Recently, car insurance and breakdown cover provider AA faced accusations of covering up the severity of a data breach that occurred in April of this year. The AA, through their customer support Twitter, chose to downplay reports of the breach and assured users that no credit card or other sensitive data had been exposed. Data was leaked from their online shop due to a server misconfiguration. However, this server contained data on over 100,000 AA customers, and included partial credit card data. Despite knowing about this breach for over two months, it wasn’t until the cyber security community cried out in outrage that AA eventually admitted to the severity of the breach. No customers were notified by the AA directly.
Cyber Essentials Accreditor Suffer Data Breach, Exposes Companies to Phishing Attacks
For those of you who may not have heard of the Cyber Essentials scheme, it is an accreditation-based program created by the UK government and backed by the industry in both the UK and Ireland, to show that basic cyber security measures have been put in place that will block most cyber attacks. It was designed as an affordable alternative to ISO27001, which may be financially out-of-reach for many small/medium enterprises, and is a requirement for any businesses that deal with the UK government. So, it may have come as a surprise to many to find out that the IASME Consortium, one of six accrediting bodies in the UK, has suffered a data breach which exposed the company names and email addresses of their applicants. While no other information such as these companies’ security configurations were leaked, the breach could well open the exposed companies to phishing attacks from cyber criminals.
A list of Cyber Essentials applicants, including their company names and corporate email addresses, may have been leaked to hackers.
ICO Less Likely to Issue Fines to Companies Who Train Staff
The Information Commissioner’s Office in the UK has issued a statement that organisations who train their staff in data security will be less likely to receive a fine or monetary penalty. The ICO recommends that at least 80% of an organisation’s staff are trained on how to handle sensitive data and keep it secure from data breaches, with a spokeswoman stating that “reasonable steps” must be taken to secure data, with “full account of the facts” taken into consideration in the event of a data breach being discovered.
At least 80% of an organisation’s staff should be trained on keeping data secure. Human error remains the top cause of data breaches.
Ransomware attacks may breach new EU GDPR data protection regulations.
With the introduction of the new EU general data protection regulation (GDPR) this time next year (25 May 2018 to be exact) – businesses all over the globe could find themselves in breach of the regulation and facing hefty fines should they fail to prevent a ransomware attack, phishing attack or similar. The message is finally getting out there – something needs to be done about ransomware and fast.
How Ransomware could cause a breach of GDPR?
As noted in this RTE article by @AengusCox – data protection and governance expert @DaraghOBrien, Managing Director of Castlebridge Associates, confirms GDPR is all about accountability. Not only do organisations have to comply with the regulation, they also have to demonstrate compliance through evidential proof (documentation, etc) of the controls, processes, technology, etc. that they have in place to protect the sensitive and personal data they hold on EU citizens (to include their staff, customers, vendors and third parties).
Daragh confirms that ransomware could indeed be seen as a breach of GDPR by the data protection commissioner, as ransomware typically can affect both the availability and access of personal data and can also affect the recovery of the personal data. Indeed, some viruses are known to upload personal data to hackers – a clear data breach and major breach of the GDPR.
As the GDPR comes more and more into focus through the year and into next year – security experts predict that hackers/scammers will begin to steal data with advanced ransomware and then blackmail the victims by threatening to report them to data protection commissioner.
What can be done?
In the RTE video interview, Daragh notes that security awareness training for staff is crucial now. Businesses urgently need to train their staff how to recognise and avoid clicking on links in phishing emails.
Many may not realise yet, but Article 39 1(b) of the GDPR regulation places a mandatory onus on organisations to undertake security awareness training for staff that deal with sensitive personal data. Read more
Ransomware – WannaCry No More – Train and Phish your staff.
By now, many of you that have not been under a rock for the last couple of weeks have heard about the worldwide ransomware cyber-attack WannaCry Decrypt0r that began in earnest on Friday 12th May 2017. The new ransomware caused major disruption to the IT systems of 40 National Health System hospitals across the UK (resulting in most non-emergency operations being suspended). Not only that, but it also caused disruption to an additional 200,000 victims, distributed over at least 150 countries (including several banks, Renault, Nissan, FedEx Corp, Telefonica, German Railways and even the Russian Interior ministry).
How Did This Happen?
Global reports from cyber security experts confirm that this ransomware gets onto a network through an unsuspecting user clicking on a link or attachment in a spam email.
The last few years and countless data breaches have shown that human error (due to a lack of security awareness training) from phishing and social engineering is the number 1 cause of cyber-attacks, ransomware and data breaches worldwide. Unfortunately, many companies including hospitals who have not invested in security awareness training and ongoing testing of their staff with simulated fake emails (to keep them savvy to the latest scams) will continue to be the most vulnerable to this and future similar style cyber- attacks.