Category Archives: British Airways

Cyber Security Roundup for July 2019

July was a month of mega data privacy fines. The UK Information Commissioners Office (ICO) announced it intended to fine British Airways £183 million for last September's data breach, where half a million BA customer personal records were compromised. The ICO also announced a £100 million fine for US-based Marriot Hotels after the Hotel chain said 339 million guest personal data records had been compromised by hackers. Those fines were dwarfed on the other side of the pond, with Facebook agreeing to pay a US Federal Trade Commission (FTC) fine of $5 billion dollars, to put the Cambridge Analytica privacy scandal to bed. And Equifax paid $700 million to FTC to settle their 2017 data breach, which involved the loss of at least 147 million personal records. Big numbers indeed, we are seeing the big stick of the GDPR kicking in within the UK, and the FTC flexing some serious privacy rights protection punishment muscles in the US. All 'food for thought' when performing cybersecurity risk assessments.

Through a Freedom of Information request, the UK Financial Conduct Authority (FCA) disclosure a sharp rise of over 1000% in cyber-incidents within UK financial sector in 2018. In my view, this rise was fueled by the mandatory data breach reporting requirement of the GDPR, given it came into force in May 2018. I also think the finance sector was reluctant to report security weakness pre-GDPR, over fears of damaging their customer trust. Would you trust and use a bank if you knew its customers were regularly hit by fraud?

Eurofins Scientific, the UK's largest forensic services provider, which was taken down by a mass ransomware attack last month, paid the cybercrooks ransom according to the BBC News. It wasn't disclosed how much Eurofins paid, but it is highly concerning when large ransoms are paid, as it fuels further ransomware attacks.

A man was arrested on suspicion of carrying out a cyberattack against Lancaster University. The UK National Crime Agency said university had been compromised and "a very small number" of student records, phone numbers and ID documents were accessed. In contrast, the FBI arrested a 33 old software engineer from Seattle, she is alleged to have taken advantage of a misconfigured web application firewall to steal a massive 106 million personal records from Capital One. A stark reminder of the danger of misconfiguring and mismanaging IT security components.

The Huawei international political rhetoric and bun fighting has gone into retreat. UK MPs said there were no technological grounds for a complete Huawei banwhile Huawei said they were 'confident' the UK will choose to include it within 5G infrastructure. Even the White House said it would start to relax the United States Huawei ban. It seems something behind the scenes has changed, this reversal in direction is more likely to be financially motivated than security motivated in my rather cynical view.

A typical busy month for security patch releases, Microsoft, Adobe and Cisco all releasing the expected barrage of security updates for their products. There was security updates released by Apple as well, however, Google researchers announced six iPhone vulnerabilities, including one that remains unpatched.

BLOG
NEWS
VULNERABILITIES AND SECURITY UPDATES
HUAWEI NEWS AND THREAT INTELLIGENCE

Learning from the Big Data Breaches of 2018

Guest article by Cybersecurity Professionals

What can we learn from the major data breaches of 2018?
2018 was a major year for cybersecurity. With the introduction of GDPR, the public’s awareness of their cyber identities has vastly increased – and the threat of vulnerability along with it. The Information Commissioner’s Office received an increased number of complaints this year and the news was filled with reports of multi-national and multi-millionaire businesses suffering dramatic breaches at the hand of cybercriminals.

2018 Data Breaches
Notable breaches last year include:

5. British Airways
The card details of 380,000 customers were left vulnerable after a hack affected bookings on BA’s website and app. The company insists that no customer’s card details have been used illegally but they are expected to suffer a major loss of money in revenue and fines as a result of the attack.

4. T-Mobile
Almost 2 million users had their personal data, including billing information and email addresses accessed through an API by an international group of hackers last August.

3. Timehop
A vulnerability in the app’s cloud computing account meant that the names and contact details of 21 million users were affected on Timehop. The company assured users that memories were only shared on the day and deleted after, meaning that the hackers were not able to access their Facebook and Twitter history.

2. Facebook & Cambridge Analytica
One of the most sensationalised news stories of the last year, Facebook suffered a string of scandals after it was released that analytics firm Cambridge Analytica had used the Facebook profile data of 87 million users in an attempt to influence President Trump’s campaign and potentially aid the Vote Leave campaign in the UK-EU referendum.

1. Quora
After a “malicious third party” accessed Quora’s system, the account information, including passwords, names and email addresses, of 100 million users was compromised. The breach was discovered in November 2018.

GDPR
As the UK made the switch from the Data Protection Act to GDPR, businesses and internet users across the country suddenly became more aware of their internet identities and their rights pertaining to how businesses handled their information.

With the responsibility now firmly on the business to protect the data of UK citizens, companies are expected to keep a much higher standard of security in order to protect all personal data of their clients.

How many complaints to the ICO?
Elizabeth Denham, the UK’s Information Commissioner, said that the year 2017-18 was ‘one of increasing activity and challenging actions, some unexpected, for the office’.

This is shown in an increase in data protection complaints by 15%, as well as an increase in self-reported breaches by 30%. Since this is the first year of GDPR, it is expected that self-reported breaches have increased as businesses work to insure themselves against much higher fines for putting off their announcement.

The ICO also reports 19 criminal prosecutions and 18 convictions last year and fines totalling £1.29 million for serious security failures under the Data Protection Act 1998. The office has assured that they don’t intend to make an example of firms reporting data breaches in the early period of GDPR but as time goes on, leniency is likely to fade as businesses settle into the higher standards.

What does it mean for SMEs?
With 36% of SMEs having no cybersecurity plan, the general consensus is that they make for unpopular targets. However, with the GDPR, the responsibility is on the business to protect their data so being vulnerable could result in business-destroying costs. Considering the cost to businesses could total the higher of 2% of annual turnover or €10 million, data protection is of paramount importance to small businesses.

How exposed are we in the UK?
At 31%, our vulnerability rating is higher than the Netherlands, Germany, Estonia (30%) and Finland (29%), but the UK is a more likely target for cybercriminals looking to exploit high tech and financial services industries, which are some of the most vulnerable across Great Britain.

Despite a higher level of vulnerability, the UK has one of the largest cyber security talent pools, showing there is time and manpower being dedicated to the protection of our data online.

https://www.cybersecurity-professionals.com/blog/2019/03/01/cybercrime-in-the-uk-infographic/