Category: cyber security

Stolen NHS Data Published on Dark Web

A large volume of NHS data has been published by a ransomware group on the dark web. This follows the recent cyber attack on NHS Dumfries and Galloway, when cyber criminals were able to access a significant amount of data including patient and
staff-identifiable information. Data relating to a small number of patients was released in March, and the cyber criminals had threatened that more would follow.

Reacting to the latest publication of data, NHS Dumfries and Galloway Chief Executive Julie White said: “This is an utterly abhorrent criminal act by cyber criminals who had threatened to release more data.

“We should not be surprised at this outcome, as this is in line with the way these criminal groups operate.

“Work is beginning to take place with partner agencies to assess the data which has been published. This very much remains a live criminal matter, and we are continuing to work with national agencies including Police Scotland, the National Cyber Security Centre and the Scottish Government.”

Mrs White added: “NHS Dumfries and Galloway is conscious that this may cause increased anxiety and concern for patients and staff, with a telephone helpline sharing the information hosted at our website available from tomorrow.

“Data accessed by the cyber criminals has now been published onto the
dark web – which is not readily accessible to most people.”

“Recognising that this is a live criminal matter, we continue to follow the very clear guidance being provided to us by national law enforcement agencies.”

NHS Dumfries and Galloway advised people to be alert for any attempts to access their work and personal data. It has also set up a helpline for anyone concerned about the attack and is working with police and other agencies as investigations continue.

In December last year, NHS Fife was formally reprimanded by the Information Commissioner’s Office (ICO) following an incident where an unauthorised individual accessed sensitive patient information.

We have two workshops coming up (How to Increase Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security. 

MOD Payroll Data Hacked

The government has raised concerns about a cyber attack on an armed forces payroll system, with indications pointing towards China as the suspected perpetrator. Defence Secretary Grant Shapps is set to address Members of Parliament today, although he is not expected to directly attribute blame to any specific party.
Instead, he is likely to emphasise the threat posed by cyber espionage activities conducted by hostile states.

The affected system, utilised by the Ministry of Defence (MoD), contains sensitive information such as names and bank details of armed forces personnel, with a few instances where personal addresses may also be included. Managed by an external contractor, the breach came to light in recent days, prompting government action, although there’s no evidence suggesting data was actually extracted from the system.

The investigation into the breach is still in its early stages and attributing responsibility can be a complex and time-consuming process. While official accusations may not be made immediately, suspicions are reportedly pointing towards China, given its history of targeting similar datasets.

Those impacted by the breach will receive communication from the government regarding the incident, with a focus on addressing potential fraud risks rather than immediate personal safety concerns.

At the time of writing it is not clear if the MoD has reported the data breach to the ICO as required by the UK GDPR. In December 2023, the MoD was fined £350,000 for disclosing personal information of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021. 

We have two workshops coming up (How to Increase Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security. 

The British Library Hack: A Chapter in Ransomware Resilience

In a stark reminder of the persistent threat of cybercrime, the British Library has confirmed a data breach incident that has led to the exposure of sensitive personal data, with materials purportedly up for auction online. An October intrusion by a notorious cybercrime group targeted the library, which is home to an extensive collection, including over 14 million books.

Recently, the ransomware group Rhysida claimed responsibility, publicly displaying snippets of sensitive data, and announcing the sale of this information for a significant sum of around £600k to be paid in cryptocurrency.

While the group boasts about the data’s exclusivity and sets a firm bidding deadline (today 27th November 2023), the library has only acknowledged a leak of what seems to be internal human resources documents. It has not verified the identity of the attackers nor the authenticity of the sale items. The cyber attack has significantly disrupted the library’s operations, leading to service interruptions expected to span several months.

In response, the library has strengthened its digital defenses, sought expert cybersecurity assistance, and urged its patrons to update their login credentials as a protective measure. The library is working closely with the National Cyber Security Centre and law enforcement to investigate, but details remain confidential due to the ongoing inquiry.

The consequences of the attack have necessitated a temporary shutdown of the library’s online presence. Physical locations, however, remain accessible. Updates can be found the British Library’s X (née twitter) feed. The risk posed by Rhysida has drawn attention from international agencies, with recent advisories from the FBI and US cybersecurity authorities. The group has been active globally, with attacks on various sectors and institutions.

The British Library’s leadership has expressed appreciation for the support and patience from its community as it navigates the aftermath of the cyber attack.

What is a Ransomware Attack?

A ransomware attack is a type of malicious cyber operation where hackers infiltrate a computer system to encrypt data, effectively locking out the rightful users. The attackers then demand payment, often in cryptocurrency, for the decryption key. These attacks can paralyse organisations, leading to significant data loss and disruption of operations.

Who is Rhysida?

The Rhysida ransomware group first came to the fore in May of 2023, following the emergence of their victim support chat portal hosted via the TOR browser. The group identifies as a “cybersecurity team” who highlight security flaws by targeting victims’ systems and spotlighting the supposed potential ramifications of the involved security issues.

How to prevent a Ransomware Attack?

Hackers are becoming more and more sophisticated in ways they target our personal data. We have seen this with banking scams recently. However there are some measures we can implement personally and within our organisations to prevent a ransomware attack.

  1. Avoid Unverified Links: Refrain from clicking on links in spam emails or unfamiliar websites. Hackers frequently disseminate ransomware via such links, which, when clicked, can initiate the download of malware. This malware can then encrypt your data and hold it for ransom​​.

  2. Safeguard Personal Information: It’s crucial to never disclose personal information such as addresses, NI numbers, login details, or banking information online, especially in response to unsolicited communications​​.

  3. Educate Employees: Increasing awareness among employees can be a strong defence. Training should focus on identifying and handling suspicious emails, attachments, and links. Additionally, having a contingency plan in the event of a ransomware infection is important​​.

  4. Implement a Firewall: A robust firewall can act as a first line of defence, monitoring incoming and outgoing traffic for threats and signs of malicious activity. This should be complemented with proactive measures such as threat hunting and active tagging of workloads​​.

  5. Regular Backups: Maintain up-to-date backups of all critical data. In the event of a ransomware attack, having these backups means you can restore your systems to a previous, unencrypted state without having to consider ransom demands.

  6. Create Inventories of Assets and Data: Having inventories of the data and assets you hold allows you to have an immediate knowledge of what has been compromised in the event of an attack whilst also allowing you to update security protocols for sensitive data over time.

  7. Multi-Factor Authentication: Identifying legitimate users in more than one way ensures that you are only granting access to those intended. 

These are some strategies organisations can use as part of a more comprehensive cybersecurity protocol which will significantly reduce the risk of falling victim to a ransomware attack. 

Join us on our workshop “How to increase Cyber Security in your Organisation” and Cyber Security for DPO’s where we discuss all of the above and more helping you create the right foundations for Cyber resilience within your organisation. 

Another Day; Another Police Data Breach  

The largest police force in the UK, the London Metropolitan Police (also known as the London Met), has fallen victim to a substantial data breach. Approximately 47,000 members of the police staff have been informed about the potential compromise of their personal data. This includes details such as photos, names, and ranks. The breach occurred when criminals targeted the IT systems of a contractor responsible for producing staff identification cards.

While this breach has raised concerns about the security of sensitive information, it is important to note that details like identification numbers and clearance levels might have been exposed as well. However, it has been confirmed that the breached data did not include home addresses of the affected Met police personnel. There are fears that organised crime groups or even terrorist entities could be responsible for this breach of security and personal data.

Furthermore, the breach has amplified security apprehensions for London Met police officers from Black, Asian, and Minority Ethnic backgrounds. Former London Met Police Chief Superintendent Dal Babu explained that individuals with less common names might face a heightened risk. Criminal networks could potentially locate and target them more easily online, compared to those with common names. This concern is particularly relevant for officers in specialised roles like counter-terrorism or undercover operations.

Reacting to this situation, former Met commander John O’Connor expressed outrage, highlighting concerns about the adequacy of the cyber security measures put in place by the contracted IT security company, given the highly sensitive nature of the information at stake.

This incident presents a significant challenge to the UK Home Office, and it is likely that the government will be compelled to swiftly review and bolster security protocols. This step is necessary to ensure that the personal data of security service personnel is safeguarded with the utmost levels of privacy and data security. Both the Information Commissioner’s Office (ICO) and The National Crime Agency have initiated investigations.

This follows the data breach of the Police Service of Northern Ireland (PSNI) where, in response to a Freedom of Information request, the PSNI mistakenly divulged information on every police officer and member of police staff. Over in England, Norfolk and Suffolk Police also recently announced it had mistakenly released information about more than 1,200 people, including victims and witnesses of crime, also following an FOI request. Last week, South Yorkshire Police referred itself to the information commissioner after “a significant and unexplained reduction” in data such as bodycam footage stored on its systems, a loss which it said could affect some 69 cases.

These incidents underscore the urgency of maintaining robust data protection measures and raising awareness about potential risks, especially within law enforcement agencies. It also requires Data Controllers to ensure that they have processes in place to comply with the requirements of GDPR (Article 28) when it comes to appointing Data Processors.

We have two workshops coming up in September (Introduction to Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security.

The Electoral Commission and PSNI: One Day, Two Data Breaches!

Yesterday two major data breaches were reported in the public sector. Both have major implications for individuals’ privacy. They are also a test for the Information Commissioner’s Office’s (ICO) approach to the use of its enforcement power.

In the morning, the Electoral Commission revealed, in a public notice issued under Article 33 and 34 of the UK GDPR, that it has been the victim of a “complex cyber-attack” potentially affecting millions of voters.
It only discovered in October last year that unspecified “hostile actors” had managed to gain access to copies of the electoral registers, from August 2021. Hackers also broke into its emails and “control systems”.

The Commission said the information it held at the time of the attack included the names and addresses of people in the UK who registered to vote between 2014 and 2022.This includes those who opted to keep their details off the open register, which is not accessible to the public but can be purchased. The data accessed also included the names, but not the addresses, of overseas voters.  

The Commission said it is difficult to predict exactly how many people could be affected, but it estimates the register for each year contains the details of around 40 million people. It has warned people to watch out for unauthorised use of their data. The ICO has issued a statement saying it is currently making enquiries into the incident.

And then late last night, and perhaps even more worrying for those involved, the Police Service of Northern Ireland apologised for a data breach affecting thousands of officers. In response to a Freedom of Information (FoI) request, the PSNI mistakenly divulged information on “every police officer and member of police staff”, a senior officer said. The FoI request, via the What Do They Know.Com website, had asked the PSNI for a breakdown of all staff rank and grades. But as well as publishing a table containing the number of people holding positions such as constable, a spreadsheet was included. This contained the surnames of more than 10,000 individuals, their initials and other data, but did not include any private addresses. The information was published on the WDTK website for more than two hours.

The ICO has just issued a statement Cabinet Office the PSNI data breach. A few years ago such data breaches would attract large fines. In 2021 the Cabinet Office was fined £500,000 (later reduced to £50,000) for publishing postal addresses of the 2020 New Year Honours recipients online. In June 2022 John Edwards, the Information Commissioner, announced a new approach towards the public sector with the aim to reduce the impact of fines on the sector. This centred around issuing reprimands rather than fines for the public sector. Since then no public sector organisation has been fined despite some very serious data breaches. In May 2023, Thames Valley Police (TVP) were issued with a reprimand after an ICO investigation found that TVP had inappropriately disclosed contextual information that led to suspected criminals learning the address of a witness (the data subject). As a result of this incident, the data subject moved address and the impact and risk to the data subject remains high.  Many data protection experts have expressed concern about the public sector’s special treatment. In relation to yesterday’s data breaches, anything other than serious enforcement action will lead to further questions for the ICO. 

The scale of the PSNI data breach is huge. The release of the names exposes individuals who are regularly targeted by terrorist groups. Had the breach included addresses, it would have been even more serious. Both these breaches are going to test the ICO’s public sector enforcement policy.

Ibrahim Hasan has given an interview to BBC Radio Ulster about the PSNI data breach. Listen here.

We have two workshops coming up in September (Introduction to Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security. Our Data Mapping workshop is proving very popular with IG and DP Officers who wish to develop this skill.

£4.4 Million GDPR Fine for Construction Company 

This month the UK Information Commissioner’s Office has issued two fines and one Notice of Intent under GDPR. 

The latest fine is three times more than that imposed on Easylife Ltd on 5th October. Yesterday, Interserve Group Ltd was fined £4.4 million for failing to keep personal information of its staff secure.  

The ICO found that the Berkshire based construction company failed to put appropriate security measures in place to prevent a cyber-attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email. The compromised data included personal information such as contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information. 

The Phishing Email 

In March 2020, an Interserve employee forwarded a phishing email, which was not quarantined or blocked by Interserve’s IT system, to another employee who opened it and downloaded its content. This resulted in the installation of malware onto the employee’s workstation. 

The company’s anti-virus quarantined the malware and sent an alert, but Interserve failed to thoroughly investigate the suspicious activity. If they had done so, Interserve would have found that the attacker still had access to the company’s systems. 

The attacker subsequently compromised 283 systems and 16 accounts, as well as uninstalling the company’s anti-virus solution. Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable. 

The ICO investigation found that Interserve failed to follow-up on the original alert of a suspicious activity, used outdated software systems and protocols, and had a lack of adequate staff training and insufficient risk assessments, which ultimately left them vulnerable to a cyber-attack. Consequently, Interserve had breached Article 5 and Article 32 of GDPR by failing to put appropriate technical and organisational measures in place to prevent the unauthorised access of people’s information. 

Notice of Intent 

Interestingly in this case the Notice of Intent (the pre cursor to the fine) was for also for £4.4million i.e. no reductions were made by the ICO despite Interserve’s representations. Compare this to the ICO’s treatment of two much bigger companies who also suffered cyber security breaches. In July 2018, British Airways was issued with a Notice of Intent in the sum of £183 Million but the actual fine was reduced to £20 million in July 2020. In November 2020 Marriott International Inc was fined £18.4 million, much lower than the £99 million set out in the original notice. 

The Information Commissioner, John Edwards, has warned that companies are leaving themselves open to cyber-attack by ignoring crucial measures like updating software and training staff: 

“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office. 

Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.” 

We have been here before. On 10th March the ICO  fined Tuckers Solicitors LLP £98,000 following a ransomware attack on the firm’s IT systems in August 2020. The attacker had encrypted 972,191 files, of which 24,712 related to court bundles.  60 of those were exfiltrated by the attacker and released on the dark web.   

Action Points  

Organisations need to strengthen their defences and have plans in place; not just to prevent a cyber-attack but what to do when it does takes place. Here are our top tips: 

  1. Conduct a cyber security risk assessment and consider an external accreditation through  Cyber Essentials. 
  1. Ensure your employees know the risks of malware/ransomware and follows good security practice. At the time of the cyber-attack, one of the two Interserve employees who received the phishing email had not undertaken data protection training. (Our GDPR Essentials  e-learning solution is a very cost effective e learning solution which contains a specific module on keeping data safe.)  
  1. Have plans in place for a cyber security breach. See our Managing Personal Data Breaches workshop.  
  1. Earlier in the year, the ICO worked with NCSC to remind organisations not to pay a ransom in case of a cyber-attack, as it does not reduce the risk to individuals and is not considered as a reasonable step to safeguard data. For more information, take a look at the ICO ransomware guidance or visit the NCSC website to learn about mitigating a ransomware threat via their business toolkit

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop.  

Are you an experienced GDPR Practitioner wanting to take your skills to the next level? Our Advanced Certificate in GDPR Practice starts on 21st November.  

Calling Cyber Security Trainers:
We are Hiring

Are you a cyber security expert with a reputation for delivering engaging training? We are recruiting trainers to join our team of expert associates who deliver in-house and external training courses throughout the UK and worldwide.

We are one of Europe’s leading information law training companies with a 20 year track record of delivering practical and engaging training which makes the complex simple. We recently won the Information and Records Management Society (IRMS) Supplier of the year award for 2022-23. This is the second consecutive year we have won this award.

Despite recently expanding our team, we are seeing an increase in global demand for our courses and consulting services from both the public and private sectors. We need more talented trainers who enjoy the challenge of explaining difficult concepts in a practical, jargon-free manner.

We have opportunities for full time trainers and those who wish to add an extra “string to their bow” without leaving their day job. What is important is that you are enthusiastic about Cyber Security and passionate about teaching it.

If you think you have what it takes to become an Act Now trainer, please get in touch with your CV explaining your knowledge and experience of delivering training and consultancy services in Cyber Security. 

Cyber Security Breaches Survey 2022: What DPOs need to know

Cyber security breaches are on the rise. Virtually every day there is a news story about a high profile organisation being hacked and personal data being lost or stolen. Last week the BBC reported that thousands, if not millions, of people could have lost money in the second largest crypto hack in history. Ronin Network, a key platform powering the popular mobile game Axie Infinity, has had $615m (£467m) stolen. More recently UK retailer, The Works has been forced to shut shops temporarily and suspend new stock deliveries after a cyber-attack.

And it’s not just the private sector. In January we learnt that Gloucester City Council’s website was hacked affecting online revenue and benefits, planning and customer services. The work of Russian hackers(allegedly) could take up to six months to resolve and affected servers and systems may need to be rebuilt.

Data Protection Officers need to be aware of the latest incidents and advice when it comes to cyber security breaches. The recently published DCMS Cyber Security Breaches Survey is important reading for all DPOs. It explores the policies, processes, and approaches to cyber security for businesses, charities, and educational institutions. It also considers the different forms of cyber-attack these organisations face, as well as how they are impacted and their response.

Cyber Attacks

The survey results show that in the last 12 months, 39% of UK businesses identified a cyber-attack. Of these, the most common threat vector was phishing attempts (83%). Of the 39%, around one in five (21%) identified a more sophisticated attack type such as a denial of service, malware, or ransomware attack. Despite its low prevalence, organisations cited ransomware as a major threat, with 56% of businesses having a policy not to pay ransoms. Note recently the GDPR fine issued to a firm of solicitors who suffered such an attack. Interestingly they too chose not to pay the hackers. 

Frequency and Impact

Within the group of organisations reporting cyber-attacks, 31% of businesses and 26% of charities estimate they were attacked at least once a week. One in five businesses (20%) and charities (19%) say they experienced a negative outcome as a direct consequence of a cyber-attack, while one third of businesses (35%) and almost four in ten charities (38%) experienced at least one negative impact. It is interesting that the survey focussed on charities too. July 2021 saw the first GDPR fine to a charity. The transgender charity Mermaids was fined £25,000 after the ICO found that it had failed to implement an appropriate level of security to its internal email systems, which resulted in documents or emails containing personal data being searchable and viewable online by third parties through internet search engine results.

Cost of Attacks

The survey found the average estimated cost of all cyber attacks in the last 12 months was £4,200. Considering only medium and large businesses; the figure rises to £19,400. Of course such incidents also mean a loss of reputation and customer trust. In October 2020, the ICO fined British Airways £20million for a cyber security breach which saw the personal and financial details of more than 400,000 customers being accessed by hackers. British Airways also had to settle legal claims for compensation from affected customers. 

Cyber Hygiene

The government guidance ‘10 Steps to Cyber Security’ breaks down the task of protecting an organisation into 10 key components. The survey finds 49% of businesses and 40% of charities have acted in at least five of these 10 areas. In particular, access management surveyed most favourably, while supply chain security was the least favourable.

Board Engagement

Around four in five (82%) of boards or senior management within UK businesses rate cyber security as a ‘very high’ or ‘fairly high’ priority, an increase on 77% in 2021. 72% in charities rate cyber security as a ‘very high’ or ‘fairly high’ priority. Additionally, 50% of businesses and 42% of charities say they update the board on cyber security matters at least quarterly. Our new webinar “GDPR and the Charity Sector Webinar” is ideal for raising awareness amongst charity trustees.

Size Differential

Larger organisations are correlated throughout the survey with enhanced cyber security, likely as a consequence of increased funding and expertise. For large businesses’ cyber security; 80% update the board at least quarterly, 63% conducted a risk assessment, and 61% carried out staff training; compared with 50%, 33% and 17% respectively for all businesses. Our GDPR Essentials e learning course contains a specific module on keeping data safe which warns of the most common cyber hacking/phishing tactics.  

Risk Management

Just over half of businesses surveyed (54%) have acted in the past 12 months to identify cyber security risks, including a range of actions, where security monitoring tools (35%) were the most common. Qualitative interviews however found that limited board understanding meant the risk was often passed on to; outsourced cyber providers, insurance companies, or an internal cyber colleague.

Outsourcing and Supply Chain

Small, medium, and large businesses outsource their IT and cyber security to an external supplier 58%, 55%, and 60% of the time respectively, with organisations citing access to greater expertise, resources, and standard for cyber security. Consequently, only 13% of businesses assessed the risks posed by their immediate suppliers, with organisations saying that cyber security was not an important factor in the procurement process.

Incident Management

Incident management policy is limited with only 19% of businesses having a formal incident response plan, while 39% have assigned roles should an incident occur. In contrast, businesses show a clear reactive approach when breaches occur, with 84% of businesses saying they would inform the board, while 73% would make an assessment of the attack.

External engagement

Outside of working with external cyber security providers, organisations most keenly engage with insurers, where 43% of businesses have an insurance policy that cover cyber risks. On the other hand, only 6% of businesses have the Cyber Essentials certification and 1% have Cyber Essentials plus, which is largely due to relatively low awareness. The importance of this was highlighted in the recent GDPR fine issued to Tuckers solicitors.

The DCMS Cyber Security Breaches Survey is important reading for all Data Protection Officers and IT staff. Aligning with the National Cyber Strategy, it is used to inform government policy on cyber security. It should also be used to stay abreast of cyber security developments and formulate your own organisation’s cyber security strategy.  

Our Managing Personal Data Breaches workshop will examine the law and best practice in this area, drawing on real-life case studies, to identify how organisations can position themselves to deal appropriately with data security incidents and data breaches, in order to minimise the impact on customers and service users and mitigate reputational damage.

Ticketmaster Fined £1.25m Over Cyber Attack

0_MGP_CHP_270618TICKETMASTER_0736ticketmasterJPG

GDPR fines are like a number 65 bus. You wait for a long time and then three arrive at once. In the space of a month the Information Commissioner’s Office (ICO) has issued three Monetary Penalty Notices. The latest requires Ticketmaster to pay £1.25m following a cyber-attack on its website which compromised millions of customers’ personal information.  

The ICO investigation into this breach found a vulnerability in a third-party chatbot built by Inbenta Technologies, which Ticketmaster had installed on its online payments page. A cyber-attacker was able to use the chatbot to access customer payment details which included names, payment card numbers, expiry dates and CVV numbers. This had the potential to affect 9.4million Ticketmaster customers across Europe including 1.5 million in the UK. 

As a result of the breach, according to the ICO, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6000 cards were replaced by Monzo Bank after it suspected fraudulent use. The ICO said these bank and others had warned Ticketmaster of suspected fraud. Despite these warnings it took nine weeks to start monitoring activity on its payments page. 

The ICO found that Ticketmaster failed to: 

  • Assess the risks of using a chat-bot on its payment page 
  • Identify and implement appropriate security measures to negate the risks 
  • Identify the source of suggested fraudulent activity in a timely manner 

James Dipple-Johnstone, Deputy Information Commissioner, said: 

“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not. 

Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud. 

The £1.25milllion fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.” 

In a statement, Ticketmaster said:  

“Ticketmaster takes fans’ data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO.
We plan to appeal [against] today’s announcement.” 

Ticketmaster’s appeal will put the ICO’s reasoning and actions, when issuing fines, under judicial scrutiny. This will help GDPR practitioners faced with similar ICO investigations.   

Ticketmaster is also facing civil legal action by thousands of fraud victims. Law firm Keller Lenkner, which represents some of these victims, said: 

“While several banks tried to alert Ticketmaster of potential fraud, it took an unacceptable nine weeks for action to be taken, exposing an estimated 1.5 million UK customers,” said Kingsley Hayes, the firm’s head of cyber-crime.  

Data Protection Officers are encouraged to read the Monetary Penalty Notice as it not only sets out the reasons for the ICO’s conclusion but also the factors it has taken into account in deciding to issue a fine and how it calculated the amount. This fine follows hot on the heels of the British Airways and Marriott fines which also concerned cyber security breaches. (You can read more about the causes of cyber security breaches in our recent blog post.) 

75% of fines issued by the ICO under GDPR relate to cyber security. This is a top regulatory priority for the ICO as well as supervisory authorities across Europe.
Data Protection Officers should place cyber security at the top of their learning and development plan for 2021.  

We have some places available on our forthcoming Cyber Security for DPOs workshop. This and other GDPR developments will be covered in our next online GDPR update workshop.

Cyber Security and GDPR Compliance

photo-1584433144859-1fc3ab64a957

Olu Odeniyi writes…

Data Protection Officers (DPOs), and others who work in data protection, will know that a fundamental requirement of GDPR is to protect personal data ”against accidental loss, destruction or damage, using appropriate technical or organisational measures” as stipulated in the sixth data protection principle in Article 5. As the recent British Airways data breach fine has shown, failure to comply can be costly.

Article 32 further requires measures to be implemented to ensure a level of security appropriate to the risk  including “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”. Other GDPR provisions, including article 24 and article 25, demand similar requirements. As threats to complying with these articles emanate from malicious activity, mistakes, process weaknesses and software application vulnerabilities, it is clear that cyber security is an essential element of GDPR compliance.

Although many organisations rely on the IT department, the Chief Information Security Officer (CISO) or the Senior Information Risk Officer (SIRO) to lead implementation of cyber security controls, DPOs need a good understanding  of this topic to most effectively discharge their responsibilities and ensure compliance. 

What is Cyber Security?

The first step is to understand what cyber security is and what it is not. Various definitions exist. Most people associate cyber security with digital services, computerised devices and other forms of information technology. Protection against accidental and malevolent activity, unauthorised data access and preservation of services are fundamental cyber security goals but there’s more. 

Cyber security touches the very heart of how we live work and play within the fourth industrial revolution as highlighted by the founder of the World Economic Forum. Boundaries between work and home life have never been so blurred.
Government engagement around the world is increasingly conducted via digital services and individuals can barely avoid interacting with online services on a daily basis. 

While numerous standards and frameworks exist to help drive best practice, each organisation needs to contextualise what cyber security means for itself. A survey of the most common standards and frameworks will be left for a later blog (some are highlighted further down in this article), yet every organisation should scope and detail its own meaningful definition of cyber security. High level definitions can be utilised if required to achieve this from respected organisations such as the National Cyber Security Centre (NCSC) or the National Institute of Standards and Technology (NIST)

However, it’s a myth to think cyber security is a standard or a framework of itself and that only technology is involved. People utilise technology and digital services by means of a process or procedure. Therefore, effective cyber security comprises people, process and technology and many breaches could have been avoided given changes to either of these three areas. The remainder of this blog introduces cyber security under each of these headings.

People

It is often stated that people are the greatest weakness when it comes to cyber security, but it doesn’t have to be this way – they can be the strongest defence. The National Cyber Security Centre (NCSC) has performed leading research around people centric cyber security which organisations can benefit from. Staff know the issues they face better than anyone else and should be included in the risk analysis. By understanding productivity roadblocks, working pressures and specific training needs, new ways of working can be formulated to minimise breaches and security mistakes. 

For example, some groups could possibly opt to use enterprise collaboration applications (e.g. Microsoft Teams) to eradicate or decrease emails being sent to the wrong recipients. Watch the NCSC video or read the transcript for more information on developing people centric cyber security.

Security awareness training conducted well can be effective and significantly help prevent data and security breaches. Nonetheless, developing a security culture takes an organisation to the next level as staff develop their own sense of how to best protect the organisation and personal data. Culture change isn’t an overnight occurrence.
Focused effort and dedicated resources are required but the results will be worth it. 

Developing a security culture involves engaging with staff and seeking their input.
Small group sessions, organisation wide campaigns and open communication forums are some of the many approaches to transform cultures. Useful reading on the human aspects of cyber security can be found in the Cyber Security Culture Guidelines: Behavioural Aspects of Cyber Security report by  the European Union Agency for Cyber Security (ENISA).

It is important to ensure security measures and controls don’t hinder staff productivity or increase the likelihood that they will circumvent organisation policies. As the NCSC video above states, “if security doesn’t work for people, it doesn’t work”.

Process

Earlier this year I was asked to advise on a serious data breach where sensitive data had been disclosed. It so happened the breach could have been avoided if either processes, staff action or if different technology had otherwise been deployed. The role of policies, processes, guidelines and procedures in cyber security shouldn’t be underestimated, especially with large contingents of remote workers during a pandemic. (Read about the data protection challenges of remote working here)

Start by reviewing your organisation’s cyber and/or information security policies if they exist. Consider when the last updates were made and read the documents several times, making notes on their suitability or any glaring gaps. Check if any standards or frameworks are in use such as the ISO 27000 Information Security Family or the NIST Cyber Security Framework. Many others exist too. If so, familiarise yourself with the associated literature and determine where you can begin to get involved. 

Alternatively, you could be the staff member who introduces standards and frameworks into your organisation. You’ll likely need senior management support and the suggestion may have been considered previously. Either way, established best practice can help organisations review processes and streamline cyber security risk assessments. As mentioned previously, be sure to engage with staff who’ll likely see many process security risks for their departments that are blind to others.

At the very least, view the NCSC Risk management guidance which explains and recommends various concepts behind risk assessments. Combining cyber security risk assessments with Data Protection Impact Assessment (DPIAs) may also be an option in some cases. However, remember that while cyber security is essential for personal data protection, it extends to protecting the entire organisation too.

Technology

The use and maintenance of technology and digital services by staff, contractors and third-party suppliers forms the basis of technological aspects of cyber security. Online services, cloud computing and connected devices, or any other internet mediums through which data flows, are all cyber security concerns. Technology includes devices found in “smart homes” fitted with a degree of automation and the so-called Internet of Things (IoT), where numerous gadgets are connected online through a local network. Governments around the world are attempting to offer advice to mitigate the cyber risks associated with IoT devices. The UK Department for Digital, Culture, Media and Sport (DCMS) published a  Code of Practice for Consumer IoT Security in 2018, although widespread adoption is in its infancy.

Technology is also used to strengthen cyber defences through a number of security applications, which deliver varying levels of protection depending on how often they are updated. Basic anti-virus programs have long since been accompanied by a suite of new security applications many of which are connected to cloud-based detection engines which rely on Artificial Intelligence (AI) to improve performance. Nonetheless, a sound risk management methodology should always be established prior to investing in new protective technologies – benefits of the expected decrease in risk need to ideally be measurable and potential loss ought to supersede or equal expenditure. 

A great way to bring an organisations’ technical cyber security controls to a baseline standard is by adopting Cyber Essentials, a UK government backed scheme designed to guard against the most common cyber threats. Cyber Essentials outlines 5 control themes – firewalls, secure configuration, user configuration, malware protection and patch management. Organisations can become certified to Cyber Essentials in two ways – self-certification and Cyber Essentials Plus, where hands-on technical verification is carried out by an independent certified body.

Putting it all Together

Although this blog has described the people, process and technology aspects of cyber security separately, in reality all three areas need to be considered simultaneously.
A cyber security risk methodology should always form the heart of any cyber security defence strategy as part of overall business risk management. Those responsible for cyber security should also ensure they keep themselves updated as the security landscape has been changing rapidly, both in terms of malicious or accidental attacks and defences. The good news is that with a concerted effort, organisations can adequately protect themselves and their staff.

Olu will be examining this subject further in our Cyber Security for DPOs workshop in November. A few places left. Our GDPR Essentials E learning course is ideal for training frontline staff. In just over 30 minutes they will learn about the key provisions of GDPR and how to keep personal data safe.