IT Security Updates Issue 10

The latest news from the sector: the ICO gets a criminal locked up for six months under the Computer Misuse Act, Vision Direct has been hacked, with nearly 7,000 customer credit card details affected, the Met Police’s Gangs Matrix has been found in breach of data protection rules by the ICO, and more …

ICO Bangs Up First “Computer Misuse Act” Criminal For Six Months

The Information Commissioner’s Office has brought a successful prosecution against Mustafa Kasim, resulting in a six-month prison sentence. It is the ICO’s first successful prosecution under the Computer Misuse Act.

The ICO Outlines the Story:

“Mustafa Kasim, who worked for accident repair firm Nationwide Accident Repair Services (NARS), accessed thousands of customer records containing personal data without permission, using his colleagues’ log-in details to access a software system that estimates the cost of vehicle repairs, known as Audatex.

He continued to do this after he started a new job at a different car repair organisation which used the same software system. The records contained customers’ names, phone numbers, vehicle and accident information.”

NARS contacted the ICO when they saw a spike in complaints about nuisance calls. As a responsible data protection advocate, they were a little surprised by the level of complaint. The ICO investigated and found Kasim was in the wrong. It decided to use the Computer Misuse Act of 1990 over the Data Protection Acts of 1998 or 2018. The ICO concluded:

“People who think it’s worth their while to obtain and disclose personal data without permission should think again. Although this was a data protection issue, in this case we were able to prosecute beyond data protection laws resulting in a tougher penalty to reflect the nature of the criminal behaviour.

“Members of the public and organisations can be assured that we will push the boundaries and use any tool at our disposal to protect their rights.”

Met Police In Trouble For Breaching Data Protection Rules Over “Gangs Matrix” Database

London’s finest, the Metropolitan Police, have been investigated by the Information Commissioner’s Office, which found that their use and deployment of a so-called ‘Gangs Matrix’ was an egregious breach of current data protection laws.

According to the ICO:

“The investigation into the Gangs Matrix, a database that records intelligence related to alleged gang members, began in October 2017 after concerns were raised by Amnesty International.

The ICO found that, whilst there was a valid purpose for the database, the inconsistent way it was being used did not comply with data protection rules.
It has now issued an Enforcement Notice, compelling the MPS to ensure it complies with data protection laws in future and has given them six months to make these changes, which the MPS has accepted and already started to implement.”

The ICO stated that they didn’t think the database was inappropriate for the context of its use – they found that the access processes were flawed and needed overhauling.

ICO Appoints “AI” Policy Researcher To Explore The Threat of AI on Data Privacy

The Information Commissioner’s Office has appointed its first ‘Postdoctoral Research Fellow in Artificial Intelligence’. Dr Reuben Binns, a leading academic in this field, will, according to the ICO, explore the dynamics of AI and data protection through the context of framework planning.

The ICO stated:

“During his two-year term, Dr Binns will research and investigate a framework for auditing algorithms and conduct further in-depth research activities in AI and machine learning.

His appointment supports the ICO’s goal of developing and enhancing its expertise and work in this increasingly important area.
Dr Binns is currently a researcher in Computer Science at the University of Oxford. His research interests include technical, legal and ethical aspects of privacy, machine learning, and decentralised systems.”

The ICO hopes Dr Binns’ recruitment will help the UK’s data privacy regulator understand the fast-changing environment that is Artificial Intelligence and how misuse could be better regulated when massive AI change starts to affect the way personal data is deployed.

How British Veterans Are Re-Training And Upskilling As Cyber Security Pros?

A former British Army soldier, Phil Kimpton, spoke to the BBC about how he landed on ‘civvy street’ with depression and without a plan for the future. However, undeterred, Phil embarked on a training and networking journey that led him to become a cyber security expert.

Phil outlined his thinking to the BBC:

“He became fascinated by IT security and says working to prevent cyber-attacks gave him a new purpose in life and filled the void he was left with on leaving the army.

“Coming from the military and having that experience with physical security, I soon realised that with some technical aptitude and learning, that I could also map that over to the industry in IT security where I’m at now,” he said.”

The remarkable journey can be seen via this BBC video link.

Vision Direct “Hack” Puts 16,300 Customer Records At Risk

Vision Direct has been the victim of a co-ordinated cyber breach. The company stated that nearly 6,000 customers’ credit card details used between November 3rd and 8th 2018 have been affected by this grotesque cyber crime.

According to the BBC:

“It said a fake Google Analytics script placed within its websites’ code was the apparent cause.

The company’s UK site was involved as well as local versions for Ireland, the Netherlands, France, Spain, Italy and Belgium.

A spokeswoman for Vision Direct told the BBC that 6,600 customers were believed to have had details including financial data compromised, while a further 9,700 people had had personal data but not card details exposed.

“This particular breach is known as Shoplift and was already known to our technology team, who installed a patch provided by our web platform provider to prevent this form of malware,” she added.”

Until next time …