Carphone Warehouse have been ordered to pay a fine of £400,000 (over €450,000) to the UK Information Commissioner’s Office, one of the largest fines the ICO has ever issued to a company. A data breach at Carphone Warehouse occurred in 2015, which subsequently led the ICO to investigate the company and discovered a series of “systematic failures” in security practice. The severity of the fine reflected the fact that up to 3 million customers’ data was compromised, in addition to the data of a further 1000 employees. The data itself was also considered extensive by the ICO, as names, addresses, phone numbers, marital status and dates of birth were all leaked. It is further believed that some 18,000 customers had payment card details leaked as well.
2018 certainly knows how to make an entrance. The Christmas turkey has barely been finished and we’re told that nearly every electronic device on the planet with an Intel processor (from servers to PCs, smart devices and more) are susceptible to not one, but possibly two of the worst critical hardware related flaws ever known (Meltdown & Spectre). Flaws that can allow a hacker to steal your data without a hint of detection. In cases like these we often hear “but I have the latest next generation antivirus software”, but it’s not going to help you here I’m afraid. “And I have the latest next generation firewall and a state of the art SIEM solution just installed” – no good for fixing this either. You may even be really good and have your staff trained in security awareness and your systems backed up offsite – but unfortunately neither will address the root cause of this global issue. Even Santa couldn’t help fix this one – that’s how serious this is.
The hardware flaws have been aptly named “Meltdown” and “Spectre”. They sound like something straight out of a James Bond spy movie – and to be honest – the names aren’t far off, given if exploited, spying on you is exactly what a hacker could do. Predictions have already come in from experts that this could be the biggest disaster in IT history, and similar to the KRACK WiFi vulnerability of last year, Meltdown and Spectre could take years to fully fix. While important workarounds are available in some cases and must be put in place (see below) , only a hardware redesign in processor architecture will truly lay these bugs to rest.
To make matters worse, now that the crafty hackers know about it and with the EU GDPR data protection regulation coming into force on the 25th May – we predict, this year is going to see some considerable cyber-attacks that will try to take advantage of at least one of these flaws which may result in some pretty serious data breaches and some serious GDPR related fines. Its time like these one would think “Why did we ever go paperless?”.
Dublin Zoo has admitted it has been hit by a scam in which cyber criminals were reportedly able to steal up to €500,000. The zoo has stated that they are cooperating with the Garda National Economic Crime Bureau in a case of invoice redirect fraud. While neither the Gardaí nor Dublin Zoo revealed the amount of money taken, sources have reported that it was up to €500,000, most of which was successfully recovered.
Reports indicate that Dublin Zoo may have lost up to €500,000 through the scam, with an estimated €130,000 remaining at large overseas.
In a case that has set a new precedent in data breach law, UK supermarket giant Morrisons has been found liable by a High Court for the actions of a former staff member who purposely leaked payroll data for thousands of employees. The decision was reached as part of a class-action lawsuit brought against Morrisons by over 5000 current and past employees of the company, and was in relation to an incident that took place in 2004 – where an employee posted 100,000 employees’ personal details on the internet. This personal information included bank details, salary, insurance information, phone numbers and addresses. Lawyers have refereed to this ruling as a “landmark” decision, as it was the first class-action suit filed over a data breach in the UK, and ruled that Morrisons was liable to owe compensation to the victims despite the judge ruling that Morrisons had not been at fault in any way. However, this case is very much in keeping with current trends in regulation to fiercely protect user data, and the high expectations being placed to companies to ensure this.
The High Court decided in a landmark ruling that Morrisons must compensate the victims of the data breach, despite not being at fault
Nadine Dorries, a British MP, has made news over the past few weeks after admitting on Twitter that she shares the password to her work PC with other staff in her office and even “interns on exchange programs”. According to Dorries, the main reason for this is that her staff can access a shared mailbox on the PC and reply to constituents. More worrying still, in wake of the backlash directed at Dorries, other MPs have come forward and admitted to the practice, revealing a worrying trend. In a further statement that showed up Dorries’ lack of data protection savvy, she tweeted that since she was backbench MP without access to government documents, there was nothing sensitive to access. Dorries (and hopefully all other MPs sharing their passwords) are in for a rude awakening, however, as not only is sharing passwords against the rules of parliament in the UK, but even information as basic as an address book constitutes Personally Identifiable Information (PII) which is subject to strong protection under existing data protection laws – and will be protected even more fiercely under the upcoming GDPR, even in the UK.