Hi again and welcome to our latest ‘Essential IT Security Updates’ newsletter : essential reading for IT security and data protection leaders like you wanting to stay ahead of developments and news in this ever-changing sector. Feel free to use this content in your marketing or simply to keep abreast for yourself and your team.

The latest news from the sector sees Cathay Pacific hack affect 10 million customers, Facebook gets slammed with a £500,000 fine from the ICO, IT Governance provides a useful check-list for SMEs looking to protect themselves against data breach regulatory headaches and more…

Cathay Pacific Hack Affects 10 Million Passengers Worldwide

The personal identifiable information of nearly 10 million Cathay Pacific airline users have been accessed illegally. The breach is one of the biggest in global aviation history. The leak has resulted in a massive data breach – one that has seen email addresses, passport numbers, expired credit card details and other important personal information being released.

The company announced a data security ‘event’ on its blog. The ‘event’ was the discovery of a major unauthorized breach of its IT infrastructure. The company stated:

“We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves. We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised.”

Anyone affected has been asked to visit www.infosecurity.cathaypacific.com to find out more about what they need to do. The company can also contact the UK call centre if they have any worries.

ICO Issues Facebook With Maximum £500,000 Fine

The troubled social networking giant, Facebook, was this week hit by a gigantic £500,000 fine from UK data protection regulator, the Information Commissioner’s Office. The fine was due to serious data protection breaches and is the highest pre-GDPR fine possible.

The fine, whilst massive, will be a drop in the ocean for the social networking giant. The company could have been hit with a €20 million Euro fine if the breach had occurred during the new data protection regime that heralded the arrival of GDPR.

The ICO stated:

“The ICO’s investigation found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends’ with people who had.

Even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion. In the case of SCL Group, Facebook did not suspend the company from its platform until 2018.”

A million UK Facebook users’ personal data was harvested and the length of time between discovery and the suspension (of the penetrators) raises questions and concerns about Facebook’s standards. This was a failure that resulted in the protection of privacy afforded under the Data Protection Act to be nil and void as Facebook failed to protect its users from rouge elements.

ICO Statement on British Airways Passenger Data Breach

The news that thousands of British Airways passenger information had been affected during a malicious cyber attack at the UK’s flag bearing airline. The firm reported itself to the Information Commissioner’s Office for investigation.

The interim statement is as follows:

“The ICO’s investigation into a cyber attack at British Airways is ongoing. Meanwhile, we advise people who may have been affected to be vigilant when checking their financial records and to follow the advice on the ICO, National Cyber Security Centre and Action Fraud websites about how they can protect themselves and their data online.”

The ICO will continue to investigate the breach.

UK’s National Cyber Security Centre Stops One Attack Every Day

The National Cyber Security Centre, the UK Government’s top cyber security agency, defeats around 10 attacks a week – more than one a day. The majority of attacks are from ‘state-sponsored’ cyber actors

The agency removed nearly 140,000 phishing sites from the UK and globally. It awarded nearly 10,000 Cyber Essentials Certificates – a ground breaking new certification scheme to help promote good cyber security hygiene and control standards in the UK.

However, to help counter this ever-growing threat. The NCSC has a strategy to help promote good practice:

“To improve information sharing with the cyber security industry, we are continuing to develop a suite of services which automate the processing and sharing of information and events. We have already launched a pilot that shares indicators of compromise with one of the UK’s leading internet service providers. This gives their customers better protection automatically at no extra cost.”

This drive and Government commitment to help improve cyber security will help construct a solid groundwork among cyber security practitioners that will help drive a new gold standard within the sector.

Symantec Opinion: “Not If, But When And By Whom” – The Centralised Thinking for IT Leaders

Symantec Corporation, one of the world’s biggest data security providers, argues that the ever-changing IT landscape means that network managers, IT leaders and business managers need to move away from theoretical “ifs” and instead focus on the probabilities of “when and by whom” their network infrastructure will be attacked maliciously.

Symantec argues:

“In a multi-platform environment, sensitive information may no longer be completely under our control. It could be on any device, shared in unauthorized locations, or accessed by the right people in the wrong way. This raises the need to manage every facet of what is being accessed, by whom, when, where, and how.”

They argue that data discovery, visibility of data flows, data classification, identify management, encryption, access control along with sound governance and compliance in collaboration will help protect businesses.

To find out more, why not read Symantec’s latest research here

Do You Know What To Do If Your Business Experiences A Data Breach?

IT Governance has provided a useful checklist for SME businesses looking for information on how companies, in this GDPR environment, need to respond and report data breaches. This is mandatory for businesses that interact with personal identifiable information as it underpins the GDPR legislation they must adhere to.

IT Governance argues there are 10 Points of Action:

1-Find  out what types of data are affected

2-Find out how many records are affected

3-Work out how the breach happened. Who and/or what was responsible?

4-Stop the breach from escalating

5-Instigate business continuity plan

6-Determine whether the ICO needs to be notified

7-Determine whether affected individuals need to be notified

8-Establish ways for affected individuals to contact you

9-Contact the ICO (if necessary)

10-Contact affected individuals (if necessary)

The IT Governance website also includes downloadable content including tests and quizzes to help you identify faults and to help remedy IT governance issues. As British Airways and Cathay Airlines can agree, sound IT data security protection is paramount but good IT governance is invaluable as the threats posed by cyber criminals grows daily.

Until next time …