ICO reports security failures across all sectors as fines continue to ramp up in 2019

Since May 2018, when GDPR kicked in, the ICO has been progressively investigating the data breaches reported to it, and no one has been spared in its enforcement action. Cases range from local government officials illegally accessing personal data, to public bodies (including HMRC, for data harvesting), to the Metropolitan Police (for its handling of Subject Access Requests), the NHS (for illegally accessing medical records), and regulated industries and small businesses carrying out unsolicited communications by email or telephone (affecting up to 4.5 million unsuspecting contacts). In one extraordinary case, a Council employee shared unredacted data about alleged gang members profiled on a police intelligence ‘Gang Matrix’ database with other Council staff and external organisations. This ended up on social media and was then used by the gang members themselves. Unbelievable, but sadly true.

Amicus ITS Director of Technology, Security & Governance, JP Norman, commented: “The ICO are striking a balance between the severity of a breach individually, the volume of data affected and the harm and distress caused by the breach of security and lack of protocol. We can see from the enforcement notices published across 2018-19, the huge variety of cases that the ICO have dealt with in the last 18 months and ultimately this illustrates data responsibility is in the hands of every individual, with fallout picked up by the organisation/company directors”.

Big headline fines this summer included the £183.4m fine issued to British Airways following the 2018 cyber incident, in which users logging in to BA’s website were diverted to a fraudulent site where their personal details, payment information and travel plans were harvested. This represented 1.5% of global turnover, out of a possible maximum of 4%. Then came the £99.2m fine to Marriott International hotels group for a data breach in which 339 million guest records globally were exposed over several years following a merger, with a lack of due diligence and of security measures being adopted. Both organisations are seeking to defend their position. Other big names included Equifax (£500,000), Uber (£385,000) and Yahoo! (£250,000), all for cyber security failures.

Against this backdrop, the ICO Annual Report for March 2018-19, published in July 2019, recognised that 82% of personal data breaches investigated had been closed with no further action, as corrective measures to avoid a repeat had been taken or were being acted upon. We should take this as positive news, as organisations learn to manage their data more responsibly.

JP Norman adds: “All organisations face the same responsibilities around data management and data security. At the heart of good practice is education and staff training. This can identify what is appropriate when sharing data and that if approved, it is done lawfully and safely. Organisations, institutions and businesses of any size must have a Data Protection Officer (DPO), who may also be the Data Controller if appropriate. These representatives need ready access to policies and guidance around data security and measures to be taken in the event of any breach, which can be evidenced and practised as part of a smart Business Continuity Plan. This can be intimidating for businesses of even medium size to get to grips with and act confidently so we often see the DPO function outsourced”.

Amicus ITS recognises the challenges organisations face and earlier this year published its new Virtual Data Protection Officer service on G-Cloud 11 for public sector customers. Notably, this service is equally available to SMEs. Any organisation that is unsure whether it has the right security policies and security measures in place can contact Amicus ITS in confidence. If the service is taken up, this security consultancy could not only save you £000s but also help protect against reputational damage, which can be priceless. Call our Sales team today for a free initial discussion on +44 2380 429429.

Amicus ITS’ privacy policy can be found here

Yoo-hoo! – Yahoo finally discloses massive cyber breach


Yahoo disclosed today that they have suffered what they believed to be a ‘state-sponsored’ cyber-attack. The attack itself dates back to 2014. Some 500 million users are believed to have had their personal details stolen in what is believed to be the biggest publicly disclosed cyber breach in history.

The US internet firm, which at its height during the dot.com boom was worth $125bn, made a net loss of $4.4bn in 2015 and agreed a sale to global communications and tech giant Verizon for $4.8bn earlier this summer. Verizon’s rationale for the purchase is access to Yahoo’s core internet business, which has more than a billion active users a month and would make Verizon a global mobile media company.

So how does this breach compare with other large scale breaches made public in 2016?

• 2012 LinkedIn – 180 million accounts hacked
• 2010 MySpace – 360 million accounts hacked
• 2012 Dropbox – 68 million accounts hacked

There appears to be a trend of large data breaches being announced at least two years after the event, giving the hackers a comfortable period in which to make maximum use of any data they wish to target. The difference with the Yahoo breach revolves around the claims of it being ‘state sponsored’. For consumers this means that the motivations of the hackers could well be focused on specifically targeted individuals rather than the wholesale public (which is not to say that the data isn’t sold on to the cyber underworld). This breach could be focused on the accounts of particular individuals whose free speech has been suppressed in their home country. News of a mass data breach in August could be related to this, but Yahoo’s announcement is a formal acknowledgement, as opposed to previous dark net gossip. How this plays out, and the degree of malice behind the event, we have yet to find out.

What should users do by way of best practice?

Whether or not someone believes their account has been compromised, it is always good practice to change passwords regularly and ensure they are strong and unique (an unbroken combination of upper- and lower-case characters, symbols and numbers). Multi-step verification processes can further stiffen defences. Wrapping this with good antivirus and anti-malware software, backed by security policies and procedures, will protect the majority of businesses.
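The two checks the paragraph describes, a strength rule and a uniqueness rule, are easy to get wrong when an organisation adds them to a password-change form, so here is a worked example. It is added to this post and is not Amicus ITS code; the minimum length, the PBKDF2 work factor and the sample passwords are assumptions chosen for illustration, since the post gives no specific numbers. Reuse is detected by re-hashing the candidate with each stored salt rather than by keeping old passwords in clear text.

```python
"""Password policy check and reuse detection (added example, not Amicus ITS code).

Assumptions (hypothetical, not from the post): a policy of at least 12
characters drawn from upper case, lower case, digits and symbols, with no
whitespace ("unbroken"), and a per-account history of salted password
hashes so that a "new" password that repeats an old one is rejected.
"""
import hashlib
import hmac
import os
import string

SYMBOLS = set(string.punctuation)
MIN_LENGTH = 12          # assumed minimum; the post gives no number
PBKDF2_ROUNDS = 100_000  # assumed work factor for the stored hashes


def policy_failures(password: str) -> list:
    """Return the policy rules the password breaks (empty list = compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SYMBOLS for c in password):
        failures.append("no symbol")
    if any(c.isspace() for c in password):
        failures.append("contains whitespace")
    return failures


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def is_reused(password: str, history: list) -> bool:
    """True if the password matches any (salt, digest) pair in the history."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        # Constant-time comparison so timing does not leak how close a match was.
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def vet_new_password(password: str, history: list) -> list:
    """Combine the policy check with the reuse check; returns all reasons to reject."""
    failures = policy_failures(password)
    if is_reused(password, history):
        failures.append("already used on this account")
    return failures


if __name__ == "__main__":
    # Constructed sample: two passwords previously set on the account.
    history = [hash_password(p) for p in ("Winter2023!!", "Summer2024??")]
    for pw in ("password", "Winter2023!!", "Tr0ub4dor&3-unique"):
        print(pw, "->", vet_new_password(pw, history) or "accepted")
```

Running the block rejects `password` on four rules, rejects `Winter2023!!` only because it is in the account’s history, and accepts the third candidate. The same `vet_new_password` check can be run at registration and at every password change, with the history capped to a sensible number of entries.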

However, the key factor in any security stance is education; this should be at the heart of all security themes no matter the size of the business. I recommend all security professionals look to enhance their awareness so they can educate end users, and if you are an end user, push for security education if you have not received it. Your security perimeter extends beyond you as an individual to your company and on to your customers and suppliers.

This week’s technology news – 27th March 2015

Are you really YOU online?

Cifas have published Fraudscape, their annual survey of 277,000 fraud cases from 245 members spanning a range of UK sectors. With cyber security issues topping the chart of risks for business in 2014/15, ID fraud is becoming the largest emerging threat as cyber criminals turn their attention to using other people’s identities or creating new false identities, since increased vigilance by business and consumers has begun to reduce the number of accounts being hacked or taken over. It is estimated that 758 frauds occur every day in the UK, a rate of 31 per hour (among Cifas members alone), and the Department of Health estimates there were an eye-watering 30 million cases of prescription fraud in 2014.

The survey findings report:

• 41% of all frauds recorded in 2014 involved criminal abuse of personal data or ID details to impersonate someone or create fictitious ID to steal money.
• 113,839 cases of ID fraud were recorded in 2014, up by 5% on 2013.
• Average victim’s age was 46
• Men are twice as likely as women to have their ID stolen.
• Emerging trend for young adults (21-30) being targeted (up 51% since 2011 to 14,850), reflecting this group’s increased use of financial products.
• The 55+ age group has witnessed a 15% rise in ID fraud victims from 2013 reaching 25,346 in 2014.

Read the full survey at:  https://www.cifas.org.uk/fraudscape_latest

Cifas CEO Simon Dukes described ID fraud as being on an industrial scale, “The frauds we are recording point to increasingly sophisticated, predatory and organised criminals”.  Cifas acknowledge that the stats may be the tip of the iceberg as this is only what has been reported by their members and is on public record.

The true extent is expected to be far greater: the UK statistics that form the starting point for data gathering are understandably challenging to compile, and much goes unreported. The Department for Business, Innovation and Skills figures record the following baselines:

• There were 5.2 million private sector businesses in the UK at the start of 2014.
• 180,000 charities (England and Wales)
• 560 central government bodies
• 400 local authorities
• 150 NHS Trusts

Then there are the individuals who have suffered fraud. Collating reports from across 5.4 million organisations and identifying how many of 60 million people have suffered fraud therefore requires some degree of estimation (and the figures do not include SMEs in the private sector, which according to the Federation of Small Businesses account for over 99% of all private sector business in the UK and almost 50% of private sector employment).

But the warning bells are there for us all. The last recorded stats from the now disbanded National Fraud Authority (NFA) put the cost of fraud to the UK economy at £15.5 billion in 2013. The Cifas fraud cases are routed to the City of London Police. But few of Cifas’ members know the point at which an ID was compromised, which would help target prevention efforts.

WHAT TO DO? Any organisation that has not taken steps to increase resilience by improving its firewalls, beefing up ID authentication and encryption, and having sound antivirus and anti-malware software in place could be placing itself and its customers at unnecessary risk. Reporting ID fraud and data breaches as standard has the potential to strengthen national security learning if government and industry can work more closely together. Added to this, education and awareness training amongst employees and consumers is a must as we find ourselves in an ever more cynical world surrounded by criminal intent.


Threat to Safe Harbour Agreement in Euro court

Europe’s highest court, the European Court of Justice (ECJ), will shortly be reviewing how Europeans’ data is shared with US companies in a landmark case which questions the effectiveness of the US Safe Harbour Agreement.

Brought by activist Max Schrems off the back of Edward Snowden’s whistleblowing, the lawyer’s complaint is that companies such as Facebook (by being complicit in Prism, an NSA surveillance system) are ignoring privacy practices, and that the Safe Harbour Agreement should be scrapped in favour of local regulators acting to protect Europeans’ data.

The Safe Harbour agreement (in place since 2000) allows US firms to collect data on their European users and store it in US data centres as long as certain principles around storage and security are upheld (e.g. giving notice to users and advising them on how the data can be accessed and by whom).

UK data regulator Ofcom are reported to have said at the hearing that scrapping Safe Harbour would “risk disrupting trade that carries significant benefit for the EU and its citizens”.

If upheld, the decision would have severe repercussions for any US firm dealing with Europeans’ data, including giants such as Twitter, Google, Microsoft and Yahoo. Twitter commented that it would be forced to build datacentres in Europe to hold separated information. Facebook has not responded formally, although the BBC has quoted that the social media behemoth would welcome an update of the Safe Harbour rules post Snowden.

For UK organisations where the issue of sovereignty is important, let alone the level of data protection required, the issue is likely to drive them to preserve and protect their customers’ data by having it reside only in UK datacentres, avoiding the risk of losing control of the data at any time and of having to deal with local regulators and data laws.


Microsoft’s future career as a carrier

Microsoft has been delivering text, voice and video services for many years to both consumers and businesses across phones, tablets and PCs. Their current offerings are Skype and Lync, with the latter soon to be rebranded Skype for Business. Currently over 100 million people use Lync to communicate at work. This week Microsoft announced that Skype for Business would include an enterprise-grade PSTN connection to Office 365 Skype for Business.

Microsoft’s strategic partners (including AT&T, BT, Colt, Equinix, Level 3 Communications, Orange Business Services, TAT Communications, Telstra, Verizon and Vodafone) will be working together with Microsoft to deliver secure and direct connections to Office 365 Skype for Business customers through Azure ExpressRoute for Office 365. Azure ExpressRoute leverages partners’ networks to provide a private, dedicated and high-bandwidth connection that bypasses the internet, essentially making Office 365 an extension of your on-premises environment whether you’re on site or not.

Skype for Business can handle all of an organisation’s communications, and with Azure ExpressRoute and their partners providing a direct connection rivalling traditional communication companies, Microsoft is essentially placing itself in the carrier business.

This will offer businesses a one-stop-shop for a secure communication package, which is where Microsoft is aiming this offering – for now. In principle this technology could be used on a commercial device. The user, instead of buying a phone, minutes and texts from a high-street carrier, could order a Windows 10 phone with a subscription to Office 365 that includes minutes and texts through Skype direct from Microsoft.

Whether or not Microsoft ties these devices and services together in such an offering, the potential does highlight the importance of Microsoft’s strategic partnerships, which benefit all parties, not just Microsoft, going forward.


Troublesome domains

When browsing the internet, or even securing your own website, you will likely only worry about a few TLDs (top-level domains), the most common being .com, .net and .org. In recent years there has been an explosion of new TLDs, with the number now available rising to over 650.

One of the most recent TLDs, “.sucks”, has been stirring up trouble. It’s easy to see how this new domain could be a serious nuisance: all it takes is for someone to take your company’s name and register the “.sucks” domain, and they have the perfect virtual home in an ideal location to poke mischief and maliciousness at your brand, with the potential of you losing big business.

The initial answer for most will be simple: buy the domain before anyone else can and cause trouble. But this is where it gets ugly. The group that purchased the rights to sell “.sucks”, called Momentous, is charging astronomical fees of $2,500 for “.sucks” domains. To a major organisation this could be small change and amount to no more than regular IT admin housekeeping; for SMEs or professional individuals, however, the cost is extortionate, and every business will need to weigh the risk of a third party taking over this domain against the potential cost of damage to its brand.

ICANN, the international body that supervises all things internet, including the creation and approval of new TLDs, clearly decided that “.sucks” was fit for purpose. Whether ICANN is itself fit for purpose in thinking that such a domain name could be positive in any way for business is risible.

Organisations are now left with a wholly unnecessary headache and unwanted financial outlay if they are to insure against potential negative outcomes. Hopefully a sharp backlash from disapproving businesses will make ICANN recognise its folly and in future only permit the release of sensible domain names that add value to the internet.


This week’s technology news – 25th October 2014

Wearable Technology – not so Mickey Mouse

It was never going to be long before the commercial opportunities from wearable technology were fully grasped by the entertainment industry. Into frame comes The Walt Disney Company, who have been discussing the success of their adoption of wearable technology at the recent Digital Strategy Innovation Summit. Their new “MagicBand” aims to “improve customer experience and engage with visitors” at its parks and resorts. This is a neat euphemism for big data analytics consuming personal details and helping direct customer behaviour, so that greater marketing opportunities can be had.

The MagicBand uses radio frequency identification (RFID) technology. With a swipe of their arm, visitors can enter parks and hotel rooms, purchase food and gifts, use fast-track services and link Disney photos to an online account. Acknowledging the issue of privacy and security, Disney’s customers can elect whether or not to share their personal data. If they do, families can register payment details once to avoid carrying a wallet to pay for individual items during a stay, or register their children’s names and birthdays to prompt a “magical” personal greeting at a ride, or an informed conversation with a Disney character while walking around.

Should we be surprised? Well, no, not really. After all, it is 20 years since Tesco employed the company DunnHumby in 1994 to analyse their Customer Relationship Management (CRM) data to find patterns to help direct marketing campaigns. This quickly became known as the highly successful Tesco Loyalty Card. Even this wasn’t cheap, though: the scheme is reputed to cost £60 million per annum to run. However, the exploitation of data to direct company decisions is the future, and central to the Internet of Things making our lives easier. So the more intelligent organisations are about their use of data, its connections, privacy and security, the greater the potential opportunities that can arise in future, and hit the bottom line.


Apple’s new SIM

Apple announcements come and go, but last week’s big Apple event was mostly underwhelming, bringing incremental refreshes to its iPads and Macs with an absence of exciting new features. A small detail that went unnoticed by most (and wrongly reported by others), is the new Apple SIM that comes included within the new iPads in the US and UK.

The Apple SIM is essentially an Apple-branded nano-SIM which lets you swap between different network providers without swapping the SIM itself. This can be done by choosing your provider of choice on the iPad’s touch interface without visiting a physical or web store. That is the plan at least. Currently here in the UK, only EE have signed up, so you are limited to swapping between EE and nothing.

You can thankfully also use a standard nano-SIM in the new iPads, but it has yet to be confirmed whether a data plan signed up for on the new Apple SIM will still work if the SIM is taken out and moved into a non-Apple device.

If the answer was no, then this annoyance would likely go unnoticed by most, as only a fraction of iPad buyers opt for the cellular capable option.  However, if this was used in the next iPhone launch, the Apple SIM could tie Apple devices and numbers together making an iPhone to iPhone upgrade painless, but an iPhone to a competitor a difficult or impossible task.

If this were to come into play, it may fly in the States, where Apple has stronger control over network carriers and there is a history of less flexible mobile options. But here in Europe, it would likely be slammed by anti-trust laws for unfair competitive practices. Apple’s new SIM may be both a starting point and a testing bed lying low in new 4G iPads, but things will escalate extremely quickly if it makes the jump over to iPhones in the future.


Yahoo! finds success in mobile


Not long ago we saw Marissa Mayer, Yahoo! CEO, make the statement that they had missed a huge opportunity in mobile. Since then Yahoo! has been hard at work enhancing its modern mobile portfolio with a sequence of clever acquisitions of mobile app development houses.

The company’s latest quarterly earnings show mobile revenues in excess of $200 million, and it estimates that revenues in mobile will exceed $1.2 billion by the end of this year.

Over the past 10 months Yahoo!’s mobile acquisitions have included Snapchat clone “Blink”, messaging app “MessageMe”, home screen app “Aviate” and mobile analytics startup “Flurry”. In addition to their existing apps, these start-ups were also tasked with creating the new Yahoo! app suite, including News, Sport and Weather. The surprisingly high quality of these apps has earned them a recent surge in consumer interest, and the spin-off has been that consumers are returning to use Yahoo! services.

When a company the size of Yahoo! misses a technology shift as big as mobile apps, it can often find itself in serious trouble. Yahoo! is currently rumoured to be involved in numerous further acquisitions of mobile app development houses, so having found success in mobile, it is safe to say they are going to focus more than ever on it. If the next set of acquisitions turn out as well as the last, Yahoo! may see a new lease of life as a heavyweight in the mobile app business.


How out of touch are we?


Microsoft has been developing touch technology for a while now to embrace realism in resistance and weight on their keyboards and touch pads (see blog of 5 July 2013); however, touch devices are moving on again to evolve into next-generation technology described as “rich touch”.

The iPhone was regarded as an exemplar of multi-touch interfaces, but recently an altogether more creative suggestion has been made by Professor Chris Harrison of Carnegie Mellon University in the States. Interfaces have become far simpler for people to use, but Harrison derides the emphasis on size reduction in favour of the flexibility that different kinds of touch can provide to expand the use of a device. All of this is based on analysis of the richness of how humans naturally use their hands, versus how many fingers you use to poke at a screen. Guitars, he notes, are very sensitive in terms of touch, pressure and grasp and can pick up on vibration. Harrison sees this as the key to matching desktop productivity on mobile devices.

Rich touch would enable your knuckle to add another dimension to your pointer finger, i.e. lassoing part of a photo, or tapping on the screen with your knuckle to bring up a contextual menu and refine and edit content. These variants can work as a “left-click” for touchscreen interfaces. Further options can be cued by the angle of touch to turn the screen into a different menu sequence, so a poke is different from grazing your fingertip across the screen, which could alter the scrolling process (a big deal for smartwatches). Then there is “drilling” the screen to turn volume up or down, and other recognition of hand shapes to perform further functions.

All of the above developments seek to connect the user more personally and practically with their devices which should increase output and engagement satisfaction.  As long as options remain for selecting how we access different menus, and rich touch options can be switched on or off, it will add another new rich layer to our user experience, whilst also protecting the less dextrous user amongst us.


Amicus ITS – Our views on this week’s news

Apple’s profits – The Bigger Picture

Research firm Statista has announced that Apple’s profits amount to more than those of Google, Microsoft, Amazon, Facebook, eBay and Yahoo combined. Their $47.1 billion profits are primarily thanks to the popularity of their well-designed, fashionable mobile devices and their growing impact on the work environment. Whilst we love the iPad and the iPhone, can Apple maintain this lead by using their design and phenomenal budgets to drive consumers to the next big thing?

The end of XP

This week saw the start of the 500-day countdown to the end of XP support, giving Windows 8 a fighting chance of gaining significant sales figures. Although Windows 8 has so far seen a slow start, we think Microsoft’s big gamble will pay off. As mobility grows, organisations will look to the best solution to meet their OS needs, and we think Windows 8 will come up trumps.

Windows Phone anyone?

Microsoft is placing all its bets on the new Windows 8 ecosystem to push sales of its phone division. The new device comes with a similar look and feel to its desktops, tablets, Xbox and phones, in the hope that users will enjoy the experience on one device and try another. We think this is a smart move for Microsoft and predict that by the end of 2014 we may see the market share split between Apple, Microsoft and Google.

Security breaches enhance corporations’ awareness

In recent months, hacking has increased. Many big names are currently in the firing line, with Google, Yahoo and Microsoft the latest. As industry leaders succumb to security breaches, the rest of the world becomes increasingly concerned about how secure its IT infrastructure really is. Organisations need to step up their game and will look to managed service providers for help.