Category Archives: GDPR

Mac Virus: Apple and personal data, plus Android issues

ZDNet: Apple to US users: Here’s how you can now see what personal data we hold on you – “Apple’s privacy tools now go beyond Europe, so more now get to download the personal data it has collected… The move brings the four countries in line with Europe, where Apple began offering a simpler way to download a copy of user data in May, just before the EU’s strict GDPR privacy legislation came into effect.”

Less positively:

Security Boulevard: Inside Safari Extensions | Malware’s Golden Key to User Data – “A 2-part series looking at the technology behind macOS browser extensions and how malicious add-ons can steal passwords, banking details and other sensitive user data”

And some Google/Android issues:

  • John E. Dunn for Sophos: Is Google’s Android app unbundling good for security? – “…Google’s licensing compelled device makers to install apps such as Search and Chrome if they wanted to install … the Play Store. In July 2018, the European Commission (EC) concluded this was a ploy to give Google Search a monopoly on Android, and fined the company €4.34 billion ($5.1 billion) on anti-trust grounds.”
  • The Register: Decoding the Google Titan, Titan, and Titan M – that last one is the Pixel 3’s security chip – “Chocolate Factory opens lid, just a little, on secure boot and crypto phone coprocessor”

David Harley


Dublin Information Sec 2018: take note of this advice to embed lessons from a data breach

When assembling an incident response team, it’s worth including someone whose job is to take notes. It might seem like a small point, but it’s a big help for communicating during a breach, and learning lessons afterwards.

Maybe it’s because I write things down for a living, but for me, that was one of the key takeaways from Brian Honan’s presentation at Dublin Information Sec 2018 this week. “Have someone on your team who is a scribe, who will take notes of timelines, of who did what, and who will brief senior management about what’s happening,” he said.

All the president’s men

Brian made the remarks during a presentation about how to manage data breaches in light of GDPR’s stringent reporting regime. Organisations that suffer a breach involving personal data must report it to the competent data protection authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Such a tight timeframe puts incredible pressure on incident response teams. It’s important to plan ahead, and identify the key roles and responsibilities in advance. The team could include specialists in data protection, information security, operations, human resources, legal, public relations and facilities management.

The designated note-taker can be an invaluable buffer between the technical teams scrambling to investigate the incident, and management who will want regular progress reports. Without that buffer, the need for regular updates might distract the investigation team from their work. Accurate notes can form the basis of open communication to an organisation’s staff, customers, media or other stakeholders. “Communicate throughout every part of this process,” Brian said.

Total recall

Having contemporaneous notes also provides a valuable record for when it’s time to take a fresh look at what happened. “Always review and measure, see where you can improve and how you can make things better,” Brian said.

He recommended conducting a review within 24 hours of an incident. That’s the ideal timeframe because memories fade – we’re only human after all. The longer the time lag between the incident and the review, the less reliable everyone’s recollection will be. But if the review stage is postponed for any reason, good notes are the next best thing.

Brian Honan, speaking at Dublin Information Sec 2018 conference at the RDS

 

The post Dublin Information Sec 2018: take note of this advice to embed lessons from a data breach appeared first on BH Consulting.

GDPR Fear is Stifling Employees, Here’s How to Fix It

More than three months after GDPR came into effect, businesses have found themselves between a rock and a hard place – taking every step possible to correct protocols, policies and

The post GDPR Fear is Stifling Employees, Here’s How to Fix It appeared first on The Cyber Security Place.

Top cybersecurity facts, figures and statistics for 2018

Looking for hard numbers to back up your sense of what’s happening in the cybersecurity world? We dug into studies and surveys of the industry’s landscape to get a sense

The post Top cybersecurity facts, figures and statistics for 2018 appeared first on The Cyber Security Place.

Heathrow Airport escapes hefty GDPR fine; gets only £120,000 (under 1998 DPA) for 2017 privacy breach incident

The UK Information Commissioner’s Office has fined Heathrow Airport Limited (HAL) £120,000 for failing to ensure that the personal data on its network was properly secured.

The circumstances that led to the fine circulated widely in the media in October of last year, when the mishap (to put it lightly) occurred. The (long) story (short) went like this: a HAL employee lost a USB drive containing 2.5GB of highly sensitive information; a person found the drive and viewed its contents at a public library, then passed it to a national newspaper which copied the data before giving the stick back to HAL.

The drive, containing 76 folders and over 1,000 files, was not encrypted or password protected.

“Although the amount of personal and sensitive personal data held on the stick comprised a small amount of the total files, of particular concern was a training video which exposed ten individuals’ details including names, dates of birth, passport numbers, and the details of up to 50 HAL aviation security personnel,” the ICO said.

However, when The Mirror caught wind of the blunder, the paper said the contents of the USB drive were far more sensitive than the ICO notes in its press release. The contents reportedly also included:

  • The exact route the Queen takes when using the airport, and security measures used to protect her.
  • Files disclosing every type of ID needed – even those used by covert cops – to access restricted areas.
  • A timetable of patrols used to guard the site against suicide bombers and terror attacks.
  • Maps pinpointing CCTV cameras and a network of tunnels and escape shafts linked to the Heathrow Express.
  • Routes and safeguards for Cabinet ministers and foreign dignitaries.
  • Details of the ultrasound radar system used to scan runways and the perimeter fence.

The ICO’s focus on only a fraction of the compromised data is due to its personal nature. It’s that set of personal details that the 1998 Data Protection Act (DPA) seeks to protect (as does the GDPR, more recently).

“The case was dealt with under the provisions and maximum penalties of the Data Protection Act 1998, and not the 2018 Act which has replaced it, because of the date of the breach,” the ICO noted.

Of note, HAL’s penalty would likely have been much higher under the newer General Data Protection Regulation (had the breach occurred after it took effect on May 25, 2018). The GDPR provides for fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, for the most serious infringements; a lower tier of €10 million or 2% applies to, among other things, failures of the security-of-processing obligations in Article 32.

ICO Director of Investigations, Steve Eckersley had this to say about the body’s decision to fine HAL:

“Data Protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise. Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them.”

During its investigation, the ICO also found that only a scant 2% of the 6,500 staff employed by HAL had been trained in data protection. Furthermore, the ICO condemned the widespread use of removable media, which violates the airport’s own policies. It also identified what it called “ineffective controls preventing personal data from being downloaded onto unauthorised or unencrypted media.”

To its credit, the airport quickly took action after it caught word of the breach. This included reporting the matter to police, acting to contain the incident and engaging a third-party specialist to monitor the internet and dark web for any leaks, the ICO said.

The State of Security: A Practical Guide to CCPA for U.S. Businesses

Inspired by Europe’s General Data Protection Regulation (GDPR), the State of California has set a new precedent with the passage of the California Consumer Privacy Act (CCPA). The major data incidents last year have driven citizens into a frenzy about securing their data, and states have rushed to developing and passing policies and legislation. California […]… Read More

The post A Practical Guide to CCPA for U.S. Businesses appeared first on The State of Security.




The Effects of GDPR’s 72-Hour Notification Rule

The EU's GDPR requires companies to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it. Alex Stamos, former Facebook CISO now at Stanford University, points out how this can be a problem:

Interesting impact of the GDPR 72-hour deadline: companies announcing breaches before investigations are complete.

1) Announce & cop to max possible impacted users.
2) Everybody is confused on actual impact, lots of rumors.
3) A month later truth is included in official filing.

Last week's Facebook hack is his example.

The Twitter conversation continues as various people try to figure out if the European law allows a delay in order to work with law enforcement to catch the hackers, or if a company can report the breach privately with some assurance that it won't accidentally leak to the public.

The other interesting impact is the foreclosing of any possible coordination with law enforcement. I once ran response for a breach of a financial institution, which wasn't disclosed for months as the company was working with the USSS to lure the attackers into a trap. It worked.

[...]

The assumption that anything you share with an EU DPA stays confidential in the current media environment has been disproven by my personal experience.

This is a perennial problem: we can get information quickly, or we can get accurate information. It's hard to get both at the same time.

How Businesses Can Overcome the Challenges Saas Presents to Compliance

After the GDPR deadline passed in May, we would hope that organizations made substantial progress towards achieving compliance. However, as organizations of all sizes and sectors continue to ramp up

The post How Businesses Can Overcome the Challenges Saas Presents to Compliance appeared first on The Cyber Security Place.

You gotta fight, for your right, to erasure

According to Article 17 of the European Union’s General Data Protection Regulation (GDPR), personal data that is no longer necessary for the purpose it was collected for must be erased. This aspect of the law, known as “the right to erasure,” grants any user or customer the right to request that an organisation delete all data relating to them without undue delay, which under Article 12(3) means within one month of the request (extendable by two further months for complex or numerous requests). Moreover, the regulation carries heavy fines if a business does not … More

The post You gotta fight, for your right, to erasure appeared first on Help Net Security.

Facebook: How to minimize the risk of vulnerabilities

In the last few months, the world’s most popular social network has faced several problems when it comes to data protection. In July of this year, the Information Commissioner’s Office (ICO) in the UK imposed a £500,000 fine on Facebook for its role in the Cambridge Analytica case. This was the maximum possible fine, given that the incident occurred before the GDPR came into force.

Now, a new data protection scandal has rocked the Internet giant. Last Friday, as Guy Rosen, VP of Product Management, explained, almost 50 million accounts were exposed by an attack that Facebook discovered on Tuesday September 25. The attack was made possible by a combination of bugs in the video uploader, as reached through the “View As” function that lets people see what their own profile looks like to other users: the uploader incorrectly generated an access token for the user whose profile was being viewed. This allowed the attackers to steal users’ access tokens, the keys that let users stay logged in without re-entering their passwords every time they access the site. In principle, with these tokens, an attacker could also gain access to any third-party app that uses Facebook Login.

Facebook, the initial response to the attack

It didn’t take long for Facebook to react: it notified the Data Protection Commission (DPC) in Ireland, where the company’s European headquarters are located. Under the GDPR, a controller must notify its lead supervisory authority of a personal data breach within 72 hours of becoming aware of it. However, the DPC has said that it needs more information about the attack, such as the number of European users affected and the risk they face, in order to carry out its investigation.

Since the incident happened after the GDPR came into force, the social network could face a fine of up to 4% of the annual worldwide turnover of the preceding financial year, which, in the case of Facebook, would be $1.63 billion (€1.4 billion). But this economic sanction isn’t the only repercussion; we can also add the reputational damage that the firm will suffer, another key aspect in this kind of incident. Many users will lose confidence in the company thanks to this data breach, and this loss of confidence may turn into a loss of clients and money.

Personal data, fuel for companies

There’s no doubt that personal information is power, and means serious money. How companies process and use this data is varied and sophisticated, and is very lucrative. Business of this kind is very simple: we hand over information in return for a service. But the service is paid for with our personal data. And organizations are responsible for looking out for our safety when it comes to possible cybercrimes whose ultimate goal is to compromise our privacy, such as phishing, digital identity theft, or the exploitation of unpatched vulnerabilities, as was the case in this latest incident.

With all of this in mind, it may seem easier than ever to fall victim to a cyberattack. While that is true to a certain extent, prevention, detection, response and remediation systems are also becoming more effective, especially when, as with Panda Adaptive Defense, solutions and services are combined to optimise protection, reduce the attack surface and minimise the impact of these threats.

With the number of documented vulnerabilities now up to 20,000 cases, a 38% increase compared to five years ago, the first thing to bear in mind is limiting the attack surface. At tech giants such as Facebook this may seem like a pipe dream. But keeping confidential information safe from theft or ransom, even in exorbitant quantities such as the 50 million Facebook profiles, is possible today with solutions such as Panda Patch Management, the new module of Adaptive Defense, which reduces the complexity of managing patches and updates for operating systems and hundreds of third-party applications.

What’s more, Panda Patch Management helps companies comply with the accountability principle. Regulations such as the GDPR, HIPAA and PCI DSS require organisations to take appropriate technical and organisational measures to protect the sensitive data under their control, as is the case with Facebook. Through real-time updates, this module provides visibility of the health of endpoints in terms of pending vulnerabilities and system updates, allowing organisations to get ahead of exploitation of those vulnerabilities.

How to protect your company

  • Attackers exploit vulnerabilities in unpatched programs. Keep your software and devices up to date.
  • An automatic vulnerability detection solution reduces the likelihood of suffering a security breach by up to 20%.
  • Get full control of personal data and protect your bottom line: under the GDPR, correct and speedy handling by the DPO will spare you fines and reputational damage.
  • The ability to compile detailed, timely reports about an incident of this type (how, when and how much) is very important to support the work of data protection authorities. The Panda Data Control module lets you discover, audit and monitor unstructured personal data on the endpoints in your company.

The post Facebook: How to minimize the risk of vulnerabilities appeared first on Panda Security Mediacenter.

Facebook faces a whopping €1.4 billion penalty under GDPR for Sept. 30 data breach

Facebook, which revealed last week that a massive data breach compromised 50 million accounts, is facing a potential $1.63 billion / €1.4 billion penalty under new European regulations.

A Facebook investigation revealed that attackers exploited a vulnerability in the “View As” feature that lets people see what their own profile looks like to external parties.

“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” the company said in a breach notice signed by its VP of Product Management, Guy Rosen.

Facebook discovered the breach Tuesday, Sept. 25, and complied with the EU’s General Data Protection Regulation’s requirement that entities report a breach within 72 hours of the moment they learned of it. The company offered few details about the hack, but promised to take the incident extremely seriously and offer updates as investigators learn more about what happened.

Facebook’s lead privacy regulator in Europe, Ireland’s Data Protection Commission, is ready to fine the social network up to $1.63 billion / €1.4 billion for this incident, under the European Union’s GDPR.

In an emailed statement, the regulator told the press it was “concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts but Facebook is unable to clarify the nature of the breach and the risk for users at this point.”

“Under GDPR, companies that don’t do enough to safeguard their users’ data risk a maximum fine of EUR20 million ($23 million), or 4% of a firm’s global annual revenue for the prior year, whichever is higher. Facebook’s maximum fine would be $1.63 billion using the larger calculation,” reports MarketWatch.

Since then, Facebook has issued several updates clarifying the breach, though the situation remains essentially unchanged: accounts whose tokens fell into the wrong hands before Facebook’s forced logout could have been compromised.

If you’ve found yourself logged out of Facebook after the news hit the wires, Facebook says there’s no need to change your password. But if you’re having trouble logging back into your account, the company says you should learn what you can do at this address.

Busting myths and misconceptions around GDPR and security

For better or worse, GDPR and security are often wedded together, when the relationship in fact is slightly more complicated. Sarah Clarke, a specialist in privacy, security, governance risk and compliance with BH Consulting, has picked apart some myths and misconceptions around the subject. She kindly gave us permission to use material she published in her excellent Infospectives blog. It’s well worth reading for anyone whose role involves data protection or security.

In part one, she outlines the media backdrop (clickbait headlines and all). She then goes into detail about what the GDPR really says about security and covers security as a source of privacy risks.

Confusion and misunderstanding

Sarah decided to write the blog partly out of frustration from seeing discussions about privacy, GDPR, and the role of security, where facts were in short supply. “Confusion stems from security vendors and security experts misunderstanding the GDPR, not filtering out their security bias, or willingly leveraging GDPR furore to drive a security-centric agenda,” she wrote.

Privacy experts often note that just one principle in GDPR specifically references security. As Sarah argues, the picture is more nuanced. In the daily reality of many organisations, this works a little differently. Security and data protection intersect where people, process, or technical controls are necessary to minimise the risk of harm to data subjects resulting from a personal data breach – or business as usual processing. The two also meet where a security function’s own people, process, or technical controls involve processing personal data. What’s more, both need to work together when security teams must assess, oversee, and/or pay for GDPR-related change.

Minimising risk to data subjects

“If I had to draw out one fact from everything above that needs to be drilled into the heads of many security practitioners (including me in the early days), it’s this: Data Protection is NOT just about minimising the probability and impact of breaches. Data Protection IS about minimising the risk of unfair impact on data subjects resulting from historical data processing, processing done today, and processing you and your third parties might do in future.”

The second part of Sarah’s blog looks at three myths about GDPR. First, is that the regulation makes encryption mandatory, or whether using the technology negates other controls. Secondly, she tackles the assumption that being certified to ISO27001 effectively ensures compliance with GDPR. Third, she asks whether existing security-related risk management is fit for privacy purposes.

Encryption mandated nowhere

Expanding on the first point, Sarah says encryption is a vital tool but not a mandatory one. “The GDPR doesn’t mandate ANY specific controls. It mentions a couple, like pseudonymisation and encryption, but it is all about control selection based upon your local risks… Rendering data unintelligible is an incredibly effective mitigation for post breach data related harm to both data subjects and the organisation, but it in no way negates the need to apply other security and data protection controls.”

Next, she dismisses the idea that becoming certified to the information security standard ISO27001 is the same as GDPR compliance. However, she adds that certification does help in this way: “The Information Security Management System (ISMS), described in ISO27001, represents a robust way to scope, assess, articulate, document, and manage risks associated with all aspects of organisational security, including personal data security.”

Assessing security risk from a privacy perspective

Lastly, Sarah debunks the misconception that security-related risk management is suitable for privacy purposes. The reason being that “the assessment of security related risk is pretty poor in general”. Outside certain fields like the military, healthcare, or energy, few consider the impact on individuals or groups of data subjects. As we’ve seen above, this consideration is central to GDPR.

Sarah outlines “unavoidable and critical steps” to determining the rights and freedoms of data subjects. Finally, she wraps up the post with seven practical steps for organisations to review where security, data processing, and privacy meet. Whether you work in a security role or on the privacy side, we encourage you to read the full posts. Both go into great detail and include helpful external links to other resources and discussion points. Our thanks to Sarah for sharing the material with us. You can read her blogs at www.infospectives.co.uk or follow her on Twitter.

The post Busting myths and misconceptions around GDPR and security appeared first on BH Consulting.

AggregateIQ Faces First GDPR Enforcement Over Data-Privacy Dispute

AggregateIQ, one of the companies at the heart of the Facebook unauthorized data-sharing scandal, could be one of the first companies to face penalties under the European Union’s recently implemented General Data Protection Regulation (GDPR). The United Kingdom’s (UK’s) Information Commissioner’s Office (ICO) quietly...

Read the whole entry... »

Related Stories

Equifax fined £500,000 for ginormous 2017 breach

More than a year after hackers breached credit reporting agency Equifax to steal 146 million customer records, the UK Information Commissioner’s Office (ICO) has issued the company with a £500,000 fine – a small penalty for a such a monumental blunder.

You might wonder why the UK and not the US (where Equifax is based) has fined the agency. The answer comes in the third paragraph of the ICO’s press release, where it is mentioned that, “although the information systems in the US were compromised, Equifax Ltd was responsible for the personal information of its UK customers.”

It was still the US parent company that processed UK customer data, but the UK arm (Equifax Ltd.) failed to take appropriate steps to ensure Equifax Inc was protecting the information, hence the fine.

The investigation was carried out under the Data Protection Act (DPA) from 1998, which the GDPR replaced this year. However, since the breach occurred before GDPR went into effect, the fine was issued under the older legislation.

Under the DPA, Equifax reportedly contravened five out of eight data protection principles, including failure to secure personal data, poor retention practices, and lack of legal basis for international transfers of UK citizens’ data.

“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” said Elizabeth Denham, Information Commissioner. “This is compounded when the company is a global firm whose business relies on personal data.”

“We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law,” added Denham.


Keeping Your Personal Information Safe

By Vasilii Chekalov EveryCloud, According to a study by Statista in March of 2018, 63% of respondents expressed concern that they would be hacked in the next five years. 60%

The post Keeping Your Personal Information Safe appeared first on The Cyber Security Place.

The State of Security: The Challenges of Artificial Intelligence (AI) for Organisations

Governments, businesses and societies as a whole benefit enormously from Artificial Intelligence (AI). AI assists organisations in reducing operational costs, boosting user experience, elevating efficiency and cultivating revenue. But it also creates a number of security challenges for personal data and forms many ethical dilemmas for organisations. Such challenges for information security professionals mean re-calibration […]… Read More

The post The Challenges of Artificial Intelligence (AI) for Organisations appeared first on The State of Security.




ICO Receiving 500 Breach-Related Calls a Week Since GDPR Took Effect

The United Kingdom’s Information Commissioner’s Office (ICO) has been receiving 500 calls a week pertaining to data breaches since the European Union’s General Data Protection Regulation (GDPR) took effect. Speaking before hundreds of senior business leaders at the Confederation of British Industry’s (CBI’s) fourth annual Cyber Security Conference, ICO deputy commissioner James Dipple-Johnstone revealed that of the […]… Read More

The post ICO Receiving 500 Breach-Related Calls a Week Since GDPR Took Effect appeared first on The State of Security.

British Airways Hack Update: Caused by Injected Script & PCI DSS Non-Compliance is Suspected

On Friday (7th September 2018), British Airways disclosed that between 21st August 2018 and 5th September 2018 the payment card transactions of around 380,000 BA customers were compromised by a third party through its website and mobile app. The data included each customer's full name, email address, 16-digit debit/credit card number (PAN), expiry date and card security code (CVV/CV2).

Details of how the hack was orchestrated have now come to light. In a blog post, RiskIQ researchers claimed to have found evidence that a web-based card skimmer script was injected into the BA website, very similar to the approach used by the Magecart group, who are believed to be behind a similar recent attack against the Ticketmaster website. Web-based card skimming attacks of this kind have been occurring since 2015.

In this case, once the customer had entered their payment card details and submitted the payment, whether on a PC or on a touchscreen device, the malicious script captured the card data and sent it to a virtual private server (VPS) hosted in Romania. The server used the domain baways.com, with a TLS certificate issued by Comodo, so the exfiltration went over https and the domain looked legitimate alongside the genuine site's traffic; a certificate only proves control of a domain name, not that its owner is who the name suggests. The domain had been registered six days before the breach started. That went undetected by BA's security, but a lookalike domain registration, or the certificate issued for it, is exactly the kind of event a threat intelligence or certificate transparency monitoring service could have picked up.

Other researchers have also claimed the BA website wasn't PCI DSS compliant. Marcus Greenwood found files loaded from 7 external domains onto the BA website, and crucially said the BA payment page wasn't isolating the card payment entry within an iframe. An iframe served from a separate origin (typically the payment provider's) keeps the card fields out of the main document, so scripts running in the page, whether injected third-party scripts or XSS payloads, cannot read the form fields; an iframe from the same origin gives no such protection. The Payment Card Industry Data Security Standard (PCI DSS) applies to all organisations which accept, process, store and/or transmit debit and credit card data.

Here is the advice from Bill Conner, CEO of global cybersecurity specialist SonicWall:

"Organizations and government entities carry a responsibility to consumers and civilians alike to guard their most valuable information at all costs. While the British Airways breach may not have been as detrimental as I’m sure its culprits would have liked it to be, it should serve as a wake-up call to CTOs, CIOs and CISOs. The fact is, it is early days, and the true damage done is yet to be seen. Personal information that does not change as easily as a credit card or bank account number drives a high price on the Dark Web. This kind of Personally Identifiable Information is highly sought after by cybercriminals for monetary gain. Companies should be implementing security best practices such as a layered approach to protection, as well as proactively updating any out of date security devices, as a matter of course."

My view: mass debit/credit card data (cardholder data) complete with the security code has always been targeted by cyber crooks, as it is very easily sellable on the dark web; the data can be used for cardholder-not-present transaction fraud, where the card holder is not physically present, i.e. online, app or phone purchases. The finger can be pointed at lack of PCI DSS compliance by merchants like BA; however, I think it is about time technology was used to improve the security of all cardholder-not-present transactions, namely multi-factor authentication (MFA). While MFA on all cardholder-not-present transactions is not a silver bullet, as there is no 100% security, enforced usage across all industries would certainly devalue debit/credit card data considerably.

GDPR lands at British Airways: How did the hackers manage to get in?


A few days after British Airways suffered the worst cyberattack in its history, the airline still hasn’t revealed any technical details about the breach, beyond the official apology and the mandatory notifications to the supervisory authority and to the affected customers, to the more than 380,000 users whose data was compromised after making purchases on BA’s website.

Names, email addresses, and credit card details, including numbers, expiry dates and CVV security codes, have been stolen. A few hints have allowed cybersecurity experts, such as Professor Alan Woodward, to get an idea of how the hackers were able to sneak onto BA’s website and app between August 21 and September 5. This was an attack similar to the one recently suffered by Ticketmaster, where a third-party customer service chatbot was identified as the likely cause of a breach that affected some 40,000 users in the UK. In fact, in the last few hours, information has emerged suggesting that the perpetrators of that attack may also be behind the British Airways hack.

Money has wings…

Until a few months ago, companies would shrug their shoulders when faced with attacks of this type. The greatest concern during previous cyberattacks was the potential damage to reputations. But now, with the new General Data Protection Regulation and the fines that infringing it can lead to, there is a new threat for the coffers of companies that fall victim to security breaches like this, affecting both clients’ and investors’ pockets. And BA’s case has been no exception.

The most immediate consequence? Shares in IAG, the parent company of British Airways, fell around 3% on the IBEX and on the FTSE after the attack and its scope were revealed. This meant a 456 million euro drop in its market value on Friday, after it emerged that hackers had stolen the payment details of 380,000 customers.

British Airways’ chairman and CEO, Álex Cruz, hasn’t explained how the data was stolen, though he has denied that the attackers managed to breach the company’s encryption. “There were other methods, very sophisticated methods, that criminals used to obtain that data,” he said in an interview with the BBC.

However, Professor Woodward, in his statements, said, “You can put the strongest lock you like on the front door, but if the builders have left a ladder up to a window, where do you think the burglars will go?” Hence the controversy.

How to avoid the fines

While it can’t be stated with 100% certainty that it was a script injection attack that compromised British Airways’ payment flow, it does seem to be the most likely cause. Other theories go as far as suggesting an insider manipulating the website with malicious intent. What is certain is that the airline is going through a rough patch as far as its IT systems are concerned.

This incident has been a lesson, and has also underlined the need to invest in cybersecurity in order to demonstrate that enough is being done to safeguard sensitive data. Preventing these security breaches, and being able to show that appropriate technical and organisational measures were in place, is the surest way to avoid economic sanctions.

It has recently been shown that the difficulty experienced by large companies when it comes to locating the unstructured data in their systems could be a question of volume. In fact, 65% of companies collect so much data that they’re unable to categorize or analyze it. If we take into account the nature of British Airways, one of Europe's largest airlines, we can get an idea of the sheer amount of personal data managed by its systems.

These days, there are advanced cybersecurity solutions specifically designed to provide support for the whole IT team, with the aim of avoiding situations like the one that BA has gone though. One such solution is Panda Data Control.

What will happen with those clients who decide to request to have their data permanently deleted from one of these platforms? In this case, the companies must have a highly detailed inventory of where all their data is, a perfect chart of this information, and almost notarial control in order to be able to prove the complete deletion of the data from all systems. All of this is offered by Panda Data Control, to ensure that users can exercise their right to be forgotten with total transparency and be able to certify it.

This data protection solution, which is integrated into Panda Adaptive Defense, allows you to discover, audit and monitor unstructured personal and sensitive data on your company’s endpoints: from data at rest, to data in use and data in motion.

It identifies the files that contain personal data (PII) and records any kind of access to it, alerting in almost real time about leaks, use, and suspicious or unauthorized traffic.

It gives total visibility of the files, users, devices and servers that access this information, so you can supervise any action carried out on the personal information that you store.

Because the most important thing when it comes to mitigating the risks related to data is to be extremely careful with how personal information is dealt with, and it is vital to know where data is stored and to know who has access to it.

The post GDPR lands at British Airways: How did the hackers manage to get in? appeared first on Panda Security Mediacenter.

British Airways Customer Data Stolen in Website and Mobile App Hack

In a statement, British Airways stated: "From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on ba.com and the airline’s app were compromised." The airline said they will be notifying affected customers, and if anyone has been impacted to contact their bank or credit card providers.
The Telegraph reported 380,000 payments were compromised, and that BA customers had experienced payment card fraud as a result before the BA breach disclosure, which strongly suggests the card data was stolen in usable, unencrypted form.

There are no details about the data theft method at the moment, but given the statement said the BA website and BA mobile app were compromised, I think we could be looking at another example of an insecure API being exploited, as per the Air Canada breach and the T-Mobile breach last month.

We'll see what comes out in the wash over the next few days and weeks, but thanks to the GDPR, at least UK firms are quickly notifying their customers when their personal and financial data has been compromised, even if there is little detail reported about how. Without knowing how the data was compromised, customers cannot be truly assured their private data is safe. It also will be interesting to learn whether the BA systems were compliant with the Payment Card Industry Data Security Standard (PCI DSS), required by all organisations that accept, process, store and/or transmit debit and credit cards.

Update: 
A spokesperson at BA said "hackers carried out a sophisticated, malicious criminal attack on its website" and impacted BA customers would be compensated. 

380,000 card payment transactions were confirmed as stolen, specifically:
  • Full Name
  • Email address
  • Payment card number (PAN)
  • Expiration date
  • Card Security Code [CVV] - typically a 3-digit authorisation code written on the back of the debit/credit card
BA insists it did not store the CVV numbers; these are not allowed to be stored after payment card authorisation under PCI DSS. This suggests the card details may have been intercepted during the payment transaction, perhaps by a maliciously injected or compromised third-party website plugin, as opposed to data theft from the database, as often seen with SQL injection attacks against web apps.

BA have published help and FAQs to anyone that is impacted by this data breach.
https://www.britishairways.com/en-gb/information/incident/data-theft/latest-information

British Airways is owned by IAG, their share price dropped by more than 4%, which equates to a £500m+ value loss in the company.

Update on the Attack Method (11 Sept 2018)
In a blog post, RiskIQ researchers claim to have found evidence that a web-based card skimmer script was injected into the BA website, very similar to the approach used by the Magecart group, who are believed to be behind the recent attack against the Ticketmaster website. Web-based card skimmer attacks of this kind have been seen since 2015.

In this case, once the customer entered their payment card details and submitted the payment, whether on a PC or on a touchscreen device, the malicious script captured the data and sent it to a virtual private server (VPS) hosted in Romania. The server used the domain baways.com with a TLS certificate issued by Comodo, so the exfiltration went over https and looked legitimate. The domain had been registered six days before the breach started; that went undetected by BA's security, but a rogue lookalike registration, or the certificate issued for it, is something a threat intelligence or certificate transparency monitoring service could have picked up.
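The check this paragraph (and the same paragraph in the "BA Hack Update" post above) says a threat intelligence service could have made, written out as an added example for this page rather than anything from BA, RiskIQ or a vendor: score newly observed domain names against a brand profile and hand the suspicious ones to an analyst. The feed below is constructed; in production the candidates would come from a certificate transparency log monitor or a domain registration feed, and the scan would run continuously, since the window here was six days. The brand keyword list, the tiny public-suffix table and the homoglyph map are assumptions to tune per brand; only baways.com and its Comodo issuer come from the post.

```python
"""Flag newly seen domains that imitate a brand (constructed feed; added example, not BA's code)."""
from dataclasses import dataclass

# Very small public-suffix table for the demo; real code uses the Public Suffix List.
SUFFIXES = ("co.uk", "org.uk", "com", "net", "org", "io")

# Digits an impostor substitutes for letters (leetspeak / homoglyphs).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


@dataclass(frozen=True)
class BrandProfile:
    name: str               # brand as one lowercase token
    abbreviations: tuple    # short forms customers recognise
    keywords: tuple         # brand words an impostor would reuse (assumed list)
    owned: frozenset        # registrable domains the brand really owns


BA_PROFILE = BrandProfile(
    name="britishairways",
    abbreviations=("ba",),
    keywords=("airways", "ways", "british", "flights"),
    owned=frozenset({"britishairways.com", "ba.com"}),
)

# Constructed feed of (domain, certificate issuer); only the baways.com entry is from the post.
FEED = [
    ("baways.com", "COMODO CA Limited"),
    ("britishairways.com", "DigiCert Inc"),
    ("british-airways-refunds.net", "Let's Encrypt"),
    ("brit1shairways.com", "Let's Encrypt"),
    ("subways.co.uk", "Sectigo Limited"),
    ("bananas.org", "Sectigo Limited"),
    ("example.com", "DigiCert Inc"),
]


def registrable_label(domain: str) -> str:
    """'british-airways-refunds.net' -> 'british-airways-refunds'; 'www.subways.co.uk' -> 'subways'."""
    domain = domain.lower().rstrip(".")
    for suffix in sorted(SUFFIXES, key=len, reverse=True):
        if domain.endswith("." + suffix):
            domain = domain[: -len(suffix) - 1]
            break
    return domain.rsplit(".", 1)[-1]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(domain: str, brand: BrandProfile):
    """Return why `domain` looks like an impersonation of `brand`, or None if it does not."""
    if domain.lower() in brand.owned:
        return None
    norm = registrable_label(domain).replace("-", "").translate(HOMOGLYPHS)
    if brand.name in norm:
        return "brand-name-in-label"
    if levenshtein(norm, brand.name) <= 2:
        return "typosquat"
    for abbr in brand.abbreviations:
        # The baways.com pattern: the abbreviation customers know plus a word from the brand name.
        if (norm.startswith(abbr) or norm.endswith(abbr)) and any(k in norm for k in brand.keywords):
            return f"abbreviation-{abbr}-plus-keyword"
    return None


def scan_feed(feed, brand: BrandProfile):
    """Return [(domain, reason, issuer)] for every entry that warrants analyst review."""
    hits = []
    for domain, issuer in feed:
        reason = lookalike_reason(domain, brand)
        if reason:
            hits.append((domain, reason, issuer))
    return hits


if __name__ == "__main__":
    for domain, reason, issuer in scan_feed(FEED, BA_PROFILE):
        print(f"REVIEW {domain:32} {reason:30} issuer={issuer}")
```

The output is a review queue, not a block list: the heuristics are deliberately loose, so an analyst confirms each hit before it goes into proxy and DNS denylists. Once a hit is confirmed, the same name is the indicator to search for in outbound web logs and in the site's own script inventory.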

Researchers have also claimed the BA website wasn't PCI DSS compliant. They found 7 third-party scripts running on the BA website, but crucially said the BA payment page wasn't isolating the card payment fields within an iframe served from a separate origin, which would prevent scripts in the page (injected third-party scripts and XSS payloads alike) from being able to read the payment card form fields.
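To make the two findings above concrete (external scripts on the payment page, and card fields not isolated in an iframe), here is an added example that audits a payment page the way a PCI assessor or a security engineer would, and then the same page after hardening. It is not BA's, RiskIQ's or Marcus Greenwood's code. Both HTML documents are constructed: the `.test` hostnames, the script paths and the `sha384-REPLACEME` integrity placeholders are assumptions, and only baways.com comes from the post. The hardened page delegates card entry to an iframe on the payment provider's origin, puts Subresource Integrity on every script (first-party included, because a skimmer injected into your own script passes any host-based check), and ships a Content-Security-Policy that limits where the page can send data.

```python
"""Inventory a payment page's scripts and card fields against policy (added example, constructed pages)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "www.example-airline.test"              # assumed first-party host
APPROVED_THIRD_PARTY = {"cdn.example-analytics.test"}  # assumed allowlist
PSP_HOST = "pay.example-psp.test"                      # assumed payment service provider
SENSITIVE_FIELDS = {"pan", "cardnumber", "card_number", "cvv", "cvc", "cv2", "expiry"}

# Constructed page in the state the post describes: card fields in the main document,
# an unapproved script host (baways.com) and no integrity attributes anywhere.
VULNERABLE_PAGE = """<html><head>
<script src="https://www.example-airline.test/js/app.js"></script>
<script src="https://cdn.example-analytics.test/tag.js"></script>
<script>window.pageConfig = {};</script>
</head><body>
<form id="payment" action="/pay" method="post">
  <input name="pan"><input name="expiry"><input name="cvv">
</form>
<script src="https://baways.com/script.js"></script>
</body></html>"""

# Same page hardened: SRI on every script, no inline script, card entry inside an iframe
# served by the PSP (a different origin, so page scripts cannot read its fields).
HARDENED_PAGE = """<html><head>
<script src="https://www.example-airline.test/js/app.js" integrity="sha384-REPLACEME"></script>
<script src="https://cdn.example-analytics.test/tag.js" integrity="sha384-REPLACEME"></script>
</head><body>
<iframe src="https://pay.example-psp.test/fields" title="card entry"></iframe>
</body></html>"""


class PageInventory(HTMLParser):
    """Collects every script, iframe and sensitive input in the top-level document."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # (src or None for inline, has_integrity)
        self.iframes = []      # src values
        self.card_inputs = []  # sensitive inputs found directly in the page

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self.scripts.append((a.get("src"), "integrity" in a))
        elif tag == "iframe":
            self.iframes.append(a.get("src", ""))
        elif tag == "input" and a.get("name", "").lower() in SENSITIVE_FIELDS:
            self.card_inputs.append(a["name"])


def audit_payment_page(page_html: str):
    """Return (severity, finding, detail) tuples; an empty list means the page meets policy."""
    inv = PageInventory()
    inv.feed(page_html)
    findings = []
    for src, has_sri in inv.scripts:
        if src is None:
            findings.append(("medium", "inline-script", "needs a CSP nonce or hash"))
            continue
        host = urlparse(src).hostname or ""
        if host != FIRST_PARTY and host not in APPROVED_THIRD_PARTY:
            findings.append(("critical", "unapproved-script-host", host))
        elif not has_sri:
            # First-party scripts need SRI too: a tampered file on your own origin
            # passes every host-based check.
            findings.append(("high", "script-without-sri", src))
    if inv.card_inputs:
        findings.append(("critical", "card-fields-in-main-document", ",".join(inv.card_inputs)))
    if not any(urlparse(s).hostname == PSP_HOST for s in inv.iframes):
        findings.append(("high", "no-psp-iframe", PSP_HOST))
    return findings


def build_csp() -> str:
    """CSP allowing only the inventoried script hosts; connect/img/form-action stop exfiltration elsewhere."""
    script_hosts = " ".join(sorted(APPROVED_THIRD_PARTY))
    return (
        f"default-src 'self'; script-src 'self' {script_hosts}; connect-src 'self'; "
        f"img-src 'self'; frame-src https://{PSP_HOST}; form-action 'self'"
    )


if __name__ == "__main__":
    for page_name, page in (("vulnerable", VULNERABLE_PAGE), ("hardened", HARDENED_PAGE)):
        print(page_name, audit_payment_page(page) or "no findings")
    print("Content-Security-Policy:", build_csp())
```

Two caveats worth keeping in mind. The CSP `connect-src 'self'` and `img-src 'self'` directives are what actually stop a skimmer from posting to a domain like baways.com, so they matter more than the script allowlist; and the iframe only helps when it is cross-origin, which is why the audit checks the frame's host against the PSP rather than merely looking for an `<iframe>` tag.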

Bill Conner, CEO of SonicWall, said: "Organizations and government entities carry a responsibility to consumers and civilians alike to guard their most valuable information at all costs. While the British Airways breach may not have been as detrimental as I’m sure its culprits would have liked it to be, it should serve as a wake-up call to CTOs, CIOs and CISOs. The fact is, it is early days, and the true damage done is yet to be seen. Personal information that does not change as easily as a credit card or bank account number drives a high price on the Dark Web. This kind of Personally Identifiable Information is highly sought after by cybercriminals for monetary gain. Companies should be implementing security best practices such as a layered approach to protection, as well as proactively updating any out of date security devices, as a matter of course."

Official Cardi B website plagued by spammers

We come bearing tidings of proper website maintenance and general housekeeping for singer Cardi B (or rather, for her web development team). At first glance, it appeared as though her website had been hacked a few days ago. But a look under the hood told a different story.

We were surprised to see the following lurking on the official Cardi B website:

[Screenshot: Cardi spam]

Ignore the privacy policy pop-up. Websites can’t get enough of those these days, thanks to GDPR. No, what we’re talking about is the peculiar blast of messed up spam text all over the page. Had it been compromised? Or was something else to blame?


Things certainly didn’t look great. Even worse for the singer, the front page of her site was touting similar spammy vids:

[Screenshot: video spam]

I could be wrong, but I don’t think her fans are particularly interested in clickthroughs to fake movie streams and a football match involving Stoke City and Wigan Athletic. The spam links also found their way onto the photos page:

[Screenshot: photo spam]

Those are definitely photos, but not so much of a singer singing. What happened here?

It seems the site allows people to sign up as registered users, then post comments. Somewhere along the line, this feature has attracted the ire of spammers who figured out a way to not only plaster individual pages with spam links, but also feed said spam onto various main sections of the site as a whole.

We’ve posted at length regarding the correct treatment of user-posted comments, and we’ve also taken a look at how things can go wrong with plugins and third-party tools. When it comes to our own site, we keep a sharp eye on spam, moderate comments, and close comments sections after a certain amount of time. With the amount of junk floating around the web, you can’t afford to be lax where keeping a tidy online presence is concerned.
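The moderation controls the two paragraphs above describe (hold suspicious comments, rate-limit new accounts, close old threads, and never let unreviewed user content reach the home page or section listings), as an added example for this page rather than code from the Cardi B site or from Malwarebytes. The comments, the spam phrase list and every threshold are constructed assumptions to be tuned per site; the Stoke City versus Wigan reference simply mirrors the spam the post describes.

```python
"""Moderation gate for user comments (added example; constructed comments and thresholds)."""
import html
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
SPAM_PHRASES = ("free stream", "watch online", "full movie", "live stream", "hd stream")  # assumed
MAX_LINKS = 1                  # more than this many links -> hold for review
NEW_ACCOUNT = timedelta(days=1)
MAX_RECENT = 5                 # comments per hour per account before we stop accepting
CLOSE_AFTER = timedelta(days=30)


@dataclass
class Comment:
    author: str
    account_created: datetime
    posted: datetime
    text: str
    thread_opened: datetime
    recent_by_author: int = 0  # comments by this account in the last hour, tracked by the site


@dataclass
class Moderator:
    seen: set = field(default_factory=set)  # normalised texts already posted anywhere on the site

    def reasons(self, c: Comment) -> list:
        r = []
        if c.posted - c.thread_opened > CLOSE_AFTER:
            r.append("thread-closed")
        urls = URL_RE.findall(c.text)
        if len(urls) > MAX_LINKS:
            r.append("too-many-links")
        if urls and c.posted - c.account_created < NEW_ACCOUNT:
            r.append("new-account-posting-links")
        low = c.text.lower()
        if any(p in low for p in SPAM_PHRASES):
            r.append("spam-phrase")
        if c.recent_by_author >= MAX_RECENT:
            r.append("rate-limit")
        norm = re.sub(r"\W+", " ", low).strip()
        if norm in self.seen:
            r.append("duplicate-text")   # the same blast pasted across many pages
        self.seen.add(norm)
        return r

    def decide(self, c: Comment) -> str:
        """published: visible at once; held: moderator queue; rejected: dropped."""
        r = self.reasons(c)
        if "thread-closed" in r or "rate-limit" in r:
            return "rejected"
        return "held" if r else "published"


def render(text: str) -> str:
    """Escape everything, then turn bare URLs into links that search engines will not credit."""
    escaped = html.escape(text, quote=True)
    return URL_RE.sub(
        lambda m: f'<a href="{m.group(0)}" rel="nofollow ugc noopener" target="_blank">{m.group(0)}</a>',
        escaped,
    )


def front_page_feed(decisions, limit=3):
    """Only published comments ever reach the home page or section listings."""
    return [c for c, status in decisions if status == "published"][:limit]


def demo():
    now = datetime(2018, 9, 10, 12, 0, tzinfo=timezone.utc)
    opened = now - timedelta(days=2)
    fan = Comment("fan01", now - timedelta(days=400), now, "Loved the show in Dublin!", opened)
    spam = Comment("newbie77", now - timedelta(hours=2), now,
                   "Stoke City vs Wigan live stream http://stream.example.test/1 http://stream.example.test/2", opened)
    repeat = Comment("newbie78", now - timedelta(hours=3), now, spam.text, opened)
    late = Comment("fan02", now - timedelta(days=90), now, "Still a great track", opened - timedelta(days=60))
    mod = Moderator()
    return [(c.author, mod.decide(c)) for c in (fan, spam, repeat, late)]


if __name__ == "__main__":
    for author, status in demo():
        print(f"{author:10} {status}")
```

The decision is deliberately three-valued: a held comment is still stored, so a moderator can publish legitimate ones, while only "published" rows are ever queried for the home page, which is the gap the post describes being exploited.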

While the rogue pages in question seem to have been taken down, simply searching for the Cardi B website in Google reveals the damage done to the site’s search results:

[Screenshot: Google results]

Spammy results such as the above can take a long time to filter out of search engines, and it isn’t great to have things like that sitting at the top of the searches alongside legitimate results.

[Screenshot: more spam]

There’s been a cleanup since Cardi B fans started talking about it on social media. Though you can still access the login page for existing user accounts on the site, it looks as though new sign-ups have been disabled so the site admins can bring everything back under control.

[Screenshot: registration]

While a spam outbreak is never good, especially when it spills onto your home page, it appears the scammers had nothing but spam in mind—so no malware links were forthcoming. What was in evidence, however, was any number of cookie-cutter links to video streaming sites and YouTube clips.

[Screenshot: movie stream site]

With so many links spammed, and tedious work to be done to check each one individually, there’s no way to guarantee final destinations were entirely free from harm. If you think you might have ended up on something other than a YouTube video or movie sign-up page via any of these links, then it’s a good idea to run some anti-malware scans on your PC and ensure you’re clean.

As for Cardi B, hopefully the site admins will be able to keep a lid on the kind of spam outbreaks they’ve experienced over the last couple of days. Social features for users of your site are great, but those services need to be balanced with tight moderation and a limit on where said features can take you—even if it is Stoke City versus Wigan Athletic.

The post Official Cardi B website plagued by spammers appeared first on Malwarebytes Labs.

Creating Ripples: The Impact and Repercussions of GDPR, So Far

“GDPR is coming, GDPR is coming!” For months this was all we heard – everyone was discussing GDPR’s impending arrival on May 25th, 2018, and what they needed to do to prepare for the new privacy regulation. GDPR – the General Data Protection Regulation – was adopted on April 14th, 2016, as a replacement for the EU’s former legislation, the Data Protection Directive. At its core, GDPR is designed to give EU citizens more control over their personal data. But in order for that control to be placed back in consumers’ hands, organizations have to change the way they do business. In fact, just three months after the implementation date, we’ve already seen GDPR leave an impact on companies. Let’s take a look at the ramifications that have already come to light because of GDPR, and how the effects of the legislation may continue to unfold in the future.

Even though the EU gave companies two years to ensure compliance, many waited until the last minute to act. So far, no one has been slapped with the massive fines, but complaints are already underway. In fact, complaints have been filed against Google, Facebook, and its subsidiaries, Instagram and WhatsApp. Plus, Max Schrems’ None of Your Business (NOYB) and the French association La Quadrature du Net have been busy filing complaints all around Europe. However, the ramifications are not just monetary, as the regulation has already affected some organizations’ user bases, as well as customer trust.

Take Facebook for example – the social network actually attributes the loss of 1 million monthly active users to GDPR, as reported in its second quarter earnings. Then there’s British Airways, which claimed that in order to provide customer service online and remain GDPR compliant, its customers must post personal information on social media. Even newspapers’ readership has been cut down due to the legislation, as publications such as the Los Angeles Times and Chicago Tribune stopped allowing European readers access to their sites in order to avoid risk.

GDPR has had tactical repercussions too; for instance, it has changed the way the IT sector stores customer data. A consumer’s ‘right to be forgotten’ means organizations have to be able to show how a customer’s data has been removed from internal systems when the customer exercises it, and to account for the copies held in secure backups. GDPR also changes the way IT encrypts and anonymizes data.

What’s more — according to Don Elledge, guest author for Forbes, GDPR is just the tip of the iceberg when it comes to regulatory change. He states, “In 2017, at least 42 U.S. states introduced 240 bills and resolutions related to cybersecurity, more than double the number the year before.” This is largely due to the visibility of big data breaches (Equifax, Uber, etc.), which has made data protection front-page news, awakening regulators as a result. And with all the Facebook news, the Exactis breach, and the plethora of data leaks we’ve seen so far this year, 2018 is trending in the same direction. In fact, the California Consumer Privacy Act of 2018, which will go into effect January 1st, 2020, is already being called the next GDPR. Additionally, Brazil signed a data protection bill in mid-August, which is inspired by GDPR and is expected to take effect in early 2020. The principles are similar, and potential fines could near 12.9 million USD. And both China and India are currently working on data protection legislation of their own as well.

So, with GDPR already creating ripples of change and new, similar legislation coming down the pipeline, it’s important now more than ever that companies and consumers alike understand how a piece of data privacy legislation affects them. Beyond that, companies must plan accordingly so that their business can thrive while remaining compliant.

To learn more about GDPR and data protection, be sure to follow us at @McAfee and @McAfee_Business, and check out some of our helpful resources on GDPR.

The information provided on this GDPR page is our informed interpretation of the EU General Data Protection Regulation, and is for information purposes only and it does not constitute legal advice or advice on how to achieve operational privacy and security. It is not incorporated into any contract and does not commit promise or create any legal obligation to deliver any code, result, material, or functionality. Furthermore, the information provided herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. If you require legal advice on the requirements of the General Data Protection Regulation, or any other law, or advice on the extent to which McAfee technologies can assist you to achieve compliance with the Regulation or any other law, you are advised to consult a suitably qualified legal professional. If you require advice on the nature of the technical and organizational measures that are required to deliver operational privacy and security in your organization, you should consult a suitably qualified privacy professional. No liability is accepted to any party for any harms or losses suffered in reliance on the contents of this publication.

The post Creating Ripples: The Impact and Repercussions of GDPR, So Far appeared first on McAfee Blogs.

Many UK SMBs still lax in data protection, new study unveils

Strict new regulations set in place by the European Union this year are being treated rather superficially by some small and medium businesses (SMBs) in the UK, even though noncompliance can attract fines of up to 20 million euros (about 18 million pounds) or 4% of global annual turnover, whichever is higher.

Although Britain is soon to separate itself from the EU, the country still has to obey the Union’s new data protection law (GDPR) until Brexit, and the UK's own Data Protection Act 2018 carries the same requirements into domestic law. Only 35% of SMBs have company storage centralized on on-site servers, while 29% use cloud-based storage solutions, and 23% of SMB employees reportedly use portable storage (such as USB drives) as their primary way to store company data, according to a poll by storage solutions maker Seagate.

Not only is storing company data in disparate locations highly risky, Seagate warns, it’s also time-consuming for staff sifting through documents to find what they need. As a case in point, the survey found 49% of UK SMB employees who work remotely report difficulty accessing work files out of the office. And 46% of staff at companies with 50-99 employees run out of space for data at least once per month.

Backup-wise, British SMBs seem quite conscientious. Backups occur on average 15.4 times per month (about once every two days), and 28% of those surveyed said they back up their data at least once per day.

Still, SMBs could do more to protect their data, Seagate found. 52% of workers at companies with 10-249 employees delete unused items from their work computers only once per month. 44% of UK SMB workers either aren’t sure of their company’s GDPR policy, or say it doesn’t have one.

15% said their company has suffered a data breach or cyberattack at some point in time, and 23% said their company has no incident response plan in place. Well over a third (37%) didn’t even know if there was such a plan in place.

Seagate advises lagging SMBs to communicate to their employees “the importance of following agreed procedures to ensure data is handled safely and effectively.”

At the other end of the spectrum, technology giants like IBM know all too well the dangers of carrying sensitive corporate data on portable media. In a new, company-wide policy instated earlier this year, the company began banning all removable storage, seeking to avoid potential financial and reputational damage stemming from a misplaced or misused USB drive.

Static vs Dynamic Data Masking: Why Are We Still Comparing the Two?

Earlier this month a leading analyst released their annual report on the state of Data Masking as a component of the overall Data Security sector; which included commentary on what’s known as ‘static’ data masking and an alternative solution known as ‘dynamic’ data masking. And these two solutions have been considered in unison for some time now within the industry overall. The question is, should they be?

Dynamic certainly sounds good, but is it what I need?

At face value, the word ‘dynamic’ certainly sounds a lot more exciting than “static” — I mean, who wouldn’t rather purchase a dynamic television, a dynamic smartphone, or a dynamic bicycle, if the alternative was a “static” version?

The problem is, these are not comparable or alternative options. In the world of data masking, dynamic and static solutions continue to be treated as alternative solutions, with vendors being assessed as to whether they offer one or the other or both.  The reality is, the two solutions certainly support data security, but only static data masking actually ‘de-identifies’ or ‘masks’ data. Dynamic masking provides a cursory replacement of data in transit but leaves the original data intact and unaltered.

So, the point here is that both tools offer a solution to organizational challenges around securing data; but they are completely different technologies, solving completely different challenges, and with completely different use-cases and end users involved.

So, what’s the difference between dynamic and static solutions?

Let’s take a closer look at the two technologies. First, what is the definition of data masking? A quick Google search will lead you to a variety of closely aligned definitions, all of which reference the notion of de-identifying specific sensitive data elements within a database. So, how does this differ between the static and dynamic varieties?

Static data masking (SDM) permanently replaces sensitive data by altering data at rest within database copies being provisioned to DevOps environments.  Dynamic data masking (DDM) aims to temporarily hide or replace sensitive data in transit leaving the original at-rest data intact and unaltered. There are use cases for both solutions, but comparing them as alternative options and/or calling them both ‘masking’ is clearly a misnomer of sorts.

SDM is primarily used to provide high quality (i.e., realistic) data for development and testing of applications within the non-production or DevOps environments, without disclosing sensitive information. Realism, rich data patterns, and high utility of the masked data is critical as it enables end-users to be more effective at conducting tests, completing analytics, and/or identifying defects earlier in the development cycle, therefore driving down costs and increasing overall quality. Leveraging SDM also provides critical input into privacy compliance efforts with standards and regulations such as GDPR, PCI, HIPAA, that require limits on the use of data that identifies individuals. By leveraging SDM, the organization reduces the volume of ‘real’ sensitive data within their overall data landscape, thereby reducing the risks and costs associated with a data breach while simultaneously supporting compliance efforts.

So, SDM clearly has a role in supporting overall data security efforts and in securing the DevOps environment, but what about DDM? How do they compare? Well, as previously mentioned… they don’t.

The reality is, DDM is primarily used to apply role-based (object-level) security for databases or applications in production environments, and as a means to apply this security to (legacy) applications that don’t have a built-in, role-based security model or to enforce separation of duties regarding access. It’s not intended to permanently alter sensitive data values for use in DevOps functions like SDM.

Okay, how does it work? At a high level, the sensitive data stays in the reporting database. With DDM, every SQL statement the analyst issues passes through a database proxy, which inspects each packet to determine which user is attempting to access which database objects. The proxy then modifies the SQL before issuing it to the database, so that masked values are returned to the analyst while the rows on disk are unchanged. Because preventing masked data from being written back to the database is genuinely complicated, DDM should really only be applied in read-only contexts such as reporting or customer service inquiry functions.
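The distinction drawn in the SDM paragraphs above and in this DDM paragraph is easiest to see with both run against the same table, so here is an added example (not Imperva's product code) on an in-memory SQLite database. The customer rows are constructed, using well-known test card numbers; the masking key and the `.test` addresses are assumptions. The static path writes a de-identified copy for non-production use whose card numbers keep the issuer prefix and still pass the Luhn check, so test code behaves as it would on real data; the dynamic path is a minimal proxy that rewrites bare column lists for a role and refuses anything it cannot reason about, which is a simplification of the full SQL parsing a real DDM proxy has to do.

```python
"""Static vs dynamic data masking on one table (added example; constructed rows, simplified proxy)."""
import hashlib
import hmac
import re
import sqlite3

COLUMNS = ("id", "name", "pan", "email")
SAMPLE_ROWS = [  # constructed; the PANs are standard test numbers, not real cards
    (1, "Alice Example", "4111111111111111", "alice@example.test"),
    (2, "Bob Example", "5555555555554444", "bob@example.test"),
]


def new_customers_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, pan TEXT, email TEXT)")
    return conn


def production_db() -> sqlite3.Connection:
    conn = new_customers_db()
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


# ---- Static data masking: a de-identified copy provisioned to dev/test ---------------------

def luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial + digit` pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def mask_pan_static(pan: str, key: bytes) -> str:
    """Keep the 6-digit issuer prefix, replace the account digits with keyed-hash digits,
    recompute the check digit. Deterministic, so the same real PAN maps to the same fake
    PAN in every table and joins in the masked copy still work."""
    digest = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    body = "".join(str(int(c, 16) % 10) for c in digest)[: len(pan) - 7]
    partial = pan[:6] + body
    return partial + luhn_check_digit(partial)


def static_mask_copy(source: sqlite3.Connection, key: bytes) -> sqlite3.Connection:
    """Provision the non-production copy; the original values never reach it."""
    dev = new_customers_db()
    for cid, _name, pan, email in source.execute("SELECT id, name, pan, email FROM customers"):
        tag = hmac.new(key, email.encode(), hashlib.sha256).hexdigest()[:8]
        dev.execute("INSERT INTO customers VALUES (?, ?, ?, ?)",
                    (cid, f"Customer {cid}", mask_pan_static(pan, key), f"user-{tag}@example.test"))
    dev.commit()
    return dev


# ---- Dynamic data masking: a proxy rewrites the analyst's SELECT; stored data is untouched ----

MASK_EXPRESSIONS = {
    "pan": "('************' || substr(pan, -4)) AS pan",
    "email": "('***@' || substr(email, instr(email, '@') + 1)) AS email",
}
ROLE_MASKS = {"analyst": {"pan", "email"}, "dba": set()}
_SELECT_RE = re.compile(r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<rest>.+?)\s*;?\s*$", re.I | re.S)


def rewrite_for_role(sql: str, role: str) -> str:
    """Only a single SELECT over known, bare column names passes; masked columns are swapped
    for expressions. SELECT *, functions and unknown names are refused, never passed through."""
    m = _SELECT_RE.match(sql)
    if not m or ";" in m.group("rest"):
        raise PermissionError("DDM proxy: only a single SELECT statement is permitted")
    to_mask = ROLE_MASKS.get(role, set(MASK_EXPRESSIONS))  # unknown role: mask everything
    rewritten = []
    for col in (c.strip() for c in m.group("cols").split(",")):
        if col not in COLUMNS:
            raise PermissionError(f"DDM proxy: column expression not allowed: {col!r}")
        rewritten.append(MASK_EXPRESSIONS[col] if col in to_mask else col)
    return f"SELECT {', '.join(rewritten)} FROM {m.group('rest')}"


def query_via_proxy(conn: sqlite3.Connection, sql: str, role: str):
    return conn.execute(rewrite_for_role(sql, role)).fetchall()


def demo():
    key = b"constructed-masking-key"  # in practice a managed secret
    prod = production_db()
    dev = static_mask_copy(prod, key)
    return {
        "prod_pan": prod.execute("SELECT pan FROM customers WHERE id = 1").fetchone()[0],
        "dev_pan": dev.execute("SELECT pan FROM customers WHERE id = 1").fetchone()[0],
        "analyst": query_via_proxy(prod, "SELECT id, name, pan, email FROM customers ORDER BY id", "analyst"),
        "dba": query_via_proxy(prod, "SELECT id, pan FROM customers ORDER BY id", "dba"),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```

Note what the dynamic path does not do: the real PAN is still on disk and still readable by the `dba` role, and a WHERE clause such as `WHERE pan = '4111111111111111'` would let an analyst confirm a value one guess at a time even though the column is masked in the result set, which is the "risk of exposure remains" point made later in the post.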

Ok, I get the differences, but dynamic still sounds intriguing- why wouldn’t I start there when looking to mask my data?

First, it’s complex and complicated. It’s not as simple as installing a software application and running it. The organization must undertake a detailed mapping of applications, users, database objects and access rights required to configure masking rules; and maintaining this matrix of configuration data requires significant effort.

Second, it can be risky. Some organizations we’ve worked with are hesitant to adopt DDM given the inherent risk of corruption or adverse production performance. In addition, relative to SDM, DDM is a less mature technology for which customer success stories are not as well known and use-cases are still being defined.

Finally, the fact remains that the underlying production values and sensitive fields are not actually de-identified or masked, meaning the risk of exposure remains; particularly if the organization in question is leveraging this data to provision to DevOps without a static masking solution in place. So, if your goal is to increase data security efforts relative to data breach risks and/or compliance support efforts, you’re no further ahead with dynamic masking.

All this is not intended to suggest DDM does not have a role in data security, or that it is not as effective as SDM. The point is that they are two fundamentally different solutions operating in differing environments, for varying purposes. The key question organizations must ask is simple: what is the business problem or data security challenge we are trying to solve? That question will help determine which solution makes the most sense.

At the end of the day… can’t both options just get along?

We’ve covered the basics of both dynamic and static data masking with the intent of outlining the unique aspects of the solutions and business challenges they aim to solve; in hopes of supporting the argument that the terms and solutions should not be used interchangeably or compared head-to-head in any sort of meaningful way. Both solutions offer value to organizations in solving different business challenges, and both — if properly implemented — deliver significant data support as part of a layered security strategy.

At the end of the day, however, data de-identification via static data masking is a data security solution recommended by industry analysts as a must-have protection layer in reducing your data risk footprint and the risk of breach by inside or outside threats. Dynamic data masking acts more like a role-based access security layer within the production environment and for internal user privilege requirements, and there are options available within other solutions to achieve this end goal.

While terminology varies across the industry, the term data masking typically refers to the replacement of sensitive data with a realistic fictional equivalent in order to protect DevOps data from unwanted disclosure and risk. So, it might be the right time to stop the unwanted and inaccurate comparisons between “dynamic” and “static” solutions, and get back to focusing on solving an access challenge in real-time production environments (i.e., the dynamic world), and on addressing sensitive data exposure and compliance risks among users in DevOps environments (i.e., the static world).
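To make the distinction concrete, here is an added example (not Imperva's code) that runs both approaches over a constructed customer table in SQLite: the static job writes a de-identified copy for DevOps using deterministic, HMAC-derived fake values (the key is a placeholder), while the dynamic path rewrites results per role at read time and leaves the stored values untouched, which is exactly why a raw read of production still exposes them.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample production rows (not real customers).
PRODUCTION_ROWS = [
    (1, "Alice Martin", "alice.martin@example.com", "4111111111111111"),
    (2, "Bob Singh", "bob.singh@example.com", "5500000000000004"),
]

# Placeholder secret for the static masking job (an assumption of this example).
# It stays inside the masking environment, so the DevOps copy cannot be
# mapped back to the real values without it.
MASKING_KEY = b"static-masking-job-key-placeholder"

FIRST_NAMES = ["Ava", "Noah", "Mia", "Liam", "Zoe", "Ethan"]
LAST_NAMES = ["Reyes", "Okafor", "Lindqvist", "Tanaka", "Brennan", "Costa"]

SCHEMA = "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, card TEXT)"
SELECT_ALL = "SELECT id, name, email, card FROM customers ORDER BY id"


def _digest(value: str) -> bytes:
    """Keyed hash of a sensitive value; drives every deterministic replacement."""
    return hmac.new(MASKING_KEY, value.encode(), hashlib.sha256).digest()


def static_mask_name(name: str) -> str:
    """Realistic fake name. Deterministic: the same real name always maps to the
    same fake one, so joins and test fixtures across tables still line up."""
    d = _digest(name)
    return f"{FIRST_NAMES[d[0] % len(FIRST_NAMES)]} {LAST_NAMES[d[1] % len(LAST_NAMES)]}"


def static_mask_email(email: str) -> str:
    """Keeps the local@domain shape but drops the identifying part."""
    n = int.from_bytes(_digest(email)[:4], "big") % 1_000_000
    return f"user{n:06d}@example.invalid"


def _luhn_sum(digits: str, double_parity: int) -> int:
    """Luhn digit sum, doubling the digits whose position (from the right) has the given parity."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == double_parity:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    return str((10 - _luhn_sum(partial, 0) % 10) % 10)


def luhn_valid(number: str) -> bool:
    return _luhn_sum(number, 1) % 10 == 0


def static_mask_card(card: str) -> str:
    """Fake PAN that still passes Luhn, so payment-form validation in test
    environments keeps working without ever seeing a real card number."""
    body = "".join(str(b % 10) for b in _digest(card)[:15])
    return body + luhn_check_digit(body)


def build_production_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", PRODUCTION_ROWS)
    conn.commit()
    return conn


def static_masking_job(prod: sqlite3.Connection) -> sqlite3.Connection:
    """SDM: write a separate de-identified copy for DevOps. Real values never
    reach the copy, so a leak of the copy exposes nothing real."""
    copy = sqlite3.connect(":memory:")
    copy.execute(SCHEMA)
    for cid, name, email, card in prod.execute(SELECT_ALL):
        copy.execute("INSERT INTO customers VALUES (?, ?, ?, ?)",
                     (cid, static_mask_name(name), static_mask_email(email), static_mask_card(card)))
    copy.commit()
    return copy


def dynamic_read(prod: sqlite3.Connection, role: str) -> list:
    """DDM: query the live production table and rewrite the result per role.
    The stored values are untouched, so any path that bypasses this function
    (a DBA session, a backup, a bulk export) still sees the real data."""
    rows = prod.execute(SELECT_ALL).fetchall()
    if role == "billing":
        return rows
    masked = []
    for cid, name, email, card in rows:
        local, _, domain = email.partition("@")
        masked.append((cid, name, f"{local[:1]}***@{domain}", "*" * 12 + card[-4:]))
    return masked


def raw_rows(prod: sqlite3.Connection) -> list:
    """What a reader outside the dynamic masking layer sees: the real values."""
    return prod.execute(SELECT_ALL).fetchall()
```

Running `static_masking_job` and `dynamic_read` against the same `build_production_db()` connection and then calling `raw_rows` shows the difference the text describes: the copy holds only fake values, while the production table behind the dynamic layer still holds the real ones.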

Contact us to learn more about Imperva’s industry-leading data masking capabilities and our broader portfolio of data security solutions that support data security within both production and non-production environments… additionally, feel free to test-drive SCUBA, our free database vulnerability scanner tool, and/or CLASSIFIER, our free data classification tool.

Latest on the Currys PC World Data Breach Impacting 10 Million Customers

Following further investigations, Currys PC World today confirmed that the personal details of 10 million of its customers may have been stolen by hackers, a revised figure from the 1.2 million customers and 5.9 million payment cards it advised back in June.

In June 2018, the company said there was "an attempt to compromise" 5.8 million credit and debit cards but only 105,000 cards without chip-and-pin protection had been leaked after hackers attempted to access the company's payment processing systems.

The hack was said to have occurred nearly a year before it was disclosed, so it either went undetected, which is common where there is inadequate security monitoring in place, or the business knew about the breach but chose not to disclose it to the impacted customers.

The Information Commissioner's Office (ICO) fined Dixons Carphone £400,000 for a data breach in 2015; however, Currys PC World stated the incidents were not connected.

The business stressed it has now improved its security measures, including enhanced controls, monitoring, and testing to safeguard customer information, and is "trebling their investment in cybersecurity". Unfortunately, no details have been disclosed explaining how the hackers were able to access such large quantities of personal data. The company's "security improvement" statement suggests its IT security was rather underfunded and not at a sufficient standard to adequately secure its business operations and customer data.

The ICO (statement) and the NCSC (statement) both released statements in June about the breach. So we'll see what the ICO makes of it, but I think the business is likely to be fined again, although not the potentially massive GDPR penalties, as this data breach occurred before the GDPR came into force in May.

Customer statement by Currys PC World to their customers today

On June 13, we began to contact a number of our customers as a precaution after we found that some of our security systems had been accessed in the past using sophisticated malware.

We promptly launched an investigation. Since then we have been putting further security measures in place to safeguard customer information, increased our investment in cyber security and added additional controls. In all of this we have been working intensively with leading cyber security experts.

Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017. This unauthorised access to data may include personal information such as name, address, phone number, date of birth and email address.

While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and we have no confirmed instances of customers falling victim to fraud as a result. We are continuing to keep the relevant authorities updated.

As a precaution, we are letting our customers know to apologise and advise them of protective steps to take to minimise the risk of fraud. These include:

  • If you receive an unsolicited email, letter, text or phone call asking for personal information, never reveal any full passwords, login details or account numbers until you are certain of the identity of the person making the request. Please do not click on any links you do not recognise.
  • If you think you have been a victim of fraud you should report it to Action Fraud, the UK’s national fraud and internet crime reporting centre, on 0300 123 2040*.
  • We also recommend that people are vigilant against any suspicious activity on their bank accounts and contact their financial provider if they have concerns. You can find more information here.

We take the security of your data extremely seriously and have previously announced that we have taken action to close off this access and have no evidence it is continuing. Nevertheless, we felt it was important to let customers know as soon as possible.

We continue to make improvements and investments to our security systems and we’ve been working round the clock to put this right. We’re extremely sorry about what has happened – we’ve fallen short here. We want to reassure you that we are fully committed to protecting your data so that you can be confident that it is safe with us.

Onwards and Upwards: Our GDPR Journey and Looking Ahead

At Imperva, our world revolves around data security, data protection, and data privacy.  From our newest recruits to the most seasoned members of the executive team, we believe that customer privacy is key.

For the better part of the last two years, Imperva has laid the foundation for our compliance with the EU General Data Protection Regulation (GDPR).  At roughly ninety pages with 173 recitals and 99 articles, it’s a massive regulation that fundamentally shifts the data privacy and data protection universe.

Also read: Monitoring Data & Data Access to Support Ongoing GDPR Compliance

We at Imperva are proud of what we’ve accomplished in this time.  As the lead for Imperva’s Privacy Office, I can candidly say that our success has been made possible only through the combined efforts of the entire organization. Thank you to our many Privacy Champions that have actively engaged within their departments and teams.

And a special thanks to our many critical internal partners, including our CMO David Gee, for his humorous evangelizing of data privacy initiatives, our Director of InfoSec, Noam Lang, our CIO, Bo Kim, who was also our first-ever privacy champion, and our CEO, Chris Hylen, for all having supported and prioritized data privacy initiatives within Imperva.

Just the beginning

Our work to comply with GDPR represents only the start of Imperva’s journey to protect, and to create products that protect the data privacy of our customers and their users.  Already, Imperva is proactively building on our GDPR work and looking to ‘infinity and beyond’. Part of that ‘beyond’ is our monitoring and preparation for other game-changing regulations such as the EU ePrivacy Regulation and California’s Consumer Protection Act.

A Successful Launch

Imperva has launched significant enhancements to our data privacy and data security programs and environments to account for new obligations under GDPR.

  • Governance: We have formalized and expanded the governance structure of the data privacy function within Imperva, including the creation of a dedicated Privacy Office.  This updated governance structure has been integrated into our annual third-party certification audits and reviews.
  • DPIAs:  We have expanded our standard internal Privacy Impact Assessment process to trigger additional Data Protection Impact Assessments when appropriate.
  • Security Environments: We have long maintained several common certification frameworks via third-party audits, including ISO 27001, the PCI Data Security Standard, and SOC 2 Type II reporting.  As part of ensuring that our robust environments remain secure, we mapped our GDPR infosec obligations to our existing control frameworks to ensure we meet all GDPR obligations on an ongoing basis.
  • Updated Privacy Notices:  We updated the privacy policies on our web properties to reflect the changes we’ve adopted under GDPR. Additionally, we’ve refreshed our cookie consent banners and cookie policies for those in the European Union.
  • Customer Agreements: In order to facilitate streamlined customer onboarding, we’ve created ready-to-sign Data Processing Agreements (DPAs) that provide details about what personal data an Imperva product or service collects in order to provide that service.  These DPAs utilize the controller-processor model clauses approved by the EU Commission and address customer concerns about how cross-border data transfers are GDPR-compliant.
  • Data Subject Requests: We’ve rolled out a new data subject request portal on our web properties.  Additionally, we’ve worked with each Imperva department to ensure smooth operational processing of data subject rights, including access, rectification, and erasure.

To Infinity

We here at Imperva have not been satisfied by merely meeting our obligations.  We are making data privacy a priority. As a security company, data privacy is mission critical.  It’s part of earning and maintaining the trust of our customers and employees.

Even Better Products: Our Product teams have worked hard to re-architect infrastructure to enable regional storage of logs.  This new feature makes compliance with GDPR far easier for customers or their subsidiaries operating primarily within a single geographic region by reducing cross-border data transfers.  Additionally, regional log storage enables genuine conformity with data localization and residence laws, such as those in China, Canada, Germany, Russia, and South Korea.

Embedded Privacy Champions: We’ve ramped up our program to embed mini privacy subject matter experts within each department. Today, three percent of our workforce are privacy champions thinking about how to protect your personal data. And that number is growing.

Privacy Guidance Down to Departments: The Privacy Office has worked with each department to create individual departmental policies and operational guidance to ensure that Imperva employees in every role know how to safeguard and protect personal data.

Vendor Management: We’ve reviewed dozens of vendors across all product lines to ensure we have the appropriate data privacy and security provisions, data processing agreements, and standards in place to safeguard our customers’ personal data.  Our subprocessors page on our web properties provides additional information about third-party service providers.

And Beyond!

Imperva has aimed high when it comes to the obligations created by GDPR, but we’re also looking far beyond.

In particular, Imperva is keeping a close eye on new data privacy laws and updates coming down the line that could impact our customers’ data privacy obligations, and therefore our obligations to you—such as the EU ePrivacy Regulation, which updates the 2009 ePrivacy Directive, as well as the California Consumer Privacy Act, which becomes enforceable on January 1, 2020.

GDPR is a significant milestone in the data privacy universe and so too in Imperva’s journey, yet it’s important to recognize it as a milestone and not as an endpoint.  GDPR represents only the start of Imperva’s journey to protect and to create products that protect the data privacy of our customers and their users.

Reaching GDPR: A Partner Approach

As Raj Samani, Chief Scientist and Fellow at McAfee says, “It’s critical that businesses do everything they can to protect one of the world’s most valuable assets: data.” Whether your organization achieved compliance with General Data Protection Regulation (GDPR) by the enforcement date on May 25, or still has a way to go, data will continue to play a large and evolving role in every sector and at every company. Samani explains, “The good news is that businesses are finding that stricter data protection regulations benefit both consumers and their bottom line. However, many have short-term barriers to overcome to become compliant, for example, to reduce the time it takes to report a breach.”

With the high cost to achieve compliance standards and even steeper fines if the rules are not met, complying with GDPR can seem daunting. If your organization is still working on meeting the base level regulation, McAfee and our partners have a wide range of materials to assist, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework and a site with all you need to prepare for GDPR requirements. Additionally, McAfee Skyhigh has a detailed action guide to help organizations interpret the legislation and provide guidance on actions that need to be taken regarding data in the cloud.

McAfee doesn’t work alone in our commitment to GDPR and data security. Thanks to McAfee’s Security Innovation Alliance (SIA), we can quickly and effectively help more customers protect their data. These 125+ SIA vendors are committed to working together with our integrated ecosystem to help businesses reach and maintain GDPR standards.

While reaching compliance is the important first step, going beyond the data security fundamentals will quickly become critical to every organization, from commercial to healthcare. It is important to keep in mind that complying with GDPR does not mean you will not be breached. A genuine culture of privacy needs to be created as a core value within each organization. Consumers are increasingly aware of how companies are keeping their data secure and businesses cannot afford to lose customer confidence in relation to data security. Securing consumer’s personal data in a transparent manner can serve as a differentiating factor for any company.

As cybersecurity professionals, it is up to us at McAfee and our Partners to provide the most pertinent GDPR information to each of our customers and help instill the culture of data privacy. The advent of GDPR is the best opportunity in a generation to bring data security up to every customer’s C-Suite and introduce meaningful and lasting change in data security. Together, we can support our customers to achieve GDPR compliance and beyond!

The post Reaching GDPR: A Partner Approach appeared first on McAfee Blogs.

Cyber Security Roundup for May 2018

I'm sure the release of the GDPR on 25th May hasn't escaped anyone's attention. After years of warnings about the EU parliament's intended tough stance on enforcing the human right to privacy in the digital realm, a real 'game changer' of a global privacy regulation has finally landed, which impacts any organisation which touches EU citizen personal data. 

The GDPR's potentially hefty financial penalties for breaching its requirements are firmly on the radar of directors at large enterprises and small businesses alike, hence the massive barrage of emails we have all received in recent weeks on changes to company privacy statements and requesting consent, many of which I noted were not GDPR compliant in how they obtained "explicit consent" from the data subject. So there is a long way to go for many organisations before they reach a truly GDPR-compliant state, based on what I've seen so far in my mailbox.

Cybercriminals have been quick to take advantage of the deluge of GDPR privacy emails, using the subject matter in phishing attacks to con victims and gain access to their accounts.

On a positive GDPR note, also on 25th May, IBM developerWorks released a three-part guidance series written by myself, aimed at helping application developers to develop GDPR compliant applications.

Developing GDPR Compliant Applications Guidance

Overshadowed by the GDPR coming into force were the release of the new NHS Data Security and Protection Toolkit, aimed at the NHS and its service providers, and the European NIS Directive (for telecom providers). Both went under the radar, but they are significant to those working in those industries.

Always make sure your broadband router\hub does not permit remote administrative access (over the internet) and is always kept up to date with the latest security patches; otherwise, it will be at serious risk of being hacked and remotely controlled by cyber-criminals. This month provided ample evidence: a DNS flaw in over 800,000 DrayTek routers allowed hackers to take them over, malware called VPNFilter infected 500,000 routers, and serious vulnerabilities were reported in TP-Link EAP controllers.

IBM made headlines after banning its workers from using USB sticks, which I think is a good and reasonable policy. Quite frankly, in any modern enterprise, large or small, with a decent IT infrastructure and cloud services, staff shouldn't need USB devices to move data either internally or externally with third parties, so I see banning all USB devices as a rather smart business and security move, as it forces staff to use the more secure and more efficient technology made available to them.

As my @securityexpert Twitter account crossed the 10,000 follower threshold, Twitter advised 300 million users to reset their passwords after an internal error. Apparently, the passwords for the Twitter accounts were accidentally stored in a database as their "plain text" value instead of as a hashed value, as per best practice. I always strongly recommend that Twitter users take advantage of the multi-factor authentication system Twitter provides, which reduces the risk of account hacking.

Breaches of note in May included a T-Mobile website bug which exposed personal customer data, Coca-Cola said an insider breached 8,000 accounts, and BMW cars were found to have over a dozen security vulnerabilities.

As always a busy month of new security patch releases, with Microsoft, Adobe, PHP, PGP, Google, Git, and Dell all releasing critical security updates to fix significant security flaws. Click the links for the full details.

Analysis of DDoS attacks at Cloudflare has revealed that while organisations in the UK have certainly upped their spending on DDoS mitigation, cyber-criminals are now responding by switching to Layer 7 based DDoS attacks.

There were also some interesting articles about the Welsh Cyber Security Revolution and a review of the NHS a year on from the WannaCry outbreak.

Reports of interest this month include the Thales Data Threat Report, which found UK businesses to be the most breached in Europe. The LastPass Psychology of Passwords Report which found 59% of people surveyed used the same passwords across multiple accounts, despite 91% of them knowing that using the same password for multiple accounts is a security risk. The 2017 Cylance Report stated the number of cyber-attacks on industries such as healthcare, manufacturing, professional services, and education rose by about 13.4% between 2016 and 2017.


Application Development GDPR Compliance Guidance

Last week IBM developerWorks released a three-part guidance series I have written to help application developers develop GDPR compliant applications.

Developing GDPR Compliant Applications Guidance

The GDPR
The General Data Protection Regulation (GDPR) was created by the European Commission and Council to strengthen and unify Europe's data protection law, replacing the 1995 European Data Protection Directive. Although the GDPR is a European Union (EU) regulation, it applies to any organization outside Europe that handles the personal data of EU citizens. This includes the development of applications that are intended to process the personal information of EU citizens. Therefore, organizations that provide web applications, mobile apps, or traditional desktop applications that can indirectly process EU citizens' personal data or allow EU citizens to sign in are subject to the GDPR's privacy obligations. Organizations face the prospect of powerful sanctions should their applications fail to comply with the GDPR.

Part 1: A Developer's Guide to the GDPR
Part 1 summarizes the GDPR and explains how the privacy regulation impacts and applies to developing and supporting applications that are intended to be used by European Union citizens.

Part 2: Application Privacy by Design
Part 2 provides guidance for developing applications that are compliant with the European Union’s General Data Protection Regulation. 

Part 3: Minimizing Application Privacy Risk

Part 3 provides practical application development techniques that can alleviate an application's privacy risk.

How prepared is your business for the GDPR?

The GDPR is the biggest privacy shakeup since the dawn of the internet and it is just weeks before it comes into force on 25th May. GDPR comes with potentially head-spinning financial penalties for businesses found not to be complying, so it really is essential for any business which touches EU citizens' personal data to thoroughly do its privacy rights homework and properly prepare.

Sage have produced a nice GDPR infographic which breaks down the basics of the GDPR with tips on complying, which is shared below.

I am currently writing a comprehensive GDPR Application Developer's Guidance series for IBM developerWorks, which will be released in the coming weeks.


The GDPR: A guide for international business - A Sage Infographic

Cyber Security Roundup for February 2018

February saw over 5,000 websites infected by cryptocurrency mining malware after a popular accessibility plugin called ‘BrowseAloud’ was compromised by hackers. This led to several UK Government and Council websites going offline, including the Information Commissioner's Office, the Student Loans Company, and the Manchester City, Camden and Croydon Council websites. Symantec researchers also announced that 'cryptojacking' attacks had increased 1,200% in the UK. Cryptojacking once involved the installation of cryptocurrency mining malware on users' computers, but now it is more frequently done in-browser, by hacking a website and executing malicious mining JavaScript as the user visits the compromised website, as was the case with the 'BrowseAloud' incident.

More than 25% of UK Councils are said to have suffered a breach in the last five years according to the privacy group Big Brother Watch, who said UK Councils are unprepared for Cyber Attacks.

There was a fascinating report released about the Artificial Intelligence (AI) threat, written by 26 leading AI experts, which forecasts the various malicious uses of AI, including in cybercrime and the manipulation of social media and national news media agendas.

GDPR preparation or panic, depending on your position, is gaining momentum with less than 100 days before the privacy regulation comes into force in late May. Here are some of the latest GDPR articles of note.

Digital Guardian released an interactive article where you can attempt to guess the value of various types of stolen data to cybercriminals: Digital Guardian: Do you know your data's worth?

Bestvpns released a comprehensive infographic covering the 77 Facts About Cyber Crime we should all know about in 2018.

February was yet another frantic month for security updates, which saw Microsoft release over 50 patches, and there were new critical security updates by Adobe, Apple, Cisco, Dell, and Drupal.


GDPR Material and Territorial Scopes

The new EU General Data Regulation will enter into force 25 May of this year. The GDPR contains rules concerning the protection of natural persons when their personal data are processed and rules on the free movement of personal data. The new regulation is not revolutionary but an evolution from the previous Data Protection Act 1998 […]

GDPR Preparation: Recent Articles of Note

Company preparations for GDPR compliance are (or should be!) in full swing with the 25th May enforcement date fast looming on the horizon. With that in mind, I found the following set of recent GDPR articles a decent and interesting read. The list was compiled by Brian Pennington of Coalfire, who has kindly allowed me to repost it.

If you are after further GDPR swotting up, you could always read the actual regulation, the EU General Data Protection Regulation (EU-GDPR), and don't forget to read all the Recitals.

If you have any other GDPR-related articles or blogs of note, please post them in the comments.

Cyber Security Roundup for January 2018

2018 started with a big security alert bang after Google Security Researchers disclosed serious security vulnerabilities in just about every computer processor in use on the planet. Named 'Meltdown' and 'Spectre’, when exploited by a hacker or malware, these vulnerabilities disclose confidential data. As a result, a whole raft of critical security updates was hastily released for computer and smartphone operating systems, web browsers, and processor drivers. While processor manufacturers have been rather lethargic in reacting and producing patches for the problem, software vendors such as Microsoft, Google and Apple have reacted quickly, releasing security updates to protect their customers from the vulnerable processors, kudos to them.

The UK Information Commissioner's Office (ICO) heavily criticised Carphone Warehouse for security inadequacies and fined the company £400K following its 2015 data breach, when the personal data, including bank details, of millions of Carphone Warehouse customers was stolen by hackers, in what the company at the time described as a "sophisticated cyber attack"; where have we heard that excuse before? Certainly the ICO wasn't buying it after it investigated, reporting a large number of Carphone Warehouse security failures, which included the use of software that was six years out of date, a lack of “rigorous controls” over who had login details to systems, no antivirus protection running on the servers holding data, the same root password being used on every individual server, which was known to “some 30-40 members of staff”, and the needless storage of full credit card details. Carphone Warehouse should thank their lucky stars the breach didn't occur after the General Data Protection Regulation comes into force, as with such a damning list of security failures the company may well have been fined considerably more by the ICO, which is granted vastly greater financial sanctions and powers when the GDPR kicks in in May.

The National Cyber Security Centre warned that the UK national infrastructure faces serious nation-state attacks, stating it is a matter of "when" not "if". There are also claims that the cyberattacks against Ukraine in recent years were down to Russia testing and tuning its nation-state cyberattack capabilities.

At the Davos summit, the Maersk chairman revealed his company spent a massive £200m to £240m on recovering from the recent NotPetya ransomware outbreak, after the malware 'totally destroyed' the Maersk network. That's a huge price to pay for not regularly patching your systems.

It's no surprise that cybercriminals continue to target cryptocurrencies given the high financial rewards on offer. The most notable attack was a £290k cyber-heist from BlackWallet, where the hackers redirected 700k BlackWallet users to a fake replica BlackWallet website after compromising BlackWallet's DNS server. The replica website ran a script that transferred user cryptocurrency into the hacker's wallet, the hacker then moved currency into a different wallet platform.

In the United States, the Federal Trade Commission (FTC) fined toy firm VTech US$650,000 (£482,000) for violating US children's privacy law. The FTC alleged the toy company violated the Children's Online Privacy Protection Rule (COPPA) by collecting personal information from hundreds of thousands of children without providing direct notice.

It was reported that a POS malware infection at Forever21, together with lapses in encryption, was responsible for the theft of debit and credit card details from Forever21 stores late last year. Payment card data continues to be a high-value target for cyber crooks with sophisticated attack capabilities, who are willing to invest considerable resources to achieve their aims.

Several interesting cybersecurity reports were released in January. The Online Trust Alliance Cyber Incident & Breach Trends Report: 2017 concluded that cyber incidents doubled in 2017 and 93% were preventable. Carbon Black's 2017 Threat Report stated that non-malware-based cyber-attacks were behind the majority of cyber-incidents reported in 2017, despite the proliferation of malware available to both professional and amateur hackers. Carbon Black also reported that ransomware attacks are inflicting significantly higher costs and that the number of attacks skyrocketed during the course of the year, no surprise there.

Malwarebytes 2017 State of Malware Report said ransomware attacks on consumers and businesses slowed down towards the end of 2017 and were being replaced by spyware campaigns, which rose by over 800% year-on-year. Spyware campaigns not only allow hackers to steal precious enterprise and user data but also allows them to identify ideal attack points to launch powerful malware attacks. The Cisco 2018 Privacy Maturity Benchmark Study claimed 74% of privacy-immature organisations were hit by losses of more than £350,000, and companies that are privacy-mature have fewer data breaches and smaller losses from cyber-attacks.


Cyber Security Roundup for November 2017

One of the most notable data breaches disclosed this month was by Uber, given the company attempted to cover up the breach by paying off hackers. Over a year ago the transport tech firm was said to have paid £75,000 to two hackers to delete 57 million Uber account records which they had stolen. Uber revealed around 2.7 million of the stolen records were British riders and drivers. As a UK Uber rider, this could mean me, I haven't received any notification of the data breach from Uber as yet. The stolen information included names, email addresses, and phone numbers. Uber can expect enforcement action from regulators on both sides of the pond, the UK Information Commissioner's Office (ICO) said it had "huge concerns" about the breach and was investigating.

Jewson, Cash Converters, and Imgur all reported losing data due to hacks this month, while Equifax has reported suffering significant negative financial losses following their high profile hack of personal customer data. Equifax reported their net income had dropped by £20 million due to the hack, and their breach bill was coming in at a whopping £67 million.

November was a very busy month for security patch releases, with Microsoft, Apple, Adobe, Oracle, Cisco and Intel releasing a raft of patches to fix critical vulnerabilities. Apple even had to quickly release an emergency patch at the end of November to fix a root access flaw reported in macOS High Sierra version 10.13.1. So just keep patching all of your IT to ensure you and your business stay ahead of enterprising cybercriminals; the Equifax breach is a prime example of what can go wrong if system patching is neglected.

November also saw the Open Web Application Security Project (OWASP) finally release an updated version of its Top Ten application vulnerabilities list, which is ‘must know’ secure coding best practice for all software developers and security testers, especially considering that Akamai reported web application attacks had increased by 69% in the third quarter of 2017. Look out for updated OWASP Top Ten IBM developerWorks guidance from me in December to reflect the updated list.
