Data terrorism – a deadly match

The impact of the Ashley Madison mass cyber leak is reported to have claimed its first suicide victims in the last few days following the first divorce proceeding announcements from suspicious partners across the globe.

There has now been an accusation from an aggrieved former staffer at Ashley Madison that innocent victims formed part of the mass data volume.  The employee, who had sought compensation in a grievance case against the dating agency, claimed that she had been recruited to make up spurious accounts to boost membership numbers and attract matches, along with an insidious claim that innocent people had been caught up in 3rd party data lists looped in and caught up in the resulting data dump.

Avid Life Media in desperate attempts to try and position itself as the victim, has offered a £240,000 reward for information leading to the hackers of its IT systems. If the number of class action lawsuits (five at the latest count – 4 US and 1 Canadian) are anything to go by, Avid Life might be trying to raise the sum, not offer it in future, as more than $500 billion is already being claimed in damages, according to NBC News.  On top of this, claims have emerged from security blogger Brian Krebs that leaked emails show that CEO Noel Biderman hacked into a competitors database, in 2012 to download and play with their customers’ accounts to make non-paying customers pay and create mythical messages between parties.

Beyond Avid Life’s own low morale stance, an unsurprising but sad repercussion has been the news that cyber criminals are now reaching out to victims, claiming to have access to the stolen data and are targeting them with directions to click on spurious links that then open them to further malware threats. This is in addition to direct blackmail threats to a number of parties threatening to expose their identities from the publicly held information and share it with spouses, employers and their communities.

In a more positive regulatory twist this week, following a US appeal court ruling, the Federal Trade Commission has given the greenlight for a lawsuit against US hotel operator, Wyndham Worldwide, who suffered three breaches in 2008 and 2009. This resulted in frauds totalling more than $10.6 million against its 619,000 customers whose personal details and credit card information was stolen.  The FTC’s legal argument being that the hotel group failed to properly safeguard consumers’ data. This augurs badly for Avid Life Media if the wind changes in the direction of corporate responsibility as expected now.

For privacy protection firm Privitar commenting on the Wyndham Worldwide ruling, safeguarding data should be a key priority of organisations.  Their CEO Jason du Preez commented: “This decision is further support for the notion that companies need to take the way they manage and process sensitive data more seriously.”  Whilst opportunities from big data analytics are genuine, there are real legal and ethical implications which need to be properly comprehended and interpreted. For du Preez, “…ensuring that only essential data is visible in any given process, organisations can extract essential value from data while complying with the strictest standards for data protection as it separates data utility from data identity”, he said.

A cyber hacker is a terrorist and like any terrorist, has no care about how many victims they hurt, or how badly.  It is therefore up to every organisation to take all reasonable steps to safeguard the data they hold on behalf of 3rd parties.  There is no other option in today’s society – unless you want to throw away your business and see it going under through the courts.


3D scanning is coming to a smartphone near you


3D scanning, used to make models which could be manipulated on a PC or printed on a 3D printer, requiring sophisticated depth-sensing cameras.  These 3D cameras can be both very expensive and much larger than a regular camera sensor, both traditionally being barriers to bringing the technology to mobile in a more mainstream way.

Microsoft, no stranger to 3D camera technology, has developed multiple commercial versions of its Xbox Kinect 3D motion camera and has shown off several prototypes on miniaturized, mobile versions of 3D cameras. They have now announced a new, software driven approach to bringing 3D scanning to the mass market called “MobileFusion”.

MobileFusion doesn’t rely on any special 3D hardware but is entirely driven by an app being developed for iOS, Android and Windows Phone. The main focus for the app is to create digital versions of real life objects that can be then printed on a 3D printer.

The trick to using a single camera to capture depth is that it needs to be slowly moved around the object, so it does take longer to capture, however the cost and availability bonuses of the app should make this an exciting addition to the phone’s feature set.

The reason why this is a major step forward is that currently 3D scanners are very limited and conversely, most people own a smartphone.  This remarkable technology will let anyone capture digital copies of real world objects be it at a museum, outside, in home or in the office.

With many more 3D objects available and the power to create them at ease, 3D printing may get its shot at mainstream success beyond the current niches that have adopted the technology so far.

Warning from Information Commissioner – data security too lax in legal profession

With law firms the seventh most targeted business group according to the Cisco 2015 Annual Security Report, it is probably little surprise that the Information Commissioner, Christopher Graham, has warned the profession to improve its information security practices after 15 reported data breach incidents involving members of the industry in three months.

Christopher Graham commented: “The number of breaches reported by barristers and solicitors may not seem that high, but given the sensitive information they handle, and the fact that it is often held in paper files rather than secured by any sort of encryption, that number is troubling. It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach.”

The Law Society Gazette announced that the ICO investigated 173 UK law firms in 2014 for a variety of incidents that may have breached the Data Protection Act 1998 (DPA).

Solicitors and barristers hold a veritable treasure chest of data including: confidential business data, proprietary information and intellectual property, litigation strategy information, personally identifiable information, and other legally sensitive information.

The impact for the legal profession is serious.  The penalties for a law firm quite profound.  If found guilty of breaching the DPA, law firms can face fines of up to £500,000 from the ICO, as well as a damaging loss of credibility.

Graham warns about data security Principle 7 of the DPA, which states that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. 

The ICO says he is mindful that there is “no one size fits all” solution, so “…[legal firms] should adopt a risk-based approach to deciding what level of security you need”, in order to mitigate the risk.

The efficacy of ISO 27001 and best-practice cyber security IS that necessary safeguard.  ISO27001 as an ISMS, wraps people, processes and technology with an enterprise-wide approach to protecting information – in whatever form it is held – based on the specific threats the organisation actually faces.  This acts as the counterpoint to inadvertent threats posed by untrained staff, inadequate procedures and out-of-date software solutions.

Responsible companies should certainly take heed of his advice and do more to protect their client data.   This may be in the form of gaining the certification directly, or alternatively, outsourcing to a reputable established IT Managed Service Provider which holds this this essential accreditation to properly consult and set about the necessary measures to formally protect clientele, finances and reputation.  What price reputation?


No anonymity when you screw around online – notes from the Ashley Madison fallout

Adulterous subscribers and suspicious partners worldwide waited with baited breath for the fallout after data hackers the “Impact Team’ mass dumped the personal data records of 32 million users from the Ashley Madison database on 15th July 2015.  “It’s full account information,” said Robert Graham, CEO of Errata Security, in a blog post. “That includes full names, emails, phone numbers, addresses and passwords”.  Additionally credit card information and dating information about height, weight, personal information and GPS co-ordinates are included.  Whatever fake accounts some people may have created, there’s so much information leaked that dissecting it and cross referencing it will enable the identities to be verified.

With a further 14 Gigabytes of data with matching encryptions keys dumped yesterday, it is little surprise that the first divorce proceedings about suspected infidelities have started to be listed in the English law courts.  Inevitably the primary beneficiaries of all of this will be the divorce lawyers.  As one quipped today, “September will be like Christmas this year”.  Nice.

The list of global offenders some of whom may have signed up with false names or email addresses is reported to include: business leaders, public figures, government employees, senior politicians, members of the military, police officers and diplomats.  In the US, more than 15,000 of the email addresses are allegedly hosted on US government or military servers using the “.gov” and “.mil” top-level domains, with ties to agencies including the State Department, Department of Homeland Security, as well as the House and Senate.  There is real risk for damaged reputations and of course the prospect of future blackmail threats awaiting some – but for those naughty enough to use the website, it may be years before they are targeted by criminals.

A trigger for the hackers was apparently the flaws in their data protection policy, with leavers being charged a £12 fee to have their details removed permanently.  However, this was not the case, despite assurances from CEO Neil Biderman, as after initial threats from the Impact Team, there were multiple reports of people who had paid this charge whose details still appeared in the exposed data.

Ashley Madison factoids:
• The online dating agency for married people has been running since 2001.
• Subscribers number 37 million members worldwide across 46 countries.
• The organisation states that there are 1.2 million subscribers in the UK alone (representing 2% of the population).
• Ashley Madison’s revenue for 2014 was reported at £77m.
• They are stated to be worth £670 million.

The source code of Ashley Madison is held by its parent company Avid Life, which now faces threat through its other websites and business interests.  The Sword of Damocles now hangs over smug CEO Noel Biderman’s business.  It is highly unlikely it can survive a) the hit to its reputation as a safe place to flirt and b) the cost of lawsuits which are expected to hit its doormat in coming months?

From a legal perspective a breach of privacy may have occurred if personal information has been discovered and published, which could open Ashley Madison to lawsuits.   Mark Watts Head of Data Protection at London law firm Bristows, noted that if a company had a presence in the UK (eg. office or a server) it would be subject to the UK’s Data Protection Act and UK residents would have the right to have their data deleted for free. “You cannot charge for it”, he said.  Our quick check at Companies House shows one Ashley Madison Limited, private limited company, still reportedly active in status terms today, whose nature of business is “other information technology service activities”. They have a registered office in Milton Keynes.

As Luke Scanlon, technology lawyer at Pinsent Masons commented:  “The interesting thing about this incident is that recent court decisions in the UK have been leaning towards the view that a claim can be brought when no financial loss occurs but where a person experiences distress as a result of a data breach.

“In the case of Ashley Madison… if each were to try to claim for £1000 in compensation Ashley Madison could see itself incurring costs of up to £1.2 billion. Even if claims for distress in this case are modest, the sheer volume of data breached and individuals affected in this attack could have a critical impact on the company”.  A remedy for breach of contract he advises would be complicated, costly, and risk further exposure.  However, this sounds like a Class Act to us.

Unreasonable behaviour certainly from Ashley Madison, a salutary reminder to businesses and organisations that never has it been more important to ensure that they have up to date data security measures in place, accompanied by robust governance policies to ensure best possible defence against cyber threats.

Google’s going to have a daddy called Alphabet


This week Google announced plans for the US tech giant to be divided up and run by a new parent company called Alphabet, with Google CEO becoming the CEO for Alphabet.

Google is known primarily for its search engine and other web services such as Mail, Maps and YouTube but the money Google has made from these ventures and most importantly its internet ads, have given it the opportunity to spin up a surprising amount of side-projects big and small.

This split of the main company into division companies with dedicated leadership of each, enables Google to remain focused, not just on its core business such as web services and android platform development, but keep a spotlight on self-driving cars, robotics and its far reaching project, Calico – which seeks to deny death.

The new Alphabet companies consist of the following:

Google – core business such as search, Android, YouTube, Maps, ect
Google X – research and moonshot projects including Google Glass, Internet delivering balloons, robotics, ect
Fiber – high speed internet delivery
Nest – last years smart home devices acquisition
Sidewalk Labs – improving modern cities
Calico – Life sciences company project to increase human longevity
Google Capital – investment arm focusing on late-state growth companies
Google Venture – venture capital arm

In addition to the splitting up, Alphabet’s logo has a more subdued tone. The main Google logo has not changed however and remains as colourful as ever.

It is likely we will see more announcements soon and possibly Alphabet will be adding even more companies, both acquisitions and new developments into its fold in the future. The ambition of Google is looking bigger than ever.  But with Alphabet, they can down play their monstrous size and focus on delivering new individual projects once more.

As co-founder Larry Page said in his announcement:  “We’ve long believed that over time companies tend to get comfortable doing the same thing, just making incremental changes. But in the technology industry, where revolutionary ideas drive the next big growth areas, you need to be a bit uncomfortable to stay relevant”.  The tech giant is certainly keeping to that promise and ensuring that whilst its brand stays prominent, it is able to explore this statement of intent with clearly defined new business areas for the behemoth.

Local authorities committing 4 data breaches every day

big brother watch

A new study by privacy campaign group Big Brother Watch has identified an alarming amount of recorded data breaches by local authorities. Over a 3 year period there was 4,236 data breaches, with the authorities with the largest amount of recorded breaches listed below:

1.           Brighton and Hove City Council – 190
2.           Sandwell Council – 187
3.           Telford and Wrekin Council – 175
4.           Peterborough City Council – 160
5.           Herefordshire Council – 157
6.           Glasgow City Council – 128
7.           Doncaster Council – 106
8.           Essex County Council – 106
9.           Lincolnshire County Council – 103
10.         Wolverhampton City Council – 100

In addition to the amount of breaches, the attitude towards protecting data shown by local authorities is seen as alarming by Big Brother Watch’s director Emma Carr, stating the findings showed “shockingly lax attitudes to protecting confidential information”.

The study findings are based on feedback to Freedom of Information requests sent to all UK local authorities and includes; data lost over 400 times, 5000 letters sent to wrong address, sensitive or confidential information compromised in 260 cases and breaches involving personal data linked to children on 658 occasions.   With regard to the data loss, despite more than 400 instances of loss or theft, including 197 mobile phones, computers, tablets and USBs and 600 cases where information was inappropriately shared, just a single person has faced criminal sanctions and only 50 have been dismissed.  Southampton City Council recorded 50 data breaches.

The Information Commissioner’s Office, the Justice Select Committee and the Home Affairs Select Committee have all given their widespread support for imposing tougher penalties for the most serious of data breaches.  However, with only a fraction of employees disciplined or dismissed, one questions how seriously councils are taking protecting the privacy of the public?   A spokesman for the Local Government Association said: “Councils take data protection extremely seriously and staff are given ongoing training in handling confidential data.”   But on the face of the latest findings, this does not, by all accounts seem to the case.     Local authorities will need to prove that they can be trusted with digital security and that our personal data is safe with them, addressing both the security measures in place and policies around handling breaches once they have been found.

How toxic can the world’s domain controller ICANN get?

An alliance of 47 countries called on ICANN the world domain name distributor back in June 2015, to respect privacy and freedom of expression when allocating top domain names.   Amicus ITS last questioned the rationale and discretion of the company when it released “.sucks” as a domain name back in March 2015 and the squabbling about fee exploitation with its licencee over trademarking in April 2015.  See blog

The Council of Europe (CoE) whilst holding no legal power to force ICANN to change its procedures (ICANN is a body appointed by the US Government), has stated its concern that the personal data of the domain name holders (name and postal address) is publicly available on the WHOIS online database.  Whilst not subject to the European Data Protection Act, ICANN as a US body should, according to the CoE, give due regard and duty of care around the personal data it handles.  In a declaration, the CoE said:  “ICANN, as a private non-profit corporation, should respect international human rights law, notably the UN Resolution 17/4 on human rights and transnational corporations”.  The declaration goes on to note that ICANN should strike an appropriate balance between “…economic interests and those of pluralism, culture and linguistic diversity, alongside the needs of vulnerable groups and communities”.

A requirement for ICANN is to undergo an independent review into WHOIS every three years.  In the last review in 2012, the chairwoman Emily Taylor noted that ICANN staff were obstructive about its compliance function. With further reports noting poor levels of data accuracy in WHOIS records, the organisation was found wanting on its compliance and safeguards policy.

What then to make of last week’s news that ICANN Chairman, Steve Crocker lost the plot during a webinar with a working party from the 2015 review group, as they were assessing how ICANN should handle its database.  When challenged, Crocker was heard to shout: “That is completely unacceptable … I understand you didn’t really want to think hard about it, but this is a destructive and inappropriate thing to do.”  The outburst resulted in silence, followed by a “wow!” from one of the review group members.  Not a response one would expect from the head of the management board.

The organisation appears to be resolute in not acting on any of the previous independent recommendations.  This is alarming as ICANN is about to be handed control of the all powerful ‘IANA contract’ by the National Telecommunications and Information Administration (NTIA) (the arm of the US Department of Commerce responsible for this move).  This would grant ICANN 100% control of the world’s DNS and IP address allocations.  It all sounds messy and unsettling as the transition plan to the new IANA contract is reportedly riddled with flaws.  In addition, ICANN was recently found to have broken its own bylaws when it gave preferential treatment to one or two bidders for the “.africa” top-level domain.  Accusations have allegedly been made of cover-ups by the staff in misleading stakeholders and the public over its actions. It would appear that the organisation is out of control and in denial.

The NTIA meanwhile has opened two review periods for people to make comments on the proposals before it approves the transition, based on four principles:

1.  Support and enhance the multi-stakeholder model.
2.  Maintain the security, stability, and resiliency of the Internet DNS.
3.  Meet the needs and expectation of the global customers and partners of the IANA services.
4.  Maintain the openness of the Internet.

ICANN has chosen to stay silent over accusations by its critics.  Surely, this time of public review is the cue for technology organisations and the internet community on the other side of the Pond to rise up and challenge ICANN to provide evidence that it is fit for purpose to carry out this important role and handle data correctly. Either that, or perhaps it should relinquish the reins in favour of an organisation that can inspire trust?