Category Archives: Data Loss

cybersecurity, Data Loss, Data Protection, Information Security, insidertrading

How to ruin the reputation of your (118 year old) company, lose your job and your liberty

Unfortunately there are so many cases I can use to illustrate this. Most topical at this time at the start of autumn (fall) 2017 is Equifax.

They provide credit scoring services to the public and businesses in 14 countries, including Canada, UK and USA. Many financial organisations use them to assess the credit-worthiness of individuals and companies.

This company has been around for more than 100 years, they have an operating revenue of over 3 billion USD and over 9000 employees.

Their bread and butter is information. Personal information. Including name, addresses, social security number, income and loans amongst others. Stuff classed as sensitive PII by most if not all data protection agencies.

They hold data on more than 820 million individuals and 91 million businesses.

In May 2017, they lost the details of which 145 million people in the USA, at least 400000 in the UK and 100000 in Canada.

Heads Roll

Within Equifax, the chief information officer Susan Mauldin and chief security officer David Webb were retiring and within two weeks Richard Smith, the CEO said he was stepping down after having to explain the breach to a US Congress committee in October.

The market is not impressed

Their share price was trading around 140 USD, then plunged to a low of 94 USD a few days after the disclosure, which is comparable to Talktalk’s share price drop.

The actual financial impact to Equifax is unknown at this time, as it’s still so recent.

It gets worse

During a congressional hearing, it transpired that the CIO, Jun Ying had sold 950k USD of company shares. June 2019, he was found

guilty of insider trading and sentenced to 4 months in prison

and ordered to pay restitution amounting to 120M USD, as well as a 55K USD fine.

As of 13/05/19: This incident has cost the firm 1.4 B USD so far

 

IT Pro article

Moneysavingexpert article

cybersecurity, Data Loss, Hacked, Information Security

The value of patching, The cost of not patching

(One) Major cause of data breaches

Over 50% of data breaches are due to published exploits where fixes or patches are available.

The actual percentage varies to which study you refer to. The vulnerabilities may be through the OS, platforms like Java and Flash or applications.

Secure Configuration is essential, one such aspect is patching. Making sure that you’ve employed the most up-to-date software.

The reality is that many organisations do not adequately patch their software and hardware. For many it is an onerous task. They may be worried about introducing issues to their production services or it may be the lack of resources.

The risk is real, whether it is risk to production from using different (updated) software or from crackers exploiting vulnerabilities.

Regression and user-acceptance testing is essential here. There are other mitigation schemes where a staged patching is adopted, where a proportion of servers or instances of the software is patched and then used in production. It could be a test or development units.

I’ve just talked about the value and reasons for patching.

The other considerations are the cost of not patching.

There are many examples, but I’ll just share a couple with you.

Talktalk looses data

Talktalk, a communications company in the UK mobile telephone, TV and broadband market. They lost 157000 customer details in 2015. The vulnerability was on a website that had not been patched for 3.5 years. In the aftermath they lost of more than 150000 customers. Their share price dropped 30%.

Promotions and incentives cost them 35M GBP. Their 2016 profits dropped by 56%. They were also fined 400000 GBP by the ICO. Under GDPR the fine imposed could’ve been more than 70M GBP.

Equifax looses even more data

Moving to a more recent data breach, Equifax. They provide credit scoring services to the public and businesses. Many financial organisations use them to assess the credit-worthiness of individuals and companies.

They hold data on more than 820 million individuals and 91 million businesses.

In 2017, they lost the details of which 145 million people in the USA, at least 400000 in the UK and 100000 in Canada.

Heads Roll

Within Equifax, the chief information officer Susan Mauldin and chief security officer David Webb were retiring and within two weeks Richard Smith, the CEO said he was stepping down after having to explain the breach to a US Congress committee in October.

The market is not impressed

Their share price was trading around 140 USD, then plunged to a low of 94 USD a few days after the disclosure, which is comparable to Talktalk’s share price drop.

The actual financial impact to Equifax is unknown at this time, as it’s still so recent.

The breach was likely to be from a vulnerability that had been publicised and known for months and not mitigated.

The fallout from this incident is yet to settle. There are likely to be class action law suits in the USA and Canada. The respective regulators are likely to be sifting through the post mortem reports and deciding on what punitive measures to take.

Further reading and references

 

Availability, Data Loss, Hacked, Malware, Ransomware

Massive Attack

There have been very public examples of cyber attacks, affecting organisations on a global scale. Despite prominence given to recent outbreaks, such as Wannacry in May 2017 and NotPetya in June 2017, the first recorded global malware outbreaks started much earlier.

Some history

John von Neumann wrote a paper on “Theory of self-reproducing automata” published in 1966 which described self-replicating artificial forms, how they would spread, mutate and be self-deterministic.

The first examples

1981 saw one of the first computer virus designed to infect Apple II PCs by Richard Skrenta. Five years later in 1986 saw one of the first PC virus, known as Brain as well as other monikers, this was written by Basit Alvi.

Why ?

There have been many more malware in the intervening years, the main difference between these and current malware infections is that the earlier instances were programmers showcasing their skill and ingenuity mainly for bragging rights and inter-peer competition. They were often created as proof of concepts and sometimes were released by mistake.

Interconnected

Another aspect worth mentioning is that the world has moved on since the 1970s. Personal computers then were not generally interconnected, they were stand alone and strictly the domain of hobbyists.

The Internet

The origins of the internet started in the 1960s as a USA government project, which was made a commercial prospect in 1983 with few private users. By 1995 there were 16 million users, by the turn of the new century more than 300 million users. A decade later, 2000 million users. We are on course for 4000 million users in 2017. Exponential growth in action, the effective network  proximity means that something that happens on the otherside of the world, can affect you milliseconds later.

There are not many commercial or governmental organisations which are not internet connected. Domestic connectivity has also mirrored this growth, which has been taken into the mobile and IoT space as well.

Ransomware

The first recorded instance of a ransomware was in 1989 written by Dr. Joseph Popp for PCs called the AIDS Info Disk which was a malware that demanded 189USD to be paid for license fees.

Ransomware is now a commercial enterprise, organised crime has seen the potential for great ROI (return on investment) for little risk.

There have also been rumours of nation state involvement in malware, which has been loosely substantiated by leaks, revelations and evidence from whistleblowers. They have been carefully crafted and targeted attacks. One such example is such Stuxnet, designed to damage centrifuges used by Iran in a uranium enrichment programme.

SWIFT

Attacks on the global interbank transfer service, SWIFT netted more than 80M USD in 2016. A similar heist was reported in Ecuador and an attempt at defrauding a bank in India this year.

More recently Wannacry and Petyta in May and June 2017. The last two has leveraged stolen malware, allegedly originating from USA’s National Security Agency (NSA).

So we are beginning to see a muddying of the waters between what is likely to be nation state campaigns and what is used by organised crime for their money raising efforts. Even the lines between nation state and organised crime may be blurred, as the two most recent global ransomware events have been attributed to various countries.

Who did it ?

Be mindful that attribution is not an exact science; this is where clues may be left to confuse and misdirect and definitely an area where

plausible deniability reigns.

So what does this all mean? Apart from plenty of mystery, intrigue, 007 and general dodginess all round.

How does it affect me and you ?

For the population at large and commerce, it means further disruption caused to our digital environment from a myriad of sources, be it an attack to demonstrate technical control for political purposes or for monetary gain, the fallout or collateral damage is likely to affect the rest of us.

What can we do about it ?

Many of these exploits take advantage of poor cyber hygiene. If basic guidelines on the use of internet based services, system maintenance and configuration were followed, the susceptibility to these attacks by organisations would be significantly lower and even if an organisation were to succumb to a cyber attack, recovery would be significantly quicker and be less damaging on operations.

Follow-up – “How to protect yourself from malware”

References

List of viri from Comodo

Wannacry – Symantec

Wannacry – The Independent

Petya or not ???? – Reuters

Destructionware, not ransomware – The Verge

More on NotPetya – TechCrunch

 

Data Loss, Data Protection, GDPR, Personal Information

GDPR – Nothing to do with us; UK is leaving the European Union, so we don’t need to do anything.

screen-shot-2016-09-13-at-11-40-12

(GDPR – General Data Protection Regulations 2016)

Bit of history to put things into perspective, in 1950, the Council of Europe created an international treaty to protect human rights and fundamental freedoms in Europe. Article 8 provides a right to respect for one’s “private and family life, his home and his correspondence”. The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data was published in 1980, this defined the data controller and personal information. A year later EU Treaty 108 was drafted which which espouses the Eight principles for protecting personal data. There are many other notable Acts of Parliament, including the Data Protection Act 1984 and Computer Misuse Act 1990. Let’s get to the present day.

GDPR is the culmination of efforts to update the EU Data Protection Directive, 95/46/EC that was ratified in 1995.

There are 99 articles and hundreds of recitals in the GDPR. I’ll present that in a GAP analysis in the future.

Bottomline

The Good news

  • The underlying reasons for having the GDPR hasn’t changed from the EU Data Protection Directive of 1995, the tenets are broadly the same.
  • Lawful processing, accuracy, appropriate technical controls etc still form the core of the GDPR.

However, as always, the devil’s in the details.

What has changed ..?

The reach of the new regulation is significantly extended.

The potential penalties are designed to be “effective, proportionate and dissuasive”. Based on a two-tier basis of 2%/4% of global turnover or 10m/20m Euros, whichever is greater.

Data Protection breaches will be taken more seriously.

Transparency. Accountability. Consent. Portability.
Breach notification. Certification. Data Protection Officer. Privacy by design.

Using tricks to opt people in will regarded in a negative light and is not in line with transparency.

The C suite will be accountable for Data Protection, not something which is loosely delegated to someone in IT.

Personal Data Breaches, the ICO must be notified within 72 hours.

Data Controllers must implement data portability in a commonly used format.

A Simple Checklist

  • Does your business collect, store or process personal data (anything that identifies an individual of the EU) ?
    (That includes customer lists, membership details, medical records, delivery addresses, cookies and other identifying markers)
  • Does your business have customers in any EU state ?
  • Does your business intend to retain or gain new customers in any EU state after Brexit ?
  • Does your business intend to partner with EU entities that serve EU customers between now and Brexit ?
  • Does your business intend to partner with EU entities that serve EU customers after Brexit ?

A “Yes” or may be means that your organisation will be better placed if it aligns it’s governance and policies soon, as it is likely to take time to adopt and implement.

This is not an IT exercise – this needs to be owned at C or board level and this must be demonstrable.

Also, don’t forget that the UK is still in the EU and it will take a minimum of 2 years for Brexit to complete, which takes us into 2019, a year after GDPR is in effect.

For non-UK readers (and companies), there are no geo-boundaries to this. Your company may be based in South Africa, but if you have EU customers (non-company), you need to comply.

Some questions that need to be addressed
Will the UK retain the GDPR after Brexit ? If it doesn’t, the UK will need introduce something broadly similar if she intends to trade with the remaining EU members. Which requires time and money.

My money is on the UK adopting the GDPR and applying some judicious derogations, enough to gain some flexibility, but retain compatibility.

On a similar vein, keep any eye on how the issue with US Safe Harbor/ Privacy Shield and Ireland Data Protection challenge of model contract clauses plays out in the near future.

screen-shot-2016-09-13-at-11-42-40

Further reading

http://ec.europa.eu/justice/data-protection/reform/index_en.htm

https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

http://www.twobirds.com/en/practice-areas/privacy-and-data-protection/eu-framework-revision

 

Data Loss, Data Protection

Passwords – Not fit-for-purpose, misused and Ugly

It’s a perennial subject, but one worth reiterating, as old habits die hard. “Popular Passwords”, from the numerous loss and publication of unencrypted password lists, a league table has been created. The data is from 2014, but I very much doubt much has changed, so the message goes out again. Please avoid using regular names, sport teams and standard mis-spelling of dictionary words, such as P455word1, it’s better than 12354567 or qwertyuiop, but no way is it secure.

Is your password below ?

popular passwords

Source : www.informationisbeautiful.net

There are password guessers which substitutes 5,$ etc for S. The dictionary used covers the main languages used for commerce, English, French, Spanish, German and more commonly now Korean, Japanese and Chinese.

The safest password is one which is randomly generated or at least not a dictionary word. Using password managers is one strategy that people and organisations use, but that means putting your trust in that product and relying on you remembering your password to unlock that, but it is a better solution than many others.

Guidelines

  • Use 10 characters or more
  • Avoid dictionary words
  • Don’t reuse passwords across different services (for sensitive or high value services)
  • Don’t just rely on common substitutions
  • Write them down (keep the book/paper safe)

I know the last one is contentious. Better to write it down than to forget it or rely on another piece of software of technology that can be compromised. Your smartphone can be hacked anywhere in the world, your paper notebook is much, much harder to access.

 

Rank Password Change from 2013
1 123456 No Change
2 password No Change
3 12345 Up 17
4 12345678 Down 1
5 qwerty Down 1
6 123456789 No Change
7 1234 Up 9
8 baseball New
9 dragon New
10 football New
11 1234567 Down 4
12 monkey Up 5
13 letmein Up 1
14 abc123 Down 9
15 111111 Down 8
16 mustang New
17 access New
18 shadow Unchanged
19 master New
20 michael New
21 superman New
22 696969 New
23 123123 Down 12
24 batman New
25 trustno1 Down 1

 

Source : splashdata.com

Data Loss, Data Protection, Hacked, Personal Information

Another day, another Data Breach – OPM – US government’s Office of Personnel Management

I’m sure you’ve seen this one in the news already. I have resisted commenting immediately, so that we can all take a step back and avoid knee-jerk, reactive comments.

21.5m USA federal employees and associates PI lost

Breach occurred over 12 months

In a nutshell, the personal data of 21.5m US government personnel was pilfered for more than 12 months. This included names, addresses, social security number (similar to the UK National Insurance number), position in the government and biometric data. Foreign contacts were also in the data haul. Background checks for the last 15 years, of friends, associates and information required for security clearance roles were lost. This information may potentially expose federal employee’s to unfavourable actions.

There were either no or insufficient controls in place to protect the data, control access, detect data leakage or detect malware. Apparently it was only due to a security tool demonstration that the breach was discovered at all.

Source :  http://www.prweb.com/releases/2015/06/prweb12787823.htm

The fallout has been severe; Katherine Archuleta, The Director of the US Office of Personnel Management has resigned in the wake of further revelations about the scale of the hacking attack on the agency. She had been in the role for two years. The insecurity of OPM services was already known and documented in an earlier audit by the US Inspector General as unsafe, some as far back as 2007. The Director accepted the risk and kept the servers running without sufficient mitigation. Other findings included using servers that were unable to employ encryption and inadequate authentication.

Audit recommendations not properly mitigated

Although there was an upgrade plan underway, her mitigation strategy was not-fit-for-purpose and did not reflect the risk and vulnerabilities at the OPM.

This has echoes of the 2014 Target Breach, where management were aware of serious issues, but under-played and ignored advice. This neatly highlights the fact that you can have independent audit, but if the risk is not owned by the board, properly interpreted and mitigated, you are leaving your organisation (or indeed country) open to threats.

I have also deliberately avoided the more political aspects of this breach; It is the duty of all countries to spy on another, for gain, for war and for peace. Blaming one country or another for your own failings is disingenuous at best and totally blinkered to the realities of our world.

Further reading

https://www.opm.gov/cybersecurity/

http://www.nytimes.com/2015/07/10/us/office-of-personnel-management-hackers-got-data-of-millions.html?_r=0

http://www.cio.com/article/2947453/data-breach/how-opm-data-breach-could-have-been-prevented.html

http://www.cio.com/article/2945425/data-breach/the-opm-lawsuit-will-only-make-the-lawyers-rich.html

Data Loss, Data Protection, Personal Information

Ponemon Institute – 2015 Cost of Data Breach Study: United States

US study at a glance

$6.5 million is the average total cost of data breach 11% increase in total cost of data breach

$217 is the average cost per lost or stolen record

8% increase in cost per lost or stolen record

Highlights from the report

As in the ICO (UK) Data Breach report, healthcare comes number 1 in the charts, this time for the cost of each breach.

The report is definitely worth spending time reading. It highlights the following points for minimising the cost and impact of security breaches :

  • Board-level engagement and CISO leadership
  • Employee training
  • A relevant and up-to-date incident response plan and team
  • Targeted use of encryption
  • BCM integration
  • Insurance protection

These are the fundamental building blocks of an ISMS (information Security Management System), found in ISO27001, COBIT5 and others.

The Ponemon Institute report

Data Loss, Data Protection, Personal Information

UK Healthcare sector accounted for 40% of data breaches

2014 Q4 figures released by the ICO (Information Commissioner’s Office) reveals that of the data breaches reported to them, over 40%  originated from the healthcare sector.  Local government and education are a distant 2nd and 3rd respectively.

Source : ICO Q4 2014 Data Breach figures

The vast majority of these were attributed to human error, broken down into detail in the next chart.

Source : ICO Q4 2014 Data Breach figures

Principle 7 failure originates from inadequate technical controls.

The ICO states :

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Chun’s View

The raw figures indicate that the healthcare sector is prone to unintended personal information exposure (bear in mind these numbers haven’t been normalised),  it could be that this sector’s threshold for reporting is lower, It does reinforce the point that the majority of data leaks are due to human error.

Mitigation

Board-level sponsorship of Data Protection and Information Security training, as part of a larger learning and development regime, is essential. It must be viewed by the organisational population as worthwhile.

This must be formalised into the training strategy and woven into the Employees Handbook and Security Policy of the organisation.

As well as regular training targeting people who handle personal data, the training quality assurance is provided by the tracking of training metrics, such as completion and pass rates. With a sufficient data set, this may be correlated against the number of incidents reported. Incident rates may actually increase, as more may be reported when people are more aware of their obligations.

Parting words

Whichever sector you’re in, guarding against unintentional exposure of personal information is essential to maintaining your organisation’s reputation and avoiding the attention of the ICO.

Further reading (ICO)

Data Loss, Data Protection, Personal Information

World Leader’s PI leaked

The personal details of all 31 leaders at the recent G20 summit in Australia have been accidentally leaked by the Australian immigration department. Despite being notified of the high-profile breach four months ago, it neglected to inform anyone.

The details included passport numbers, visa details and other particulars of each leader at the summit.

Tony Abbott and Vladimir Putin cuddle koalas before the start of the first G20 meeting in November 2014. Photograph: Andrew Taylor/G20 Australia/Getty Images

In a letter obtained under Freedom of Information requests, it’s been revealed that a staffer at the G20 leaders summit staged in Australia last November mistakenly mailed a list of the leaders’ personal details to an official at the Asian Football Cup Local Organising Committee.

Although the information hasn’t been publicly exposed and is unlikely to be of use for nefarious purposes, not many people are likely to pretend to be Vladimir Putin or David Cameron. The damage is reputational and is certainly embarrassing for the Australian government. Ironically it had just recently passed controversial mandatory metadata retention laws.

Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015

International Business Times article on the new Australian Bill and obligations of ISPs

The Guardian’s article on the new Australian Bill

 

 

 

Data Loss, Data Protection, Hacked

2014 – The Year of 1 Billion Data Record Losses

Gemalto the digital security services company and Safenet have released a report titled “2014 – Year of Mega Breaches & Identity Theft”

2014 Data Breaches Gemalto Infographic

The headline numbers make for sober reading. The number of data records loss jumped 78%, from about 575 million in 2013 to more than one billion in 2014.

In terms of time, in 2014 some 2,803,036 data records were lost every day, 116,793 every hour, 1,947 every minute and 32 every second. So figure in about the time it took to read the previous sentence, about 400 data records would have been stolen or lost based on the 2014 data breach statistics.

Despite the widespread availability of commercially and indeed open source encryption solutions as a means for protecting  information and privacy, only 58 of the data breach incidents in 2014, or less than 4% of the total, involved data that was encrypted in part or in full.

In short, companies and organisations are still not taking protection of data seriously. It’s likely to take the commensurate loss of revenue or regulatory fines, up to and including gaol time for things to start improving.

One catalyst for this may well be the EU General Data Protection Regulations, but there’s a lot of lobbying and compromises between the proposals and actual legislation. It may still revert back to being an EU Directive. Meanwhile our Personal Information is being  shared, sold and aggregated ad infinitum, that’s before it’s leaked and stolen !

Gemalto’s 2014 Data Breach Report