ICO reports security failures across all sectors as fines continue to ramp up in 2019

Since May 2018, when GDPR kicked in, the ICO has been progressively investigating data breaches reported to it, and no-one has been spared in its enforcement actions. Cases have ranged from local Government officials illegally accessing personal data, to public bodies (including HMRC, for data harvesting), to the Metropolitan Police (over its handling of Subject Access Requests), to the NHS (for illegally accessing medical records), to regulated industries and small businesses carrying out unsolicited communications by email or telephone (affecting up to 4.5 million unsuspecting contacts). In one extraordinary case, a Council employee shared unredacted data about alleged gang members profiled on a police intelligence ‘Gang Matrix’ database with other Council staff and external organisations. This ended up on social media and was then used by the gang members themselves. Unbelievable, but sadly true.

Amicus ITS Director of Technology, Security & Governance, JP Norman commented: “The ICO are striking a balance between the severity of a breach individually, the volume of data affected and the harm and distress caused by the breach of security and lack of protocol. We can see from the enforcement notices published across 2018-19 the huge variety of cases that the ICO have dealt with in the last 18 months, and ultimately this illustrates data responsibility is in the hands of every individual, with fallout picked up by the organisation/company directors”.

Big headline fines this summer included the £183.4m penalty announced against British Airways following the 2018 cyber incident, in which users logging in to BA’s website were diverted to a fraudulent site where their personal details, payment information and travel plans were harvested. This represented 1.5% of turnover, out of a maximum possible fine of 4% of global turnover. There was also the £99.2m fine against Marriott International hotels group for a data breach in which 339 million guest records globally were exposed over several years following a merger, with a lack of due diligence and of security measures being adopted. Both organisations are seeking to defend their position. Other big names fined for cyber security failures included Equifax (£500,000), Uber (£385,000) and Yahoo! (£250,000).

Against this backdrop, the ICO Annual Report for March 2018-19, published in July 2019, recognised that 82% of personal data breaches investigated had been closed with no further action, because corrective measures to avoid a repeat had been taken or were being acted upon. We should take this as positive news: organisations are learning to manage their data more responsibly.

JP Norman adds: “All organisations face the same responsibilities around data management and data security. At the heart of good practice is education and staff training. This can identify what is appropriate when sharing data and that if approved, it is done lawfully and safely. Organisations, institutions and businesses of any size must have a Data Protection Officer (DPO), who may also be the Data Controller if appropriate. These representatives need ready access to policies and guidance around data security and measures to be taken in the event of any breach, which can be evidenced and practised as part of a smart Business Continuity Plan. This can be intimidating for businesses of even medium size to get to grips with and act confidently, so we often see the DPO function outsourced”.

Amicus ITS recognises the challenges organisations face and earlier this year published our new Virtual Data Protection Officer service on G-Cloud 11 for public sector customers.  Notably, this service is equally available to SMEs.  Any organisation that is unsure if it has the right security policies and security measures in place can contact Amicus ITS in confidence.  If the service is taken up, this security consultancy could not only save you £000s but also help protect against reputational damage which can be priceless.  Call our Sales team today for a free initial discussion on +44 2380 429429.

Microsoft rapid response to Windows patching after security scare

Users and organisations running out-of-support Windows operating systems (Windows XP, Windows 7, Windows Server 2003, Windows Server 2008 R2 and Windows Server 2008) are being urged by Microsoft to patch urgently, following Microsoft’s disclosure of a critical remote code execution vulnerability.

The severity of its potential impact worldwide has prompted Microsoft to step in and release patches even for the out-of-support Windows XP and Windows Server 2003. Windows XP users will need to download the patch for the remote code execution vulnerability CVE-2019-0708 from the Microsoft Update Catalogue.

Simon Pope, Microsoft’s Director of Incident Response, speaking from the Security Response Centre, advised that this vulnerability was ‘wormable’. This means that a user doesn’t have to ‘do’ anything themselves for their machine to be infected. Malware written to exploit the vulnerability would cause a ripple effect, cross-infecting computers through Remote Desktop Protocol (RDP) without any user interaction. Over RDP an attacker could send requests that run arbitrary code, allowing them to view, change or delete data, or create new accounts with full user rights. This was the pattern in 2017 when the WannaCry attack went global.

With millions of users still using Windows 7 machines, Microsoft are not taking any chances and are taking the same holistic steps as in 2017 to seek to protect users whether using supported or unsupported systems.

Unfortunately, unlike WannaCry, this vulnerability doesn’t appear to offer a killswitch for someone to discover, but prudent and expeditious action taken promptly by organisations and their in-house IT teams (or through the direct intervention of IT MSPs like Amicus ITS) can limit the impact. Amicus ITS have already taken immediate steps to instigate patching for all our customers. In addition, the RDP vulnerability can be mitigated by good access control and firewall management, which our Network Team are undertaking.

I would advise vulnerable organisations to update to the latest operating system (currently Windows 10), and to consider the following paths as part of their risk mitigation:

1. Upgrade to the latest or near latest operating systems – full mitigation
2. Consider migrating to the 365 / Azure platforms – server mitigation
3. Take up an advanced patching service via Amicus ITS – server and device patch assurance

Any organisations seeking advice or support can contact our Sales team in the first instance by calling +44 (0)2380 429429 or by emailing enquiries@amicusits.co.uk, quoting ‘Microsoft Code Exploit 2019’.

JP Norman is the Director of Technology, Security and Governance at Amicus ITS

French regulators throw the first big GDPR punch at Google with £44m fine

Google has fallen foul of the French data regulator, with the announcement yesterday of an impressive £44m fine against the global search engine giant. In a move that has set the tech industry chattering, this marks the first major European penalty since the rollout of GDPR on 27th May 2018. It was going to happen sooner or later; it was just a matter of who would be first.

Google’s blunder was its covert process of gathering data to personalise ads without ‘sufficiently’ informing users, burying the detail in terms and conditions and using pre-ticked boxes (contrary to the new legislation).

CNIL, the French equivalent of the UK’s Information Commissioner’s Office, filed two complaints as soon as GDPR came into effect.

Commenting on the severity of the fine, CNIL advised that the action was “justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent”.

The penalty is the largest to date under the European Union privacy law, known as the General Data Protection Regulation, which took effect in May, and shows that regulators are following through on a pledge to use the rules to push back against internet companies whose businesses depend on collecting data.

The fine announced on Monday is far lower than the maximum penalty under the European privacy law, which is 4% of global revenue. For Google, that would be more than $4 billion!

The response has been largely welcomed in the wider MSP community as a prompt to improve marketing processes, a view echoed by Amicus ITS. Like many others today, Amicus ITS uses Account Based Marketing, so the lawful consent required is obtained directly from the customer.

The news is a salutary reminder for firms to stay vigilant, to ensure they comply with GDPR, and to offer flexibility in providing services through different marketing channels, creating the right routes for data capture through websites and other means (which these days increasingly means companies offering AI chatbots when communicating services or sharing information with third parties).

Are you surprised by the fine?  Who do you think is going to be next up for punishment?  Give us your thoughts.

‘Orangeworm’ the new superworm hacking group that’s targeting healthcare

Hacking activity targeting the healthcare sector continues to rise. New security research just released by Symantec has identified a global hacking group called ‘Orangeworm’. Though its targeted victims accounted for a small number of organisations in 2016 and 2017 (mostly in the USA and Asia), some were identified as being based in Europe. Analysis by industry has revealed that the healthcare sector is Orangeworm’s primary target, with 39% of its known victims in this data-rich sector, which includes hospitals and pharmacies.

Symantec said, “Based on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic hacking. Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack”.

Orangeworm’s wormable trojan, named ‘Kwampirs’, gathers information from the compromised computer to determine whether it is used for research or holds high-value data such as patient information. Kwampirs then installs a backdoor on the compromised computer, enabling the attackers to remotely access equipment and steal sensitive data, and the infection survives reboots.

The trojan worm has been found on software controlling critical hospital equipment, including X-ray machines and MRI scanners, as well as machines used to help patients complete consent forms. If the ‘victim’ computer is of interest, the malware then “aggressively” spreads itself across open network shares to infect other computers within the same organisation and uses built-in commands to grab data. This includes “any information pertaining to recently accessed computers, network adapter information, available network shares, mapped drives, and files present on the compromised computer.”

The supply chain is a key part of this vulnerability funnel, with targets including manufacturers providing medical devices and technology companies offering services to clinics, plus logistics firms delivering healthcare products.

Director of Technology, Security & Governance, JP Norman advises: “Ensure your anti-malware provider can detect Kwampirs activity, and to prevent and detect an infection, ensure that:

•    A robust programme of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
•    All operating systems, anti-virus and other security products are kept up-to-date.
•    All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
•    Strong password policies are in place and password reuse is discouraged.
•    Network, proxy and firewall logs should be monitored for suspicious activity.
•    User accounts accessed from affected devices should be reset on a clean computer.”
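As an added illustration (not code from the article, Symantec or Microsoft) of the log monitoring recommended above, and of the worm-style spread over network shares and RDP described both in this post and in the CVE-2019-0708 post earlier on this page: a small Python detector that reads constructed firewall log lines and flags any source that reaches many distinct hosts on 445/tcp or 3389/tcp within a short window. The log format, the thresholds and all addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log sample (not from the article or any real network).
# Fields: timestamp  source  destination  destination-port  action
SAMPLE_LOG = """\
2019-05-15T09:00:01 10.1.1.20 10.1.1.5 445 ALLOW
2019-05-15T09:00:02 10.1.1.20 10.1.1.6 445 ALLOW
2019-05-15T09:00:02 10.1.1.20 10.1.1.7 445 ALLOW
2019-05-15T09:00:03 10.1.1.20 10.1.1.8 445 ALLOW
2019-05-15T09:00:04 10.1.1.20 10.1.1.9 445 ALLOW
2019-05-15T09:00:05 10.1.1.20 10.1.1.10 445 ALLOW
2019-05-15T09:02:00 10.1.1.40 10.1.1.5 80 ALLOW
2019-05-15T09:05:00 203.0.113.7 10.1.1.5 3389 DENY
2019-05-15T09:05:01 203.0.113.7 10.1.1.6 3389 DENY
2019-05-15T09:05:01 203.0.113.7 10.1.1.7 3389 DENY
2019-05-15T09:05:02 203.0.113.7 10.1.1.8 3389 DENY
2019-05-15T09:05:03 203.0.113.7 10.1.1.9 3389 DENY
2019-05-15T09:10:00 10.1.1.50 10.1.1.5 445 ALLOW
2019-05-15T09:25:00 10.1.1.50 10.1.1.6 445 ALLOW
2019-05-15T09:40:00 10.1.1.50 10.1.1.7 445 ALLOW
2019-05-15T09:55:00 10.1.1.50 10.1.1.8 445 ALLOW
2019-05-15T10:10:00 10.1.1.50 10.1.1.9 445 ALLOW
"""

# Ports the two threats on this page spread over: SMB shares (Kwampirs) and RDP (CVE-2019-0708).
WORM_PORTS = {445: "SMB/network shares", 3389: "RDP"}


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def detect_fanout(log_text, threshold=5, window_minutes=5):
    """Flag sources that reached >= `threshold` distinct hosts on a worm-relevant
    port within `window_minutes`. Returns [(src, port, distinct_targets, first_seen)].
    Denied attempts count too: a blocked scan is still evidence of spreading."""
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)  # (src, port) -> [(timestamp, dst), ...]
    for line in log_text.strip().splitlines():
        ts, src, dst, dport, _action = parse_line(line)
        if dport in WORM_PORTS:
            events[(src, dport)].append((ts, dst))

    alerts = []
    for (src, port), hits in events.items():
        hits.sort()
        # Slide a time window over the ordered events; one alert per source/port.
        for i, (start, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(targets) >= threshold:
                alerts.append((src, port, len(targets), start.isoformat()))
                break
    return alerts


if __name__ == "__main__":
    for src, port, n, first in detect_fanout(SAMPLE_LOG):
        print(f"{first} {src} reached {n} hosts on {port}/tcp ({WORM_PORTS[port]})")
```

On the sample, the internal host fanning out over 445/tcp and the external address probing 3389/tcp are flagged, while the host touching five shares spread over an hour is not, which is why the window and threshold should be tuned to the normal share and RDP usage of your own network.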

Sales Director, Les Keen added, “Where there is the option for healthcare / supply chain organisations to prioritise IT funding, updating the Operating Systems is a primary, as is ensuring a strong and regular policy on Patch Management. Our Sales and Security teams are always on hand to review and audit organisational IT infrastructure and offer holistic remediation advice as part of our security readiness programmes. Just call us on +44 2380 429429”.

You have been told… GDPR is not Y2K

The Information Commissioner made an interesting observation about GDPR in her end of year summation on 22nd December 2017.

Elizabeth Denham commented that some businesses held the false perception that GDPR was on a par with the Y2K Millennium Bug worry, which festered amongst businesses in the run up to New Year’s Eve 1999, that all systems would fail.

In a view which Amicus ITS shares, she commented that organisations that had taken steps to put in place preparations for GDPR, should not be concerned.  This follows a notable increase in scaremongering stories and also profiteering activity during 2017 for ‘GDPR solutions’.

Ultimately, companies have had two years to prepare for GDPR – and all the details are known (unlike with Y2K) and 25th May 2018 is simply the date the legislation takes effect.

However, the identification of risks, understanding and good data management (accompanied by transparency to explain and communicate individuals’ rights) will, the ICO believes, create a sea change of positivity over time, as organisations catch up and apply the appropriate security to keep data safe.

Being committed to good process measures and demonstrating accountability for data management will, for Amicus ITS’ Director of Technology & Governance JP Norman, create a clear sign of assurance, competence and insight, especially valuable for IT Managed Service Providers. “For an MSP, the word ‘solution’ is a dangerous thing in relation to GDPR. There is no panacea. GDPR is essentially about a collection of measures diligently applied to fully understand and map how data comes into an organisation, where it is held, where it goes to – and then ensure it is safely protected and managed appropriately at all times in an open and transparent manner for stakeholders”.

See JP Norman’s interview and thoughts on GDPR for CRN as part of their expert European panel and download the e-book for more information http://view.ceros.com/incisive-media/solarwinds-gdpr-1/p/3

C Level Execs Reveal UK Business Still Not Prepared for GDPR

Trend Micro’s recently published survey has revealed a worrying lack of recognition that GDPR is going to seriously impact UK business if left unmanaged.  The results revealed a lax attitude about the severity of what is around the corner if data protection is not diligently overseen for compliance to ensure that employees, directors and decision makers all use data correctly.  The survey stats revealed the following:

•    Senior execs shunned GDPR responsibility in 57% of businesses.
•    Only 21% of businesses surveyed currently have a senior executive involved in the GDPR process.
•    66% were dismissive about the amount they could be fined.
•    42% of businesses do not know that email marketing databases contain PII.
•    In an example given, businesses were very uncertain as to who was accountable for the loss of EU data by a US service provider – with only 14% correctly identifying it is the responsibility of both parties.
•    Businesses were broadly found to lack the expertise to combat threats:
     o   Only 34% have implemented advanced capabilities to detect intruders
     o   Only 33% have invested in data leak prevention
     o   Only 31% have employed encryption technologies

JP Norman, Amicus ITS Director of Technology, Security & Governance urged a proactive response without delay for anyone not already taking steps.  “Any organisation that does not recognise the importance of GDPR compliance and data protection responsibility needs to wake up fast.  A data breach after next May will no longer result in the organisation facing a slap on the wrist, some reputational damage and a manageable fine.  We have worked closely with the ICO and recommend their 12 step guide as a starting point for review.  Whatever challenges businesses think we may face through Brexit, GDPR has the potential to wipe businesses off the map entirely.  For the public sector, where the purse is controlled by Government and ringfenced locally, this will become even more damaging – personally, financially and politically.  However, whereas the cap is currently £500,000 till May 2018, this corporate penalty will rise to up to 4% of global turnover or a €20 million fine plus the potential of criminal prosecution thereafter.  I would urge all organisations who have not begun their information audit to start now”.

Work with your Security and Governance teams to thwart cyber attacks

A Petya ransomware attack, suspected to use a modified EternalBlue exploit, is spreading around the world as we go to press, with UK and European organisations already affected, and shipping company Maersk and ad agency WPP announcing problems with systems down.

Only a few days after the attack on the UK Government on Friday 23rd June, security experts are describing such high profile attacks as the ‘new normal’. Weak passwords on email accounts were to blame for around 90 parliamentarians being attacked. An official spokesperson commented that users had failed to adhere to official guidance from the Parliamentary Digital Service. Remote access was disabled immediately as a precaution whilst further investigations were made.

This follows hot on the heels of last week’s report by Which?, revealing that communications giant Virgin’s consumer Super Hub 2.0 router was vulnerable to hacking for customers who had not changed the default wifi password, which experts felt was too short and not sufficiently complex. Virgin are not alone amongst Internet Service Providers in issuing relatively simplistic wifi keys, according to penetration testing experts. Future success in thwarting attack will require 1) a change of culture, with consumers proactively changing the default password on any wireless device, and 2) retailers ensuring that directions for changing the password are presented as soon as the service is accessed, easy to read and quick to follow.

And all of this just one month since the WannaCry cyber attack on NHS England, which was amongst around 70 organisations hit worldwide. Brian Lord, former Deputy Director for Intelligence and Cyber Operations at GCHQ, commented in May that this was due to a shift from the low level theft and use of ransomware of the past few years to internationally organised crime. Today’s criminal networks can generate sustained and co-ordinated attacks against ageing IT systems, delivering a simple tool at mass scale to vulnerable areas – in this case, systems where Microsoft security patches hadn’t been applied.

The clear messages from these tales of woe are:

•    Ensure effective security and governance procedures are in place for businesses and institutions – and that these are shared, understood and abided by by all staff without exception, through regular training and education awareness.
•    Consider two factor authentication and more intelligent solutions around identity management and password tools to keep the door closed to wrongful access.
•    Protect older, more vulnerable Operating Systems through regular security assessments and vulnerability detection programmes to scan your networks and find holes in perimeter security to help target your patching priorities.

Rome wasn’t built in a day, but organisations that do not have strong and effective preventative measures can easily fall in one day. Keep security at the forefront of your thinking and actions.