Hi again Jon and welcome to our latest ‘Essential IT Security Updates’ newsletter: essential reading for IT security and data protection leaders like you who want to stay ahead of developments and news in this ever-changing sector. Feel free to use this content in your marketing, or simply to keep yourself and your team abreast of what is happening.

This issue features news that the ICO has published a report on the abuse of personal information by political campaigns, that Lloyds Bank has started to issue new debit cards to customers affected by the Ticketmaster and BA breaches, that the shadow home secretary has become the latest high-profile victim of a phishing scam, and more…

ICO Publishes Landmark Report On Data Analytics Abuse in Political Campaigning in the UK

The Information Commissioner’s Office has published a new report investigating the role played by data analytics in political campaigns. The “behind the scenes” algorithms that, the ICO argues, are vacuuming up personal information have created an unregulated and invisible process that is harming the wider body politic.

The ICO states:

“Throughout our enquiries we found a disturbing disregard for voters’ personal privacy by players across the political campaigning eco-system — from data companies and data brokers to social media platforms, campaign groups and political parties.

Where there have been breaches of the law we have acted. We have issued monetary penalties – including the maximum £500,000 (under the previous law) to Facebook – and enforcement notices that compel companies and campaigns to comply with the law. We’ve instigated criminal proceedings against SCL Elections Ltd and referred issues to other regulators and law enforcement agencies. And where we have found no evidence of illegalities, we have shared those findings openly too.

But it’s not just about enforcement action. We are at a crossroads. Trust and confidence in the integrity of our democratic processes risks being disrupted because the average person has little idea of what is going on behind the scenes.”

This “scant regard” for personal data has eroded trust and confidence in the political process, in the UK and globally. The self-regulatory frameworks currently in place, the ICO argues, guarantee neither protection nor consistency. The report concludes with a call for a new code of conduct that would legitimise the use of algorithms in political campaigning while guarding the political arena against abuse.

Shadow Home Secretary Falls For Phishing Scam

If the bookies are right, the next Home Secretary of the United Kingdom will be Diane Abbott MP, who has become the latest victim of an email phishing scam. The Shadow Home Secretary, whose brief covers data security, cyber-crime and intelligence gathering, was taken in by a fake IT tech-support email. She is the MP for Hackney North and Stoke Newington.

The latest high-profile victim is a reminder of the brutal truth that phishing affects everyone, from the lowliest to the highest offices of state.

The Register tried to get a reply from the Shadow Minister’s office:

“As Home Secretary – note that Ladbrokes offers 4-1 on Labour being the next government – Ms Abbott would be responsible for cybersecurity, as well as crime and policing. She would also have to decide whether Britain implements an identity card system, an idea currently being revived in the context of “digital government”. We asked her office if Ms Abbott would consider helping to publicise the menace of PC Support fraud. Perhaps as its public face?”

Clearly, education is at the heart of phishing prevention. The National Cyber Security Centre provides UK businesses with educational resources and support to help protect them from email phishing attacks. Bear in mind that training lowers the click rate but never takes it to zero, so treat it as one layer alongside technical controls such as mail filtering and multi-factor authentication, which limit the damage when someone does click.

Run a Small or Micro Business? Need Advice on IT Security? The Register Has Published an SMB-Friendly Guide

Hiscox, the insurer, has found that nearly 50% of SMBs believe their businesses are not realistic targets for cyber-crime. This is a worry: the Ponemon Institute found that employee negligence was the root cause of the majority of cyber-crime incidents, and 47% of SME/SMB businesses have already been targeted. The attacks range from elaborate ransomware campaigns to email phishing breaches, all of which are real threats to SMBs in today’s digital landscape.

Five Steps to SMB Cybersecurity Excellence

  1. Keep Your Software Patched – SMEs tend to let patching slip because they have a billion and one other things to do. Always apply the latest security patches, and build a weekly regime so that patching becomes a sound business habit; where a vendor offers automatic updates, turn them on so the habit does not depend on someone remembering.
  2. Assign Admin Rights Responsibly – A small business might have three staff (including the owner) using three computers that all connect to the same shared cloud drive. If admin privileges have been handed out carelessly, every member of staff can read, change or delete all of your data, and so can any malware running under their account. Grant admin rights only to the people who genuinely need them and give everyone else an ordinary user account; this is what protects your business when one machine is compromised.
  3. Backup and Recovery Systems – Every business needs a fail-safe. The research noted above found that 51 percent of micro businesses do not have adequate backup procedures. If your business is hit by ransomware, a full, recent backup that you have actually tested restoring, and that is kept where the malware cannot reach and encrypt it, is what gets you back in business.
  4. Staff Education Campaigns – Always promote a good (and ongoing) cyber-security culture. By educating staff about the threats and the correct processes, the number of cyber-crime incidents can be reduced.
  5. Use Private, Not Public, Wi-Fi for Business – Educate your staff and, if they are on the road, give them a secure alternative to public Wi-Fi, such as a VPN or a tethered mobile connection. Public Wi-Fi is constantly attacked, and malicious code picked up there could help bring down your IT estate. Always educate users about the importance of safe and secure connectivity.
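Step 3 is the one most small businesses get wrong in practice: a backup that has never been restored is an assumption, not a fail-safe. The script below is an added example written for this newsletter, not code from The Register’s guide or from Hiscox or Ponemon. It archives a directory, records a SHA-256 manifest of every file, and then proves the archive restores to identical files; the sample “shared drive” contents are constructed inside the demo, and the archive layout (backup.tar.gz plus backup.sha256) is an assumption of the example.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Digest a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src, dest):
    """Archive SRC into DEST/backup.tar.gz and write DEST/backup.sha256, a
    manifest of every file's digest. Returns the manifest {relative path: digest}."""
    src, dest = Path(src), Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {
        p.relative_to(src).as_posix(): sha256_file(p)
        for p in sorted(src.rglob("*")) if p.is_file()
    }
    with tarfile.open(dest / "backup.tar.gz", "w:gz") as tar:
        tar.add(src, arcname=".")
    with open(dest / "backup.sha256", "w") as f:
        for name, digest in manifest.items():
            f.write(f"{digest}  {name}\n")
    return manifest


def load_manifest(dest):
    """Parse the 'digest  path' lines written by make_backup."""
    expected = {}
    for line in (Path(dest) / "backup.sha256").read_text().splitlines():
        digest, name = line.split("  ", 1)
        expected[name] = digest
    return expected


def verify_backup(dest):
    """Restore the archive into a scratch directory and check every manifest entry.
    Returns (ok, problems); problems lists paths that are missing or altered."""
    dest = Path(dest)
    expected = load_manifest(dest)
    # Newer Pythons ship tarfile.data_filter, which refuses absolute paths and '..'
    # members; use it when present so a tampered archive cannot write outside scratch.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(dest / "backup.tar.gz") as tar:
            tar.extractall(scratch, **extract_opts)
        for name, digest in expected.items():
            restored = Path(scratch) / name
            if not restored.is_file():
                problems.append(f"missing: {name}")
            elif sha256_file(restored) != digest:
                problems.append(f"altered: {name}")
    return not problems, problems


def demo():
    """Constructed run: a good backup verifies; one whose manifest promises a
    file the archive never captured does not."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "shared-drive"
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2018-10.csv").write_text("id,amount\n1,250.00\n")  # constructed data
        (src / "rota.txt").write_text("Mon: Sam\nTue: Priya\n")                 # constructed data
        dest = Path(work) / "backup"
        make_backup(src, dest)
        good_ok, _ = verify_backup(dest)
        with open(dest / "backup.sha256", "a") as f:   # simulate a file that was never backed up
            f.write("0" * 64 + "  payroll.xlsx\n")
        bad_ok, problems = verify_backup(dest)
    return good_ok, bad_ok, problems


if __name__ == "__main__":
    print(demo())
```

Run the verify step on a schedule, not just once: the manifest catches silent corruption of the archive as well as files that were never captured, and the restore into a scratch directory is the only proof that the tarball is actually usable. Keep at least one copy of the archive offline or on storage the workstations cannot write to, otherwise ransomware will encrypt the backup along with the originals.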

CISCO Outs Exploit Code In Investor Conference Call

The network services giant, Cisco, has disclosed a vulnerability affecting its communications platforms and products. The flaw is not in Cisco’s own code but in the Apache Commons FileUpload library, which is bundled with Apache Struts and used by a range of Cisco products, including the Cisco TelePresence Video Communication Server.

CISCO has announced: “On November 5, 2018, the Apache Struts Team released a security announcement urging an upgrade of the Commons FileUpload library to version 1.3.3 on systems using Struts 2.3.36 or earlier releases. Systems using earlier versions of this library may be exposed to attacks that could allow execution of arbitrary code or modifications of files on the system. The issue is caused by a previously reported vulnerability of the Apache Commons FileUpload library, assigned to CVE-2016-1000031.

The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by submitting crafted data to an affected system. A successful exploit could allow the attacker to execute arbitrary code or manipulate files on the targeted system. This advisory will be updated as additional information becomes available.”

Cisco’s advisory lists the affected products and the fixed software releases, and anyone running Struts 2.3.36 or earlier, on Cisco kit or elsewhere, should confirm that the bundled Commons FileUpload has been upgraded to 1.3.3 or later. CVE-2016-1000031 is a Java deserialisation flaw in the library’s DiskFileItem class; 1.3.3 fixes it by refusing to deserialise that class by default, so the remedy is a library upgrade rather than a configuration change, and a renamed or vendored copy of an old jar remains vulnerable.
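A quick way to check an estate for the library the advisory names, as an added example written for this newsletter rather than code from Cisco or the Apache Struts project: the scanner walks a deployment tree, reads each jar’s embedded Maven pom.properties (so a renamed jar is still identified) and falls back to the file name, then flags any commons-fileupload older than 1.3.3. The WEB-INF/lib tree and the jars in the demo are constructed for illustration; the pom.properties path is the standard Maven layout for that artifact.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

FIXED = (1, 3, 3)   # commons-fileupload 1.3.3 disables DiskFileItem deserialisation
POM_PROPS = "META-INF/maven/commons-fileupload/commons-fileupload/pom.properties"
NAME_RE = re.compile(r"commons-fileupload-(\d+(?:\.\d+)*)[^/]*\.jar$")


def parse_version(text):
    """'1.3.2' -> (1, 3, 2); qualifiers such as '-SNAPSHOT' are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def jar_version(path):
    """Version of commons-fileupload inside the jar at PATH, or None if the jar is
    something else. Prefers the embedded Maven pom.properties, since a renamed
    jar still carries it, and falls back to the file name."""
    try:
        with zipfile.ZipFile(path) as zf:
            if POM_PROPS in zf.namelist():
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return parse_version(line.split("=", 1)[1])
    except zipfile.BadZipFile:
        return None
    m = NAME_RE.search(os.path.basename(str(path)))
    return parse_version(m.group(1)) if m else None


def find_vulnerable_jars(root):
    """Walk ROOT and list (path, version) for every commons-fileupload jar older
    than 1.3.3, i.e. still exposed to CVE-2016-1000031."""
    hits = []
    for jar in Path(root).rglob("*.jar"):
        ver = jar_version(jar)
        if ver is not None and ver < FIXED:
            hits.append((str(jar), ver))
    return sorted(hits)


def write_jar(path, version=None):
    """Write a minimal constructed jar for the demo; VERSION goes in pom.properties."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            zf.writestr(POM_PROPS, f"groupId=commons-fileupload\nversion={version}\n")


def demo():
    """Build a constructed WEB-INF/lib tree and return the jar names the scanner flags."""
    with tempfile.TemporaryDirectory() as root:
        lib = Path(root) / "webapps" / "ROOT" / "WEB-INF" / "lib"
        write_jar(lib / "commons-fileupload-1.3.2.jar", "1.3.2")   # vulnerable
        write_jar(lib / "commons-fileupload-1.3.3.jar", "1.3.3")   # fixed
        write_jar(lib / "upload-support.jar", "1.2.1")             # vulnerable, but renamed
        write_jar(lib / "commons-io-2.2.jar")                      # unrelated library
        return [(Path(p).name, v) for p, v in find_vulnerable_jars(root)]


if __name__ == "__main__":
    for name, ver in demo():
        print(f"{name}: {'.'.join(map(str, ver))} < 1.3.3")
```

Point the scanner at the application server’s deployment root (for Tomcat, the webapps directory) and at any uber-jars or WAR files you unpack first; a shaded jar that relocates the classes will not carry pom.properties, so treat an empty result as “nothing found by this method”, not as proof of absence.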

HSBC Confirms Major US Data Breach

HSBC has disclosed a hack that took place in October 2018 and affected around 1% of the bank’s US client base. The bank has begun contacting everyone impacted. The company announced:

“HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously,” the bank said in a statement. “We have notified those customers whose accounts may have experienced unauthorised access, and are offering them one year of credit monitoring and identity theft protection service.”

According to security experts, the incident looks like a “credential stuffing” attack, in which username and password pairs leaked from breaches of other services are replayed against the bank’s login page in the hope that customers reused them. The attack therefore succeeds without any flaw in the bank’s own systems, and the defences are on the account side: unique passwords, multi-factor authentication and detection of the tell-tale burst of logins across many accounts from one source. The company has set up a website to help affected customers and has briefed the wider press. US regulators have also been informed and will begin their own preliminary investigation.
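What that tell-tale burst looks like in a login audit log, and how a SOC would pick it out, as an added example written for this newsletter and not anything from HSBC: the detector below slides a time window over each source IP’s attempts and flags a source that tries many different accounts with mostly failures, which is the stuffing signature (a brute-force attack, by contrast, hammers one account). It also reports any account that logged in successfully inside the flagged burst, since that is the password the attacker now holds. The log format, the sample lines and the thresholds are all constructed assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log, one login attempt per line:
# "<ISO timestamp> <source IP> <username> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2018-10-04T10:00:01 203.0.113.9 alice FAIL
2018-10-04T10:00:02 203.0.113.9 bob FAIL
2018-10-04T10:00:02 203.0.113.9 carol FAIL
2018-10-04T10:00:03 203.0.113.9 dave SUCCESS
2018-10-04T10:00:04 203.0.113.9 erin FAIL
2018-10-04T10:00:05 203.0.113.9 frank FAIL
2018-10-04T10:00:05 203.0.113.9 grace FAIL
2018-10-04T10:00:06 203.0.113.9 heidi FAIL
2018-10-04T10:00:07 198.51.100.20 alice FAIL
2018-10-04T10:00:09 198.51.100.20 alice FAIL
2018-10-04T10:00:12 198.51.100.20 alice FAIL
2018-10-04T10:00:15 198.51.100.20 alice FAIL
2018-10-04T10:00:18 198.51.100.20 alice FAIL
2018-10-04T10:00:20 198.51.100.20 alice FAIL
2018-10-04T10:00:25 198.51.100.20 alice FAIL
2018-10-04T10:00:30 198.51.100.20 alice FAIL
2018-10-04T10:01:00 192.0.2.77 ivan SUCCESS
2018-10-04T10:05:00 192.0.2.77 judy SUCCESS
"""


def parse_line(line):
    """Split one audit line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "SUCCESS"


def detect_stuffing(log_text, window=timedelta(minutes=5), min_accounts=5, min_fail_ratio=0.6):
    """Flag source IPs that try at least MIN_ACCOUNTS distinct usernames inside
    WINDOW with a failure ratio of at least MIN_FAIL_RATIO. Returns
    {ip: {"accounts", "attempts", "failures", "compromised"}} where
    "compromised" lists accounts that logged in successfully inside the burst."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward so events[start:end+1] spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            accounts = {user for _, user, _ in span}
            failures = sum(1 for _, _, ok in span if not ok)
            if len(accounts) >= min_accounts and failures / len(span) >= min_fail_ratio:
                stats = {
                    "accounts": len(accounts),
                    "attempts": len(span),
                    "failures": failures,
                    "compromised": sorted(user for _, user, ok in span if ok),
                }
                # keep the widest burst seen for this source
                if ip not in alerts or stats["accounts"] > alerts[ip]["accounts"]:
                    alerts[ip] = stats
    return alerts


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

On the sample, 203.0.113.9 is flagged (eight accounts, seven failures in six seconds) and the one success inside the burst, dave, is the account to force a password reset and session revocation on. 198.51.100.20 is not flagged because it is a single-account brute force, which needs a per-account lockout rule instead. Real stuffing is usually spread across a proxy network so that no single IP trips the threshold; the same logic aggregated by ASN, user agent or device fingerprint, or simply a site-wide spike in the failure ratio, catches the distributed version.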

Bank Replaces Debit Cards After Series Of Cyber Attacks on Personal Banking Products

Lloyds Bank has started replacing debit cards for certain customers. Those affected by the British Airways and Ticketmaster breaches are being issued new cards as a precaution, to limit the use that can be made of card details stolen in those attacks.

The BBC reports:

“In the case of debit cards, the bank immediately issues a new card if it detects fraud. But when it comes to credit cards, Lloyds first writes to customers telling them that it intends to reissue their cards, and customers are given the option to opt out.

Lloyds said it had already written to customers affected by the Ticketmaster breach, which made up about 1% of all credit card customers. Barclays Bank has confirmed that in the event of a data breach, it would replace the debit cards of customers who may have been affected as a precautionary measure.”

A representative for HSBC told the BBC:

“Protecting our customers and their money is an absolute priority for us, which is why we have put in place additional monitoring on cards that may have been affected by recent issues, but we are happy to replace a customer’s card if that is their preference.”

Until next time …