What Recent Cyber Attacks Can Teach Us About Cyber Resilience

Cyber security incidents have become a regular feature of the news cycle.
From attacks on major retailers to breaches affecting public bodies and critical infrastructure, organisations of all sizes are facing increasing threats from cyber criminals. 

In Episode 4 of the Guardians of Data podcast, Ibrahim Hasan spoke with Olu Odeniyi about cyber security through the lens of the recent cyberattacks on major UK retailers. They explored how businesses can build resilience and trust in the face of growing threats, the future of cyber security and practical tips for all of us to stay ahead of the hackers. The following is an abridged transcript of the podcast:

Cyber threats are becoming more sophisticated

Cyber criminals are constantly adapting their methods. While ransomware remains a major threat, organisations are also facing attacks involving artificial intelligence, supply chain vulnerabilities, compromised Internet of Things devices and even state-sponsored actors.

One of the most significant developments is the increasing use of AI by criminals. Generative AI can create convincing phishing emails, impersonate trusted individuals and help less skilled attackers launch sophisticated campaigns. In the past, poorly written emails were often a warning sign of fraud. Today, AI can produce polished and convincing communications that are much harder to identify as malicious. At the same time, defenders are using AI to improve detection, automate routine tasks and strengthen security monitoring.  

The growing risk of social engineering 

Many recent cyber attacks have not relied on advanced technical exploits.
Instead, attackers have targeted people. Social engineering remains one of the most effective methods of gaining access to systems. Criminals impersonate trusted individuals, helpdesk staff or suppliers to persuade employees to reveal information, reset passwords or approve access requests. 

The attack on Marks & Spencer reportedly involved attackers posing as IT support personnel to trick individuals into resetting credentials and disabling security controls. Once inside the network, attackers were able to move through systems and cause significant disruption. 

This highlights an important point. Technology alone cannot prevent cyber attacks. Security depends on people, processes and technology working together. 

Supply chain attacks are a growing concern

Modern organisations rely heavily on suppliers, contractors and service providers. While this brings efficiency and specialist expertise, it also creates additional cyber risk. Supply chain attacks occur when criminals compromise a third party in order to gain access to their target. Rather than attacking a large organisation directly, attackers often look for weaker points elsewhere in the supply chain. 

The recent retail attacks demonstrate how interconnected organisations have become. Even businesses with mature security programmes can be affected if a trusted supplier is compromised. This means organisations must look beyond their own systems and assess the security of the wider ecosystem they depend upon. 

Why resilience matters

One of the key themes from the discussion was resilience. No organisation can eliminate cyber risk completely. The question is not whether an attack will occur, but how well prepared an organisation is to respond. 

The Co-op’s response to a recent attack illustrates this point. Having experienced previous incidents, the organisation had invested in preparation and incident response planning. This enabled it to detect suspicious activity quickly and take action to limit the damage. 

Early detection is critical. The sooner an attack is identified, the sooner organisations can activate response plans and contain the threat. Cyber resilience means understanding risks, preparing for incidents and ensuring the business can continue operating when problems occur.

Multi-factor authentication is essential but not enough

Multi-factor authentication (MFA) remains one of the most effective security controls available. However, not all forms of MFA provide the same level of protection. Many organisations rely on simple push notifications sent to mobile devices. Attackers have learned how to exploit this through what is known as MFA fatigue. In these attacks, criminals repeatedly trigger authentication requests in the hope that a user will eventually approve one by mistake.

Organisations should therefore consider stronger authentication methods, particularly for privileged accounts. Hardware security keys and passkeys offer significantly greater protection and are more resistant to phishing attacks. 

Security controls should be based on risk, with the strongest protections applied to accounts that could cause the most damage if compromised. 

Privileged accounts remain a prime target

Attackers often focus on obtaining privileged or administrator-level access. Once criminals gain control of these accounts, they can access sensitive information, disable security tools and move freely through systems. This was highlighted in the discussion of recent retail breaches, where attackers reportedly sought to obtain elevated access after gaining an initial foothold.

Organisations should ensure privileged access is tightly controlled, regularly reviewed and granted only when necessary. The principle of least privilege remains one of the most effective ways of reducing risk. 

Observability and monitoring are becoming critical

A recurring challenge in cyber security is that many organisations do not realise they have been compromised until weeks or even months after the initial breach. During that time, attackers can explore systems, steal information and establish persistence. Improved monitoring and observability can help organisations identify unusual behaviour more quickly. Understanding what normal activity looks like makes it easier to spot anomalies that could indicate an attack. The ability to detect threats early can significantly reduce the impact of an incident.
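The MFA fatigue pattern described earlier and the point above about spotting anomalies in authentication activity, as an added detection example that is not from the podcast or any identity provider: it clusters each user's push prompts into bursts over a constructed log, raises one alert per burst that is long enough, and marks the burst high severity when repeated denials are followed by an approval. The log format (timestamp, user, event, result), the field names and the sample records are constructed assumptions.

```python
"""Detecting an MFA fatigue pattern in authentication logs.

Added example, not from the podcast or any vendor. The log format below
(timestamp, user, event, result) and the sample records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Alice gets a late-night flood of push prompts,
# denies most of them and finally approves one; Bob's activity is normal.
SAMPLE_LOG = """\
2025-05-01T08:01:10Z alice mfa_push approved
2025-05-01T12:30:05Z bob mfa_push approved
2025-05-01T23:10:00Z alice mfa_push denied
2025-05-01T23:10:31Z alice mfa_push denied
2025-05-01T23:11:02Z alice mfa_push denied
2025-05-01T23:11:40Z alice mfa_push timeout
2025-05-01T23:12:15Z alice mfa_push denied
2025-05-01T23:12:50Z alice mfa_push approved
2025-05-02T09:00:00Z bob mfa_push approved
this line is malformed and should be skipped
"""


def parse_log(text):
    """Parse 'ts user event result' lines; skip malformed or non-MFA lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "mfa_push":
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        records.append({"ts": ts, "user": parts[1], "result": parts[3]})
    return records


def group_bursts(records, max_gap=timedelta(minutes=2)):
    """Cluster each user's prompts into bursts: consecutive prompts no more
    than `max_gap` apart belong to the same burst."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_user[r["user"]].append(r)
    bursts = []
    for user, events in by_user.items():
        current = [events[0]]
        for ev in events[1:]:
            if ev["ts"] - current[-1]["ts"] <= max_gap:
                current.append(ev)
            else:
                bursts.append((user, current))
                current = [ev]
        bursts.append((user, current))
    return bursts


def detect_mfa_fatigue(records, threshold=4, max_gap=timedelta(minutes=2)):
    """Return one alert per burst of at least `threshold` prompts.

    Severity is 'high' when the burst ends in an approval after earlier
    denials: the user was worn down into accepting a prompt they did not
    initiate, so the account should be treated as compromised and the
    incident response plan activated. Other bursts are 'medium'.
    """
    alerts = []
    for user, burst in group_bursts(records, max_gap):
        if len(burst) < threshold:
            continue
        results = [e["result"] for e in burst]
        approved_after_denials = (
            results[-1] == "approved" and "denied" in results[:-1]
        )
        alerts.append({
            "user": user,
            "first": burst[0]["ts"].isoformat(),
            "last": burst[-1]["ts"].isoformat(),
            "prompts": len(burst),
            "denied": results.count("denied"),
            "severity": "high" if approved_after_denials else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

Tuning `threshold` and `max_gap` against each organisation's own normal prompt rate is what turns this from a rule into the baseline-driven anomaly detection the discussion calls for.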

What can individuals do?

Cyber security is not solely an organisational responsibility. Individuals also play an important role in protecting their personal information. Some practical steps include: 

* Using strong and unique passwords for every account. 

* Using a password manager to store credentials securely. 

* Enabling multi-factor authentication wherever possible. 

* Using passkeys where supported. 

* Avoiding the reuse of passwords across different services. 

* Being cautious about the information shared online. 

* Monitoring accounts following any reported data breach. 

Criminals frequently combine information gathered from different sources to make scams appear more convincing. Limiting the amount of personal information available online can reduce this risk. 

The recent wave of cyber-attacks offers several important lessons: 

1. Treat cyber security as a board-level responsibility. 

2. Strengthen supply chain security and vendor oversight. 

3. Invest in incident response planning and regular testing. 

4. Adopt stronger forms of multi-factor authentication. 

5. Limit privileged access and apply the principle of least privilege. 

6. Improve monitoring and threat detection capabilities. 

7. Provide regular staff awareness training focused on social engineering. 

8. Build resilience so the organisation can continue operating during an incident. 

The cyber threat landscape is unlikely to become simpler. The combination of increasing digitalisation, AI-driven attacks, global interconnectivity and geopolitical tensions means organisations will continue to face growing challenges. At the same time, regulation and governance requirements are likely to increase as governments seek to improve cyber resilience across both the public and private sectors. The organisations that succeed will be those that treat cyber security as a business issue rather than simply an IT issue. 

Listen to the full Episode 4 with Olu.

Previous episodes of the Guardians of Data podcast have featured Jen Persson, a privacy campaigner, explaining the privacy implications of the Government’s new plans for children’s data and Tahir Latif discussing how to build responsible and ethical AI systems.

New Podcast: Lessons from Cyber Breaches

Act Now is pleased to bring you episode 4 of the Guardians of Data podcast. This is a show where we explore the world of information law and information governance; from privacy and AI to cybersecurity and freedom of information.  

The topic of this episode is cyber security. Every week we read about organisations being hacked, held to ransom or having their data stolen. The BBC recently discovered, through an FOI request, that around 10 million people had their data stolen when Transport for London (TfL) was hacked in 2024, making it one of the biggest hacks in British history. The so-called Scattered Spider crime group breached TfL’s internal computer systems, disrupting its online services and causing £39m of damage.

And the breakout of war in the Middle East has significantly increased the risk of cyber-attack. The National Cyber Security Centre (NCSC) recently warned that organisations should prepare for the risk of collateral damage from Iran-linked hacktivists. It said those with a presence in the region should consider boosting the monitoring of their IT systems and follow the centre’s guidelines for dealing with a heightened threat of cyber-attacks. 

In this podcast we talk about cyber security through the lens of the recent cyberattacks on major UK retailers. In just the past few months, household names like Jaguar Land Rover, Gucci, Marks & Spencer and Co-op have suffered significant disruption from ransomware attacks and other cyber incidents. These caused empty shelves, disrupted online orders and shook customer trust.

To help us unpack what happened and what lessons we can all take away, we are joined by Olu Odeniyi, a cyber security expert and trusted advisor with more than 30 years’ experience in this field. In our conversation, we also explore how businesses can build resilience and trust in the face of growing threats, the future of cybersecurity and practical tips for all of us to stay ahead of the hackers.

Download and listen here, or on your preferred podcast app. 
Available on Apple Podcasts, Spotify, and all major podcast platforms. 

Previous episodes of the Guardians of Data podcast have featured Jon Baines, talking about his career as a Data Protection specialist and the hot issues in information governance, and Lynn Wyeth discussing the recent controversy around Grok AI and Maurice Frenkel talking about 20 years of the Freedom of Information Act.

Is the CrowdStrike Outage a Personal Data Breach under GDPR?

Friday’s global IT outage, caused by the CrowdStrike software update, is likely to continue to have an impact on critical systems this week. NHS England says that health service IT systems are back online but has warned that there may still be disruption, particularly with GP services who may need time to rebook appointments.

The question now for Data Protection Officers, in the UK and EU, is whether the CrowdStrike outage is a personal data breach under the UK and EU GDPR (hereinafter referred to as GDPR, since the law is effectively the same). If it is, it may need to be reported to the data protection regulator (in the UK, the Information Commissioner’s Office (ICO)) and even to the individuals whose services have been affected, e.g. patients, customers and service users.

Before making this decision, DPOs need to go back to first principles. The law on reporting data breaches is set out in Articles 33 and 34 of the GDPR. Article 33 states:

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Commissioner, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification under this paragraph is not made within 72 hours, it shall be accompanied by reasons for the delay.”

The term “personal data breach” has a very specific meaning which is set out by Article 4:

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

So to even start to consider whether an incident needs to be reported, a DPO needs to consider whether it is “a breach of security” and, if it is, whether this breach has led to the consequences set out in Article 4 above i.e. accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

In deciding this question, many have jumped straight to focussing on the consequences of the incident, because it left many organisations unable to access critical data, which had a considerable impact on individuals; for example, GPs were unable to access patient medical records. They say it is a personal data breach due to the lack of availability of data. They rely on the ICO guidance which states:

“A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is accidentally lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.”

The European Data Protection Board (EDPB) guidance also classes lack of availability of personal data as a key factor. In footnote 18 on page 8, it states that:

“It is well established that “access” is fundamentally part of “availability”. See, for example, NIST SP800-53rev4, which defines “availability” as: “Ensuring timely and reliable access to and use of information,” … CNSSI-4009 also refers to: “Timely, reliable access to data and information services for authorized users”. … ISO/IEC 27000:2016 also defines “availability” as “Property of being accessible and usable upon demand by an authorized entity”

For an alternative view on the meaning of “loss” in Article 4, it is worth reading Jon Baines’ personal blog.

Few have considered the first aspect of the definition of a personal data breach set out in Article 4, i.e. is the CrowdStrike incident a “breach of security”? The cause of the incident has been identified as an update CrowdStrike made to its cloud-based software product called Falcon. When CrowdStrike pushed the update to the software, which interacts with other parts of computer systems such as Microsoft’s Windows products, it caused a malfunction that disabled those systems and widely used software the world over. In short, the outage was caused by a planned software update which went wrong; ironically, the software intended to protect against crashes and disruptions in vital computer systems ended up crashing them!

In a post on X, formerly Twitter, George Kurtz, president and CEO of CrowdStrike, said:

“This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed.”

Some would say, “he would say that wouldn’t he!” Our point is, when deciding whether to report an incident as a personal data breach, rather than first focussing on the consequences, DPOs should first consider whether it is a “breach of security” or, perhaps in this case, planned maintenance (albeit which went disastrously wrong). EDPB guidance says:

“To be clear, where personal data is unavailable due to planned maintenance being carried out this is not a “breach of security” as defined in Article 4(12).”

Of course even if the CrowdStrike incident is not a reportable data breach, this does not mean that there will be no repercussions for organisations who suffered an outage. The GDPR includes stand-alone obligations on Data Controllers to ensure they have technical and organisational measures to keep personal data safe and secure.

We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about cyber security. See also our Managing Personal Data Breaches workshop.

Stolen NHS Data Published on Dark Web

A large volume of NHS data has been published by a ransomware group on the dark web. This follows the recent cyber attack on NHS Dumfries and Galloway, when cyber criminals were able to access a significant amount of data including patient- and staff-identifiable information. Data relating to a small number of patients was released in March, and the cyber criminals had threatened that more would follow.

Reacting to the latest publication of data, NHS Dumfries and Galloway Chief Executive Julie White said: “This is an utterly abhorrent criminal act by cyber criminals who had threatened to release more data.

“We should not be surprised at this outcome, as this is in line with the way these criminal groups operate.

“Work is beginning to take place with partner agencies to assess the data which has been published. This very much remains a live criminal matter, and we are continuing to work with national agencies including Police Scotland, the National Cyber Security Centre and the Scottish Government.”

Mrs White added: “NHS Dumfries and Galloway is conscious that this may cause increased anxiety and concern for patients and staff, with a telephone helpline sharing the information hosted at our website available from tomorrow.

“Data accessed by the cyber criminals has now been published onto the dark web – which is not readily accessible to most people.”

“Recognising that this is a live criminal matter, we continue to follow the very clear guidance being provided to us by national law enforcement agencies.”

NHS Dumfries and Galloway advised people to be alert for any attempts to access their work and personal data. It has also set up a helpline for anyone concerned about the attack and is working with police and other agencies as investigations continue.

In December last year, NHS Fife was formally reprimanded by the Information Commissioner’s Office (ICO) following an incident where an unauthorised individual accessed sensitive patient information.

We have two workshops coming up (How to Increase Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security. 

The British Library Hack: A Chapter in Ransomware Resilience

In a stark reminder of the persistent threat of cybercrime, the British Library has confirmed a data breach incident that has led to the exposure of sensitive personal data, with materials purportedly up for auction online. An October intrusion by a notorious cybercrime group targeted the library, which is home to an extensive collection, including over 14 million books.

Recently, the ransomware group Rhysida claimed responsibility, publicly displaying snippets of sensitive data, and announcing the sale of this information for a significant sum of around £600k to be paid in cryptocurrency.

While the group boasts about the data’s exclusivity and sets a firm bidding deadline (today 27th November 2023), the library has only acknowledged a leak of what seems to be internal human resources documents. It has not verified the identity of the attackers nor the authenticity of the sale items. The cyber attack has significantly disrupted the library’s operations, leading to service interruptions expected to span several months.

In response, the library has strengthened its digital defences, sought expert cybersecurity assistance, and urged its patrons to update their login credentials as a protective measure. The library is working closely with the National Cyber Security Centre and law enforcement to investigate, but details remain confidential due to the ongoing inquiry.

The consequences of the attack have necessitated a temporary shutdown of the library’s online presence. Physical locations, however, remain accessible. Updates can be found on the British Library’s X (née Twitter) feed. The risk posed by Rhysida has drawn attention from international agencies, with recent advisories from the FBI and US cybersecurity authorities. The group has been active globally, with attacks on various sectors and institutions.

The British Library’s leadership has expressed appreciation for the support and patience from its community as it navigates the aftermath of the cyber attack.

What is a Ransomware Attack?

A ransomware attack is a type of malicious cyber operation where hackers infiltrate a computer system to encrypt data, effectively locking out the rightful users. The attackers then demand payment, often in cryptocurrency, for the decryption key. These attacks can paralyse organisations, leading to significant data loss and disruption of operations.

Who is Rhysida?

The Rhysida ransomware group first came to the fore in May 2023, following the emergence of their victim support chat portal hosted on the Tor network. The group identifies as a “cybersecurity team” who highlight security flaws by targeting victims’ systems and spotlighting the supposed potential ramifications of the involved security issues.

How to Prevent a Ransomware Attack

Hackers are becoming more and more sophisticated in the ways they target our personal data. We have seen this with banking scams recently. However, there are some measures we can implement personally and within our organisations to prevent a ransomware attack.

  1. Avoid Unverified Links: Refrain from clicking on links in spam emails or unfamiliar websites. Hackers frequently disseminate ransomware via such links, which, when clicked, can initiate the download of malware. This malware can then encrypt your data and hold it for ransom.

  2. Safeguard Personal Information: It’s crucial to never disclose personal information such as addresses, NI numbers, login details, or banking information online, especially in response to unsolicited communications.

  3. Educate Employees: Increasing awareness among employees can be a strong defence. Training should focus on identifying and handling suspicious emails, attachments, and links. Additionally, having a contingency plan in the event of a ransomware infection is important.

  4. Implement a Firewall: A robust firewall can act as a first line of defence, monitoring incoming and outgoing traffic for threats and signs of malicious activity. This should be complemented with proactive measures such as threat hunting and active tagging of workloads.

  5. Regular Backups: Maintain up-to-date backups of all critical data. In the event of a ransomware attack, having these backups means you can restore your systems to a previous, unencrypted state without having to consider ransom demands.

  6. Create Inventories of Assets and Data: Having inventories of the data and assets you hold allows you to have an immediate knowledge of what has been compromised in the event of an attack whilst also allowing you to update security protocols for sensitive data over time.

  7. Multi-Factor Authentication: Identifying legitimate users in more than one way ensures that you are only granting access to those intended. 

These are some strategies organisations can use as part of a more comprehensive cybersecurity protocol which will significantly reduce the risk of falling victim to a ransomware attack. 

Join us on our workshops “How to Increase Cyber Security in your Organisation” and Cyber Security for DPOs, where we discuss all of the above and more, helping you create the right foundations for cyber resilience within your organisation.

£4.4 Million GDPR Fine for Construction Company 

This month the UK Information Commissioner’s Office has issued two fines and one Notice of Intent under GDPR. 

The latest fine is three times more than that imposed on Easylife Ltd on 5th October. Yesterday, Interserve Group Ltd was fined £4.4 million for failing to keep personal information of its staff secure.

The ICO found that the Berkshire based construction company failed to put appropriate security measures in place to prevent a cyber-attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email. The compromised data included personal information such as contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information. 

The Phishing Email 

In March 2020, an Interserve employee forwarded a phishing email, which was not quarantined or blocked by Interserve’s IT system, to another employee who opened it and downloaded its content. This resulted in the installation of malware onto the employee’s workstation. 

The company’s anti-virus quarantined the malware and sent an alert, but Interserve failed to thoroughly investigate the suspicious activity. If they had done so, Interserve would have found that the attacker still had access to the company’s systems. 

The attacker subsequently compromised 283 systems and 16 accounts, as well as uninstalling the company’s anti-virus solution. Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable. 

The ICO investigation found that Interserve failed to follow up on the original alert of suspicious activity, used outdated software systems and protocols, and had a lack of adequate staff training and insufficient risk assessments, which ultimately left them vulnerable to a cyber-attack. Consequently, Interserve had breached Article 5 and Article 32 of GDPR by failing to put appropriate technical and organisational measures in place to prevent the unauthorised access of people’s information.

Notice of Intent 

Interestingly, in this case the Notice of Intent (the precursor to the fine) was also for £4.4 million, i.e. no reductions were made by the ICO despite Interserve’s representations. Compare this to the ICO’s treatment of two much bigger companies who also suffered cyber security breaches. In July 2018, British Airways was issued with a Notice of Intent in the sum of £183 million but the actual fine was reduced to £20 million in July 2020. In November 2020 Marriott International Inc was fined £18.4 million, much lower than the £99 million set out in the original notice.

The Information Commissioner, John Edwards, has warned that companies are leaving themselves open to cyber-attack by ignoring crucial measures like updating software and training staff: 

“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office. 

Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.” 

We have been here before. On 10th March the ICO fined Tuckers Solicitors LLP £98,000 following a ransomware attack on the firm’s IT systems in August 2020. The attacker had encrypted 972,191 files, of which 24,712 related to court bundles. 60 of those were exfiltrated by the attacker and released on the dark web.

Action Points  

Organisations need to strengthen their defences and have plans in place, not just to prevent a cyber-attack but for what to do when one does take place. Here are our top tips:

  1. Conduct a cyber security risk assessment and consider an external accreditation through Cyber Essentials.
  2. Ensure your employees know the risks of malware/ransomware and follow good security practice. At the time of the cyber-attack, one of the two Interserve employees who received the phishing email had not undertaken data protection training. (Our GDPR Essentials e-learning solution is a very cost effective e-learning solution which contains a specific module on keeping data safe.)
  3. Have plans in place for a cyber security breach. See our Managing Personal Data Breaches workshop.
  4. Earlier in the year, the ICO worked with NCSC to remind organisations not to pay a ransom in case of a cyber-attack, as it does not reduce the risk to individuals and is not considered a reasonable step to safeguard data. For more information, take a look at the ICO ransomware guidance or visit the NCSC website to learn about mitigating a ransomware threat via their business toolkit.

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop.  

Are you an experienced GDPR Practitioner wanting to take your skills to the next level? Our Advanced Certificate in GDPR Practice starts on 21st November.  

Calling Cyber Security Trainers: We are Hiring

Are you a cyber security expert with a reputation for delivering engaging training? We are recruiting trainers to join our team of expert associates who deliver in-house and external training courses throughout the UK and worldwide.

We are one of Europe’s leading information law training companies with a 20 year track record of delivering practical and engaging training which makes the complex simple. We recently won the Information and Records Management Society (IRMS) Supplier of the year award for 2022-23. This is the second consecutive year we have won this award.

Despite recently expanding our team, we are seeing an increase in global demand for our courses and consulting services from both the public and private sectors. We need more talented trainers who enjoy the challenge of explaining difficult concepts in a practical, jargon-free manner.

We have opportunities for full time trainers and those who wish to add an extra “string to their bow” without leaving their day job. What is important is that you are enthusiastic about Cyber Security and passionate about teaching it.

If you think you have what it takes to become an Act Now trainer, please get in touch with your CV explaining your knowledge and experience of delivering training and consultancy services in Cyber Security. 

Cyber Security Breaches Survey 2022: What DPOs need to know

Cyber security breaches are on the rise. Virtually every day there is a news story about a high profile organisation being hacked and personal data being lost or stolen. Last week the BBC reported that thousands, if not millions, of people could have lost money in the second largest crypto hack in history. Ronin Network, a key platform powering the popular mobile game Axie Infinity, has had $615m (£467m) stolen. More recently UK retailer The Works has been forced to shut shops temporarily and suspend new stock deliveries after a cyber-attack.

And it’s not just the private sector. In January we learnt that Gloucester City Council’s website was hacked, affecting online revenue and benefits, planning and customer services. The work of Russian hackers (allegedly) could take up to six months to resolve, and affected servers and systems may need to be rebuilt.

Data Protection Officers need to be aware of the latest incidents and advice when it comes to cyber security breaches. The recently published DCMS Cyber Security Breaches Survey is important reading for all DPOs. It explores the policies, processes, and approaches to cyber security for businesses, charities, and educational institutions. It also considers the different forms of cyber-attack these organisations face, as well as how they are impacted and their response.

Cyber Attacks

The survey results show that in the last 12 months, 39% of UK businesses identified a cyber-attack. Of these, the most common threat vector was phishing (83%). Around one in five of the 39% (21%) identified a more sophisticated attack type such as a denial of service, malware or ransomware attack. Despite its low prevalence, organisations cited ransomware as a major threat, and 56% of businesses have a policy of not paying ransoms. Note the recent GDPR fine issued to Tuckers Solicitors, a firm which suffered such an attack; interestingly, they too chose not to pay the hackers.

Frequency and Impact

Within the group of organisations reporting cyber-attacks, 31% of businesses and 26% of charities estimate they were attacked at least once a week. One in five businesses (20%) and charities (19%) say they experienced a negative outcome as a direct consequence of a cyber-attack, while one third of businesses (35%) and almost four in ten charities (38%) experienced at least one negative impact. It is interesting that the survey focussed on charities too. July 2021 saw the first GDPR fine to a charity. The transgender charity Mermaids was fined £25,000 after the ICO found that it had failed to implement an appropriate level of security to its internal email systems, which resulted in documents or emails containing personal data being searchable and viewable online by third parties through internet search engine results.

Cost of Attacks

The survey found the average estimated cost of all cyber attacks in the last 12 months was £4,200. Considering only medium and large businesses, the figure rises to £19,400. Of course, such incidents also mean a loss of reputation and customer trust. In October 2020 the ICO fined British Airways £20 million for a cyber security breach which saw the personal and financial details of more than 400,000 customers accessed by hackers. British Airways also had to settle legal claims for compensation from affected customers.

Cyber Hygiene

The government guidance ‘10 Steps to Cyber Security’ breaks down the task of protecting an organisation into 10 key components. The survey finds 49% of businesses and 40% of charities have acted in at least five of these 10 areas. In particular, access management surveyed most favourably, while supply chain security was the least favourable.

Board Engagement

Around four in five (82%) boards or senior management teams within UK businesses rate cyber security as a ‘very high’ or ‘fairly high’ priority, up from 77% in 2021; the figure for charities is 72%. Additionally, 50% of businesses and 42% of charities say they update the board on cyber security matters at least quarterly. Our new “GDPR and the Charity Sector” webinar is ideal for raising awareness amongst charity trustees.

Size Differential

Larger organisations are correlated throughout the survey with stronger cyber security, likely as a consequence of greater funding and expertise. Among large businesses, 80% update the board at least quarterly, 63% conducted a risk assessment and 61% carried out staff training, compared with 50%, 33% and 17% respectively for all businesses. Our GDPR Essentials e-learning course contains a specific module on keeping data safe which warns of the most common hacking and phishing tactics.

Risk Management

Just over half of businesses surveyed (54%) have acted in the past 12 months to identify cyber security risks, through a range of actions of which deploying security monitoring tools (35%) was the most common. Qualitative interviews, however, found that limited board understanding meant the risk was often passed on to outsourced cyber security providers, insurance companies or an internal cyber security colleague.

Outsourcing and Supply Chain

Small, medium and large businesses outsource their IT and cyber security to an external supplier 58%, 55% and 60% of the time respectively, citing access to greater expertise, resources and standards of cyber security. Despite this reliance on suppliers, only 13% of businesses assessed the risks posed by their immediate suppliers, and organisations said that cyber security was not an important factor in the procurement process.

Incident Management

Incident management planning is limited: only 19% of businesses have a formal incident response plan, while 39% have assigned roles should an incident occur. By contrast, businesses show a clearly reactive approach once a breach occurs, with 84% saying they would inform the board and 73% that they would make an assessment of the attack.

External engagement

Outside of working with external cyber security providers, organisations engage most keenly with insurers: 43% of businesses have an insurance policy that covers cyber risks. On the other hand, only 6% of businesses have Cyber Essentials certification and 1% have Cyber Essentials Plus, which is largely due to relatively low awareness. The importance of this was highlighted in the recent GDPR fine issued to Tuckers Solicitors.

The DCMS Cyber Security Breaches Survey is important reading for all Data Protection Officers and IT staff. Aligning with the National Cyber Strategy, it is used to inform government policy on cyber security. It should also be used to stay abreast of cyber security developments and formulate your own organisation’s cyber security strategy.  

Our Managing Personal Data Breaches workshop will examine the law and best practice in this area, drawing on real-life case studies, to identify how organisations can position themselves to deal appropriately with data security incidents and data breaches, in order to minimise the impact on customers and service users and mitigate reputational damage.

Ticketmaster Fined £1.25m Over Cyber Attack


GDPR fines are like a number 65 bus. You wait for a long time and then three arrive at once. In the space of a month the Information Commissioner’s Office (ICO) has issued three Monetary Penalty Notices. The latest requires Ticketmaster to pay £1.25m following a cyber-attack on its website which compromised millions of customers’ personal information.  

The ICO investigation into this breach found a vulnerability in a third-party chatbot built by Inbenta Technologies, which Ticketmaster had installed on its online payments page. An attacker was able to use the chatbot to access customer payment details, including names, payment card numbers, expiry dates and CVV numbers. This had the potential to affect 9.4 million Ticketmaster customers across Europe, including 1.5 million in the UK.

As a result of the breach, according to the ICO, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud, and another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use. The ICO said these banks and others had warned Ticketmaster of suspected fraud. Despite these warnings, it took Ticketmaster nine weeks to start monitoring activity on its payments page.

The ICO found that Ticketmaster failed to: 

  • Assess the risks of using a chatbot on its payment page
  • Identify and implement appropriate security measures to negate the risks
  • Identify the source of suggested fraudulent activity in a timely manner
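
The first two of those findings are questions a developer can put to the checkout page itself before go-live. The following is an added example written for this page by the editor; it is not code from Ticketmaster, Inbenta, the ICO notice or the original post. It inventories the external `<script>` tags in a constructed checkout page, flags any third-party origin that is not on a hypothetical allow-list approved for the payment page, and flags third-party scripts that carry no Subresource Integrity (SRI) hash or that carry one without the `crossorigin` attribute browsers need to verify it. The hostnames, the allow-list and the use of SRI as a control are all assumptions; the ICO findings quoted above name neither.

```javascript
// Added example (editor's code, not from the original post or the ICO notice):
// inventory the external <script> tags on a checkout page and flag third-party
// ones, so "does this widget belong on the payment page?" is asked before
// deployment rather than after a breach. Plain Node.js, no dependencies.

// Constructed sample checkout page. Hostnames under .test are hypothetical.
const CONSTRUCTED_CHECKOUT_HTML = `
<html><body>
<form id="card-form" action="/pay"><input name="pan"><input name="cvv"></form>
<script>window.checkoutConfig = { currency: "GBP" };</script>
<script src="/static/checkout.js"></script>
<script src="https://chat.example-vendor.test/widget.js"></script>
<script src="https://cdn.example-payments.test/sdk.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="https://tags.example-analytics.test/t.js" integrity="sha384-PLACEHOLDERHASH2"></script>
</body></html>`;

// Origins that have been risk-assessed and approved to run on the payment page
// (hypothetical allow-list).
const APPROVED_PAYMENT_PAGE_ORIGINS = ['https://cdn.example-payments.test'];

const SCRIPT_TAG_RE = /<script\b([^>]*)>/gi;
// name="value", name='value', name=value, or a bare boolean attribute
const ATTR_RE = /([a-zA-Z][\w-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns one finding per external script: where it loads from, whether it is
// third-party relative to the page, and a list of review issues (empty = OK).
function auditPaymentPageScripts(html, pageUrl, approvedOrigins) {
  const pageOrigin = new URL(pageUrl).origin;
  const approved = new Set(approvedOrigins);
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG_RE)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue; // inline scripts need a separate code review
    const src = new URL(attrs.src, pageUrl); // resolves relative and protocol-relative URLs
    const thirdParty = src.origin !== pageOrigin;
    const issues = [];
    if (thirdParty && !approved.has(src.origin)) {
      issues.push('third-party origin not on the payment-page allow-list');
    }
    if (thirdParty && !('integrity' in attrs)) {
      issues.push('no Subresource Integrity hash: the vendor can change what runs next to the card form');
    }
    if (thirdParty && 'integrity' in attrs && !('crossorigin' in attrs)) {
      issues.push('integrity without crossorigin: browsers cannot verify the hash of a cross-origin script, so it will fail to load');
    }
    findings.push({ src: src.href, origin: src.origin, thirdParty, issues });
  }
  return findings;
}

// Human-readable report lines for a findings list.
function formatReport(findings) {
  return findings.map((f) => {
    const kind = f.thirdParty ? 'THIRD-PARTY' : 'first-party';
    const status = f.issues.length ? `REVIEW: ${f.issues.join('; ')}` : 'ok';
    return `${kind.padEnd(11)} ${f.src} -> ${status}`;
  });
}

const sampleFindings = auditPaymentPageScripts(
  CONSTRUCTED_CHECKOUT_HTML,
  'https://shop.example.test/checkout',
  APPROVED_PAYMENT_PAGE_ORIGINS,
);
console.log(formatReport(sampleFindings).join('\n'));
```

Run with `node` and it prints one line per external script: the first-party bundle and the approved, pinned payment SDK pass; the chat widget and the analytics tag are flagged. The caveat is the point: an SRI hash only works if the vendor serves a fixed file, and most chatbot and tag scripts update themselves, so they cannot be pinned. When the check reports a third-party script that cannot carry an integrity hash, the decision is not how to pin it but whether anything outside your control should run on the page that handles card data at all.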

James Dipple-Johnstone, Deputy Information Commissioner, said: 

“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not. 

Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud. 

The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.” 

In a statement, Ticketmaster said:  

“Ticketmaster takes fans’ data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO. We plan to appeal [against] today’s announcement.” 

Ticketmaster’s appeal will put the ICO’s reasoning and actions, when issuing fines, under judicial scrutiny. This will help GDPR practitioners faced with similar ICO investigations.   

Ticketmaster is also facing civil legal action by thousands of fraud victims. Kingsley Hayes, head of cyber-crime at law firm Keller Lenkner, which represents some of these victims, said: 

“While several banks tried to alert Ticketmaster of potential fraud, it took an unacceptable nine weeks for action to be taken, exposing an estimated 1.5 million UK customers.” 

Data Protection Officers are encouraged to read the Monetary Penalty Notice as it not only sets out the reasons for the ICO’s conclusion but also the factors it has taken into account in deciding to issue a fine and how it calculated the amount. This fine follows hot on the heels of the British Airways and Marriott fines which also concerned cyber security breaches. (You can read more about the causes of cyber security breaches in our recent blog post.) 

75% of fines issued by the ICO under GDPR relate to cyber security. This is a top regulatory priority for the ICO as well as for supervisory authorities across Europe. Data Protection Officers should place cyber security at the top of their learning and development plan for 2021.  

We have some places available on our forthcoming Cyber Security for DPOs workshop. This and other GDPR developments will be covered in our next online GDPR update workshop.

Cyber Security and GDPR Compliance


Olu Odeniyi writes…

Data Protection Officers (DPOs), and others who work in data protection, will know that a fundamental requirement of GDPR is to protect personal data “against accidental loss, destruction or damage, using appropriate technical or organisational measures”, as stipulated in the sixth data protection principle (integrity and confidentiality) in Article 5(1)(f). As the recent British Airways data breach fine has shown, failure to comply can be costly.

Article 32 further requires measures to be implemented to ensure a level of security appropriate to the risk, including “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”. Other GDPR provisions, including Articles 24 and 25, impose similar requirements. Because the threats to compliance with these articles come from malicious activity, mistakes, process weaknesses and software vulnerabilities, cyber security is clearly an essential element of GDPR compliance.

Although many organisations rely on the IT department, the Chief Information Security Officer (CISO) or the Senior Information Risk Officer (SIRO) to lead implementation of cyber security controls, DPOs need a good understanding of this topic to most effectively discharge their responsibilities and ensure compliance. 

What is Cyber Security?

The first step is to understand what cyber security is and what it is not. Various definitions exist. Most people associate cyber security with digital services, computerised devices and other forms of information technology. Protection against accidental and malevolent activity, unauthorised data access and preservation of services are fundamental cyber security goals but there’s more. 

Cyber security touches the very heart of how we live, work and play within the fourth industrial revolution, as highlighted by the founder of the World Economic Forum. Boundaries between work and home life have never been so blurred. Government engagement around the world is increasingly conducted via digital services, and individuals can barely avoid interacting with online services on a daily basis. 

While numerous standards and frameworks exist to help drive best practice, each organisation needs to contextualise what cyber security means for itself. A survey of the most common standards and frameworks is left for a later blog (some are highlighted further down in this article), but every organisation should scope and document its own meaningful definition of cyber security. If needed, high-level definitions from respected bodies such as the National Cyber Security Centre (NCSC) or the National Institute of Standards and Technology (NIST) can be used as a starting point.

However, it is a myth to think that cyber security is a standard or framework in itself, or that it involves only technology. People use technology and digital services by means of a process or procedure. Effective cyber security therefore comprises people, process and technology, and many breaches could have been avoided by changes in any one of these three areas. The remainder of this blog introduces cyber security under each of these headings.

People

It is often stated that people are the greatest weakness when it comes to cyber security, but it doesn’t have to be this way – they can be the strongest defence. The National Cyber Security Centre (NCSC) has performed leading research around people centric cyber security which organisations can benefit from. Staff know the issues they face better than anyone else and should be included in the risk analysis. By understanding productivity roadblocks, working pressures and specific training needs, new ways of working can be formulated to minimise breaches and security mistakes. 

For example, some groups could possibly opt to use enterprise collaboration applications (e.g. Microsoft Teams) to eradicate or decrease emails being sent to the wrong recipients. Watch the NCSC video or read the transcript for more information on developing people centric cyber security.

Security awareness training conducted well can be effective and significantly help prevent data and security breaches. Nonetheless, developing a security culture takes an organisation to the next level, as staff develop their own sense of how best to protect the organisation and personal data. Culture change isn’t an overnight occurrence. Focused effort and dedicated resources are required, but the results will be worth it. 

Developing a security culture involves engaging with staff and seeking their input. Small group sessions, organisation-wide campaigns and open communication forums are some of the many approaches to transforming cultures. Useful reading on the human aspects of cyber security can be found in the Cyber Security Culture Guidelines: Behavioural Aspects of Cyber Security report by the European Union Agency for Cybersecurity (ENISA).

It is important to ensure security measures and controls don’t hinder staff productivity or increase the likelihood that they will circumvent organisation policies. As the NCSC video above states, “if security doesn’t work for people, it doesn’t work”.

Process

Earlier this year I was asked to advise on a serious data breach where sensitive data had been disclosed. As it happened, the breach could have been avoided if different processes, staff actions or technology had been deployed. The role of policies, processes, guidelines and procedures in cyber security shouldn’t be underestimated, especially with large contingents of remote workers during a pandemic. (Read about the data protection challenges of remote working here.)

Start by reviewing your organisation’s cyber and/or information security policies, if they exist. Consider when the last updates were made, read the documents several times and make notes on their suitability and any glaring gaps. Check whether any standards or frameworks are in use, such as the ISO/IEC 27000 family of information security standards or the NIST Cyber Security Framework; many others exist too. If so, familiarise yourself with the associated literature and determine where you can begin to get involved. 

Alternatively, you could be the staff member who introduces standards and frameworks into your organisation. You’ll likely need senior management support and the suggestion may have been considered previously. Either way, established best practice can help organisations review processes and streamline cyber security risk assessments. As mentioned previously, be sure to engage with staff who’ll likely see many process security risks for their departments that are blind to others.

At the very least, read the NCSC risk management guidance, which explains and recommends various concepts behind risk assessments. Combining cyber security risk assessments with Data Protection Impact Assessments (DPIAs) may also be an option in some cases. However, remember that while cyber security is essential for personal data protection, it extends to protecting the entire organisation too.

Technology

The use and maintenance of technology and digital services by staff, contractors and third-party suppliers forms the basis of the technological aspects of cyber security. Online services, cloud computing and connected devices, or any other internet medium through which data flows, are all cyber security concerns. Technology includes devices found in “smart homes” fitted with a degree of automation and the so-called Internet of Things (IoT), where numerous gadgets are connected online through a local network. Governments around the world are attempting to offer advice to mitigate the cyber risks associated with IoT devices. The UK Department for Digital, Culture, Media and Sport (DCMS) published a Code of Practice for Consumer IoT Security in 2018, although widespread adoption is in its infancy.

Technology is also used to strengthen cyber defences through a number of security applications, which deliver varying levels of protection depending on how often they are updated. Basic anti-virus programs have long since been joined by a suite of newer security applications, many of them connected to cloud-based detection engines which use Artificial Intelligence (AI) to improve performance. Nonetheless, a sound risk management methodology should always be established before investing in new protective technologies: the expected decrease in risk should ideally be measurable, and the potential loss avoided ought to equal or exceed the expenditure. 

A great way to bring an organisation’s technical cyber security controls to a baseline standard is by adopting Cyber Essentials, a UK government-backed scheme designed to guard against the most common cyber threats. Cyber Essentials outlines five control themes: firewalls, secure configuration, user access control, malware protection and patch management. Organisations can be certified at two levels: Cyber Essentials, an independently verified self-assessment, and Cyber Essentials Plus, where hands-on technical verification is carried out by an independent certification body.

Putting it all Together

Although this blog has described the people, process and technology aspects of cyber security separately, in reality all three areas need to be considered together. A cyber security risk methodology should always form the heart of any cyber security defence strategy, as part of overall business risk management. Those responsible for cyber security should also keep themselves up to date, as the security landscape has been changing rapidly, both in the malicious attacks and accidental incidents organisations face and in the defences available. The good news is that with a concerted effort, organisations can adequately protect themselves and their staff.

Olu will be examining this subject further in our Cyber Security for DPOs workshop in November. A few places are left. Our GDPR Essentials e-learning course is ideal for training frontline staff: in just over 30 minutes they will learn about the key provisions of GDPR and how to keep personal data safe.