ICO starts to bare its teeth ahead of GDPR as fines start ramping up

New research from PwC reveals that the Information Commissioner’s Office (ICO) levied 35 fines in 2016 for breaches of the Data Protection Act (DPA), almost double the 18 fines of the year before.

Those fines totalled £3.2 million, making the UK the most active country in Europe in terms of regulatory enforcement of data protection laws. The next most penalised country was Italy (£2.86 million). Figures across Europe, however, pale in comparison to the US, which sees far more incidents and whose regulators can issue much larger fines: PwC reports that US organisations were fined a total of approximately $250 million (about £193 million) in 2016.

Preparing for the GDPR
The gap between US and EU regulatory powers is set to shrink when the EU’s General Data Protection Regulation (GDPR) comes into effect next year. From 25 May 2018, all organisations that process EU residents’ personal data must comply with the Regulation, or they’ll face fines of up to €20 million (about £17.4 million) or 4% of their annual global turnover – whichever is greater.

This is much higher than the current limit for EU regulators. For example, the maximum fine that the ICO can currently issue for a breach of the DPA is £500,000, although it has yet to do so. The largest fine a UK organisation has received for a breach of data protection laws is £400,000, levied against Keurboom Communications in May 2017 and against TalkTalk last year.

PwC addressed the arrival of the GDPR in its study. The company’s global cyber security and data protection legal services lead, Stewart Room, advised UK organisations to use the next year to prepare for the GDPR, adding: “We’ve performed more than 150 GDPR readiness assessments with our clients around the world. Many struggle to know where to start with their preparations, but also how to move programmes beyond just risk reviews and data analysis to delivering real operational change”.

It’s impossible to ignore the impact of legal and regulatory change in this area in recent years. The GDPR has already been a force for good by bringing the issue to much wider attention. After all, who can argue against what is essentially a code for good business, where privacy by design becomes part of everyday operations?

ICO fine on TalkTalk revealed
The ICO revealed this week that it has fined communications company TalkTalk £400,000 (out of a maximum £500,000) for its poor web security following the theft of nearly 157,000 customer account details in October 2015. As we reported in our blog of 13th May 2016, the company’s profits were also hit hard as a direct result of the attack, and the firm lost 101,000 subscribers in the first quarter after it.

The ICO’s report was scathing, with Information Commissioner Elizabeth Denham commenting: “Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action”.

In nearly 16,000 cases the attacker was able to steal bank account details. Additionally, legacy software dating from TalkTalk’s takeover of rival Tiscali was found to be out of date, leaving vulnerable web pages open to attack by SQL injection. TalkTalk had been unaware of the problem, which could have been readily fixed had its security measures been kept up to date.
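The ICO’s finding above is about web pages that built database queries from whatever a visitor typed. The following is an added illustration, not code from the article or from TalkTalk, of what that defect looks like next to its fix: one lookup pastes the user’s value into the SQL text, the other passes it as a bound parameter. It uses Python’s built-in sqlite3 module with a handful of constructed, fictional customer rows; the table name, column names and account references are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data: fictional customer records standing in for the
# kind of legacy account table the ICO report describes.
SAMPLE_CUSTOMERS = [
    ("ACC-1001", "A. Example", "20-00-00", "11111111"),
    ("ACC-1002", "B. Example", "30-00-00", "22222222"),
    ("ACC-1003", "C. Example", "40-00-00", "33333333"),
]


def build_db():
    """Create an in-memory SQLite database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "account_ref TEXT PRIMARY KEY, name TEXT, sort_code TEXT, account_no TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, account_ref):
    """The legacy pattern: the user-supplied value is spliced into the SQL text.

    Whatever the visitor typed becomes part of the query grammar, so a value
    containing a quote character can change what the WHERE clause means.
    """
    sql = "SELECT account_ref, name FROM customers WHERE account_ref = '" + account_ref + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, account_ref):
    """The fix: the value travels separately from the SQL as a bound parameter.

    The database engine treats it purely as data, so quotes or keywords inside
    it can never alter the structure of the query.
    """
    sql = "SELECT account_ref, name FROM customers WHERE account_ref = ?"
    return conn.execute(sql, (account_ref,)).fetchall()


def compare(account_ref):
    """Run both lookups on the same input; return (vulnerable_rows, safe_rows)."""
    conn = build_db()
    try:
        return lookup_vulnerable(conn, account_ref), lookup_parameterised(conn, account_ref)
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed reference: both versions return the same single row.
    print(compare("ACC-1002"))
    # A malformed value that happens to contain SQL syntax: the legacy version
    # returns every customer in the table, the parameterised one returns nothing.
    print(compare("x' OR 'a'='a"))
```

The point for a defender reviewing old code is the shape of the query call, not the specific input: any `execute` whose SQL string is assembled from request data is the defect, and the parameterised form is the fix, regardless of what the visitor eventually types. A value with an apostrophe in it (a surname such as O’Brien) breaks the legacy version with a syntax error but is handled cleanly by the bound-parameter version.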

The ICO explained that TalkTalk had been very lax in enforcing proper security on its own website. Ms Denham added: “In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting. Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue”. These comments echo exactly the advice Amicus ITS has consistently given to its customers and shared with the wider business community at its regional thought-leadership cyber security roadshows.

The next Amicus ITS cyber security event will be held on 24th November 2016. Further details will be posted on the main Amicus ITS events page.

TalkTalk talk of recovery – hopefully no joke for their customers
TalkTalk have announced that their profits halved following the cyber attack on the company in October 2015. Profits fell to £14m, down from £32m the year before. The fall is attributed in part to the costs of the cyber attack by a number of hacktivists in the UK (six arrests have been made; all the individuals are under 21).

TalkTalk lost 101,000 subscribers in the quarter immediately following the attack, in which the personal data of around 160,000 people was compromised. This included email addresses, names and phone numbers, plus 21,000 unique bank account numbers and sort codes.

TalkTalk’s immediate response was to play hardball with any customer trying to leave, quoting contract terms and penalty fees should they go. Nowhere in their response was there any acknowledgement of their responsibility for safeguarding customer data, and the onus fell on the customer to prove that any future loss of money was solely due to the hack. So, for example, if a customer was spear-phished through social engineering made possible by the compromised personal data, that would be the customer’s fault.

If there was an Incident Response Plan (they had suffered previous breaches in the preceding year), there is little to show any learning outcomes to date.

Despite this, TalkTalk CEO Dido Harding maintains today that the company has recovered and that the customer churn experienced in the first quarter following the attack has since been stemmed, which in her eyes indicates customer satisfaction.

Total revenues are reported to have grown 2.4% to £1.83 billion in the 12 months to 31st March 2016. However upbeat the CEO’s talking-up of the positives in May 2016, though, the company’s PR mishandling, lack of probity and lack of knowledge indicate a disrespect for the customer, who (along with their data) should be, and feel, cared for at all times.

So we will need to wait and see over the next 12 months what the figures and customer base numbers reveal. One thing is certain, however: the company’s failure to manage and protect its customers’ data with due diligence and probity has led to a very public sullying of the brand and ridicule in some boardroom circles.

The TalkTalk debacle should go into the lexicon for all future Board directors as a lesson in how not to handle a disaster. For any Board today, at least one member must understand and be accountable for cyber so that the appropriate reviews, decisions, IT investments and staff education are undertaken. This means:

1. Understanding cyber and identifying what your data crown jewels are
2. Ensuring your company has up-to-date security policies and practised procedures that follow ISO 27001 compliance procedures
3. Having your company’s infrastructure interrogated regularly for vulnerabilities and plugging any gaps
4. Working with data security specialists to monitor any devices, infrastructure and locations where your business or staff operate, to ensure you maintain endpoint security at all times.

Amicus ITS has a Security as a Service offering called Foxcatcher. If you wish to speak to one of our team about your organisation’s security, call us on 02380 429429.


The cost to TalkTalk of the 2015 cyber attacks

In our post of 31st December 2015 we discussed the lessons learned from the TalkTalk cyber attack debacle. Now TalkTalk have published their Q3 results, offering a truer picture of the costs to date.

The original emergency damage forecast in November by the telecoms company was £30-£35 million (largely for unconditional free upgrades for customers and £15 million in reduced trading revenue). This has now been doubled to £60 million.

Additionally, and of little surprise, there has been significant reputational loss, resulting in the loss of 4% of their customer base (some 101,000 customers) following the attack.

Recovery will be slow: although the share price rose 5% in the City this morning, this follows a 30% drop after the attack at the end of October 2015.

This comes in a week in which two other organisations felt the pain of attack:

• Lincolnshire County Council’s systems were shut down for four days following a malware attack contained within an email and a document that was opened in error by staff. The £1m ransom was not paid and staff have been working off paper all week. CIO Judith Hetherington-Smith said: “People can only use pens and paper, we’ve gone back a few years. [The attack] happened very quickly. Once we identified it we shut the network down, but some damage is always done before you get to that point – and some files have been locked by the software. A lot of the files will be available for us to restore from the back-up.”

• HSBC was also hit on Friday 29th January, when customers couldn’t access their personal bank accounts. It was a DDoS attack, and whilst HSBC sought to reassure customers on Twitter, stating they had “successfully defended their systems”, the restoration process then caused considerable disruption for their customers. The timing couldn’t have been worse for many: the first pay day after Christmas, and the last working day before the tax return deadline.

What this amply illustrates is the urgent need for businesses to change their behaviour: instead of relying on a dim hope that they won’t be the target of an attack at some point in the future, businesses should assume they will be attacked.

NB. Whatever the size of your company, you are at risk. So ensure that proper IT governance steps are undertaken: pen testing and robust cyber defence software, allied to round-the-clock monitoring and threat intelligence, to put yourself in a stronger defensive position and an agile stance for response. That way you start to stem financial loss and costly reputational damage.


Lessons learned from the TalkTalk Cyber Attack

The Background to the cyber breach
• TalkTalk customer base: 4 million users
• The attack of 21 October 2015 resulted in 157,000 individual personal records being compromised, with 16,000 bank account numbers and sort codes accessed and 28,000 tokenised credit card numbers.

Who was to blame?
Well, obviously from a criminal point of view there were five people known to be involved, four of whom were teenagers who have been arrested by the police. In truth, however, the real culprit is TalkTalk, for its failure to protect its customers’ data and to learn the lessons from the previous breaches of the preceding 12-month period.

So what are the lessons learned from this high-profile cyber attack for all UK businesses and organisations, regardless of size?
All businesses should expect to be breached. TalkTalk failed to plan ahead despite the experience of each breach:

Action 1: Arrange for a full security review (pen testing, social engineering checks, dumpster diving checks (ensuring your confidential waste is disposed of properly), remote access connections, patch management, etc.).

Talk the Tech Talk
Disconcertingly for a company which reported gross revenue in 2014 of £1.7 billion ($2.65 billion), TalkTalk failed to invest sufficiently, firstly in information security specialists and secondly in the technology to help withstand breaches.

Action 1: Ensure that your Board’s PR spokesperson has had media training and uses the right technical terms (“sequel” being misrepresented for “SQL”).

Action 2: Ensure that nothing is revealed by a representative of your organisation going on camera (whether video or still) that discloses anything about your company or your technical infrastructure. A simple look at the Open Web Application Security Project (OWASP), a not-for-profit software security information-sharing website, would have given TalkTalk the heads-up on the latest threats and vulnerabilities and how to correct them.

Know your network and understand security
Much of the public distress about this high-profile cyber attack stemmed from the fact that no one in the management team could confirm whether the stolen customer data had been encrypted.

Action 1: Ensure that a member of the Board understands data security, comprehends and can talk about the Cloud, and understands the technical infrastructure of the organisation.

Speak the truth
In the TalkTalk scenario, the CEO claimed that they were “head and shoulders better than some of our competitors and some of the media bodies that were throwing those particular stones.”

This fell on stony ground for Dido Harding when she said it to The Sunday Times, adding that under the UK’s 1998 Data Protection Act TalkTalk was “not legally required” to encrypt customer data. If the customer is a victim of a cyber attack, the deed is done and that bond of trust is damaged forever.

Respect your customers’ data as your crown jewels
The Data Protection Act 1998 places a duty of care on the organisation’s data controller to look after all the data it holds, both its own and that of its customers.

With the value of data to cyber criminals increasing with every strand of personal detail, criminals can profit from many types of customer data. This does not have to be actual credit card or bank details; it can be any personally identifiable information (PII) that, when pieced together, forms a profile of the individual which the criminal can then sell on to third parties.

Whilst no current UK legislation yet mandates that businesses and organisations encrypt their data, whatever the type of business, encryption is an easy preventative software step to protect your organisation. This simple move could save your organisation embarrassment and potentially millions of pounds in lost revenue, but, critically, lost trust.

Lots to TalkTalk About With Latest Major UK Cyber Attack

In the wake of the third, “significant and sustained” cyber attack on a FTSE 250-listed UK company on Wednesday 21st October, TalkTalk is advising all of its 4 million subscribers that their personal data (including names, addresses, dates of birth, phone numbers, emails PLUS account information, credit card and banking details) may have been breached. The company is offering 1 year’s free credit monitoring for this latest breach, but it has not been a good period to have this toxic trading name. TalkTalk suffered a sophisticated email scam in February 2015, which it claims was due to a third-party contractor who had legitimate access to its customers’ data, and in December 2014 the Guardian reported a possible data breach emanating from one of its Indian call centres, leaving some customers out of pocket by several thousand pounds, with their banks offloading responsibility by claiming the victims had caused their losses by allowing the fraudsters illegal access through nefarious means.

The Information Commissioner’s Office (ICO) started investigations into the hacking of Carphone Warehouse (owned by Dixons Carphone plc) in August, affecting 2.4 million users. Earlier this month the North American unit of credit rating agency Experian PLC was subject to a breach comprising the data of clients of US mobile carrier T-Mobile USA Inc, affecting 15 million US customers, and reports of cyber offences reached over 625,000 every month this summer.

The Metropolitan Police Cyber Crime Unit has launched its investigation into the TalkTalk attack on its website. Whilst TalkTalk’s CEO Dido Harding has confirmed that its website is now secure again and that TV, broadband, mobile and phone services have not been affected by the attack, its sales website and “My Account” bill checking site have yet to be restored. TalkTalk’s assurances about the seeming normality of service provision offer little comfort to its concerned customer base, few of whom will be surprised to hear that the company has lost 10% of its share price within 24 hours of the bad news. Claims have emerged today on BBC Radio 4’s Today programme that a Russian Islamist group had posted online that it was responsible for the attack. This is being investigated by the authorities, though TalkTalk are currently refusing to comment on it.

So where does this leave TalkTalk customers?
• Anyone who is a victim of a cyber attack should diligently monitor their bank and credit cards over several months to spot any suspicious transactions. It may not necessarily be sudden, dramatic, large-scale financial losses that occur; there is an emerging trend for small-scale withdrawals following hacks, far less eye-catching to the unwary consumer but necrotic and damaging over the long term as part of a sustained siphoning of funds.

• Customers may be contacted by new third-party fraudsters cashing in on the TalkTalk attack, contacting an already vulnerable customer base to gain access to their accounts while purporting to be TalkTalk staff trying to fix things. No real TalkTalk staff would demand direct account details over the phone, and this should set alarm bells ringing.
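The first point above, that a sustained trickle of small debits is easy to miss by eye, is the kind of check that can be automated. What follows is an added example written for this post, not a tool from TalkTalk or any bank: a short Python routine that scans a statement for payees receiving several small debits inside a rolling window and reports the count and running total. The statement rows are constructed, the payee names are fictional, and the thresholds (under £5.00, at least four debits within 30 days) are assumptions chosen for the illustration; amounts are held in pence so the totals are exact.

```python
from collections import namedtuple
from datetime import date

# One statement line: the day, the signed amount in pence (debits negative)
# and the payee as it appears on the statement.
Txn = namedtuple("Txn", "day amount_pence payee")

# Constructed sample statement. Everything here is fictional; the recurring
# small debits to "APP STORE XYZ" are the pattern the article warns about.
SAMPLE_STATEMENT = [
    Txn(date(2015, 11, 2), -4210, "SUPERMARKET"),
    Txn(date(2015, 11, 3), -199, "APP STORE XYZ"),
    Txn(date(2015, 11, 4), -65000, "RENT"),
    Txn(date(2015, 11, 9), -249, "APP STORE XYZ"),
    Txn(date(2015, 11, 16), -199, "APP STORE XYZ"),
    Txn(date(2015, 11, 18), -3500, "FUEL"),
    Txn(date(2015, 11, 23), -249, "APP STORE XYZ"),
    Txn(date(2015, 11, 30), -199, "APP STORE XYZ"),
]


def find_small_recurring_debits(txns, small_limit_pence=500, min_count=4, window_days=30):
    """Flag payees that collect many small debits in a short span.

    Returns {payee: (count, total_pence)} for every payee with at least
    `min_count` debits, each below `small_limit_pence`, falling inside some
    span of `window_days` days. Credits and larger debits are ignored.
    """
    # Group only the small debits by payee.
    by_payee = {}
    for t in txns:
        if t.amount_pence < 0 and -t.amount_pence < small_limit_pence:
            by_payee.setdefault(t.payee, []).append(t)

    flagged = {}
    for payee, small in by_payee.items():
        days = sorted(t.day for t in small)
        j = 0
        # Sliding window: for each start day i, advance j past the last day
        # still within window_days; j - i is the number of debits in the span.
        for i in range(len(days)):
            while j < len(days) and (days[j] - days[i]).days <= window_days:
                j += 1
            if j - i >= min_count:
                flagged[payee] = (len(small), sum(-t.amount_pence for t in small))
                break
    return flagged


def format_pence(pence):
    """Render a pence value as a pounds string for the summary."""
    return "£%d.%02d" % divmod(pence, 100)


if __name__ == "__main__":
    for payee, (count, total) in find_small_recurring_debits(SAMPLE_STATEMENT).items():
        print("%s: %d small debits totalling %s" % (payee, count, format_pence(total)))
```

The thresholds are the part to tune: a shopper who genuinely buys a coffee every day will trip a low limit, so in practice the check is most useful for payees that first appear after a known breach date, which is what the "new payee" column of a statement gives you.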

Cyber Precautions for Enterprise
For any company, it is imperative to have good process and policy safeguards, with up-to-date malware and antivirus software installed, to wrap around the company’s data, users and applications. In addition to this, however, commodity-based companies that use the web to transact with the public, taking personal details and financial information, would be well advised to consider hosting their website on a separate server from the main business server, and even having two different companies supply this service, for added security and peace of mind. This would increase resilience, but of course is only step one for the data controller; step two is ensuring that the data is compliant ahead of the EU’s General Data Protection Regulation (GDPR), which comes into force in 2017.