In a case that has set a new precedent in data breach law, UK supermarket giant Morrisons has been found liable by a High Court for the actions of a former staff member who purposely leaked payroll data for thousands of employees. The decision was reached as part of a class-action lawsuit brought against Morrisons by over 5000 current and past employees of the company, and was in relation to an incident that took place in 2004 – where an employee posted 100,000 employees’ personal details on the internet. This personal information included bank details, salary, insurance information, phone numbers and addresses. Lawyers have refereed to this ruling as a “landmark” decision, as it was the first class-action suit filed over a data breach in the UK, and ruled that Morrisons was liable to owe compensation to the victims despite the judge ruling that Morrisons had not been at fault in any way. However, this case is very much in keeping with current trends in regulation to fiercely protect user data, and the high expectations being placed to companies to ensure this.
Nadine Dorries, a British MP, has made news over the past few weeks after admitting on Twitter that she shares the password to her work PC with other staff in her office and even “interns on exchange programs”. According to Dorries, the main reason for this is that her staff can access a shared mailbox on the PC and reply to constituents. More worrying still, in wake of the backlash directed at Dorries, other MPs have come forward and admitted to the practice, revealing a worrying trend. In a further statement that showed up Dorries’ lack of data protection savvy, she tweeted that since she was backbench MP without access to government documents, there was nothing sensitive to access. Dorries (and hopefully all other MPs sharing their passwords) are in for a rude awakening, however, as not only is sharing passwords against the rules of parliament in the UK, but even information as basic as an address book constitutes Personally Identifiable Information (PII) which is subject to strong protection under existing data protection laws – and will be protected even more fiercely under the upcoming GDPR, even in the UK.
Password sharing may be standard practice among MPs, but it is far from best practice. Mailbox delegation could achieve the same productivity with a fraction of the risk.
A macro is a small piece of code that runs within a software program such as Microsoft Word or Excel, and is normally used to automate common or repetitive tasks. Macro malware is the practice of hiding a virus in a macro code and enticing unsuspecting users into downloading a Word or Excel file and running the macro script within, which then will download a virus, malware or even ransomware onto that person’s PC. Macro malware was common during the 1990s, but lapsed in popularity through most of the 21st century as increasingly savvy PC users learned how to spot the spam or phishing emails that delivered them, which were often riddled with typos. Nowadays, however, macro malware is seeing a big return due to two factors – Phishing emails are becoming increasingly sophisticated and no longer have obvious typos in them, and ransomware – a very profitable form of malware for criminals – can be easily downloaded via a macro, leading to entire networks being encrypted and held to ransom. It is now critical that all users understand the threats that macro malware can pose, particularly to their organisation, and learn how to spot the attacks before it’s too late.
Excel files are a common means of transmission for macro malware, which can download ransomware to infect entire networks at a time
The Central Statistics Office has admitted to a data breach involving an error by a staff member, leading to a sever breach of data protection rules. Reports were made last week that a past employee for the CSO has been sent P45s of other past and present employees in error. The past employee was outraged at the time, as she believed that 1000 people’s records had been breached.
The CSO has since issued a “sincere apology” for the incident, and volunteered that the incident had not affected 1000 people, but had actually concerned 3000 former employees.
The Central Statistics Office has apologised for a staff error which sent 3000 P45s to a past employee – a catastrophic data breach
Uber is back in the hot water again after it has revealed that over 57 million records were exposed in a 2016 data breach, which it subsequently covered up. This news comes not long after Uber ousted founder and CEO Travis Kalanick, who was suceeded in August by Dara Khosrowshahi. Kalanick was forced out of his own company due to a litany of scandals, and now Khosrowshahi is keen to do things the right way – hence the fresh statement declaring the breach. However, this has put Uber into a very troubling situation as not only do they face legal action for covering up a data breach, but it has also revealed an incredibly poor security culture within the company.