Posts Tagged ‘Data Security’

Midlothian Council Fined £140,000 for 5 DPA Breaches

January 31st, 2012 by

Yesterday the Information Commissioner announced that he had fined Midlothian Council £140,000 for disclosing sensitive personal information to the wrong recipient on 5 separate occasions. All 5 breaches involved children’s social service reports and occurred between January and June 2011.

Ken MacDonald, Assistant Commissioner for Scotland, commented:

 “The serious upset that these breaches would have caused to the children’s families is obvious and it is extremely concerning that this happened five times in as many months. I hope this penalty acts as a reminder to all organisations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure.”

The ICO’s investigation found that all five breaches could have been avoided if the council had put adequate data protection policies, training and checks in place.

The ICO has ordered the council to review and update its data protection policy and ensure council staff and those who work with the council are adequately trained in their DPA responsibilities.
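As an added illustration of the kind of "check" the ICO refers to (example code written for this page, not anything the council or the ICO runs), the following Python holds an outgoing message for review when it looks like a social-work record and any recipient is outside a trusted set, or when the recipient's domain is one or two characters away from a trusted one, which is the classic mistyped-address failure. The domains, classification labels and keyword markers are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Assumed for illustration: the organisation's own domain and approved partners.
INTERNAL_DOMAINS = {"council.example"}
PARTNER_DOMAINS = {"nhs.example", "police.example"}
# Assumed markers that a social-work or child-protection document would carry.
SENSITIVE_MARKERS = ("child protection", "social work report", "care plan")
# Assumed list of consumer webmail domains that should never receive case files.
PERSONAL_WEBMAIL = {"gmail.com", "hotmail.com", "yahoo.com"}


@dataclass
class OutgoingMessage:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)
    classification: str = "OFFICIAL"   # assumed label set: OFFICIAL / SENSITIVE


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def is_sensitive(msg: OutgoingMessage) -> bool:
    """Sensitive if explicitly labelled, or if subject/body/filenames carry a marker."""
    if msg.classification.upper() == "SENSITIVE":
        return True
    text = " ".join([msg.subject, msg.body, *msg.attachments]).lower()
    return any(marker in text for marker in SENSITIVE_MARKERS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot a near-miss of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_message(msg: OutgoingMessage) -> list:
    """Return the reasons a message should be held for review; empty means send."""
    reasons = []
    if not is_sensitive(msg):
        return reasons
    trusted = INTERNAL_DOMAINS | PARTNER_DOMAINS
    for rcpt in msg.recipients:
        dom = domain_of(rcpt)
        if dom in trusted:
            continue
        if dom in PERSONAL_WEBMAIL:
            reasons.append(f"{rcpt}: sensitive content addressed to personal webmail")
            continue
        nearest = min(trusted, key=lambda t: edit_distance(dom, t))
        if edit_distance(dom, nearest) <= 2:
            reasons.append(f"{rcpt}: domain looks like a mistyped {nearest}")
        else:
            reasons.append(f"{rcpt}: sensitive content addressed to untrusted domain {dom}")
    return reasons


if __name__ == "__main__":
    # Constructed sample: a care plan about to go to a mistyped partner domain.
    sample = OutgoingMessage("sw@council.example", ["team@nhs.exmaple"],
                             "Care plan for case 12", "Please see attached.",
                             ["care_plan.pdf"])
    for reason in check_message(sample):
        print("HOLD:", reason)
```

A check like this cannot catch a correctly spelled address for the wrong person inside a trusted domain, which is why the ICO also asked for policy and training; treat it as a safety net around those, not a substitute for them.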

The ICO is gaining support for its request for the power to audit local councils and NHS bodies without their consent. Numerous public sector bodies have been caught in breach of the DPA over the last two years, but the actual number failing to meet data protection compliance levels is thought to be much higher.

The cost-effective way to tackle this issue is to ensure you are DPA compliant now. DPA training and compliance is not expensive, especially compared to the huge fines that can be levied on an organisation that is found to have breached the DPA.

DPA Foundation Training – Essential for those responsible for personal and sensitive data within an organisation.

SafeXs Sticks – Essential for protecting sensitive data within an organisation. Hardware encrypted and almost bombproof, the SafeXs stick also comes as an enterprise package.


DPA Staff eLearning – A cost-effective way of delivering essential training to staff.

DPA Toolkit – Essential time saving documentation toolkit to help you create the documents you need to ensure DPA compliance.

You can read more about the Data Protection Act here >>>

29.2% of data breaches could be avoided just by insisting on encrypted USB sticks.

January 31st, 2012 by

Keep a step ahead, and stay out of trouble – deploy easy-to-use encrypted USB sticks today!

Introducing SafeXs – The Next Generation Safestick

SafeXs is a fully hardware encrypted USB flash drive, fully manageable by SafeConsole.

Approved to FIPS 197/FIPS 140-2 and CESG Government standards, so data on a lost drive stays encrypted and unreadable without the password. There are NO backdoors.

For management, SafeConsole enforces full, granular control, policy enforcement and auditing over an organisation’s SafeXs devices, and enables a host of productivity and management features.

For a limited time only, we are offering SafeConsole Lite free with a purchase of 25 sticks or more.

SafeXs FIPS 197 USB Stick Silver Package – Get SafeConsole Lite Free!


Various capacity options available:
FIPS 197 from just £48 and FIPS 140-2 from just £76.50

     

SafeConsole key features include:

  • Remotely KILL lost or stolen sticks
  • Full audit of all SafeXs use
  • Centrally backup / restore of user data
  • Reset forgotten user passwords via challenge / response
  • Push files and applications from a Central location to SafeXs
  • Full protection from malware such as Conficker
  • Create trusted zones of users
  • Restrict files from being transferred in and out of the network
  • Write protect the drives so they can only be read outside of the company network
  • …plus much, much more.

Over 1 million SafeXs USB sticks are now in use in the NHS helping to keep patient data and other confidential data secure!

Buy your SafeXs today!

O2 suffers data leak – but do they care?

January 26th, 2012 by

Mobile giant O2 has suffered a couple of embarrassing gaffes this week. Firstly it was revealed that it had inadvertently been passing its customers’ phone numbers on to any site they visited when using O2’s 3G network on a smartphone. With almost half of O2’s customers using smartphones, the data leakage could have affected up to 15 million people.

O2 blamed a ‘technical’ glitch, has since stated that the problem has been resolved, and has apologised to its customers. However Graham Cluley, a leading consultant at Sophos, commented that such issues had “been known about for almost two years at least”.

The Guardian reported yesterday that O2 also ‘regularly hands over subscribers’ phone numbers to sites that offer age-restricted material and premium-rate billing, whether the users realise it or not.’

What?! I hear you cry. The Information Commissioner’s Office is considering investigating the incident; however it seems unlikely that any action will be taken, as a mobile phone number on its own is not, in the eyes of the ICO, considered ‘personally identifying information’.

Yet with your number passed on to potentially anyone under the sun, you could become the target of phishing attacks, reverse-charge texts and unsolicited marketing.

These incidents further highlight what companies do with our data while we’re browsing the internet, and how little we actually know as consumers. And what can you do as a consumer? Where is the avenue for redress? We’ll all be politely told that the issue was a ‘technical problem’ and has now been resolved. But when did we sign up for this in the first place? If, when you bought your latest phone, you had been asked “Would you like us to share your information with every single website you visit?” or “Would you like us to pass your details on to sex chat services?”, would you have ticked yes?

Often terms and conditions are deliberately confusing, long-winded and impenetrable for consumers, giving the service provider you’re signing up with the legal ambiguity to do with your information as they wish. But in the instances referenced in this article, this wasn’t the case. One was an error, and the other – passing customer details on to premium-rate and age-restricted sites – well, no one seems to know. O2 have thus far refused to comment. Are they allowed to do this?

One thing is for sure: such incidents cause huge brand damage and loss of custom. Retaining customer loyalty and brand image is of huge importance to all businesses and organisations. I dare say that if an SME suffered an incident like this it would have a far more difficult time of it. Protection of customer data is important. The Data Protection Act says so.

But I often wonder, when the brand is so big and has so much money, as with PlayStation last year and now someone like O2, are they simply beyond reach?

You can read more about data protection and the Data Protection Act here >>>

Charity loses memory stick containing unencrypted patient data

January 23rd, 2012 by

Praxis Care, a charity, lost a memory stick in August 2011 containing confidential data on 160 people. The unencrypted stick held personal information such as their mental health and care records.

Since losing the memory stick and incurring the wrath of the ICO over the data breach, Praxis Care has committed to improving its data protection standards.

Christopher Graham, the information commissioner, said: “Carrying people’s personal information around on an unencrypted memory stick is clearly unacceptable.”

To avoid a situation like the above, organisations need to use a secure USB stick with hardware encryption.

SafeXs is a secure USB stick with AES 256 bit hardware encryption and is FIPS 197-certified. Over 1 million of these sticks are now in use by the NHS, helping to keep patient data and other confidential data secure.

Simply plug in a SafeXs and within minutes you can be up and running. All you need do is set a password, and any data placed on the SafeXs is encrypted. Choose that password carefully: on a lost drive the hardware encryption is only as strong as the password that unlocks it.

Read more about the popular encrypted USB stick >>

Hackers; where is the justice?

January 17th, 2012 by

It seems like every week we hear of a new news story where a company has been hacked, broken the Data Protection Act and/or fined. Although in these hacking stories the data of innocent people is often compromised, it seems like the blame is often being put upon the companies, when in fact it should be the hackers who are taking the blame.

After a data breach occurs, how much investigation goes into finding the hacker who committed the crime? Little? Or none? It is easier to blame the company where the attack occurred, issue a fine, and pronounce them incapable of looking after your data. But is this really the case? Lee Howell, Managing Director at the World Economic Forum, stated that “it’s impossible to be completely secure online”. So if this is true, why should the victims (the companies) be blamed? Yes, I agree that companies who manage sensitive data should take the necessary precautions to do everything they can to protect that data, but where does the justice lie for them if they did not commit the real crime?

Take it like this; if you were to lock your house up at night (doors, windows etc.) before you went to bed, and you were burgled during the night, should it then be you who faces prosecution for not protecting your house properly, or should the person who broke into your house be prosecuted?

Lee Howell talks about social norms in terms of cyber crime, concluding that “we do not yet fully understand how social norms are shaped in the virtual world. Why is it that many people who would be ashamed to admit stealing a DVD from a shop will happily discuss illegally downloading a movie?” This relates to the point above about the current justice system for hackers and hacked companies.

It is important to note that one of the main reasons cyber criminals don’t get caught is anonymity. Hackers are often more technically advanced than the people tracking them down, which can mean that many investigations come to a halt before they’ve even begun. Hacking software is easy to find on the web, so anyone can try their hand at it, which has been a major factor in the proliferation of hacking. Another main reason hackers fail to get caught is the difficulty of cross-border policing: if you notice an attack that came from country X, tracking down that cyber criminal can be all but impossible given the different laws and regulations in the two countries. Adam Segal, writing in The Diplomat, says, “It’s hard to deter if you can’t punish, and you can’t punish without knowing who is behind an attack.” With so much difficulty in tracking down hackers, they often get away with the crime, but does their anonymity give them the right to?

More attention should be put on the hackers themselves (tracking them down and prosecuting them), rather than the companies who suffer data breaches because of them. A unified approach and shift in focus will lead to a more realistic deterrent for cyber criminals, hoping to break the cyber gang culture that is appearing across the web.

Food for thought anyway.

Bring Data Protection to Life

January 16th, 2012 by

“Excellent tutor, great facilities & lovely environment. Made complex subject easy to understand. The best Data Protection course there is!”
Jonathan Pillinger, Senior Associate, Corporate Compliance, Postcomm

With engaging tutors and interesting content, our DPA Foundation Course will bring data protection to life.

This interactive and enjoyable one-day course gives both new and experienced staff and management – those involved with or responsible for personal data – an overview of what the Data Protection Act means to their business and also to their own rights as individuals.

Here’s what some of our delegates thought about the course:

“Brought the Data Protection Act to life – engaging tutor”
Louise Gilbert, Project Manager, John Lewis Partnership

“Excellent enjoyable day, made subject very interesting.”
Emma Willoughby, HR Director, The Myton Hospices

DPA Foundation Course – in London

Price: £440.00


Book on this course today >>

Course delegates will go back to their companies with up-to-date knowledge of the current legal compliance position around personal data, including

  • The 8 Principles of the DPA;
  • Powers of the Information Commissioner;
  • Individuals’ legal rights;
  • The new DPA enforcement regime;
  • Options available for ensuring compliance.

Book on this course today >>

More to explore:

PCI Foundation Training Course

ISO27001 Certified ISMS Foundation Training

Digital Forensics Foundation Training

A Manager’s Guide to Data Security – Useful, Practical & Pragmatic

January 12th, 2012 by

“An essential reference work for information security professionals”
Milo Doyle, Head of Information Security, EBS Building Society

Read THE practical manual on data and information security:

  • Written in a useful, practical, pragmatic and non-technical style.
  • Provides a rigorous approach to implementing an Information Security Management System (ISMS).
  • Web-enabled to keep you up-to-date with key changes to the content of the book.
  • Is the Open University post-graduate information security text book

Read more here >>

IT Governance: A Manager’s Guide to Data Security and ISO 27001 / ISO 27002, Fourth Edition
by Alan Calder

Price: €57.95


Watch Alan Calder review the book here, or for an alternate version on how practical this book really is, view this light-hearted version here >>

     

All aspects of data security / information security are covered including viruses, hackers, online fraud, privacy regulations, computer misuse, investigatory powers etc. It details how to design, implement and deliver an ISMS that complies with ISO 27001.

IT Governance: A Manager’s Guide to Data Security and ISO 27001/ISO 27002, 4th edition, has been updated taking into account all the latest changes in data security / information security. In addition, the book is Web-enabled, giving you access to the latest changes to the guidance contained in the book.

Read more here >>

Will the ICO issue £1.8M in fines for ‘avoidable’ data breaches in 2012?

January 11th, 2012 by

The Information Commissioner’s Office (ICO) website shows that £541,000 in fines was issued during 2011 to 7 organisations, making the average fine £77,285! This does not count fines issued by courts following a prosecution. It is an increase of 238% over 2010, the year the power to issue monetary penalty notices was first given to the ICO.

In 2010 there were 2 fines issued, for a total of £160,000. If the same percentage increase occurs in 2012 over 2011, total fines issued could exceed £1.8M!

Avoid these fines for as little as £156, here’s how:

Complete Data Protection Toolkit

Price: Just £156

This complete toolkit provides all the tools and resources you need to carry out your own DPA project and become compliant quickly and cost-effectively.

The proven do-it-yourself approach towards achieving DPA compliance!


In addition to purchasing the Complete Data Protection Toolkit, you should seriously consider attending, or sending your data protection lead on, our 1-day DPA Foundation course. It combines theory with group workshop sessions to examine the legislation and the requirements on organisations handling personal data, and explores methods of complying with the DPA whilst supporting business objectives.

The DPA Foundation course enables delegates to get to grips with the key concepts, obligations and rights granted by Data Protection law, including the latest revisions to UK Data Protection legislation.

I would like to thank the course tutor on behalf of the Troop for the in-house training that he delivered on Friday. Although I did not attend it myself, the guys got a lot out of the course and have now started firing questions at me (which means they were awake for the course!!!!!).
Please pass on my thanks to Ralph for a well structured and delivered course

SSgt Lee Johns, MOD

This popular course always sells-out in advance so book now to avoid disappointment!

 

You should also consider a broader staff awareness training programme as part of your DPA compliance project. We have drawn on years of Data Protection Act awareness training to produce the world’s most useful and complete online e-learning Data Protection Awareness course.

What will protect you from IT Security threats?

January 4th, 2012 by

IT security is an issue that all organisations must address. Consider these facts:

  • Modern businesses and organisations must protect themselves from the growing threat of cyber attacks and cyber crime
  • Cyber security is a senior management issue not just an IT issue
  • Protection of your critical assets should cover systems, networks and work practices
  • Ensuring staff are trained in cyber security is as important as having robust system defences
  • Effective and robust cyber security can help you win new business, improve customer confidence and reduce IT expenditure

So, how do you ensure you have robust, effective and proportionate cyber security measures in place for your organisation? The answer is, of course, ISO27001.

But what is ISO27001?

  • ISO27001 is the world-leading information security standard
  • ISO27001 is the internationally recognised information security standard against which an organisation’s management system can be certified
  • ISO27001 provides a framework for creating an information security management system (ISMS)
  • ISO27001 will help you identify the risks to your organisation and build defences to protect yourself from them
  • ISO27001 will help you create documentation, systems and work practices to ensure continual protection against cyber crime and cyber attack

IT security and ISO27001 can seem like a daunting issue to tackle within an organisation. It is complex, and an ISO27001 project is not something that can be achieved overnight. The standard was first published in 2005 and is quickly becoming the benchmark for cyber security defences within organisations. More and more organisations are adopting ISO27001 and reaping the business benefits of being aligned to the standard.

You can find more information about ISO27001, its benefits and a free white paper here >>>

However the best place to start building your knowledge of ISO27001 is with this easy to read pocket guide: An Introduction to Information Security and ISO27001

An Introduction to Information Security and ISO27001
by Steve G. Watkins

Price: €11.95


10 biggest cyber threats of 2011

January 4th, 2012 by

2011 saw vast growth in the number of malware attacks on businesses and individuals. Hackers are now at a point where they can “wreak havoc and access the best-kept secrets of organisations without ever leaving their living-rooms”. From phishing scams to the Sony hack, 2011 saw the worst of cyber attacks. Millions of people’s data has been compromised around the world: hackers have made millions, whilst companies have lost millions. So, will 2012 see a repeat of last year? Or will we clamp down on cyber crime once and for all?

We here at IT Governance Ltd have picked the bad and the very bad to show you just what a year it’s been in cyberspace….

1. Sony PlayStation hack

Now this really was the worst of the worst – names, addresses and card details were stolen from around 77 million people who had accounts with the PlayStation Network (PSN).

2. Student loan phishing scam

Students across the UK mistakenly handed over access to their bank details after receiving an email asking them to confirm their details. Anywhere between £1,000 and £5,000 was stolen from each student who gave access.

3. Android apps

22 apps were removed from the Android Market by Google after it was discovered they contained fraudulent software. The apps tricked users into sending premium-rate text messages.

4. RIM hack

BlackBerry’s official blog was defaced after the London riots with a message warning RIM not to assist the police.

5. Local council fined £130,000 for breach of DPA

Powys County Council, Wales, was fined £130,000 after the details of a child protection case were sent to the wrong person. This was one of the largest fines the ICO has issued against a council. Read more >>

6. WikiLeaks

WikiLeaks released classified information about governments across the world on its website.

7. NHS Breach

LulzSec gained access to NHS systems and alerted the NHS that its information security was inadequate. In this case they took a “white hat” approach, publicising the breach but not releasing any compromising information.

8. Gmail phishing scam

Attackers based in China used ‘spear phishing’ tactics to take over hundreds of Gmail accounts, including those belonging to senior officials and military personnel.

9. Epsilon data breach

Epsilon, the email communication giant, was hacked in March 2011, and customer email lists belonging to at least 26 different companies were stolen.

10. RSA attack

One of the most high-profile breaches of 2011 involved one of the world’s most widely used two-factor authentication systems. Attackers stole information relating to RSA’s SecurID tokens, mimicking RSA naming conventions to avoid detection. What was so unusual about this case was that only one attack on an RSA customer was ever reported, suggesting that the countermeasures RSA took were effective.

Source: Security News Daily, Information Week and Real Business.

The lesson to take away from these hacks and breaches is that companies and individuals alike need to be educated on cyber issues. There needs to be an understanding of what to look out for, what to click and what not to click, who to give your details to and who not to, and to generally be alert, rather than sticking our heads in the sand.

Education will help combat cyber issues and prevent repeat attacks occurring in 2012.

We have a number of staff awareness training courses available at IT Governance, covering DPA, Information Security and ISO 27001 and PCI DSS training. These are extremely effective and affordable, considering no travelling or other course attendance costs are incurred, as learners can study from their desk in their spare time.

Book your e-Learning course today >>