Category Archives: GDPR

How much are the first fines for GDPR infringement?

2018 has been the year par excellence for data protection, when data leaks, exfiltrations, and abuses have made headlines all over the world. And against this backdrop of increased awareness about the challenges that working with sensitive data can entail, there is one regulation that has come to the fore: the GDPR (General Data Protection Regulation), which has been mandatory since May 25 this year.

Infringement of this regulation can incur fines of up to 4% of a company’s annual global turnover or up to €20 million, whichever is higher. It is therefore unsurprising that companies are now going through their data with a fine-tooth comb in order to stay on the right side of the legislation. Despite this pressure, however, only 29% of organizations have so far implemented all the measures necessary to comply with the GDPR.

The first complaints arrived on May 25, the day the regulation became applicable, when the nonprofit organization noyb.eu filed four complaints against Facebook, Instagram, WhatsApp and Google (for Android). Noyb argues that these companies forced their users to accept new terms of service as a condition of continuing to use the services, which violates the GDPR’s requirement that consent be freely given. These cases are still ongoing, so it will be some time before we see the outcome.

In October, Giovanni Buttarelli, the European Data Protection Supervisor, said that he expected to see the first sanctions before the end of the year. And sure enough, he didn’t have to wait very long.

Sanctions start to appear

The first fine was issued in Austria at the start of October. It did not involve a database of customer records, but it is a good illustration of the reach of the regulation: a betting shop was fined €4,800 because its security camera also recorded part of the public pavement outside. Video surveillance captures personal data, and large-scale monitoring of public space by a private operator is not permitted under the GDPR.

At the end of the same month, we saw the first fine related to the processing and storage of personal data. The Comissão Nacional de Protecção de Dados (National Data Protection Commission) in Portugal imposed three fines on the Hospital do Barreiro: two €150,000 sanctions and another of €100,000, a total cost of €400,000 for the hospital. The first two fines of €150,000 were for violation of the principle of integrity and confidentiality and for violation of the principle of data minimization, which is meant to prevent indiscriminate access to data: 985 accounts with physician-level access to clinical files were active on the system, while the hospital had only 296 doctors on staff on the date of the inspection.

The third fine was related to the inability of the Hospital as data controller to ensure the confidentiality and integrity of the data of its clients and patients.
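The 985-versus-296 gap is exactly what a periodic access review would have surfaced long before an inspection. The following added example (not code from Panda Security, the CNPD or the hospital) reconciles a constructed account list for a clinical-records system against a constructed HR roster and reports accounts with no current owner, roles that the owner’s job does not justify, and accounts nobody has used; the role names and the job-to-role mapping are assumptions of the example:

```python
"""Access reconciliation for a system holding clinical records.

Added example, not code from any of the articles on this page. It models
the check the CNPD found missing at Hospital do Barreiro: every account
that can open a clinical file should belong to a person who is currently
employed and whose job justifies that role. The roster, the account list
and the job-to-role mapping are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    role: str                    # role granted in the clinical system
    last_login: Optional[date]   # None = never used


@dataclass(frozen=True)
class StaffRecord:
    username: str
    job: str                     # job title from HR
    active: bool                 # still employed / on the active register


# Which HR job title justifies which system role (assumed mapping).
ROLE_FOR_JOB: Dict[str, str] = {
    "physician": "physician",
    "nurse": "nurse",
    "clerk": "clerk",
}

TODAY = date(2018, 12, 10)

# Constructed HR roster: one doctor has left, one nurse and one clerk remain.
SAMPLE_ROSTER: List[StaffRecord] = [
    StaffRecord("dr_silva", "physician", active=True),
    StaffRecord("dr_costa", "physician", active=False),
    StaffRecord("nurse_ana", "nurse", active=True),
    StaffRecord("clerk_rui", "clerk", active=True),
]

# Constructed account list: four "physician" accounts for one active doctor.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("dr_silva", "physician", date(2018, 12, 9)),
    Account("dr_costa", "physician", date(2017, 3, 1)),    # left, still enabled
    Account("nurse_ana", "physician", date(2018, 12, 8)),  # over-privileged
    Account("clerk_rui", "clerk", date(2018, 12, 9)),
    Account("dr_ghost", "physician", None),                # nobody in HR
]


def review_access(accounts, roster, today, stale_days=90) -> List[Tuple[str, str]]:
    """Return (username, problem) pairs for every account that should not
    exist, should not carry its role, or has gone unused for too long."""
    by_user = {s.username: s for s in roster}
    findings = []
    for acct in accounts:
        staff = by_user.get(acct.username)
        if staff is None:
            findings.append((acct.username, "no HR record for this account"))
        elif not staff.active:
            findings.append((acct.username, "account holder no longer active"))
        elif ROLE_FOR_JOB.get(staff.job) != acct.role:
            findings.append((acct.username,
                             f"role '{acct.role}' not justified by job '{staff.job}'"))
        if acct.last_login is None or (today - acct.last_login).days > stale_days:
            findings.append((acct.username, f"unused for more than {stale_days} days"))
    return findings


def privileged_summary(accounts, roster, role="physician") -> Tuple[int, int]:
    """Compare how many accounts hold `role` with how many active staff have
    a job that justifies it: the 985-versus-296 figure from the CNPD case."""
    accounts_with_role = sum(1 for a in accounts if a.role == role)
    justified = sum(1 for s in roster if s.active and ROLE_FOR_JOB.get(s.job) == role)
    return accounts_with_role, justified


if __name__ == "__main__":
    for user, problem in review_access(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, TODAY):
        print(f"{user:10} {problem}")
    held, justified = privileged_summary(SAMPLE_ACCOUNTS, SAMPLE_ROSTER)
    print(f"physician accounts: {held}, active physicians: {justified}")
```

On the constructed data the review reports five problems across three accounts and a ratio of four physician accounts to one active physician; the same two numbers, taken from the real system and the real roster, are what a regulator asks for first.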

The most recent fine was issued in Germany in the middle of November. The social network Knuddels.de received a €20,000 fine after a hack in which around 808,000 email addresses and over 1.8 million usernames and passwords were leaked and published online. The passwords had been stored in clear text, so the attackers did not need to crack anything.

The social network said that, once the leak was discovered, it immediately improved its security measures. The investigation established that the site had been keeping its users’ passwords without any hashing or encryption.

According to LfDI Baden-Württemberg, the data protection authority of the German state of Baden-Württemberg, which handled the case, one reason the fine was “relatively low” was that the company acted transparently and quickly implemented security improvements.

2019 will bring new figures

The economic sanctions that we have seen so far are clearly relatively conservative compared to the highest possible penalties, but with the recent spate of high profile data leaks – Marriott, British Airways, Quora – it won’t be long before harsher fines start to appear.

What can you do to avoid a fine, whether it runs to millions of euros or is more moderate? The most important thing to bear in mind is that prevention is better than cure: by properly protecting the personal data your company handles, you can avoid sanctions. Start by knowing exactly where that data is stored and who has access to it. To do so, it is vital to have advanced cybersecurity solutions.

Panda Data Control is a module of Panda Adaptive Defense that is specifically designed to help comply with data protection regulations. Discover, audit and monitor all unstructured personal data on your company’s corporate network. Only this way will you know where your company’s data is stored, who is handling it, and what actions they are performing on it.

The post How much are the first fines for GDPR infringement? appeared first on Panda Security Mediacenter.

NHS could face major cybersecurity threats due to lack of investment

FOI request finds lack of cybersecurity readiness in many NHS trusts. Redscan asked NHS trusts about the cybersecurity readiness of their employees, and the results show a lack of trained staff, lack of

The post NHS could face major cybersecurity threats due to lack of investment appeared first on The Cyber Security Place.

Is 2019 Privacy Rights’ Break Out Year?

Whatever else it may bring, 2019 will be a breakout year for online privacy, as the EU’s GDPR takes root and legislation in other nations follow suit. But not everyone is on board with the new privacy regime. Who will be the privacy leaders and laggards in the New Year?

The post Is 2019 Privacy Rights’ Break Out Year? appeared first on ...

Not all data collection is evil: Don’t let privacy scandals stall cybersecurity

Facebook continues to be criticized for its data collection practices. The media is hammering Google over how it handles data. JPMorgan Chase & Company was vilified for using Palantir software to allegedly invade the privacy of employees. This past June marked the five-year anniversary of The Guardian’s first story about NSA mass surveillance operations. These incidents and many others have led to an era where the world is more heavily focused on privacy and trust.

The post Not all data collection is evil: Don’t let privacy scandals stall cybersecurity appeared first on Help Net Security.

Days After Massive Breach, Marriott Customers Await Details

Nearly a week after Marriott disclosed a massive breach of its Starwood reservation system, customers complain that the company has not communicated with them to tell them whether they are affected. Marriott says it is sending “rolling” emails to hundreds of millions of victims. An estimated 500 million Marriott International customers...

Measuring privacy operations: Use of technology on the rise

Critical privacy program activities such as creating data inventories, conducting data protection impact assessments (DPIA), and managing data subject access rights requests (DSAR) are now well established in large and small organizations in both Europe and the United States, according to TrustArc and the International Association of Privacy Professionals (IAPP). “Among our thousands of members, we know that privacy teams are now reporting on a regular basis to company leadership, and consequently they need to …

The post Measuring privacy operations: Use of technology on the rise appeared first on Help Net Security.

Researchers: GDPR Already Having Positive Effect on Cybersecurity in EU

The General Data Protection Regulation (GDPR) already seems to be having a positive effect on the state of cybersecurity in Europe, less than seven months after it became applicable, showing that policy can indeed have a direct effect on organizations' security practices, security researchers said.

The post Researchers: GDPR Already Having Positive Effect...

Massive Marriott Breach Underscores Risk of overlooking Data Liability

The Marriott breach underscores how companies fail to price in the risk of poor data security. In the age of GDPR, that could be an expensive failure. 

The post Massive Marriott Breach Underscores Risk of overlooking Data Liability appeared first on The Security Ledger.

Marriott Hotels 4 Year Hack Impacts Half a Billion Guests!

A mammoth data breach was disclosed by hotel chain Marriott International today (30 Nov 18), with a massive 500 million customer records said to have been compromised by an "unauthorized party". 
The world's largest hotel group launched an internal investigation in response to a system security alert on 8th September 2018, and found an attacker had been accessing the hotel chain's "Starwood network" and customer personal data since 2014, copying and encrypting customer records. In addition to the Marriott brand, Starwood includes W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. 

You are at risk if you have stayed at any of the above hotel brands in the last 4 years

The Marriott statement said that for around 326 million of its guests the compromised personal information included "some combination" of name, address, phone number, email address, passport number, date of birth, gender, and arrival and departure information. The hotelier also said encrypted payment card data was copied, and that it could not rule out that the keys needed to decrypt that cardholder data had been taken as well.

The hotel giant said it would notify affected customers and offer some of them a fraud-detection service free for a year, so I expect they will be contacting me soon. In the meantime, Marriott has launched a website for affected customers and a free helpline for concerned UK customers, 0808 189 1065.

The UK ICO said it would be investigating the breach, and warned those who believe they are affected to be extra vigilant and to follow the advice on the ICO website and from the National Cyber Security Centre. The hotel chain could face huge fines under the GDPR, and possibly a large-scale class action lawsuit by affected guests, which could cost it millions of pounds.

What I really would like to know is why the hotel chain had retained such vast numbers of guest records after their stay, why it held customers' passport details, whether those encryption keys were stolen or not, and finally why the unauthorised access went undetected for four years.

Tom Kellermann, Chief Cybersecurity Officer for Carbon Black, said "It appears there had been unauthorised access to the Starwood network since 2014, demonstrating that attackers will get into an enterprise and attempt to remain undetected. A recent Carbon Black threat report found that nearly 60% of attacks now involve lateral movement, which means attackers aren’t just going after one component of an organisation - they’re getting in, moving around and seeking more targets as they go."

“The report also found that 50% of today’s attackers now use the victim primarily for island hopping. In these campaigns, attackers first target an organisation's affiliates, often smaller companies with immature security postures, and this can often be the case during an M&A. This means that data at every point in the supply chain may be at risk, from customers, to partners and potential acquisitions.”

Jake Olcott, VP of Strategic Partnerships at BitSight, said "Following the breaking news today that Marriott’s Starwood bookings database has been compromised with half a billion people affected, it highlights the importance of organisations undertaking sufficient security posture checks to avoid such compromises. Marriott’s acquisition of Starwood in 2016 allowed it to utilise the Starwood customer database. Therefore, proactive due diligence during this acquisition period would have helped Marriott to identify the potential cybersecurity risks, and the impact of a potential breach".

“This is yet another example of why it is critical that companies perform cybersecurity analysis during the due diligence period, prior to an acquisition or investment. Traditionally, companies have approached cyber risk in acquisitions by issuing questionnaires to the target company; unfortunately, these methods are time consuming and reflect only a “snapshot in time” view.

“Understanding the cybersecurity posture of an investment is critical to assessing the value of the investment and considering reputational, financial, and legal harm that could befall the company. After an investment has been made, continuous monitoring is essential.”

The post Marriott Hotels 4 Year Hack Impacts Half a Billion Guests! appeared first on IT Security Expert Blog.

GDPR “helps transparency” and “honesty”: Brendan Eich, Rafal Szymanksi and Sam Kim on Digital Advertising in 2018

When thinking of industries which could potentially benefit from decentralization and distributed ledger technology, digital advertising and marketing may not be the first to come to mind. When looking at a list created for Forbes by Bernard Marr entitled ‘Here Are 10 Industries Blockchain Is Likely To Disrupt’ published July 2018, for example, these sectors […]

The post GDPR “helps transparency” and “honesty”: Brendan Eich, Rafal Szymanksi and Sam Kim on Digital Advertising in 2018 appeared first on Hacked: Hacking Finance.

Facebook and Cambridge Analytica: what would have happened with GDPR in force?

For some time now, protecting users’ data has been an obligation for companies all over the world. And not just a moral obligation, but a legal one too, since different regulations can impose all kinds of fines on any company that flouts these rules.

And some laws are harsher than others. There is one clear example of how these laws can work: public mistrust of Facebook came to the fore following the Cambridge Analytica scandal, a grave crisis that led to a £500,000 (around €560,000) fine in the United Kingdom. The Information Commissioner’s Office (ICO) in the UK has investigated around 30 companies in a similar situation to Facebook’s. According to their report, the social network founded by Mark Zuckerberg was not diligent in protecting its users’ data or privacy.

However, when all is said and done, how much can a £500,000 fine really hurt Facebook? Not only is this sum barely a scratch on the company’s finances, it is probably something of a relief: because the conduct predated May 25 of this year, when the General Data Protection Regulation (GDPR) became applicable, the fine was imposed under the older UK law rather than under the GDPR.

What would have happened with the GDPR?

If Facebook’s negligence had taken place with the GDPR in force, the consequences would have been markedly different. As well as the serious damage to the company’s reputation – something that did in fact happen – the economic sanctions would have been far more substantial.

In case of non-compliance with the GDPR, four levels of sanctions have been laid out: a warning, a reprimand, the suspension of data processing, and a fine. In the case of the fine, there are two different levels:

Level 1. A fine of €10 million or 2% of annual global turnover (whichever figure is higher).

Level 2. A fine of €20 million or 4% of annual global turnover (whichever figure is higher).

In this case, therefore, Facebook, which had revenue of €32.75 billion in 2017, could have faced a fine of over €1.3 billion. While even that sum would not rattle the company financially, it would be far more painful.

Six months after the GDPR came into force, many companies are still struggling with it. And some are not going to have the same luck as Facebook, since their fines will now fall under the jurisdiction of the new regulation. This is what will happen with Exactis, which left a database containing 340 million records exposed, or Timehop, which exposed the personal data of 21 million users.

How to comply with the GDPR

Studying the intricacies of the new legislation shouldn’t be too much of a problem for companies like Facebook, given the teams and the resources available to them. There are, however, other companies that, whether because of their size, or because of the sector they work in, may have more trouble complying with the new rules.

So that the GDPR doesn’t become a headache, companies of all types and all sizes can follow these recommendations:

1.- Protect the company’s cybersecurity. Cybersecurity has always been essential for companies, but now more so than ever. As well as being diligent in how they protect data and private information, they must also define response procedures for possible alerts. It is also important to be cyber-resilient and to keep abreast of the latest attack techniques. If a company suffers a personal data breach, it must notify the data protection authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people concerned.

2.- Technology solutions. No company can do all of this work by hand; some of the burden has to be delegated to tooling. In this sense, Panda Data Control, the data protection module of Panda Adaptive Defense, categorizes and correlates threat data in order to carry out prevention, detection, response and remediation tasks. The solution monitors the company’s activity, detects possible risk situations and simplifies the management of this kind of task within the company.

3.- Protect users. Cybersecurity is not just about preserving and protecting the company’s own information: it is also about protecting the company’s employees, clients, suppliers, users and so on. Companies need to protect the privacy of those they have a relationship with, and be transparent with them so that they know exactly what is being done with their data. Where the regulation requires it (public bodies, and organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data), the company must also appoint a data protection officer (DPO) to oversee and lead this work.

The post Facebook and Cambridge Analytica: what would have happened with GDPR in force? appeared first on Panda Security Mediacenter.

C-Suite: GDPR Could Lead to Greater Risk of Breaches

Almost a quarter of UK and German businesses (23%) believe the GDPR may have resulted in a greater risk of data breaches, six months after the legislation was introduced.  The

The post C-Suite: GDPR Could Lead to Greater Risk of Breaches appeared first on The Cyber Security Place.

Keeping data swamps clean for ongoing GDPR compliance

The increased affordability and accessibility of data storage over recent years can be both a benefit and a challenge for businesses. While the ability to stockpile huge volumes and varieties of data can deliver previously unattainable intelligence and insight, it can also result in ‘data sprawl’, with businesses unclear of exactly what information is being stored, where it’s being held, and how it’s being accessed. The introduction of the General Data Protection Regulation (GDPR) in …

The post Keeping data swamps clean for ongoing GDPR compliance appeared first on Help Net Security.

UK fine against Uber for 2016 data breach would be 200 times bigger in 2018

Uber’s widely publicized data leak from two years ago has finally resulted in a fine from the UK Information Commissioner’s Office. The penalty would have been 203 times larger if the leak had occurred this year, after the GDPR took effect in May.

“The Information Commissioner’s Office (ICO) has fined ride sharing company Uber £385,000 for failing to protect customers’ personal information during a cyber attack,” reads the announcement. In US dollars, that figure translates into around $492,000.

As readers may remember, attackers stole the personal data of 2.7 million UK customers, as well as the records of almost 82,000 British drivers, from Uber’s systems. The leak exposed full names, email addresses, phone numbers, journey information and even payment data. The ICO’s investigation found that the attackers used “credential stuffing” to get in. As the name implies, the technique consists of “stuffing” credentials leaked from an earlier breach into a login form, account after account, until some of them match: it works because people reuse passwords across sites.
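Credential stuffing has a recognisable shape in authentication logs: one source trying many different usernames in quick succession with a high failure rate, which looks nothing like a legitimate user mistyping a single password. The following added example (not Uber’s or the ICO’s code) parses a few constructed log lines in an assumed format and flags such bursts, including the accounts that let the attacker in; the log format and the thresholds are assumptions of the example:

```python
"""Spot a credential-stuffing burst in authentication logs.

Added example, not code from Uber or the ICO. The log format and the
thresholds are assumed and the log lines are constructed. The tell-tale of
stuffing is one source trying many *different* usernames with a high
failure rate; a success inside such a burst marks an account whose reused
password was already in the attacker's list.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.5 sprays six accounts in five seconds and
# gets into one; 198.51.100.7 is a real user mistyping their own password.
SAMPLE_LOG = """\
2018-12-10T10:00:01Z src=203.0.113.5 user=alice result=fail
2018-12-10T10:00:02Z src=203.0.113.5 user=bob result=fail
2018-12-10T10:00:02Z src=203.0.113.5 user=carol result=fail
2018-12-10T10:00:03Z src=203.0.113.5 user=dave result=ok
2018-12-10T10:00:04Z src=203.0.113.5 user=erin result=fail
2018-12-10T10:00:05Z src=203.0.113.5 user=frank result=fail
2018-12-10T10:00:11Z src=198.51.100.7 user=grace result=fail
2018-12-10T10:00:20Z src=198.51.100.7 user=grace result=fail
2018-12-10T10:00:31Z src=198.51.100.7 user=grace result=ok
2018-12-10T11:30:00Z src=192.0.2.9 user=heidi result=ok
"""


def parse_log(text: str) -> List[dict]:
    """Turn log lines into event dicts; lines that are not auth events are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_users=5, min_fail_ratio=0.5) -> Dict[str, dict]:
    """Return, per flagged source IP, the worst window seen: how many distinct
    usernames were tried, how many attempts failed, and which usernames logged
    in successfully inside that window (candidates for a forced reset)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, start in enumerate(evs):
            # every attempt from this IP within `window` of the starting attempt
            span = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in span}
            failures = sum(1 for e in span if e["result"] == "fail")
            if len(users) >= min_users and failures / len(span) >= min_fail_ratio:
                hit = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "failures": failures,
                    "compromised": sorted({e["user"] for e in span if e["result"] == "ok"}),
                }
                if best is None or hit["distinct_users"] > best["distinct_users"]:
                    best = hit
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

Only the spraying source is flagged; the user who fails twice on her own account and then succeeds never crosses the distinct-username threshold. In production the same counting is done per source across a sliding window (and usually per user-agent as well), and the `compromised` list feeds a forced password reset rather than a report.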

The ICO isn’t upset about the breach itself so much as it’s upset over Uber’s poor judgement in secretly paying the attackers money to have the data destroyed, a decision that made the case so controversial. Furthermore, those affected by the breach were not told about the incident until after a full year had passed. Whenever a company is breached, rapid disclosure is imperative so customers can take steps to protect themselves against fraud.

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable,” said ICO Director of Investigations Steve Eckersley.

“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack. Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected,” Eckersley added.

The Netherlands has also fined Uber €600,000 through its local data protection authority, Autoriteit Persoonsgegevens.

Under the new General Data Protection Regulation, this blunder would have landed Uber a fine in the vicinity of 100 million US dollars (around £78 million), calculated at 4% of its last annual turnover of $2.7 billion. But because the breach occurred in the pre-GDPR era, the ICO fined Uber close to the maximum penalty under the then-applicable Data Protection Act 1998 (DPA).

The ICO did the same last month when it fined Facebook the measly sum of £500,000 for the immensely controversial Cambridge Analytica scandal that was said to have helped Russia interfere with US elections. And a month earlier, the same fine was issued to Equifax for its monumental 2017 breach that resulted in exposure of 147 million customer records, the firing of two company executives overnight, and the sullying of its image beyond repair.

Privacy Law Is Growing More Extensive – Here’s What That Means For Healthcare

Regulations like the GDPR are changing both how we do business and how customers engage with their data. Healthcare is no exception to that rule. Even in light of strict frameworks like HIPAA, health organizations face a number of unique challenges where privacy laws are concerned. Here’s why – and how you can overcome them. […]

The post Privacy Law Is Growing More Extensive – Here’s What That Means For Healthcare appeared first on The State of Security.

GDPR’s impact: The first six months

GDPR is now six months old, so it’s time to assess the regulation’s impact so far. At first blush it would appear that very little has changed: there are no well-publicized actions being taken against offenders, and no large fines levied. So does this mean it’s yet another regulation that will be ignored? Actually, nothing could be farther from the truth. The day GDPR came into law, complaints were filed by data subjects against …

The post GDPR’s impact: The first six months appeared first on Help Net Security.

Chat app Knuddels fined €20k under GDPR regulation

The case is making headlines: the German chat platform Knuddels.de (“Cuddles”) has been fined €20,000 for storing user passwords in plain text.

In July, hackers breached Knuddels’ systems and later leaked its data online.

In September, an unknown individual notified Knuddels that crooks had published the data of roughly 8,000 members on Pastebin, and that much more data had been leaked via Mega.nz.

Knuddels published a data breach notification, forced its users to change their passwords, and reported the incident to the Baden-Württemberg data protection authority.

“Hello dear ones, 
when you log into the chat, you are currently asked to change your password. 
That’s a precaution. Account data from Knuddels have been published on the internet. Although we are currently not aware of any third-party use, we have temporarily deactivated these accounts for their security.” reads a message published on the company forum.

“We are currently checking whether there is a security vulnerability on the platform. As soon as we have more information, we’ll let you know, of course. For problems and questions please contact our support at community@knuddels.de.
Please use the hint when logging in and change your password.”

According to the German Spiegel Online, hackers leaked over 800,000 email addresses and more than 1.8 million user credentials on Mega.nz.

“The company from Karlsruhe violated the obligation to ensure the security of personal data, the Baden-Württemberg data protection commissioner Stefan Brink said on Thursday in Stuttgart,” reported Spiegel Online.

“He acknowledged that, after the hacker attack, the company turned to the DPA and informed users immediately and extensively about the attack. According to the company, around 808,000 e-mail addresses and 1,872,000 pseudonyms and passwords were stolen by unknown persons and published on the Internet.”

At the time the company had verified 330,000 of the published emails. The chat platform violated GDPR regulation by storing passwords in clear text and for this reason, the regulator imposed its first penalty under the privacy regulation.

The fine is not higher because the company cooperated with the authorities.

“Due to a breach of the data security required by Art. 32 DS-GVO, the penalty office of LfDI Baden-Württemberg imposed a fine of EUR 20,000 by decision of 21.11.2018 against a Baden-Württemberg social media provider and, in constructive collaboration with the company, ensured significant improvements in the security of user data,” reads the statement from the Baden-Württemberg data protection authority.

“By storing the passwords in clear text, the company knowingly violated its duty to ensure data security in the processing of personal data,” 

The authority’s State Commissioner for Data Protection and Freedom of Information, Stefan Brink, confirmed that it deliberately avoided imposing the highest possible fine, since it did not want to bankrupt the company.

“The overall financial burden on the company was taken into account in addition to other circumstances,” the authority noted.

“The hacker attack was a real stress test for Knuddels.” It was immediately clear that the trust of users could only be regained with transparent communication and an immediately noticeable improvement in IT security. “Knuddels is safer than ever,” declared Holger Kujath, managing director of Knuddels GmbH & Co. KG.
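Both the Panda summary earlier on this page and this report come down to the same Art. 32 failure: Knuddels kept passwords in clear text, so the leaked table was immediately usable. The following added example (not Knuddels’ code, nor the regulator’s) shows the stored form the authority expected instead, using only the Python standard library: PBKDF2-HMAC-SHA256 with a random per-user salt and a constant-time check, plus the usual migration path for a site that discovers a clear-text table, which is to re-hash each password at the user’s next successful login. The record format, the iteration count and the constructed user records are assumptions of the example:

```python
"""Storing passwords the way Art. 32 GDPR expects versus the way Knuddels did.

Added example, not code from Knuddels, LfDI Baden-Württemberg or any of the
articles on this page. Standard library only: PBKDF2-HMAC-SHA256 with a
per-user random salt. The record format, iteration count and the constructed
legacy user table are assumptions of this example.
"""
import hashlib
import hmac
import secrets
from typing import Tuple

ITERATIONS = 200_000          # tune so one check takes ~100 ms on your hardware
PREFIX = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh 16-byte salt means two users with the same password get different
    records, so a leaked table cannot be attacked with one precomputed list."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=32)
    return f"{PREFIX}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time, so response timing does not reveal how much matched."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != PREFIX:
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def verify_and_upgrade(record: str, password: str) -> Tuple[bool, str]:
    """Accept either a legacy clear-text record (what the regulator found) or a
    hashed one. On success with a legacy record, return a hashed replacement
    the caller must write back; the clear text is never kept."""
    if record.startswith(PREFIX + "$"):
        return verify_password(record, password), record
    # Legacy row: the stored value *is* the password. Still compare in constant time.
    ok = hmac.compare_digest(record.encode("utf-8"), password.encode("utf-8"))
    return ok, (hash_password(password) if ok else record)


# Constructed legacy table: this is what a clear-text store looks like when it leaks.
LEGACY_USERS = {"alice": "hunter2", "bob": "hunter2"}

if __name__ == "__main__":
    migrated = {}
    for user, stored in LEGACY_USERS.items():
        ok, new_record = verify_and_upgrade(stored, "hunter2")
        migrated[user] = new_record
        print(user, ok, new_record[:40] + "...")
    # Same password, different records: the salt is doing its job.
    assert migrated["alice"] != migrated["bob"]
```

With this scheme a leak of the user table costs the attacker a separate brute-force run per user at 200,000 PBKDF2 rounds per guess, instead of a ready-made list of 1.8 million credentials to reuse elsewhere. Any clear-text row that never gets a successful login and so is never upgraded should be expired and reset rather than left in place.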

Pierluigi Paganini

(Security Affairs – GDPR, data breach)

The post Chat app Knuddels fined €20k under GDPR regulation appeared first on Security Affairs.

What’s keeping Europe’s top infosec pros awake at night?

As the world adapts to GDPR and puts more attention on personal privacy and security, Europe’s top information security professionals still have doubts about the industry’s ability to protect critical infrastructure, corporate networks, and personal information. Black Hat Europe’s new research report entitled, Europe’s Cybersecurity Challenges, details the thoughts that are keeping Europe’s top information security professionals awake at night. The report includes new insights directly from more than 130 survey respondents and spans topics …

The post What’s keeping Europe’s top infosec pros awake at night? appeared first on Help Net Security.

My precious: security, privacy, and smart jewelry

Emery was staring at her computer screen for almost an hour, eyes already lackluster as the full-page ad on Motiv looped once more. She was contemplating whether she’d give in and get her boyfriend Ben a new fitness tracker as a present for his upcoming marathon. The phone app he was currently using worked, but Ben never got used to wearing his iPhone on his arm. In fact, the weight of it distracted him.

Emery thought that something lightweight, sturdy, and inconspicuous was what he needs as a replacement. And the Motiv Ring—in elegant slate gray, of course—seemed to be the best option. But for $199, she immediately stepped back. Admittedly, the price tag tempted her to go back to cheaper options.

Reaching for her coffee mug, Emery was reminded of the weight of the Ela Bangle around her wrist. Ben had given it to her as a welcome-home present after her two-week medical mission. He had called it a smart locket, one you can’t wear around your neck. He knew she got homesick easily, so Emery was ecstatic when Ben had shown her photos and audio messages near and dear to her all saved on its rounded-square stone.

At least that was what the brochure said. In reality, her personal files were stored in the cloud associated with the Ela.

Although Emery could only rave about her smart locket, she couldn’t help but wonder if anyone else could see her files. She’s as techie as the next nurse in her ward, but stories of hacking, stolen information, and locked out files were frequently discussed at the hospital, making her realize that owning technology from a nascent industry can put one in a precarious position.


Emery and her current situation may be fictitious, but her dilemma is real. Smart jewelry has real appeal, but it doesn’t come without risks to security and privacy.

Whatever enamored them, potential buyers would be wise to consider this one, significant detail before they make up their minds: data. Mainly, what happens with the data they freely allow their smart jewels to monitor, collect, analyze, and store. Could these be accessed, retrieved, transported, or used by anyone who has the skills? Could data leak by accident or because of simple manipulation of certain elements (such as incrementing the user ID)? These are some questions we need to continue asking ourselves in this age of breaches.

Not only that, the data collected about a person’s health and well-being is yet another trove that should be under the protection of a statute like HIPAA—but isn’t. It’s no wonder that lawmakers and those working in the cybersecurity and privacy sectors have expressed concern regarding the evident lack of security of not just wearable technology, but the Internet of Things as a whole.

How smart jewelry works

Smart jewelry, or wearable jewelry, is a relatively new form of wearable technology (WT) capable of only lightweight data processing. And like other WT, it’s generally not a stand-alone device. It requires an app to be paired with your smart jewelry so it can do what it’s designed to do. In a nutshell, this tandem is how smart jewelry—and wearables as a whole—works.

Wearable jewelry that acts as a fitness tracker usually follows the standard model below:

  • Tracking of data using sensors in the wearable, such as an accelerometer, gyroscope, tracker, and others.
  • Transmitting of data from the wearable to the smartphone via Bluetooth Low Energy (BLE) or ANT+.
  • Aggregating, analyzing, processing, and comparing the data in the smartphone.
  • Syncing of data from the smartphone app to its cloud server via an Internet connection.
  • Presenting data to the user via the smartphone.

In-depth processing and data analysis also happen in the cloud. Manufacturers offer this additional service to users as an option. As you can tell, this is how service providers monetize the data.

Nowadays, smart jewelry is becoming more than just a pretty fitness tracker. Some already function as an extension of the smartphone, providing notifications on incoming calls and new text messages and emails. Others can be used for sleep or sleep apnea monitoring, voice recording, hands-free sharing and communication, unlocking doors, or paying for purchases. A small number of smart jewelry pieces can even act as one’s personal safety device, train or bus pass, bank card, or smart door key.

But while the jewelry gets blingier and the processor—the wearable jewelry’s core computer—gets smarter with time, one is likely to ask: Is smart jewelry getting more secure? Is it protecting my privacy?

Unfortunately, the strong, resounding answer to both is “no.”

Security and privacy challenges faced by smart jewelry

Because of the processor’s size—a necessity to make wearables lightweight, relatively inexpensive, and fit for mass production—manufacturers are already limited from adding any security measure into it. This is an inherent problem in a majority of wearable devices.

In fact, it is safe to say that the vulnerabilities and security shortcomings found in wearable devices in general can also be found in smart jewelry.

In the research paper entitled, “Wearable Technology Devices Security and Privacy Vulnerability Analysis,” Ke Wan Ching and Manmeet Mahinderjit Singh, researchers at the Universiti Sains Malaysia (USM), have presented several weaknesses and limitations within wearable devices that we have grouped into main categories. These are:

  • Little or lacking authentication. A majority of wearables have no way of authenticating or verifying that the person accessing or using them is who they claim to be. These devices are then susceptible to data injection attacks, denial of service (DoS) attacks, and battery drain hacks. For gadgets that do have an authentication scheme in place, the scheme usually isn’t secure enough and can quickly be defeated by brute-force attacks.
  • Leaky BLE. Because the wearable’s Bluetooth traffic leaks, persons with ill intent can easily track users wearing smart jewelry. And if a location can be determined with ease, then privacy is compromised, too. Other Bluetooth attacks that can work against wearables are eavesdropping, surveillance, and man-in-the-middle (MiTM) attacks.
  • Information leakage. If one’s location can be determined with pinpoint accuracy, it’s possible that hackers can pick up personally identifiable information (PII) and other data just as easily. Information leakage also leads to other security attacks, such as phishing.
  • Lack of encryption. Some wearables are known to send and receive data to or from the app in plain text. It’s highly likely that smart jewelry is doing this, too.
  • Lack of or incomplete privacy policy. Some smart jewelry manufacturers make clear what they do with information they collect from users visiting their website. Yet they hardly mention what they do with the more personal data they receive from their wearables and app. Their privacy policy does not (or seldom does) say what is being collected, when it is collected, what it will be used for, or how long it can be kept.
  • Insecure session. Users can access their smart jewelry via its app, and the app saves user accounts. Account-based management is at risk when sessions are handled weakly. Attackers would be able to guess user accounts to hijack sessions or access data belonging to the user.

It’s also important to note that, unlike smartphones and other mobile devices, smart jewelry owners have no way of tracking their wearable jewelry should they accidentally misplace or lose it.

How smart jewelry manufacturers are addressing challenges

The European Union’s introduction of the General Data Protection Regulation (GDPR) has created a tsunami effect on organizations across industries worldwide. Manufacturers of wearable devices are no exception. Owners of smartwatches, smart wristbands, and other wearable gadgets may already have noticed some tweaking to the privacy policies they agreed to—and this is a good thing.

When it comes to security and privacy, much to the surprise of many, they are not entirely absent from smart jewelry. Manufacturers recognize that wearables can be used to secure data and accounts. They also understand that their wearables need to be secured. And a small number of organizations are already taking steps.

Motiv, the example we used in our introductory narrative, has already incorporated biometric and two-factor authentication schemes into its devices, which it recently revealed in a blog post. The Motiv Ring now includes a feature called WalkID, a verification process that monitors a wearer’s gait. It runs continuously in the background, which means WalkID regularly checks for the wearer’s identity. The ring can also now serve as an added layer of protection to online accounts that are linked to it. In the future, Motiv has promised its users password-free logins, fingerprint scanning, and facial recognition.

Diamonds—and data—are forever

It was in January of this year that Ringly, a pioneer smart jewelry company, bid farewell to the wearable tech industry (probably for good) after only four years. Although it wasn’t revealed why, one mustn’t take this as a sign of a dwindling future ahead for wearable jewelry. On the contrary, many experts forecast an overwhelmingly positive outlook on wearable tech. However, the wearables industry must make a concerted effort to address the many weaknesses found in modern smart jewelry.

So, should you bite the bullet and splurge on some smart jewelry?

The answer still depends on what you need it for. And if you’re seriously intent on getting one, remember there are security measures you can take to minimize those risks. Regularly updating the app and the firmware, taking advantage of additional authentication modes if available, using strong passwords, never sharing your PIN, and turning Bluetooth off when not needed are just some suggestions.

How you choose among smart jewelry options plays a key role in safety, too. Make sure that you select a brand that takes security seriously and shows this by continuously improving on the flaws and privacy concerns we mentioned above. First-generation tech is always insecure. What consumers must look out for are future improvements, not just in the look and functionalities, but also in how it protects itself and your data.

Lastly, it’s okay to wait. Seriously. You don’t have to have the latest smart ring, necklace, or bracelet if it doesn’t take care of your data or leaves you open to hackers. It would be wise to settle for other alternatives that would address your needs, first and foremost, and make it coordinate with your attire second. After all, the smart jewelry industry is relatively young, so it still has a long way to go. And with every advancement, we can only hope that smart jewelry comes with beefier security measures and privacy-friendly policy implementations.

As for wearables in the business environment... well, that’s another story.

The post My precious: security, privacy, and smart jewelry appeared first on Malwarebytes Labs.

Critical Flaw in GDPR Plug-In For WordPress

Hackers have been found exploiting a critical security vulnerability that affects a GDPR plug-in for WordPress to take control over vulnerable websites according to security researchers at Wordfence. “These attacks show that

The post Critical Flaw in GDPR Plug-In For WordPress appeared first on The Cyber Security Place.

WordPress GDPR Compliance plugin hacked to spread backdoor

By Waqas

Update your GDPR Compliance plugin right now. Security researchers have identified a critical vulnerability in the popular WP GDPR Compliance plugin, which assists over 100,000 website owners around the world in complying with the European privacy regulation known as the GDPR, announced by the European Union on May 25th, 2018. The vulnerability, discovered by researchers at Wordfence, allows hackers to […]

This is a post from HackRead.com. Read the original post: WordPress GDPR Compliance plugin hacked to spread backdoor

How Safe and Secure are Wearables?

The ‘wearable technology’ market has been growing exponentially in recent years and is expected to exceed 830 million devices by 2020. One of the key drivers pushing this rapid expansion is fitness trackers, namely wristband tech and smartwatch apps which monitor our daily activity and health. But as we integrate wearable devices seamlessly into our everyday lives, what are the privacy and security risks they pose? How should wearable manufacturers and app developers be protecting consumers?

245 million wearables will be sold in 2019

Insurance company Vitality offers customers a heavily discounted Apple Watch in return for their fitness routines and health data: the more activity you do each month, the greater your reward through a monthly discount. While this exchange of information for rewards provides a great incentive for consumers to improve their health, the personal data consumers share in return has a tangible value for the insurance company. However, providing an insurance company with a daily data breakdown of one's health is an unacceptable tradeoff for some, who regard such a practice as an invasion of their privacy.

As of May 2018, all EU citizens' privacy rights are legally protected by the General Data Protection Regulation (GDPR). GDPR compliance is required of all companies which process EU citizen data, including those based outside of the European Union. The privacy regulation requires wearable device and app providers to obtain each EU citizen's explicit consent before collecting their personal information. They must also clearly explain what types of personal information they intend to collect and how they intend to use the data, and inform consumers about any other organisation they intend to share their data with. If they don’t, wearable tech firms and app providers should brace themselves for heavy fines from European Information Commissioners.

For further details about the GDPR requirements and for Wearables Software Development Security Advice, read my IBM developerWorks 3 part guidance "A developer's guide to the GDPR" and my Combating IoT Cyber Threats.

Wearable personal data is also of value to hackers and criminals: for instance, your fitness routine provides a clear picture of the best times to burglarise your home. With personal consumer data potentially at stake, fitness wearable manufacturers should incorporate both default privacy and security standards into the infrastructure of the device, to help ensure personal information remains safeguarded from known and future cyber threats. UL, a global safety science company, has developed testing for cybersecurity threats and offers security verification processes to assist manufacturers in assessing security risks and helping mitigate them before the product even goes to market. If the industry takes these steps, wearable consumers will feel safe and secure as they reap the intended benefits of this new innovation, while the wearables industry will be well positioned to meet the promise of its growth projections.

Europe’s largest bank just got hacked

HSBC Bank, the seventh-largest banking and financial services organization in the world and the largest in Europe, has been breached by hackers. The bank is now sending letters to an undisclosed number of customers notifying them that hackers have their data.

In a notification template submitted to the California Attorney General’s Office, HSBC said it became aware that online accounts were accessed by unauthorized parties sometime between October 4 and October 14, 2018.

“When HSBC discovered your online account was impacted, we suspended online access to prevent further unauthorized entry of your account,” the notice reads. “You may have received a call or email from us so we could help you change your online banking credentials and access your account. We apologize for this inconvenience. HSBC takes this very seriously and the security of your information is very important to us.”

HSBC adds (emphasis ours), “The information that may have been accessed includes your full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history where available.”

The bank provides no details of the breach, such as how the attackers managed to infiltrate its systems and then exfiltrate customer data. It does say, however, that its first action after containing the breach was to enhance the authentication process for HSBC Personal Internet Banking. This suggests the breach may have involved credential stuffing (where large numbers of previously-breached credentials are “stuffed” into login forms until they are potentially matched to an existing account), or a vulnerability in the bank’s two-factor-authentication (2FA) process.

On a slightly more positive note, customers are told HSBC is offering a complimentary year of credit monitoring via Identity Guard, which monitors and protects credit data and also alerts users to activities that could indicate identity theft. Customers must sign up for the freebie within 90 days; after that window closes, they are no longer eligible.

According to Wikipedia, HSBC’s assets total US $2.374 trillion, as of December 2016, with annual revenue in the tens of billions. Last year alone, it raked in $51.445 billion, or 45.1 billion euros. Considering the sheer number of potential European clients and the amount of personally identifiable information compromised, HSBC stands to incur a stinging fine under the recently introduced General Data Protection Regulation. The GDPR’s penalties for such data breaches are calculated at up to 20 million euros, or 4% of the company’s annual turnover, whichever is greater. Needless to say, EU legislators won’t have too hard of a time making that calculation.

Eurostar resets customer passwords after hack attack

European high-speed railway service Eurostar reset all user account passwords after a security incident, according to the Telegraph.

The rail company detected unauthorized attempts to access user accounts between October 15 and 19, and immediately sent a notification email to the customers affected. Hackers used legitimate email addresses and passwords on the Eurostar website.

The company says the attack did not compromise credit card and payment details, which are not stored on their systems. They blocked accounts to prevent things from getting out of hand.

The exact number of affected accounts was not mentioned, nor was the type of data leaked.

“We have taken this action as a precaution because we identified what we believe to be an unauthorized automated attempt to access eurostar.com accounts using your email address and password,” the company told customers.

“We’ve since carried out an investigation which shows that your account was logged into between the 15 and 19 October. If you didn’t log in during this period, there’s a possibility your account was accessed by this unauthorized attempt.”

The Information Commissioner’s Office was informed and is looking into the matter.

“We’ve received a data breach report from Eurostar and are making enquiries,” said a spokeswoman.

As per GDPR requirements, companies that detect breaches affecting personal data of EU citizens must inform their customers within 72 hours. If companies don’t comply with GDPR requirements, they face hefty fines.

A number of companies operating with customer data have been hacked in the past months, including Air Canada, British Airways and Cathay Pacific. There’s no evidence linking them to the Eurostar breach.
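Both the HSBC and the Eurostar notices above describe the same pattern: an automated attempt to log into many accounts with leaked email/password pairs. The following detection logic, added here as an example and not code from either company, flags that pattern in a constructed authentication log; the log format, IP addresses, accounts and thresholds are all assumptions.

```javascript
// Added example for the HSBC and Eurostar notices above: detection logic for the automated
// credential-stuffing pattern both describe (one source trying many accounts with leaked
// email/password pairs). Not from either company; the log lines and thresholds are constructed.

// Constructed sample of an authentication log: "<ISO time> <source IP> <account> <OK|FAIL>".
const SAMPLE_LOG = [
  "2018-10-15T08:00:00Z 203.0.113.7 zed@example.com OK",       // an hour earlier, outside the window
  "2018-10-15T09:00:01Z 203.0.113.7 alice@example.com FAIL",
  "2018-10-15T09:00:02Z 203.0.113.7 bob@example.com FAIL",
  "2018-10-15T09:00:03Z 203.0.113.7 carol@example.com OK",     // a reused password worked
  "2018-10-15T09:00:04Z 203.0.113.7 dave@example.com FAIL",
  "2018-10-15T09:00:05Z 203.0.113.7 erin@example.com FAIL",
  "2018-10-15T09:00:06Z 203.0.113.7 frank@example.com FAIL",
  "2018-10-15T09:05:00Z 198.51.100.20 alice@example.com FAIL", // ordinary user mistyping once
  "2018-10-15T09:05:20Z 198.51.100.20 alice@example.com OK",
  "2018-10-15T09:07:00Z 198.51.100.21 bob@example.com OK",
];

function parseLine(line) {
  const [ts, ip, account, result] = line.trim().split(/\s+/);
  return { t: Date.parse(ts), ip, account, ok: result === "OK" };
}

// Flag a source IP when, within any sliding window of `windowMs`, it attempts at least
// `minAccounts` distinct accounts and at most `maxSuccessRatio` of those attempts succeed.
// A real user logs into one or two accounts; a stuffing run cycles through hundreds.
function detectStuffing(lines, { windowMs = 10 * 60 * 1000, minAccounts = 5, maxSuccessRatio = 0.3 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!byIp.has(ev.ip)) byIp.set(ev.ip, []);
    byIp.get(ev.ip).push(ev);
  }
  const findings = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.t - b.t);
    let best = null;
    let start = 0;
    for (let end = 0; end < events.length; end++) {
      while (events[end].t - events[start].t > windowMs) start++; // shrink the window from the left
      const win = events.slice(start, end + 1);
      const accounts = new Set(win.map((e) => e.account));
      const hits = win.filter((e) => e.ok);
      if (accounts.size >= minAccounts && hits.length / win.length <= maxSuccessRatio) {
        if (!best || accounts.size > best.accounts) {
          best = {
            ip,
            accounts: accounts.size,
            attempts: win.length,
            successes: hits.length,
            compromised: [...new Set(hits.map((e) => e.account))],
          };
        }
      }
    }
    if (best) findings.push(best);
  }
  return findings;
}

// Accounts that saw a successful login from a flagged source: these are the ones whose
// sessions to invalidate and passwords to reset first (Eurostar chose to reset everyone).
function accountsToReset(findings) {
  return [...new Set(findings.flatMap((f) => f.compromised))].sort();
}

console.log(detectStuffing(SAMPLE_LOG));
console.log("reset first:", accountsToReset(detectStuffing(SAMPLE_LOG)));
```

Real stuffing traffic is spread across many source addresses, so the same check is usually also run per user-agent or per ASN rather than per IP alone.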

Cyber Security Roundup for October 2018

Aside from Brexit, cyber threats and cyber attack accusations against Russia are very much centre stage in the UK government's international political agenda at the moment. The government publicly accused Russia's military 'GRU' intelligence service of being behind four high-profile cyber-attacks, and named 12 cyber groups it said were associated with the GRU. Foreign Secretary Jeremy Hunt said, "the GRU had waged a campaign of indiscriminate and reckless cyber strikes that served no legitimate national security interest".

UK Police firmly believe the two men who carried out the Salisbury poisoning in March 2018 worked for the GRU.

The UK National Cyber Security Centre said it had assessed "with high confidence" that the GRU was "almost certainly responsible" for the cyber-attacks, and also warned UK businesses to be on the alert for indicators of compromise by the Russian APT28 hacking group. The NCSC said GRU hackers operated under a dozen different names, including Fancy Bear (APT28), and had targeted:
  • The systems database of the Montreal-based World Anti-Doping Agency (Wada), using phishing to gain passwords. Athletes' data was later published.
  • The Democratic National Committee in 2016, when emails and chats were obtained and subsequently published online. The US authorities have already linked this to Russia.
  • Ukraine's Kyiv metro and Odessa airport, Russia's central bank, and two privately-owned Russian media outlets - Fontanka.ru and news agency Interfax - in October 2017. They used ransomware to encrypt the contents of a computer and demand payment.
  • An unnamed small UK-based TV station between July and August 2015, when multiple email accounts were accessed and content stolen.

Facebook was fined the maximum amount of £500,000 under pre-GDPR data protection laws by the UK Information Commissioner's Office (ICO) over the Cambridge Analytica Scandal. Facebook could face a new ICO fine after revealing hackers had accessed the contact details of 30 Million users due to a flaw with Facebook profiles. The ICO also revealed a 400% increase in reported Cyber Security Incidents and another report by a legal firm RPC said the average ICO fines had doubled, and to expect higher fines in the future. Heathrow Airport was fined £120,000 by the ICO in October after a staff member lost a USB stick last October containing "sensitive personal data", which was later found by a member of the public.

Notable Significant ICO Security Related Fines

Last month's British Airways website hack was worse than originally reported, as the airline disclosed a second attack which occurred on 5th September 2018, when the payment page had 22 lines of malicious JavaScript code injected in an attack widely attributed to Magecart. Another airline, Cathay Pacific, also disclosed it had suffered a major data breach that impacted 9.4 million customers' personal data and some credit card data.

Morrisons has lost a challenge to a High Court ruling which made it liable for a data breach, after an employee, since jailed for 8 years, stole and posted thousands of its employees' details online in 2014. Morrisons said it would now appeal to the Supreme Court; if that appeal fails, those affected will be able to claim compensation for "upset and distress".

Interesting article on Bloomberg on "How China Used a Tiny Chip to Infiltrate U.S. Companies". However, there was a counter-narrative to the Bloomberg article on Sky News. But that didn't stop Ex-Security Minister Admiral Lord West from calling out the Chinese, saying Chinese IT kit 'is putting all of us at risk' if used in 5G. He raises a valid point, given the US Commerce Department said it would restrict the export of software and technology goods from American firms to Chinese chipmaker Fujian Jinhua. BT, which uses Huawei to supply parts for its network, told Sky News that it would "apply the same stringent security measures and controls to 5G when we start to roll it out, in line with continued guidance from government". Recently there have been warnings issued by the MoD and NCSC stating a Chinese espionage group known as APT10 is attacking IT suppliers to target military and intelligence information.

NCSC is seeking feedback on the latest drafts 'knowledge areas' on CyBOK, a Cyber Security body of knowledge which it is supporting along with academics and the general security industry.

Google is finally pulling the plug on Google+, after user personal data was left exposed. Google and the other three major web browser providers in the world said, in what seem like coordinated announcements, that businesses must accept TLS Version 1.0 and 1.1 will no longer be supported after Q1 2018.

So it's time to move over to the more secure TLS V1.2 or the more secure & efficient TLS V1.3.


Dublin Information Sec 2018: take note of this advice to embed lessons from a data breach

When assembling an incident response team, it’s worth including someone whose job is to take notes. It might seem like a small point, but it’s a big help for communicating during a breach, and learning lessons afterwards.

Maybe it’s because I write things down for a living, but for me, that was one of the key takeaways from Brian Honan’s presentation at Dublin Information Sec 2018 this week. “Have someone on your team who is a scribe, who will take notes of timelines, of who did what, and who will brief senior management about what’s happening,” he said.

All the president’s men

Brian made the remarks during a presentation about how to manage data breaches in light of GDPR’s stringent reporting regime. Organisations that suffer a breach involving personal data must report it to the designated data protection authority within 72 hours. Such a tight timeframe puts incredible pressure on incident response teams. It’s important to plan ahead, and identify the key roles and responsibilities in advance. The team could include specialists in data protection, information security, operations, human resources, legal, public relations and facilities management.

The designated note-taker can be an invaluable buffer between the technical teams scrambling to investigate the incident, and management who will want regular progress reports. Without that buffer, the need for regular updates might distract the investigation team from their work. Accurate notes can form the basis of open communication to an organisation’s staff, customers, media or other stakeholders. “Communicate throughout every part of this process,” Brian said.

Total recall

Having contemporaneous notes also provides a valuable record for when it’s time to take a fresh look at what happened. “Always review and measure, see where you can improve and how you can make things better,” Brian said.

He recommended conducting a review within 24 hours of an incident. That’s the ideal timeframe because memories fade – we’re only human after all. The longer the time lag between the incident and the review, the less reliable everyone’s recollection will be. But if the review stage is postponed for any reason, good notes are the next best thing.

Brian Honan, speaking at Dublin Information Sec 2018 conference at the RDS


The post Dublin Information Sec 2018: take note of this advice to embed lessons from a data breach appeared first on BH Consulting.

Busting myths and misconceptions around GDPR and security

For better or worse, GDPR and security are often wedded together, when the relationship in fact is slightly more complicated. Sarah Clarke, a specialist in privacy, security, governance risk and compliance with BH Consulting, has picked apart some myths and misconceptions around the subject. She kindly gave us permission to use material she published in her excellent Infospectives blog. It’s well worth reading for anyone whose role involves data protection or security.

In part one, she outlines the media backdrop (clickbait headlines and all). She then goes into detail about what the GDPR really says about security and covers security as a source of privacy risks.

Confusion and misunderstanding

Sarah decided to write the blog partly out of frustration from seeing discussions about privacy, GDPR, and the role of security, where facts were in short supply. “Confusion stems from security vendors and security experts misunderstanding the GDPR, not filtering out their security bias, or willingly leveraging GDPR furore to drive a security-centric agenda,” she wrote.

Privacy experts often note that just one principle in GDPR specifically references security. As Sarah argues, the picture is more nuanced. In the daily reality of many organisations, this works a little differently. Security and data protection intersect where people, process, or technical controls are necessary to minimise the risk of harm to data subjects resulting from a personal data breach – or business as usual processing. The two also meet where a security function’s own people, process, or technical controls involve processing personal data. What’s more, both need to work together when security teams must assess, oversee, and/or pay for GDPR-related change.

Minimising risk to data subjects

“If I had to draw out one fact from everything above that needs to be drilled into the heads of many security practitioners (including me in the early days), it’s this: Data Protection is NOT just about minimising the probability and impact of breaches. Data Protection IS about minimising the risk of unfair impact on data subjects resulting from historical data processing, processing done today, and processing you and your third parties might do in future.”

The second part of Sarah’s blog looks at three myths about GDPR. First, is that the regulation makes encryption mandatory, or whether using the technology negates other controls. Secondly, she tackles the assumption that being certified to ISO27001 effectively ensures compliance with GDPR. Third, she asks whether existing security-related risk management is fit for privacy purposes.

Encryption mandated nowhere

Expanding on the first point, Sarah says encryption is a vital tool but not a mandatory one. “The GDPR doesn’t mandate ANY specific controls. It mentions a couple, like pseudonymisation and encryption, but it is all about control selection based upon your local risks… Rendering data unintelligible is an incredibly effective mitigation for post breach data related harm to both data subjects and the organisation, but it in no way negates the need to apply other security and data protection controls.”

Next, she dismisses the idea that becoming certified to the information security standard ISO27001 is the same as GDPR compliance. However, she adds that certification helps in this way: “The Information Security Management System (ISMS), described in ISO27001, represents a robust way to scope, assess, articulate, document, and manage risks associated with all aspects of organisational security, including personal data security.”

Assessing security risk from a privacy perspective

Lastly, Sarah debunks the misconception that security-related risk management is suitable for privacy purposes. The reason being that “the assessment of security related risk is pretty poor in general”. Outside certain fields like the military, healthcare, or energy, few consider the impact on individuals or groups of data subjects. As we’ve seen above, this consideration is central to GDPR.

Sarah outlines “unavoidable and critical steps” to determining the rights and freedoms of data subjects. Finally, she wraps up the post with seven practical steps for organisations to review where security, data processing, and privacy meet. Whether you work in a security role or on the privacy side, we encourage you to read the full posts. Both go into great detail and include helpful external links to other resources and discussion points. Our thanks to Sarah for sharing the material with us. You can read her blogs at www.infospectives.co.uk or follow her on Twitter.

The post Busting myths and misconceptions around GDPR and security appeared first on BH Consulting.

British Airways Hack Update: Caused by Injected Script & PCI DSS Non-Compliance is Suspected

On Friday (7th September 2018), British Airways disclosed that between 21st August 2018 and 5th September 2018, 380,000 BA customers' payment card transactions were compromised by a third party through its website and mobile app. This data included the customer's full name, email address, 16-digit debit\credit card number (PAN), expiry date and card security code (i.e. CVV, CV2).

Details of how the hack was orchestrated have now come to light. In a blog post, RiskIQ researchers claim to have found evidence that a web-based card skimmer script was injected into the BA website, very similar to the approach used by the Magecart group, who are believed to be behind a similar recent attack against the Ticketmaster website. Web-based card skimmer script attacks have been occurring since 2015.

In this case, once the customer had entered their payment card details and submitted the payment, whether on a PC or a touchscreen device, the malicious script executed, captured the payment card data and sent it to a virtual private server (VPS) hosted in Romania. The server used the domain baways.com and had an HTTPS certificate issued by Comodo, so that the exfiltration looked legitimate within the website's HTML. The domain was registered 6 days before the breach started; this evidently went undetected by BA's security, though the rogue domain registration could perhaps have been picked up by a threat intelligence service.

Other researchers have also claimed the BA website wasn't PCI DSS compliant. Marcus Greenwood found files loaded from 7 external domains onto the BA website and, crucially, said the BA payment page wasn't isolating the card payment entry within an iframe, which would prevent third-party scripts (and XSS attacks) from reading the payment card form fields. The Payment Card Industry Data Security Standard (PCI DSS) is required of all organisations that accept, process, store and/or transmit debit and credit card data.

Here is the advice from CEO of global cybersecurity specialist SonicWall, Bill Conner:

"Organizations and government entities carry a responsibility to consumers and civilians alike to guard their most valuable information at all cost. While the British Airways breach may not have been as detrimental as I’m sure its culprits would have liked it to be, it should serve as a wake-up call to CTOs, CIOs and CISOs. The fact is, it is early days, and the true damage done is yet to be seen. Personal information that does not change as easily as a credit card or bank account number drive a high price on the Dark Web. This kind of Personally Identifiable Information is highly sought after by cybercriminals for monetary gain. Companies should be implementing security best practices such as a layered approach to protection, as well as proactively updating any out of date security devices, as a matter of course."

My view: mass credit\debit card data (cardholder data), complete with the security code, has always been targeted by cyber crooks as it is very easily sellable on the dark web, since the data can only be used in cardholder-not-present transaction fraud, where the credit card holder is not physically present, i.e. online, app, phone. The finger can be pointed at lack of PCI DSS compliance by merchants like BA; however, I think it is about time technology was used to improve the security of all cardholder-not-present transactions, namely multi-factor authentication (MFA). While MFA on all cardholder-not-present transactions is not a silver bullet (there is no 100% security), enforced usage across all industries would certainly devalue debit\credit card data considerably.

British Airways Customer Data Stolen in Website and Mobile App Hack

In a statement, British Airways stated: "From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on ba.com and the airline’s app were compromised." The airline said it will be notifying affected customers, and advised anyone impacted to contact their bank or credit card provider.
The Telegraph reported 380,000 payments were compromised, and that BA customers had experienced payment card fraud as a result before the BA breach disclosure, which strongly suggests unencrypted debit\credit card data was stolen.

There are no details about the data theft method at the moment, but given the statement said the BA website and BA mobile app were compromised, I think we could be looking at another example of an insecure API being exploited, as per the Air Canada breach and the T-Mobile breach last month.

We'll see what comes out in the wash over the next few days and weeks, but thanks to the GDPR, at least UK firms are quickly notifying their customers when their personal and financial data has been compromised, even if there is little detail reported about how. Without knowing how the data was compromised, customers cannot be truly assured their private data is safe. It will also be interesting to learn whether the BA systems were compliant with the Payment Card Industry Data Security Standard (PCI DSS), required of all organisations that accept, process, store and/or transmit debit and credit cards.

Update:
A spokesperson at BA said "hackers carried out a sophisticated, malicious criminal attack on its website" and impacted BA customers would be compensated.

380,000 card payment transactions were confirmed as stolen, specifically:
  • Full Name
  • Email address
  • Payment card number (PAN)
  • Expiration date
  • Card Security Code [CVV] - typically a 3 digit authorisation code written on the back of the debit\credit card
BA insists it did not store the CVV numbers; PCI DSS does not allow these to be stored after payment card authorisation. This suggests the card details may have been intercepted during the payment transaction, perhaps by a maliciously injected or compromised third-party website plugin, as opposed to data theft from the database, as is often seen with SQL injection attacks against web apps.

BA have published help and FAQs to anyone that is impacted by this data breach.
https://www.britishairways.com/en-gb/information/incident/data-theft/latest-information

British Airways is owned by IAG, whose share price dropped by more than 4%, equating to a £500m+ loss in the company's value.

Update on the Attack Method (11 Sept 2018)
In a blog post, RiskIQ researchers claim to have found evidence that a web-based card skimmer script was injected into the BA website, very similar to the approach used by the Magecart group, who are believed to be behind a similar recent attack against the Ticketmaster website. Web-based card skimmer script attacks have been occurring since 2015.

In this case, once the customer entered their payment card details and submitted the payment, whether on a PC or a touchscreen device, the malicious script captured their data and sent it to a virtual private server (VPS) hosted in Romania. The server used the domain baways.com and had an HTTPS certificate issued by Comodo to make it look legitimate. The domain was registered 6 days before the breach started; this evidently went undetected by BA's security, though the rogue domain registration could perhaps have been picked up by a threat intelligence service.

Researchers have also claimed the BA website wasn't PCI DSS compliant. They found 7 scripts running on the BA website, but crucially said the BA payment page wasn't isolating the card payment entry within an iframe, which would prevent third-party scripts (and XSS attacks) from reading the payment card form fields.
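The two weaknesses described in this update and in the later BA post above (third-party scripts on the payment page, and card fields not isolated in an iframe) can be checked for and contained on the defender's side. The following is an added example, not code from the original posts or from BA; it audits a constructed checkout page against an allowlist of origins and builds a Content-Security-Policy that limits where scripts may load from and where captured data could be sent. All hostnames in it are constructed placeholders.

```javascript
// Added example, not code from the original posts or from BA. Audits a
// checkout page for (1) scripts loaded from origins outside an allowlist and
// (2) card fields placed directly in the page instead of a payment-provider
// iframe, then builds a Content-Security-Policy that confines script loading
// and outbound requests to the allowlist. All hostnames are constructed.

const ALLOWED_ORIGINS = [
  "https://www.example-airline.test", // first-party site (constructed)
  "https://cdn.example-airline.test", // first-party static assets (constructed)
  "https://pay.example-psp.test", // payment provider hosting the card iframe (constructed)
];

// Constructed checkout page: one unexpected third-party script and a card
// number field readable by every script on the page.
const SAMPLE_PAGE = `
<html><body>
<script src="https://cdn.example-airline.test/app.js"></script>
<script src="https://stats.third-party.test/track.js"></script>
<form action="/book/pay">
  <input name="email" type="email">
  <input name="cardnumber" autocomplete="cc-number">
</form>
</body></html>`;

// Constructed hardened page: card entry delegated to the provider's iframe.
const ISOLATED_PAGE = `
<html><body>
<script src="/static/app.js"></script>
<iframe src="https://pay.example-psp.test/card-form"></iframe>
</body></html>`;

// Collect every value of `attr` on `tag` elements. A regex is enough for this
// illustration; a production audit should use a real HTML parser.
function attrValues(html, tag, attr) {
  const re = new RegExp(`<${tag}\\b[^>]*?\\s${attr}\\s*=\\s*["']([^"']+)["']`, "gi");
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Resolve a (possibly relative) URL against the page and return its origin.
function originOf(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin;
  } catch (e) {
    return null;
  }
}

// Report script origins outside the allowlist, and whether the card form is
// isolated: no card-number input in the top-level document and an iframe from
// an allowlisted (payment-provider) origin present.
function auditCheckoutPage(html, pageOrigin, allowed = ALLOWED_ORIGINS) {
  const allowedSet = new Set(allowed);
  const unexpectedScripts = attrValues(html, "script", "src")
    .map((src) => originOf(src, pageOrigin))
    .filter((o) => o && !allowedSet.has(o));
  const cardFieldInPage =
    /<input\b[^>]*(autocomplete\s*=\s*["']cc-number["']|name\s*=\s*["'](cardnumber|pan)["'])/i.test(html);
  const iframeOrigins = attrValues(html, "iframe", "src").map((s) => originOf(s, pageOrigin));
  return {
    unexpectedScripts: [...new Set(unexpectedScripts)],
    cardFormIsolated: !cardFieldInPage && iframeOrigins.some((o) => allowedSet.has(o)),
  };
}

// CSP for the checkout page: scripts, fetch/XHR/beacon connections, form
// posts, frames and images are all limited to the allowlist, so a skimmer
// that does get injected has none of those channels to reach an unlisted host.
function buildCsp(allowed = ALLOWED_ORIGINS) {
  const list = allowed.join(" ");
  return [
    "default-src 'self'",
    `script-src 'self' ${list}`,
    `connect-src 'self' ${list}`,
    `form-action 'self' ${list}`,
    `frame-src ${list}`,
    `img-src 'self' ${list}`,
  ].join("; ");
}

// Simplified CSP evaluation: may a request to `targetOrigin` be made under
// `directive`? Fetch directives fall back to default-src when absent;
// form-action does not. Only exact-origin and 'self' matching is modelled
// (browsers also handle wildcards, paths and scheme upgrades).
function cspAllows(csp, directive, targetOrigin, pageOrigin) {
  const dirs = {};
  for (const part of csp.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) dirs[name] = sources;
  }
  const fallback = directive === "form-action" ? [] : dirs["default-src"] || [];
  const sources = dirs[directive] || fallback;
  return sources.some((s) => s === targetOrigin || (s === "'self'" && targetOrigin === pageOrigin));
}
```

Running `auditCheckoutPage(SAMPLE_PAGE, ALLOWED_ORIGINS[0])` flags `https://stats.third-party.test` and reports `cardFormIsolated: false`, while the isolated page passes both checks. With the policy from `buildCsp()`, `cspAllows(csp, "connect-src", "https://exfil.example.test", ALLOWED_ORIGINS[0])` returns `false`, i.e. a POST of captured card data to an unlisted host would be refused by the browser.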

Bill Conner, CEO of SonicWall, said: "Organizations and government entities carry a responsibility to consumers and civilians alike to guard their most valuable information at all cost. While the British Airways breach may not have been as detrimental as I’m sure its culprits would have liked it to be, it should serve as a wake-up call to CTOs, CIOs and CISOs. The fact is, it is early days, and the true damage done is yet to be seen. Personal information that does not change as easily as a credit card or bank account number drives a high price on the Dark Web. This kind of Personally Identifiable Information is highly sought after by cybercriminals for monetary gain. Companies should be implementing security best practices such as a layered approach to protection, as well as proactively updating any out of date security devices, as a matter of course."

Creating Ripples: The Impact and Repercussions of GDPR, So Far

“GDPR is coming, GDPR is coming!” For months this was all we heard – everyone was discussing GDPR’s impending arrival on May 25th, 2018, and what they needed to do to prepare for the new privacy regulation. GDPR – the General Data Protection Regulation – was adopted on April 14th, 2016, as a replacement for the EU’s former legislation, the Data Protection Directive. At its core, GDPR is designed to give EU citizens more control over their personal data. But in order for that control to be placed back in consumers’ hands, organizations have to change the way they do business. In fact, just five months after the implementation date, we’ve already seen GDPR leave an impact on companies. Let’s take a look at the ramifications that have already come to light because of GDPR, and how the effects of the legislation may continue to unfold in the future.

Even though the EU gave companies two years to ensure compliance, many waited until the last minute to act. Currently, no one has been slapped with the massive fines, but complaints are already underway. In fact, complaints have been filed against Google, Facebook, and its subsidiaries, Instagram and WhatsApp. Plus, Max Schrems's None of Your Business (NOYB) and the French association La Quadrature du Net have been busy filing complaints all around Europe. “Data Protection officials have warned us that they will be aggressively enforcing the GDPR, and they watch the news reports. European Economic Area (EEA) residents are keenly aware of the Regulation and its requirements, and are actively filing complaints,” said Flora Garcia, McAfee’s lead privacy and security attorney, who managed our GDPR Readiness project.

However, the ramifications are not just monetary, as the regulation has already affected some organizations’ user bases, as well as customer trust. Take Facebook for example: the social network actually attributes the loss of 1 million monthly active users to GDPR, as reported in its second-quarter earnings. Then there’s British Airlines, which claims that, in order to provide online customer service and remain GDPR compliant, its customers must post personal information on social media. Even newspapers’ readership has been cut down due to the legislation, as publications such as the Los Angeles Times and Chicago Tribune stopped allowing European readers access to their sites in order to avoid risk. “This is the new normal, and all companies need to be aware of their GDPR obligations. Companies outside of the EEA who handle EEA data need to know their obligations just as well as the European companies,” Garcia says.

GDPR has had tactical repercussions too; for instance, it has changed how the IT sector communicates the way it stores customer data. A consumer’s ‘right to be forgotten’ means organizations have to clearly explain how a customer’s data has been removed from internal systems when they select this option, while also ensuring a secure backup copy remains. GDPR also completely changes the way people view encrypting and/or anonymizing personal data.

What’s more, according to Don Elledge, guest author for Forbes, GDPR is just the tip of the iceberg when it comes to regulatory change. He states, “In 2017, at least 42 U.S. states introduced 240 bills and resolutions related to cybersecurity, more than double the number the year before.” This is largely due to the visibility of big data breaches (Equifax, Uber, etc.), which has made data protection front-page news, awakening regulators as a result. And with all the Facebook news, the Exactis breach, and the plethora of data leaks we’ve seen so far this year, 2018 is trending in the same direction. In fact, the California Consumer Privacy Act of 2018, which will go into effect January 1st, 2020, is already being called the next GDPR. Additionally, Brazil signed a Data Protection Bill in mid-August, which is inspired by GDPR and is expected to take effect in early 2020. The principles are similar, and potential fines could near 12.9 million USD. Both China and India are currently working on data protection legislation of their own as well.

So, with GDPR already creating ripples of change and new, similar legislation coming down the pipeline, it’s important now more than ever that companies and consumers alike understand how a piece of data privacy legislation affects them. Beyond that, companies must plan accordingly so that their business can thrive while remaining compliant.

To learn more about GDPR and data protection, be sure to follow us at @McAfee and @McAfee_Business, and check out some of our helpful resources on GDPR.

 

The information provided on this GDPR page is our informed interpretation of the EU General Data Protection Regulation, and is for information purposes only and it does not constitute legal advice or advice on how to achieve operational privacy and security. It is not incorporated into any contract and does not commit promise or create any legal obligation to deliver any code, result, material, or functionality. Furthermore, the information provided herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. If you require legal advice on the requirements of the General Data Protection Regulation, or any other law, or advice on the extent to which McAfee technologies can assist you to achieve compliance with the Regulation or any other law, you are advised to consult a suitably qualified legal professional. If you require advice on the nature of the technical and organizational measures that are required to deliver operational privacy and security in your organization, you should consult a suitably qualified privacy professional. No liability is accepted to any party for any harms or losses suffered in reliance on the contents of this publication.

 

The post Creating Ripples: The Impact and Repercussions of GDPR, So Far appeared first on McAfee Blogs.

Latest on the Currys PC World Data Breach Impacting 10 Million Customers

Following further investigations, Currys PC World today confirmed that the personal details of 10 million of their customers may have been stolen by hackers, a revised number from the 1.2 million customers and 5.9 million payment cards it advised back in June.

In June 2018, the company said there had been "an attempt to compromise" 5.8 million credit and debit cards, but that only 105,000 cards without chip-and-PIN protection had been leaked after hackers attempted to access the company's payment processing systems.

The hack was said to have occurred nearly a year before it was disclosed, so either it went undetected, which is common where there is inadequate security monitoring in place, or the business knew about the breach but chose not to disclose it to its impacted customers.

The Information Commissioner's Office (ICO) fined Dixons Carphone £400,000 for a 2015 data breach; however, Currys PC World stated the incidents were not connected.

The business stressed it has now improved its security measures including enhanced controls, monitoring, and testing to safeguard customer information, and "trebling their investment in cybersecurity". Unfortunately, no details have been disclosed explaining how the hackers were able to access such large quantities of personal data. The company "security improvement" statement suggests their IT security was rather underfunded and not at a sufficient standard to adequately secure their business operations and customer data.

The ICO and the NCSC both released statements in June about the breach. So we'll see what the ICO makes of it, but I think the business is likely to be fined again, although not the potentially massive GDPR penalties, as this data breach occurred before the GDPR came into force in May.

Customer statement by Currys PC World to their customers today

On June 13, we began to contact a number of our customers as a precaution after we found that some of our security systems had been accessed in the past using sophisticated malware.

We promptly launched an investigation. Since then we have been putting further security measures in place to safeguard customer information, increased our investment in cyber security and added additional controls. In all of this we have been working intensively with leading cyber security experts.

Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017. This unauthorised access to data may include personal information such as name, address, phone number, date of birth and email address.

While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and we have no confirmed instances of customers falling victim to fraud as a result. We are continuing to keep the relevant authorities updated.

As a precaution, we are letting our customers know to apologise and advise them of protective steps to take to minimise the risk of fraud. These include:

  • If you receive an unsolicited email, letter, text or phone call asking for personal information, never reveal any full passwords, login details or account numbers until you are certain of the identity of the person making the request. Please do not click on any links you do not recognise.
  • If you think you have been a victim of fraud you should report it to Action Fraud, the UK’s national fraud and internet crime reporting centre, on 0300 123 2040*.
  • We also recommend that people are vigilant against any suspicious activity on their bank accounts and contact their financial provider if they have concerns.

You can find more information here
We take the security of your data extremely seriously and have previously announced that we have taken action to close off this access and have no evidence it is continuing. Nevertheless, we felt it was important to let customers know as soon as possible.

We continue to make improvements and investments to our security systems and we’ve been working round the clock to put this right. We’re extremely sorry about what has happened – we’ve fallen short here. We want to reassure you that we are fully committed to protecting your data so that you can be confident that it is safe with us.

Cyber Security Roundup for May 2018

I'm sure the release of the GDPR on 25th May hasn't escaped anyone's attention. After years of warnings about the EU parliament's intended tough stance on enforcing the human right to privacy in the digital realm, a real 'game changer' of a global privacy regulation has finally landed, which impacts any organisation which touches EU citizens' personal data.

The GDPR's potentially hefty financial penalties for breaching its requirements are firmly on the radar of directors at large enterprises and small businesses alike, hence the massive barrage of emails we have all received in recent weeks on changes to company privacy statements and requesting consent, many of which I noted were not GDPR compliant in how they obtained "explicit consent" from the data subject. So there is a long way to go for many organisations before they reach a truly GDPR compliant state, based on what I've seen so far in my mailbox.

Cybercriminals have been quick to take advantage of the deluge of GDPR privacy emails, using the subject matter in their phishing attacks to gain access to accounts and con victims.
On a positive GDPR note, also on 25th May, IBM developerWorks released a three-part guidance series that I wrote, aimed at helping Application Developers to develop GDPR compliant applications.

Developing GDPR Compliant Applications Guidance

Overshadowed by the GDPR coming into force were the release of the new NHS Data Security and Protection Toolkit, aimed at the NHS and its service providers, and the European NIS Directive (for telecom providers), both of which went under the radar but are significant to those working in those industries.

Always make sure your broadband router\hub does not permit remote administrative access (over the internet) and is always kept up-to-date with the latest security patches; otherwise, it will be at serious risk of being hacked and remotely controlled by cyber-criminals. As evidenced this month: a DNS flaw in over 800,000 Draytek routers allowed hackers to take them over, malware called VPNFilter infected 500,000 routers, and serious vulnerabilities were reported in TP-Link EAP controllers.

IBM made headlines after banning its workers from using USB sticks, which I think is a good and reasonable policy. Quite frankly, in any modern enterprise, whether large or small, with a decent IT infrastructure and cloud services, staff shouldn't need to use USB devices to move data either internally or externally with third parties, so I see this as a rather smart business and security move to ban all USB devices, as it forces staff to use the more secure and more efficient technology made available.

As my @securityexpert Twitter account crossed the 10,000 follower threshold, Twitter advised 300 million users to reset their passwords after an internal error. Apparently, the passwords for the Twitter accounts were accidentally stored in a database in their "plain text" value instead of as a hashed value, as per best practice. I always strongly recommend that Twitter users take advantage of the multi-factor authentication system Twitter provides, which reduces the risk of account hacking.

Breaches of note in May included a T-Mobile website bug which exposed personal customer data, Coca-Cola said an insider breached 8,000 accounts, and BMW cars were found to have over a dozen security vulnerabilities.

As always, a busy month of new security patch releases, with Microsoft, Adobe, PHP, PGP, Google, Git, and Dell all releasing critical security updates to fix significant security flaws. Click the links for the full details.

Analysis of DDoS attacks at Cloudflare has revealed that while organisations in the UK have certainly upped their spending on DDoS mitigation, cyber-criminals are now responding by switching to Layer 7 based DDoS attacks.
Also of interest: articles about the Welsh Cyber Security Revolution and a review of the NHS a year on from the WannaCry outbreak.

Reports of interest this month include the Thales Data Threat Report, which found UK businesses to be the most breached in Europe; the LastPass Psychology of Passwords Report, which found 59% of people surveyed used the same passwords across multiple accounts, despite 91% of them knowing that using the same password for multiple accounts is a security risk; and the 2017 Cylance Report, which stated the number of cyber-attacks on industries such as healthcare, manufacturing, professional services, and education rose by about 13.4% between 2016 and 2017.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

Application Development GDPR Compliance Guidance

Last week IBM developerWorks released a three-part guidance series I have written to help Application Developers develop GDPR compliant applications.

Developing GDPR Compliant Applications Guidance

The GDPR
The General Data Protection Regulation (GDPR) was created by the European Commission and Council to strengthen and unify Europe's data protection law, replacing the 1995 European Data Protection Directive. Although the GDPR is a European Union (EU) regulation, it applies to any organizations outside of Europe that handle the personal data of EU citizens. This includes the development of applications that are intended to process the personal information of EU citizens. Therefore, organizations that provide web applications, mobile apps, or traditional desktop applications that can indirectly process EU citizens' personal data or allow EU citizens to sign in are subject to the GDPR's privacy obligations. Organizations face the prospect of powerful sanctions should applications fail to comply with the GDPR.

Part 1: A Developer's Guide to the GDPR
Part 1 summarizes the GDPR and explains how the privacy regulation impacts and applies to developing and supporting applications that are intended to be used by European Union citizens.

Part 2: Application Privacy by Design
Part 2 provides guidance for developing applications that are compliant with the European Union’s General Data Protection Regulation.

Part 3: Minimizing Application Privacy Risk
Part 3 provides practical application development techniques that can alleviate an application's privacy risk.

How prepared is your business for the GDPR?

The GDPR is the biggest privacy shakeup since the dawn of the internet, and it is just weeks before it comes into force on 25th May. GDPR comes with potentially head-spinning financial penalties for businesses found not complying, so it really is essential for any business which touches EU citizens' personal data to thoroughly do their privacy rights homework and properly prepare.

Sage have produced a nice GDPR infographic which breaks down the basics of the GDPR with tips on complying, which is shared below.

I am currently writing a comprehensive GDPR Application Developer's Guidance series for IBM developerWorks, which will be released in the coming weeks.


The GDPR: A guide for international business - A Sage Infographic

Cyber Security Roundup for February 2018

February saw over 5,000 websites infected by cryptocurrency mining malware after a popular accessibility plugin called ‘BrowseAloud’ was compromised by hackers. This led to several UK Government and council websites going offline, including those of the Information Commissioner's Office, the Student Loans Company, and Manchester City, Camden and Croydon Councils. Symantec researchers also announced that 'cryptojacking' attacks had increased 1,200% in the UK. Cryptojacking once involved the installation of cryptocurrency mining malware on users' computers, but now it is more frequently done in-browser, by compromising a website so that it executes malicious mining JavaScript when a user visits it, as in the 'BrowseAloud' incident.

More than 25% of UK Councils are said to have suffered a breach in the last five years according to the privacy group Big Brother Watch, who said UK Councils are unprepared for Cyber Attacks.

There was a fascinating report released about the threat of Artificial Intelligence (AI), written by 26 leading AI experts; the report forecasts the various malicious uses of AI, including in cybercrime and the manipulation of social media and national news media agendas.

GDPR preparation or panic, depending on your position, is gaining momentum with less than 100 days before the privacy regulation comes into force in late May. Here are some of the latest GDPR articles of note.

Digital Guardian released an interactive article where you can attempt to guess the value of various types of stolen data to cybercriminals: Digital Guardian: Do you know your data's worth?

Bestvpns released a comprehensive infographic covering the 77 Facts About Cyber Crime we should all know about in 2018.

February was yet another frantic month for security updates, which saw Microsoft release over 50 patches, and there were new critical security updates by Adobe, Apple, Cisco, Dell, and Drupal.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

GDPR Material and Territorial Scopes

The new EU General Data Protection Regulation will enter into force on 25 May of this year. The GDPR contains rules concerning the protection of natural persons when their personal data are processed and rules on the free movement of personal data. The new regulation is not revolutionary but an evolution from the previous Data Protection Act 1998 […]

GDPR Preparation: Recent Articles of Note

Company preparations for GDPR compliance are (or should be!) in full swing with the 25th May enforcement date fast looming on the horizon. With that in mind, I found the following set of recent GDPR articles a decent and interesting read. The list was compiled by Brian Pennington of Coalfire, who has kindly allowed me to repost it.

If you are after further GDPR swotting up, you could always read the actual regulation, the EU General Data Protection Regulation (EU-GDPR), and don't forget to read all the Recitals.

If you have any other GDPR-related articles or blogs of note, please post them in the comments.

Cyber Security Roundup for January 2018

2018 started with a big security alert bang after Google security researchers disclosed serious security vulnerabilities in just about every computer processor in use on the planet. Named 'Meltdown' and 'Spectre', when exploited by a hacker or malware these vulnerabilities can disclose confidential data. As a result, a whole raft of critical security updates was hastily released for computer and smartphone operating systems, web browsers, and processor drivers. While processor manufacturers have been rather lethargic in reacting and producing patches for the problem, software vendors such as Microsoft, Google and Apple have reacted quickly, releasing security updates to protect their customers from the vulnerable processors; kudos to them.

The UK Information Commissioner's Office (ICO) heavily criticised Carphone Warehouse for security inadequacies and fined the company £400K following its 2015 data breach, when the personal data, including bank details, of millions of Carphone Warehouse customers was stolen by hackers, in what the company at the time described as a "sophisticated cyber attack" (where have we heard that excuse before?). Certainly the ICO wasn't buying that after it investigated, reporting a large number of Carphone Warehouse security failures, which included the use of software that was six years out of date; a lack of “rigorous controls” over who had login details to systems; no antivirus protection running on the servers holding data; the same root password being used on every individual server, which was known to “some 30-40 members of staff”; and the needless storage of full credit card details. Carphone Warehouse should thank its lucky stars the breach didn't occur after the General Data Protection Regulation comes into force: with such a damning list of security failures, the company may well have been fined considerably more by the ICO, which is granted vastly greater financial sanctions and powers when the GDPR kicks in in May.

The National Cyber Security Centre warned that the UK national infrastructure faces serious nation-state attacks, stating it is a matter of "when" not "if". There are also claims that the cyberattacks against Ukraine in recent years were down to Russia testing and tuning its nation-state cyberattack capabilities.

At the Davos summit, the Maersk chairman revealed his company spent a massive £200m to £240m on recovering from the recent NotPetya ransomware outbreak, after the malware 'totally destroyed' the Maersk network. That's a huge price to pay for not regularly patching your systems.

It's no surprise that cybercriminals continue to target cryptocurrencies given the high financial rewards on offer. The most notable attack was a £290k cyber-heist from BlackWallet, where the hackers redirected 700k BlackWallet users to a fake replica BlackWallet website after compromising BlackWallet's DNS server. The replica website ran a script that transferred users' cryptocurrency into the hacker's wallet; the hacker then moved the currency into a different wallet platform.

In the United States, the Federal Trade Commission (FTC) fined toy firm VTech US$650,000 (£482,000) for violating US children's privacy law. The FTC alleged the toy company violated the Children's Online Privacy Protection Rule (COPPA) by collecting personal information from hundreds of thousands of children without providing direct notice.

It was reported that a POS malware infection at Forever21, together with lapses in encryption, was responsible for the theft of debit and credit card details from Forever21 stores late last year. Payment card data continues to be a high-value target for cyber crooks with sophisticated attack capabilities, who are willing to invest considerable resources to achieve their aims.

Several interesting cybersecurity reports were released in January. The Online Trust Alliance Cyber Incident & Breach Trends Report: 2017 concluded that cyber incidents doubled in 2017 and that 93% were preventable. Carbon Black's 2017 Threat Report stated that non-malware-based cyber-attacks were behind the majority of cyber-incidents reported in 2017, despite the proliferation of malware available to both professional and amateur hackers. Carbon Black also reported that ransomware attacks are inflicting significantly higher costs and that the number of attacks skyrocketed during the course of the year; no surprise there.

Malwarebytes' 2017 State of Malware Report said ransomware attacks on consumers and businesses slowed down towards the end of 2017 and were being replaced by spyware campaigns, which rose by over 800% year-on-year. Spyware campaigns not only allow hackers to steal precious enterprise and user data but also allow them to identify ideal attack points from which to launch powerful malware attacks. The Cisco 2018 Privacy Maturity Benchmark Study claimed 74% of privacy-immature organisations were hit by losses of more than £350,000, and that privacy-mature companies have fewer data breaches and smaller losses from cyber-attacks.

NEWS

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

REPORTS

Cyber Security Roundup for November 2017

One of the most notable data breaches disclosed this month was by Uber, given that the company attempted to cover up the breach by paying off the hackers. Over a year ago the transport tech firm was said to have paid £75,000 to two hackers to delete 57 million Uber account records which they had stolen. Uber revealed around 2.7 million of the stolen records were those of British riders and drivers. As a UK Uber rider, this could mean me; I haven't received any notification of the data breach from Uber as yet. The stolen information included names, email addresses, and phone numbers. Uber can expect enforcement action from regulators on both sides of the pond: the UK Information Commissioner's Office (ICO) said it had "huge concerns" about the breach and was investigating.

Jewson, Cash Converters, and Imgur all reported losing data due to hacks this month, while Equifax reported suffering significant financial losses following its high-profile hack of personal customer data. Equifax reported that its net income had dropped by £20 million due to the hack, and that its breach bill was coming in at a whopping £67 million.

November was a very busy month for security patch releases, with Microsoft, Apple, Adobe, Oracle, Cisco and Intel releasing a raft of patches to fix critical vulnerabilities. Apple even had to quickly release an emergency patch at the end of November to fix a root access flaw reported in macOS High Sierra version 10.13.1. So keep patching all of your IT to ensure you and your business stay ahead of enterprising cybercriminals; the Equifax breach is a prime example of what can go wrong when system patching is neglected.

November also saw the Open Web Application Security Project (OWASP) finally release an updated version of its Top Ten application vulnerabilities list, which is 'must know' secure coding best practice for all software developers and security testers, especially considering that Akamai reported web application attacks had increased by 69% in the third quarter of 2017. Look out for an updated OWASP Top Ten IBM DeveloperWorks Guidance from me in December to reflect the updated list.
