round-up

The Confederation of British Industry (better known as the CBI) ran its annual Cyber Security Conference in London this week. The event, designed ‘to give you real solutions to cyber issues’, had headline conference speeches from the head of the National Cyber Security Centre (a GCHQ division) and the ICO.

The NCSC’s head, Ciaran Martin, stated that whilst the headlines rightly focus on Russian hackers, there is a whole world of cyber criminality focussed on the UK:

“There is a lot more to the cyber security challenge facing the UK than just Russia – serious and sustained though that threat is.

There are other nation states attacking us too.

And large scale criminal cyber activity is, sadly, ubiquitous.

Russia’s elite hackers may target us, but customer data sets may be targeted by another country or criminals. Businesses need to understand that threat.

That’s why we – the NCSC – publish as much as we can about the threat, so you can make judgements about what matters most to your business.”

The ICO’s Deputy Commissioner James Dipple-Johnstone discussed the changing developments within data privacy and their impact on the UK: “Data security and data privacy have always been linked. Privacy depends on security. No obligation to provide privacy will be meaningful if the data to be protected are accessed or stolen by unauthorised third parties. As a result, all modern data protection principles include an obligation to protect information and security and that has been recognised in every significant codification of data protection, including the EU General Data Protection Regulation and the new Data Protection Act.”

The conference will, in due course, publish a full report on the CBI website. So keep a lookout there for the latest insight into the UK’s cyber attack landscape.

Cyber criminals are “outspending” businesses in the ongoing cyber security battleground, according to a cyber security software company

Carbon Black, a cyber security software provider, has published research on the UK cyber security market which argues that cyber criminals are spending nearly $1 trillion a year on cyber attacks, whereas businesses are spending a ‘mere’ $100 billion a year on cyber security solutions worldwide.

The cynic in us all could argue that the ‘research’ is somewhat questionable, since a software company using statistics to sell software is hardly a new invention. However, this research still needs to be listened to!

The research found the following ‘pressure points’ caused the biggest cyber vulnerabilities in the UK:

  • Phishing
  • Ransomware
  • Weak security protocols
  • Out-of-date software
  • Commodified malware
  • Crypto-jacking
  • Supply chain attacks

The report also noted: “The news is not all bleak, though. Two thirds of UK organisations in the survey said they have pro-actively conducted threat hunting in the past year to strengthen their defences. Within companies that actively threat hunt, more than 90% said threat hunting had toughened their defences.

The stats clearly show that defenders are not keeping up with attackers’ spending,” said Tom Kellermann, Chief Cybersecurity Officer, Carbon Black. “The fact that 92% of UK companies have experienced a breach in the last year and nearly half have been breached multiple times is sobering. It’s critical to educate UK businesses on the threats they face and how these threats can be mitigated.”

The report concluded that good cyber security hygiene and a sound organisational culture, working alongside a ‘trusted’ cyber security software partner, could help mitigate the wider cyber security threat.