Disaster for Three Mobile as huge data hack is disclosed


News has emerged today that one of Britain’s biggest mobile phone companies has suffered a huge breach of its systems, exposing an estimated six million user account details to  compromise.  This represents two thirds of the company’s customer base.

Believed to have been a hack through an authorised employee login, the hackers were able to access the customer upgrade database.

A spokesman for Three said, “Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.  We’ve been working closely with the Police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity”.

Three added that the data accessed included names, phone numbers, addresses and dates of birth, but added that it did not include financial information. Customers whose data has been affected have not yet been informed at this time. However the speed of intercept is indicated by the revelation by the National Crime Agency that they are investigating the breach and that three people have already been arrested, two for computer misuse and one for perverting the course of justice.

With the Chancellor, Philip Hammond’s speech at the beginning of November calling on companies to do more to protect their customers against cyber crime after the series of high-profile breaches in the last few years, the commercial imperative for businesses to create stronger security measures with GDPR on the horizon shows that the need for diligence in compliance is greater than ever.

As part of its ongoing efforts to keep its customers and regional businesses best informed, Amicus ITS has been conducting a series of cyber security roadshow events to help inform and educate businesses in the region.  The next one is on Thursday 24th November 2016 at its headquarters in Totton.  For details click here

UK healthcare: cyber attack focus

More than 113 million patient records were stolen from hospitals and healthcare facilities around the globe as a result of security failures and cyber-attacks in 2015.

IBM’s Cyber Security Intelligence Index naming the healthcare industry as the number one attacked industry in 2015, it is no surprise that 41% of all security breaches reported to the UK’s information Commissioner’s Office (ICO) year were from the health sector.

These attacks have not only damaged the reputation of healthcare organisations but also their bank balances. The ICO has issued 11 fines amounting to £1.4 million between April 2010 and November 2015, with one NHS trust fined £325,000 for the use of unencrypted devices.

Notable cyber-attacks and security breaches in the healthcare industry
October 2016 North Lincolnshire and Goole NHS Foundation Trust (NLAG) had its systems infected with a virus that resulted in cancelling at least 35 patient operations, and other patients had to be relocated whilst the threat was dealt with.

In 2015
56 Dean Street, an NHS HIV, clinic released email addresses of 781 patients while sending out its monthly newsletter.   730 of these addresses contained the full names of the recipients. The breach was an internal error that the ICO rewarded with a £180,000 fine.

NHS-approved online pharmacy company, Pharmacy2U, sold details of more than 20,000 of its customers to marketing companies without their knowledge or consent. This breach resulted in the ICO fining the pharmacy £130,000.

Why is the healthcare industry under attack?

Better technology and the move to paper-free healthcare allows health professionals to look up and share life-saving information wherever and whenever it is needed. This is vital in improving patient care but it has brought the industry into the sights of cyber criminals.

Personal confidential data is valuable to those with malicious intent, meaning that health and social care systems will increasingly be at risk from external threats and potential breaches as technology becomes more prevalent. This has been emphasised by Lynne Dunbrack, research vice president for the International Data Corporation (IDC): “Frankly, health care data is really valuable from a cyber-criminal standpoint. It could be 5, 10 or even 50 times more valuable than other forms of data.”

Reviewing data security for the health and care industry has found that internal breaches are often caused by people finding workarounds to burdensome processes and outdated technology – and that those people may be unaware of their responsibilities.

How to stop these attacks

Step 1: Cyber Essentials certification

Cyber Essentials is the UK-Government-backed security scheme that sets out five security controls that could prevent around 80% of basic cyber-attacks, improving cyber security and preserving the reputation of the healthcare industry.

Cyber Essentials certification also demonstrates to patients, suppliers and third parties that data security is being taken seriously.  Amicus ITS works with CREST approved, cyber security organisations to ensure that your status has been independently verified by a third-party vulnerability scan.

Step 2: ISO 27001

ISO 27001 is the international standard that describes best practice for an Information Security Management System (ISMS). It encompasses people, processes and technology, recognising that information security within the healthcare industry is not about technology alone.

Step 3: Protect your perimeter

With threats and threat actors continuously evolving there is a real need for intelligent perimeter protection as well as innovation with password and identity management. At Amicus ITS we are happy to provide advice to help ensure your data is as secure as possible.

Amicus ITS specialist information governance and security division, provides services to support NHS and public sector organisations. Our client base is substantial and includes corporations of all sizes. We believe our success in winning and retaining clients is due to Amicus ITS’ deep and ongoing understanding of N3 compliance requirements in the UK.

Accidental data leakage would be thing of the past with BS 10010


Consultation opens on BS 10010 which seeks to bring government-style information classification schemes to public organisations and end inadvertent data leakage.

Classified? BS 10010 says, think before you send.
A BSI standard which promises to end inadvertent data leakage is available for public consultation. The aptly binary standard, BS 10010 “Information Classification, Marking and Handling (ICMH)”, is designed to ensure that people within organisations who are sharing information will automatically mark the data with its information classification – such as sensitive, confidential, company confidential.

If sharing information with another BS 10010 compliant organisation, the sender would be assured that the recipient would follow the same procedures for handling that information.

“It’s designed to make people think carefully about how they classify information,” said Dr Andrew Rogoyski, vice president of cyber security services at CGI UK, who initiated the development of the standard with the British Standards Institute (BSI) two years ago.

“When people start realising that the stuff they are generating – whether it’s pictures or words – has some sensitivity, they will have to think, how am I protecting it and how do I ensure that only the right people get access to it?

The BSI set up a committee to create the standard and a draft for public consultation has been published on its website. The consultation will remain open until 27 December 2016.

The standard doesn’t prescribe specific solutions, hopes are that it will prompt developers to create word processing and email software that will automatically prompt users to classify documents as they produce them. Such systems already exist as add-ons to existing software but he said they lacked coherence. BS 10010 would help standardise the implementation of the systems and ensure compatibility within organisations and between third parties.

With the General Data Protection Regulation (GDPR) coming into force on 25 May 2018, BS 10010 may have come at just the right time. National information regulators such as the UK’s ICO will be empowered to levy fines of up to four percent of an organisation’s global turnover. One estimate following the recent Tesco Bank breach put the potential cost to Tesco (as the parent company of Tesco Bank) at as much as £1.9 billion if GDPR had been in effect.

It is hoped that BS 10010 will be adopted by organisations keen to tighten up their data classification systems.

BS 10010 is open for public comment on the BSI website until 27 December 2016.

JP Norman, Director of Technology, Security & Governance, “It will be interesting to see if there is a similar drive to spread it to supplier organisations, in the same way that the ISO 9001 management systems standard spread through the business ecosystem.”

UK will be implementing the EU General Data Protection Regulations in May 2018


Elizabeth Denham the UK Information Commissioner confirmed on 31st October 2016 that the UK would be implementing the EU General Data Protection Regulations.

She reported that The Secretary of State Karen Bradley MP announced the decision at the Culture, Media & Sport Committee meeting on 24th October 2016, confirming the following:   “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”

Elizabeth Denham confirmed, “I see this as good news for the UK. One of the key drivers for data protection change is the importance and continuing evolution of the digital economy in the UK and around the world. That is why both the ICO and UK government have pushed for reform of the EU law for several years.  The digital economy is primarily built upon the collection and exchange of data, including large amounts of personal data – much of it sensitive. Growth in the digital economy requires public confidence in the protection of this information.
Citizens want the benefits of these digital services but they want privacy rights and strong protections too.  Having sound, well-formulated and properly enforced data protection safeguards help mitigate risks and inspire public trust and confidence in how their information is handled by business, third sector organisations, the state and public service.
The major shift with the implementation of the GDPR will be in giving people greater control over their data. This has to be a good thing. Today’s consumers understand that they need to share some of their personal data with organisations to get the best service. But they’re right to expect organisations to then keep that information safe, be transparent about its use and for organisations to demonstrate their accountability for their compliance”.

As Amicus ITS reported in our blog on 14th October 2016, the Information Commissioner’s Office is committed to helping UK businesses and public bodies to prepare to the meet the requirements for GPDR ahead of May 2018 and beyond.  It’s 12 point plan for business is published and all organisations are urged to review it against their current data protection measures.

Elizabeth Denham added:  “I acknowledge that there may still be questions about how the GDPR would work on the UK leaving the EU but this should not distract from the important task of compliance with GDPR by 2018.  We’ll be working with government to stay at the centre of these conversations about the long term future of UK data protection law and to provide our advice and counsel where appropriate”.

The ICO advise they will be publishing guidance on different areas over the next six months.  Amicus ITS will ensure that we share these with you as they arise so you can best prepare your organisation for the tighter regulations, responsibilities and accountability.

Defend, deter, develop – strategy to counter being in a widely connected world


The Chancellor, Philip Hammond announced on 1st November 2016 the UK Government’s plans for a new £1.9 billion strategy to defend the nation against cyber attack over the next five years, as well as outlining a more attacking stance on going after those who would seek to do the nation harm.

Philip Hammond added, “If we do not have the ability to respond in cyberspace to an attack which takes down our power network – leaving us in darkness or hits our air traffic control system grounding our planes – we would be left with the impossible choice of turning the other cheek, ignoring the devastating consequences, or resorting to a military response,” Philip Hammond said as he described the National Cyber Security Strategy in London. “That is a choice we do not want to face and a choice we do not want to leave as a legacy to our successors.” He went on to say, “Trust in the internet and the infrastructure on which it relies is fundamental to our economic future.”

The Government announcement follows the recent speech from the National Cyber Security Centre’s Director General, Andrew Parker and warnings from the head of MI5 about the increasingly aggressive behaviour in cyberspace from nation state threats from countries like Russia. Russia is suspected of trying to influence the US elections by creating distrust in the electoral process, plus the usual espionage, subversion and cyber attacks.  All in all – the stakes continue to escalate in volume and severity of national scale.  Unsurprisingly, the Kremlin has dismissed the allegation.

In addition, the recent targeting of WIFI-enabled domestic appliances to create a DDoS attack to seek to disable specific websites via the Internet of Things (IoT), has started to create uncertainty in the minds of the public as to what they can trust with technology.  The situation is not helped by a lack of education around the need to create fresh passwords on receipt to avoid default factory settings which can be overrun.  Neither is the situation helped if the manufacturers install a factory setting password which in itself cannot be changed.

Web founder Tim Berners-Lee attending the Open Data Institute’s forum on the same day commented in a Radio 4 interview:  “The United Kingdom needs to have a strong but responsible and accountable police force, and [cyber-intelligence agency] GCHQ needs to have the tools to be able to defend us and defend the open internet.”

What the £1.9 billion is expected to translate into is specialist police units to tackle organised online gangs, some money towards education and the training of 50 cyber security specialists at the National Cyber Security Centre.

Where historically, it was the Americans who sought to confront Russia, the UK’s desire to have a visibly active stance should be welcomed by UK business, although much will depend on whether we get enough ‘boots on the ground’ or ‘hands on the keyboards’ to counter the high volume of lower end cyber attacks which has been identified as a real need.


Wake up call on cost estimate to UK business from EU GDPR


The EU General Data Protection Regulations (GDPR) which are already in force, become law formally from 25th May 2018.  Many businesses have not started to take countermeasures to review their data protection.

Recent analysis published by the Payment Cards Industry Security Standards Council (PCI SSC), using survey figures from the Office of National Statistics, suggested that there were 2.46 million ‘cyber incidents’ in 2015.  If the Information Commissioner’s Office (ICO) were notified of every breach and imposed the maximum penalty, this would result in large organisations facing fines totalling £533m and SMEs having to pay £908m under the existing data protection laws.

Under the new GDPR law this would result in a truly massive hike in financial penalties for the same offences – triggering fines of £70bn for major organisations and £52bn on SMEs.

These estimates are based on a maximum fine being levied on day one of the breach under the rules and each national information commissioner is likely to be more lenient in the early stages of EU GDPR implementation.  Added to this, following Brexit, the UK data protection legal landscape and penalties have yet to be defined. However, businesses operating internationally nonetheless have to work within the GDPR framework and many are now starting to appoint data protection officers.

The message is clear – businesses cannot afford to dally.  Whatever the size, all organisations need to start their preparations now.  Companies should conduct reviews to understand and map their data and put in place robust standards and procedures around the management of data to counter any cyber security threat.  Only by taking these steps can organisations seek to avoid the increasingly overwhelming size of fines that could legitimately be imposed.