Hi again Jon and welcome to our latest ‘Essential IT Security Updates’ newsletter: essential reading for IT security and data protection leaders like you wanting to stay ahead of developments and news in this ever-changing sector. Feel free to use this content in your marketing or simply to keep abreast for yourself and your team.
This issue features news that the ICO has been forced to withdraw a £60,000 fine to a company accused of spamming, McAfee publishes its latest celebrity scamming list – with Kim Kardashian dominating the top spot, and more…

ICO Rescinds £60,000 Fine For Alleged “Spam” Pay-day Loan Texts

The ICO has rescinded a £60,000 monetary penalty notice (MPN) which was issued on July 6th 2018. The company, STS Commercial Ltd, was alleged to have allowed its telecom lines to be used for spam text messages for a payday lender. However, STS Commercial Ltd appealed to the First-tier Tribunal (Information Rights) court, and as a result the ICO undertook a secondary investigation and found that the original case was baseless.
The ICO stated: “On 6 July 2018 the ICO announced it had imposed a fine of £60,000 on STS Commercial Ltd for allowing its lines to be used to send spam texts.
STS Commercial Ltd appealed that penalty and upon considering the grounds of appeal, the ICO accepts that the appeal should be allowed and no monetary penalty should be imposed. The ICO apologises to STS Commercial Ltd.”
STS Commercial stated: “We are pleased to announce that at the appeal, when presented with our grounds, the ICO has agreed to dispose of the Monetary Penalty, and to apologise to us officially on their website for their conduct in the investigation. We’ve always maintained that we did not do anything wrong. The conduct of the ICO’s dealings fell short of what would be expected from an ICO investigation. The decision by the ICO to impose the Monetary Penalty was unreasonable in the circumstances and the conduct of her inquiries and the cavalier approach caused damage to our reputation, and could have resulted in the loss of up to 20 jobs to the Welsh economy.”
The announcement outlined a much-misunderstood legal framework. The First-tier Tribunal is a regulatory division of the Ministry of Justice. The FTT undertakes appeals for a range of sectors from pensions to copyright, including ICO regulatory affairs. To find out more and to start an appeal you can visit this informative article highlighting the appeals process and more.

McAfee reports Kim Kardashian is the “most dangerous celebrity” online

The antivirus and threat analysis firm McAfee has published a list of top celebrity search results linked to phishing and malicious website activity. Topping the 2018 UK edition of the poll was Kim Kardashian, the entrepreneur and reality TV star, who was labelled the UK’s “most dangerous” online celebrity.

How is searching for celebrities dangerous?

McAfee found that criminals and fraudsters used celebrities to lure people to malicious websites which, through a combination of different approaches, would result in user data theft and more. The lust for celebrity news has become a major ‘market’ for cyber criminals looking to cash in on the technically unaware through the power of celebrity. McAfee warns people to use virus, malware and other internet protection methods and to use ‘trusted’ websites when uploading personal information.

Who are the top ten “dangerous” celebrities in the UK?

  1.  Kim Kardashian
  2.  Naomi Campbell
  3.  Kourtney Kardashian
  4.  Adele
  5.  Caroline Flack
  6.  Rose Byrne
  7.  Kem Cetinay
  8.  Emma Roberts
  9.  Ferne McCann
  10.  Britney Spears

Uber forced to pay $150 million over data breach ‘cover-up’ allegations

The now-infamous 2016 Uber data breach, which affected 57 million US citizens, and the subsequent ‘cover-up’ from US regulators, was this month settled out-of-court for $148 million. The story is in two parts. The first is an illegal cyber attack, but the second part is a corporate cover-up that resulted in one of the most brand-damaging experiences ever faced by a digital platform.
The hack resulted in 57 million individuals’ data being accessed, including nearly a million driver’s licences. The failure to disclose the breach and the subsequent uncovering that Uber paid the hackers $100,000 to delete all evidence of the hack highlighted the negligence and criminality that was prevalent during this period of Uber’s development.
The case was brought against Uber by former drivers and customers, along with the State of California, Cities of Los Angeles. The company admitted that it should have been more frank and forward with its customers. The company, now under new leadership, has strengthened reporting structures and introduced new processes.

Equifax fined by ICO after UK citizens hit by data breach

Equifax has been fined £500,000 by the Information Commissioner’s Office after the company failed in its duty to protect personal data after a major security breach affected the personal data of 15 million UK citizens.
The ICO stated: “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce.
This is compounded when the company is a global firm whose business relies on personal data.
We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”

Former Nurse Prosecuted for Unauthorised Access to Medical Records

A former nurse who was employed by Southport and Ormskirk Hospital NHS Trust accessed 109 records belonging to 18 patients, including a child, between 2014 and 2016. The individual was fired in 2017 for gross misconduct.
The former nurse, Claire Lawson, a Staff Nurse in the Rehabilitation Centre of the hospital, made multiple attempts to access records of individuals outside of her nursing remit. The individual was charged with a breach of the 1998 Data Protection Act and was fined over £400.
On the verdict, the ICO stated: “This abuse of a position of trust has caused significant distress to a number of people. The laws on data protection are there for a reason and people have the right to know their highly sensitive personal information will be treated with appropriate privacy and respect.
The ICO will continue to take action against those who abuse their position and potentially jeopardise the important relationship of trust and confidentiality between patients and the NHS.”