Brian Pennington

A blog about Cyber Security & Compliance


January 2012

Council fined £140,000 for five serious data breaches

The five serious data breaches – all involving children’s social service reports being sent to the wrong recipients – happened at Midlothian Council and occurred between January and June 2011.

  • One breach concerned papers about the status of a foster carer being sent to 7 healthcare professionals who had no need to see them
  • Another case was of the minutes of a child protection conference being sent in error to the former address of a mother’s partner, where they were opened and read by his ex-partner. The papers also contained personal data about the children’s mother

The first breach occurred in January 2011 but did not come to light until March.

Ken Macdonald, Assistant Commissioner for Scotland said:

“Information about children’s care, as well as details about their health and wellbeing, is some of the most sensitive information a local authority holds. It is of vital importance that this information is protected and that robust policies are followed before it is disclosed.   

“The serious upset that these breaches would have caused to the children’s families is obvious and it is extremely concerning that this happened five times in as many months. I hope this penalty acts as a reminder to all organisations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure.”

The ICO’s investigation found that all five breaches could have been avoided if the council had put adequate data protection policies, training and checks in place.

The ICO has ordered the council to take action to keep the personal information they handle secure. The council has recovered all of the information mistakenly sent to the wrong recipients and will now check all records to ensure that the details they hold are up-to-date.


Aftermath of a Data Breach

Ponemon Institute, sponsored by Experian®, has released the findings of their Aftermath of a Data Breach study.

The study was conducted to learn what organizations did to recover from the financial and reputational damage of a data breach involving customer and consumer records.

Consumer and customer information collected by organizations is at great risk due to employee negligence, insider maliciousness, system glitches or attacks by cyber criminals. Since 2005, according to the Privacy Rights Clearinghouse (PRC), 543 million records containing sensitive information have been breached. PRC says this number is conservative because they track only those breaches that are reported in the media and many states do not require companies to report data breaches to a central clearinghouse.

In 2011, what is considered the biggest consumer data breach ever occurred. As reported by PRC, as many as 250 million consumers received notices telling them that their email addresses and names were exposed. Another significant data breach took place at the end of the year and involved the theft of credit card information.

The organizations represented in this study have had at least one data breach involving customer and consumer records in the past 24 months.

A summary of the study is below: 

All of the organizations in the study had at least one data breach involving consumer information and 85% report that more than one breach involving customer/consumer data occurred in the past 24 months.

In the aftermath of a data breach, IT respondents believe the following:

  • They are more confident than senior leadership about the ability to keep customer data secure from future breaches.
  • By far, negligent employees, temporary employees or contractors make organizations vulnerable to future breaches. Accordingly, conducting training and awareness programs and enforcing security policies should be a priority for organizations.
  • Privacy and data protection became a greater priority for senior leadership following the breach. As a result, IT security budgets for most organizations in this study increased.
  • They are concerned that customer data stolen from their organizations will be used to commit identity fraud.
  • The top three actions believed to reduce the negative consequences of the data breach are hiring legal counsel, assessing the harm to victims and employing forensic experts.
  • Lessons learned from the data breach are to limit the amount of personal data collected, limit sharing with third parties and limit the amount of personal data stored.

In Ponemon’s previous study, Reputation Impact of a Data Breach, the findings reveal that it can take a year to restore an organization’s reputation with an average loss of $332 million in the value of its brand.

For purposes of this study, they asked respondents to focus on the one data breach they believe had the most significant financial and reputational impact on their organizations. The study is organized according to the following three topics:

  • Circumstances of the data breach
  • Response to the data breach
  • Impact of the breach on privacy and data protection practices

In most cases, sensitive data lost or stolen was not encrypted

  • 60% of respondents say the customer data that was lost or stolen was not encrypted
  • 24% said the data was encrypted
  • 16% are unsure

Organizations report that their most sensitive data was lost or stolen

Respondents to the study were asked to focus on the one data breach that had the most severe consequences for their organizations.

What type of data did your organization lose? (% of respondents)

  • Name: 85%
  • Address: 69%
  • Email address: 70%
  • Telephone number: 58%
  • Age: 43%
  • Gender: 35%
  • Employer: 20%
  • Educational background: 18%
  • Credit card or bank payment information: 45%
  • Credit or payment history: 41%
  • Password/PIN: 48%
  • Social Security number (SSN): 33%
  • Driver’s license number: 29%
  • Other (please specify): 9%
  • Don’t know: 11%

Insiders and third parties are most often the cause of the data breach

What was the main cause of the data breach? (% of respondents)

  • Negligent insider: 34%
  • Malicious insider: 16%
  • Outsourcing data to a third party: 19%
  • Systems glitch: 11%
  • Cyber attack: 7%
  • Data lost in physical delivery: 5%
  • Failure to shred confidential documents: 6%
  • Other: 2%

Data breaches reduce an organization’s productivity

50% of respondents say the most negative consequence of the breach was the loss of productivity. In the aftermath of a data breach, key employees may be diverted from their usual responsibilities to help the organization respond to and resolve the data breach.

This is followed by:

  • 41% a loss of customer loyalty
  • 34% legal action

Data breach response strategies need improvement

  • 50% believe the organization made the best possible effort following the data breach
  • 30% say that it was successful in preventing any negative consequences from the data breach
  • 27% believe their data breach notification efforts increased customer and consumer trust in their organization
  • 63% believe their senior leadership views privacy and data protection as a greater priority than before the breach

Prompt notification and assessment of harm to victims are the steps most often taken in response to a data breach

The study reveals that the top three data breach response activities are:

  1. prompt notification to regulators as required by law
  2. prompt notification to victims by letter
  3. careful assessment of the harm to victims

New steps are taken to reduce negative consequences

Prompt notification to victims is no longer considered most helpful in reducing the negative consequences of the data breach.

The respondents indicated that the most helpful steps are:

  • retaining outside legal counsel
  • carefully assessing the harm to victims
  • hiring forensic experts

Credit monitoring and identity protection services are not often offered to victims

Despite the fact that many organizations lose the loyalty of their customers following a data breach, services that might maintain or even strengthen the customer’s relationship with the organization are not offered as frequently on a voluntary basis.

  • 30% say they offer credit monitoring services
  • 19% say they offer identity protection services such as credit monitoring and other identity theft protection measures, including fraud resolution, scans and alerts.

If services are offered, they are provided for one year or less.

Company’s data will be used to commit other types of identity fraud

While many of the respondents are confident about protecting their customers’ personal information, 64% say they are concerned that now that the data may be in the hands of criminals it will be used to commit other types of identity fraud.

Impact of a breach on privacy & data protection practices

In the aftermath of a breach, senior leadership believes the organization is more vulnerable to a breach

  • 49% of respondents say senior leadership believes the organization is more vulnerable to future data breaches
  • 27% of the IT respondents say the organization is more vulnerable, indicating their confidence in preventing future breaches
  • 28% believe their customers’ personal information is at greater risk since the data breach occurred

Lessons learned may improve privacy and data protection practices

Responding to the breach improved organizations’ understanding about how to investigate a future breach.

  • 66% say that the experience of investigating the causes of the breach will help them in determining the root causes of future breaches
  • 61% believe employees are more aware of the need to protect sensitive and confidential information. Training and awareness is the most often cited activity put in place to prevent future data breaches

Privacy and data protection became more of a priority and IT security resources increased following the data breach

  • 61% of respondents say their organizations increased the security budget
  • 28% hired additional IT security staff
  • 9% say they increased the budget for the compliance staff
  • 4% say they hired additional privacy office staff

Organizations are now minimizing the amount of personal data collected, shared and stored

  • 31% say the data breach has had no effect on how the organization uses personal data yet
  • 49% now say they limit the amount of personal data collected
  • 48% now limit the sharing of this data with third parties
  • 42% say the organization limits the amount of personal data stored
  • 27% say the organization now limits the amount of personal information used for marketing purposes

Ponemon’s Conclusion

We conducted this study to better understand how a data breach affects organizations over the long term. It is interesting to note that it took a serious data breach that had both financial and reputational consequences to make privacy and data protection a greater priority and allocate additional resources to the IT security function. While many respondents were unable to determine the root cause of the data breach, there is a consensus among respondents that insider negligence is making their organizations vulnerable to a data breach. As a result, organizations are investing in training and awareness and technologies that minimize the human factor risk.

The findings also show the concern organizations have about losing the loyalty of their customers. Of the IT practitioners surveyed, few felt that prompt notification to victims is helpful in reducing the negative consequences of the data breach. This suggests that compliance with data breach notifications laws is not sufficient if an organization is concerned about customer loyalty and reputation.

For a full copy of the Ponemon / Experian study click here (registration is required).


RSA’s January 2012 Online Fraud Report

Below is a summary of RSA’s January 2012 Online Fraud Report:


In 2011, approximately one in every 300 emails circulating the web was deemed to contain elements pointing to phishing. Most phishing content targeted the public sector, which was followed by the SME business sector.

Compared with the total numbers of phishing attacks recorded in 2010, phishing numbers have increased considerably through the past year. The cumulative number of phishing attacks recorded through 2011 was 279,580—a 37% increase from 2010.

In 2011, phishing attacks also received better coverage around the globe, with brands targeted from 31 different geographies and phishing emails communicated in 16 different languages – reaching an even more diverse crowd of Internet users. The top countries in which the most brands were attacked include: the U.S., the UK, Australia, Canada, India, and Brazil.


Looking at the year in phishing, it is clear that phishing has become easier than ever before with more automated toolkits available. In fact, some cybercriminals are known to invest all their efforts into phishing attacks only. On average, every phishing attack yields a $4,500 profit in stolen funds for the fraudster, a number which keeps this work-from-home endeavor rather lucrative.

Attack numbers have been increasing annually, and although phishing is one of the oldest online scams, and user awareness is higher than ever, it seems that web users still fall for phishing, unknowingly parting with their credentials over convincing enough replicas of websites they have come to trust.

With the ease of production and the enhanced quality of today’s attacks, the forecasted outlook for 2012 calls for yet another year riddled with hundreds of thousands of phishing attacks worldwide. As the phenomenon continues to spread, it stands to reason that phishing will move on to even more geographies, target more brands and be spread in more languages in 2012.

Phishing Attacks per Month

In December, phishing volumes decreased 26 percent with 21,119 unique phishing attacks identified by RSA worldwide. The UK continued to be the country most targeted by phishing attacks in December, suffering 50 percent of global volume, while the U.S. continued to be the top hosting country, hosting 52 percent of the world’s phishing attacks in December.

Number of Brands Attacked

In December, 256 brands were targeted through phishing attacks, marking an 18 percent decrease from November. The number of new brands attacked for the first time decreased from 13 brands in November to six brands in December.

US Bank Types Attacked

Last month, the portion of brands targeted in the U.S. credit union sector decreased three percent as did the portion of brands targeted by phishing in the U.S. regional banks sector (decreasing seven percent). The portion of attacked brands representing U.S. nationwide banks increased ten percent from 76 percent to 86 percent. This represents the highest portion of brands in the U.S. nationwide banking sector targeted by phishing in the last year.

Top Countries by Attack Volume

The UK was the country most targeted by phishing once again in December – targeted by 50 percent of all attacks – for the fourth consecutive month. The U.S. was the second most targeted country with 28 percent of all phishing attacks.

Since this time last year, the top five countries that have endured the highest volume of phishing include the UK, the U.S., South Africa, Canada and Brazil. In terms of the languages used in phishing attacks, English is still the most dominant, followed by Portuguese, Spanish and Dutch.

Top Countries by Attacked Brands

Together, the U.S. and UK accounted for 43 percent of the world’s targeted brands, while the brands of 14 additional countries accounted for a total of 39 percent of phishing attacks in December.

Top Hosting Countries

In December, the US hosted 52 percent of the world’s phishing attacks, a nine percent decrease from November. Germany and Russia were the second top hosts with five percent of attacks. A surprising entrance came from Japan as a top host in December, accounting for four percent of attacks.

The RSA December Online Fraud Report Summary is here.

The RSA November Online Fraud Report Summary is here.

The RSA October Online Fraud Report Summary is here.

The RSA September Online Fraud Report Summary is here.


RSA’s December Online Fraud Report

Below is a summary of RSA’s December Online Fraud Report:

November saw DNS poisoning, aka pharming, making the headlines on more than one occasion. To name a few: the threat was showcased in the high-profile hijacking of several Brazilian ISPs’ DNS servers, an incident that resulted in millions of Brazilian users being infected with a banking Trojan; and the FBI arrested half a dozen Estonia-based cybercriminals last month in connection with a fraudulent DNS-rerouting scheme that enabled the gang to rake in $14 million in fraudulent advertising revenue. In view of November’s DNS-related incidents, this month’s highlight sheds light on the Domain Name System (“DNS”), including:

  • What the DNS system is
  • How it works
  • Potential threats as exemplified in recent cases
  • Prevention and mitigation measures


The Domain Name System (“DNS”) is a system designed to facilitate locating an internet resource, and can be likened to a phone directory, which ‘resolves’ people’s names to their respective phone numbers. In much the same way, DNS servers resolve web domains (such as to their correct IP addresses (for example,


The Domain Name System is a distributed, hierarchical system that issues queries from a user’s computer to other domain name servers until the IP address of the requested resource is located. When an online user enters a domain name in a browser’s address bar, for example,, the query undergoes the following flow of events:

  1. The OS queries a local file called Hosts, also known as the Hosts File. (In Windows systems, the file is located here: [LocalDisk]/Windows/system32/drivers/etc.) The Hosts file maps domains, aka “hosts,” to their IP address. (This is relevant to some operating systems, in which a query is first issued to the local Hosts file, before it is issued to external resources.)
  2. If the IP address of the host is not defined in the Hosts file, the OS queries the user’s local DNS cache. (You can view your local DNS cache by running the command ipconfig /displaydns.)
  3. If the appropriate IP address is not located in the user’s local DNS cache, the OS issues a query to the ISP’s DNS servers (or the user’s organization’s DNS servers).
  4. The ISP checks the cache of its own DNS servers, and if the resource for the host is not cached, it then issues a query to the root name servers to find the DNS server responsible for the relevant top level domain (TLD). For example, a query for the domain would be forwarded to the .com root name server (which is the authoritative DNS server for .com domains).
  5. The TLD server locates the authoritative name server for, which would normally be configured as
  6. The authoritative name server,, locates the IP address for, and resolves the query.
  7. The OS queries the IP address of, and retrieves its content (the actual website).


Potential threats to the integrity of the DNS query chain include classic pharming, DNS Cache Poisoning, Rogue DNS servers, and local pharming. These threats are explained below, along with relevant cases that made the headlines in November.

  • Classic Pharming
  • DNS Cache Poisoning
  • Rogue DNS Servers
  • Local Pharming


How can pharming be prevented? The Domain Name System Security Extensions (DNSSEC), a set of specifications issued as part of a larger industry-wide effort, enable authentication of DNS responses, in an effort to improve the reliability of DNS responses and thwart DNS-poisoning efforts. The central idea behind DNSSEC is to enable DNS query responses to be authenticated using a digital signature. A digitally signed DNS response enables a user to verify whether the information received in response to a DNS query matches the information served by the authoritative DNS server for that domain, ensuring that the DNS response is correct and complete.

How can a pharming attack be mitigated once launched? An outsourced solution, such as the RSA Fraud Action Anti-Pharming Service, is designed to handle DNS poisoning attacks from the detection phase to the threat’s complete shutdown. To detect pharming on a particular entity’s website, RSA deploys dedicated servers that actively monitor the Internet in search for poisoned DNS servers.
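To make the lookup chain and the local-pharming threat described above concrete, here is an added Python example (not from the RSA report or from this blog) that models steps 1 to 3 of the resolution flow (hosts file, then local cache, then the ISP or organisation resolver) and checks a hosts file for entries that pin a public domain to a non-loopback address, which is the footprint a local-pharming Trojan leaves. The hosts file contents, domain names and addresses are constructed sample data using reserved example ranges; nothing touches the network or the real hosts file.

```python
"""Toy model of the DNS lookup order (hosts file -> local cache -> upstream
resolver) plus a hosts-file check for local pharming.

All inputs are constructed sample data; nothing here touches the network or
the operating system's real hosts file.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample hosts file. The first two entries are the normal ones;
# the third is the kind of line a local-pharming Trojan would add so that a
# bank's domain never reaches the ISP resolver at all (step 1 short-circuits
# steps 2 to 7 of the chain).
SAMPLE_HOSTS = """\
# standard entries
127.0.0.1       localhost
::1             localhost
203.0.113.45    onlinebank.example www.onlinebank.example   # suspicious
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            pairs.append((ip, name.lower().rstrip(".")))
    return pairs


def suspicious_hosts_entries(text: str, protected_domains) -> List[Tuple[str, str, str]]:
    """Flag hosts entries that map a protected public domain (or any of its
    subdomains) to anything other than a loopback address. A legitimate hosts
    file has no reason to carry such an entry for a public service."""
    protected = {d.lower() for d in protected_domains}
    findings = []
    for ip, name in parse_hosts(text):
        if name in protected or any(name.endswith("." + d) for d in protected):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                findings.append((name, ip, "unparseable address"))
                continue
            if not addr.is_loopback:
                findings.append((name, ip, "public domain pinned in hosts file"))
    return findings


def resolve(name: str, hosts_text: str, local_cache: Dict[str, str],
            upstream: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Steps 1 to 3 of the lookup chain: hosts file, then local cache, then the
    ISP/organisation resolver (modelled as a dict). Returns (ip, source) so the
    caller can see which stage answered; a hosts-file hit wins even when the
    upstream resolver would have given a different, correct answer."""
    name = name.lower().rstrip(".")
    for ip, host in parse_hosts(hosts_text):
        if host == name:
            return ip, "hosts"
    if name in local_cache:
        return local_cache[name], "cache"
    if name in upstream:
        local_cache[name] = upstream[name]  # cache the answer as a stub resolver would
        return upstream[name], "upstream"
    return None, "nxdomain"


if __name__ == "__main__":
    for finding in suspicious_hosts_entries(SAMPLE_HOSTS, ["onlinebank.example"]):
        print("suspicious hosts entry:", finding)
    cache: Dict[str, str] = {}
    # Constructed "correct" upstream answer; the hosts entry overrides it.
    print(resolve("onlinebank.example", SAMPLE_HOSTS, cache,
                  {"onlinebank.example": "198.51.100.7"}))
```

Run against a real hosts file by passing its contents and the list of domains your organisation cares about; the resolver model is only there to show why a hosts-file hit never reaches the cache or upstream stages.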

Phishing Attacks per Month

In November, phishing volume increased 18 percent – with 28,365 unique attacks detected by RSA. Compared to the same time last year (November 2010 vs. November 2011), phishing volume has increased 69%.

Number of Brands Attacked

Last month, 313 brands were targeted within phishing attacks, marking a five percent increase. 55% of the brands targeted last month endured less than five attacks each. This figure is slightly higher than the 51% recorded in October. It appears that an increasing number of brands are enduring less than five attacks per month as phishers look to expand the list of brands added to their target list.

US Bank Types Attacked

The portion of brands targeted in the U.S. credit union sector decreased five percent, while brands targeted with phishing in the regional US banking sector saw a four percent increase. In addition, the portion of phishing attacks against nationwide U.S. banks increased two percent.

Top Countries by Attack Volume

In September 2011, the UK overtook the U.S.’s ostensibly perpetual position as the country that endured the highest volumes of phishing attacks each month. In November, the UK remains the country that has suffered the highest volume of phishing attacks with 51% of attacks launched against entities in the UK.

The U.S. endured the second highest volume, 23%, less than half of the attacks experienced by the UK, followed by South Africa (8%) and Canada (6%).

Top Countries by Attacked Brands

Through November, a total of 20 countries endured one percent or more of the world’s phishing attacks. Together, the U.S. and UK accounted for 43% of the world’s targeted brands, while the brands of eleven additional countries accounted for a total of 35% of phishing attacks in November.

Top Hosting Countries

In November, the US hosted 61% of the world’s phishing attacks, a seven percent increase from October. Nine of the top ten hosting countries in November retained their status from October with Poland replacing the Ukraine on that chart.

The RSA November Online Fraud Report Summary is here.

The RSA October Online Fraud Report Summary is here.

The RSA September Online Fraud Report Summary is here.

European Privacy Day 2012 – 28th January

The 28th January will be the European Privacy day for 2012.


The campaign states that “2011 was a year with privacy discussions about Facebook, use of hacking by journalists, use of intelligent CCTV by police forces, use of twitter during urban riots, face recognition, smart houses and smart viewing of houses, and ICT for active ageing.”

The campaign has the backing of most of Europe’s Data Protection Agencies, e.g. the UK’s Information Commissioner’s Office and the European Data Protection Supervisor.


The European Data Protection Supervisor (EDPS) is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. He does so by monitoring the EU administration’s processing of personal data; advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.

Download the Privacy EDPS booklet here.


The Information Commissioner’s Office’s (ICO) mission is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. We rule on eligible complaints, give guidance to individuals and organisations, and take appropriate action when the law is broken. You can find out more about us in this section.

To coincide with the European Privacy Day the UK Information Commissioner has launched a campaign called Access Aware, which calls on individuals to be more careful when accessing Personally Identifiable Information (PII).

The Access Aware tool kit can be downloaded here.

Access Aware is one of the first outcomes of the ICO’s information rights priority work. Banking and finance companies as well as health bodies have been identified as the worst performing sectors in relation to handling subject access requests.

  • The most complained-about sector is lenders. In 2010/11, over a third (34%) of completed data protection specific complaints concerning financial institutions were about mishandled subject access requests.
  • In 2010/11, almost half (45%) of data protection specific complaints about health bodies concerned mishandled requests.
  • In the same year, 34% of data protection specific complaints in the policing and criminal justice sector were about subject access.

Speaking on the 27th January 2012, ahead of the Privacy Day, the UK Information Commissioner, Christopher Graham said:

“Organisations that handle personal information need to remember that customer records are not simply their property – the individuals who do business with them also have rights. We are seeing far too many complaints that could easily have been avoided if they’d been given serious and timely consideration.

“The result of mishandling requests is not simply a blip on customer service satisfaction levels, it can cause individuals a great deal of upset. The people who are making these requests are not doing it for fun; the vast majority are seeking resolutions to real problems – such as being refused credit or making important decisions about their health. I hope businesses and bodies that handle personal data use European Data Protection Day as a prompt to think about ways to improve their subject access request handling. Our Access Aware materials have been designed to help them do just that.”


Cybersource’s 2012 UK Online Fraud Report

Cybersource have produced their eighth UK Online Fraud Report (2012); a summary of the report is below.

The respondents to this year’s report came from a balanced group of merchants, classified as:

  • Medium business (annual online revenue of £500,000-£5m)
  • Large business (£5m-£25m)
  • Very large business (more than £25m)
  • Small business respondents (less than £500,000) accounted for 23% of the survey base

Respondent base

  • 20% Travel (excludes airlines, which are covered by a separate global fraud report)
  • 28% Physical goods
  • 28% Services
  • 24% Digital goods

Looking forward to 2012, the largest proportion of merchants (42%) expects to see fraud rates unchanged. On average, 37% foresee higher rates though there is a noticeable difference between expectations of the digital goods market versus the other sectors covered by this report; a lower proportion of digital merchants (31%) expect rates to grow.

Cards Remain Prevalent with Small Merchants

Credit and debit cards remain the most popular form of payment acceptance by some margin (nearly double the next most prevalent payment method). Whilst PayPal is less popular amongst larger merchants it is accepted by 52% of the very smallest merchants; furthermore 65% of digital goods respondents stated that they offer this payment method. Bank transfers have also gained in popularity, now accepted by 61% of small merchants and particularly prevalent in the services sector (64%) where direct debit (42%) is also popular.

Cash on delivery or, more importantly, in-store payment/pick-up is now an option for 26% of merchants, and is more common amongst the middle tier than the very largest. The biggest merchants are more likely to offer gift cards and certificates, accepted by 43% versus 11% of the smallest businesses (larger organisations may have their own programmes or be part of wider industry initiatives).

Mobile operator billing now forms part of the income stream for 8% of merchants, and is focused on the top end (online revenues more than £25m) where 15% of companies now accept payments this way. Overall, 38% of companies have a mobile-optimised commerce site, with the travel sector leading the way (56%). 26% of respondents have their own mobile app, rising to 30% for the physical goods businesses. Given the potential development costs, it is the largest companies that are much more likely to have an app (43%) versus the smallest (7%).

Over a third of businesses expect their total losses from fraud to grow in 2012

Percentage of orders rejected on the fear of fraud

  • merchants are rejecting on average 4.3% of incoming orders due to suspicion of fraud
  • 31% of merchants report that they are rejecting more than one in 20 orders on suspicion of fraud

Martin Pearce Head of Loss Prevention at was quoted in the report saying:

“The role of fraud prevention is an ever changing one; as the fraudster adapts so there is a need for the merchant to change in line with that behaviour. Key to this is the ability to detect fraudulent behaviour as close to real time as possible and then adapt, making changes quickly to counteract the latest threat. I liken fraud prevention to a game of chess; taking skill and strategic planning to get it right, especially when you are potentially playing a few moves behind the fraudster. Customer needs are ever changing too, with merchants looking to ensure that order and delivery/collection mechanisms are as easy and convenient as possible. Mobile devices have been playing an increasingly important role in transaction growth over the last few years, with a wide, and evolving, array of devices now on the market, all with internet access. Apps are also evolving; shifting from information stores to become purchasing and fulfilment instruments.

My view is that fraud hasn’t changed, but fraudsters have. They are more organised and being given new platforms through which to conduct activity. Any new purchasing process or platform is of real interest to the fraud community and will receive a lot of attention. You should ensure that your business is prepared, and able to manage such transactions (good and bad). Any success on behalf of the fraudster is likely to lead to further abuse at some stage.

Finally, whilst much focus is placed on identifying fraudulent behaviour, it is just as important to recognise the behaviour of good customers. Fraud identification is similar to looking for needles in haystacks; if you are adept at identifying good behaviour then you can substantially reduce the size of haystack at the start of the process; cutting your manual review workload and making the needles (or fraudsters) easier to spot and handle. In my experience, utilising tenure thresholds and monitoring on-going transaction behaviour can certainly help to identify genuine buyers. Furthermore, encouraging customers to manage their online activity via a dedicated user account area on your website not only provides you with valuable marketing data; you also gain much deeper insight into who your trusted customers are and how they behave.”

Find the full report here.

See CyberSource’s 2011 report on UK Online Fraud, summary here.

Also, CyberSource Brings World’s Largest Fraud Detection Radar to Online Merchants post here.


Data Protection & Breach Readiness Guide

The Online Trust Alliance (OTA) has released its 2012 Data Protection & Breach Readiness Guide, a comprehensive guide outlining key questions and recommendations to help businesses in breach prevention and incident management.

This post is a summary of their results and guidance.

Craig Spiezle, Executive Director and President of the Online Trust Alliance, said:

“Last year, more than 125 million people were affected by data loss incidents. Combined with the increased awareness of these high visibility incidents and aggressive data collection and sharing practices, consumers’ trust and online confidence is under attack. By following the recommendations in this guide we have an opportunity to enhance online trust and promote the vitality of the internet”

Rob McKenna, Washington State Attorney General and 2011-12 President of the National Association of Attorneys General, said:

“Today’s consumer is often aware of when their personal data is collected and wants to ensure that businesses protect it. The Online Trust Alliance’s resources are a valuable tool for businesses committed to ensuring customers’ privacy and security”

John Roberson, Executive Director, Small Business Development Resource Center, Chicagoland Chamber of Commerce, said:

“Businesses need to look holistically at data privacy and ask, ‘What is the compelling business reason to keep customer data?’ When you have a data incident, the more data you have stored – and compromised – the more damaging it can be for both the individual and the company. The OTA guide gives key insights into questions that companies need to ask themselves to protect their customers and delivers information for any business developing, implementing, or updating their privacy policies and notices”

“The Internet has become the land of opportunity for scams and, unfortunately, we see thousands of them every year,” notes Genie Barton, Vice President of the Council of Better Business Bureaus and director of its Online Behavioral Advertising Program. “Consumers need assurances that they can trust the companies they do business with to secure their data, and the OTA Data Protection & Breach Readiness Guide is a great tool to help businesses protect themselves and their customers. BBB is happy to recommend it to businesses large and small, and we are delighted to help build a safer Internet for all by supporting excellent initiatives such as this guide.”

The 2012 Guide recommends that businesses need to accept three fundamental truths about data:

  1. The data they collect includes some form of Personally Identifiable Information (PII) or “covered information”
  2. If a business collects data it will experience a data loss incident at some point
  3. Data stewardship is everyone’s responsibility

Highlighted statistics for 2011 incidents:

  • 558 breaches
  • 126 million records
  • 76% server exploits
  • 92% avoidable
  • $318 cost per record – an increase of over $100 per user record from 2009
  • $7.2 million average cost of each breach
  • $6.5 billion impact to U.S. businesses

The 558 incidents were those recorded by the Privacy Rights Clearinghouse (PRC) and the Open Security Foundation, broken down by sector as follows:

  • Education (schools and colleges) 13%
  • Government agencies 15%
  • Health care providers 29%
  • Business 43%

Compared to 2010, the sectors with the largest percentage change were:

  • Healthcare: 11% increase
  • Business: 13% decrease

In Verizon’s 2011 Data Breach Investigations Report, 50% of all data breaches involved hacking (up 10% over 2010) and 49% incorporated malware (up 11% over 2010). Most alarming is that 96% were avoidable through simple steps and internal controls.

The implications of a breach to the organization can be grave, for example:

  • An employee of Massachusetts General Hospital left 192 patient records on a subway; the hospital agreed a $1M settlement with the US Department of Health and Human Services
  • The Massachusetts eHealth Collaborative, a 35-person non-profit, experienced a single laptop theft that cost them over $300,000 in legal, private investigation, credit monitoring and media consultancy fees. Employees also spent over 600 hours dealing with the damage that the breach caused to their brand and reputation.

The report offers the following guidance:

Data Incident Plan Framework

An effective Data Incident Plan (DIP) includes a playbook that describes the fundamentals of a plan that can be deployed at a moment’s notice. Organizations need to be able to quickly determine the nature and scope of the incident, take immediate steps to contain it, ensure that forensic evidence is not accidentally destroyed, and immediately initiate steps to notify regulators, law enforcement officials and the impacted users of the loss.

Risk Assessment/Prevention

To help maximize business continuity, organizations are encouraged to self-audit their level of preparedness by asking key management leaders the following questions:

  1. Do you know what sensitive information is maintained by your company, where it is stored and how it is kept secure?
  2. Do you have an accounting of all stored data, including backups and archived data?
  3. Do you have a map of data workflows both within your organization and your vendors’ organizations to identify points of vulnerability?
  4. Do you have a 24/7 incident response team in place?
  5. Is management aware of the regulatory requirements related specifically to your business?
  6. Have you conducted an audit of your data flows across your company and vendors, including a privacy and security review of all data collection and management activities?
  7. Are you prepared to communicate to customers, partners and stockholders during an incident?
  8. Do you have access credentials in the event that key staff are not available?
  9. Do you have an employee contact list for use in the event of a breach, and is it updated with current contact information on a quarterly basis?
  10. Are employees trained and prepared to notify management in the case of accidental data loss or a malicious attack? Are employees reluctant to report such incidents for fear of disciplinary action or termination?
  11. Have you coordinated with all necessary departments with respect to breach readiness? (For example information technology, corporate security, marketing, governance, fraud prevention, privacy compliance, HR and regulatory teams.)
  12. Do you have a privacy review and audit system in place for all data collection activities, including those of third-party/cloud service providers? Have you taken necessary or reasonable steps to protect users’ confidential data?
  13. Do you review the plan on a regular basis to reflect key changes? Do key staff members

The report identifies 19 steps an organisation must take if it is to be effectively prepared to handle a data breach:

  1. Data Classification
  2. Audit & Validate Data Access
  3. Forensics, Intrusion Analysis & Auditing
  4. Data Loss Prevention Technologies
  5. Data Minimization
  6. Data Destruction Policies
  7. Inventory System Access & Credentials
  8. Creating an Incident Response Team
  9. Establish Vendor and Law Enforcement Relationships
  10. Create a Project Plan
  11. Determine Notification Requirements
  12. Communicate & Draft Appropriate Responses
  13. Providing Assistance & Possible Remedies
  14. Employee Awareness & Readiness Training
  15. Analyse the Legal Implications
  16. Funding & Budgeting
  17. Critique & Post Mortem Analysis
  18. Implement Steps to Help Curb Misuse of Your Brand, Domain & Email
  19. International Considerations

The complete OTA guide is available here.


Lose memory stick: go straight to court, do not pass go and do collect damage to reputation…

Praxis Care Limited breached the UK Data Protection Act and the Isle of Man Data Protection Act by failing to secure Personally Identifiable Information (PII).

An unencrypted memory stick was lost on the Isle of Man in August 2011 and contained personal information relating to

  • 107 Isle of Man residents
  • 53 Northern Ireland residents

Some of the information was sensitive and related to individuals’ care and mental health.

Praxis Care Limited has informed all affected individuals about the loss and no complaints have yet been received by the regulators.

Christopher Graham, UK Information Commissioner, said:

 “Carrying people’s personal information around on an unencrypted memory stick is clearly unacceptable. The fact that some of the personal details stored on the device were out of date and so surplus to requirements makes this breach all the more concerning.

“The ICO will continue to work closely with other data protection regulators where it is clear that a data breach extends across national boundaries.”

Iain McDonald, Isle of Man Data Protection Supervisor, said:

“Today’s joint action aims to send a clear message to organisations that a lax attitude to data security will not be tolerated by either the ODPS or the ICO. We will continue to work with regulators in other countries to ensure that our residents’ personal information is protected.”


Fraud could be costing UK hotels over £2 billion a year

PKF (UK) LLP and the Centre for Counter Fraud Studies at the University of Portsmouth (CCFS) have produced a document titled “The Resilience to Fraud of the UK Hotel Sector”.

The document was based upon a series of questions to hotels with the results shown both statistically and graphically.

The survey was supported by HOSPA, the Hospitality Professionals Association, formerly BAHA.

Report Background

There are just over 46,000 hotels and guest houses in the UK, and the hotel industry is a significant sector of the economy, with an annual turnover of around £40 billion. Applying figures derived from the latest global research, which shows that an average of 5.7% of expenditure is lost to fraud and error, such losses could cost the hotel sector more than £2 billion a year.

Each time the Government’s National Fraud Authority makes its annual estimate, the figures rise as the estimation improves, and it is already likely that the £1.9 billion losses estimated for the travel, leisure and transportation sectors in January 2011 will be superseded in January 2012. It is a serious issue for companies operating within the sector and one that has far-reaching consequences for the health and financial stability of the industry, as well as the quality and price of the service that consumers enjoy.

Across the UK economy as a whole, the Government’s National Fraud Authority estimates that £38.4 billion is lost to fraud, with £1.9 billion of the losses relating to the leisure, travel and transportation sectors.

A summary of the survey results is below:-

Hotel companies performed best in the following areas:

  • 88% of respondents indicated that they had adopted a ‘zero tolerance’ approach
  • 85% indicated that they had arrangements in place to ensure that suspected frauds were promptly reported
  • 85% also indicated that they considered applying all types of sanctions where fraud was found to be present
  • Over 76% had a clear policy on the application of sanctions
  • 69% had reports concerning fraud discussed at board level

Hotel companies performed worst in the following areas:

  • Only 30% sought to estimate the cost of fraud or used losses estimates to make judgements about how much to invest in countering fraud
  • Only 23% reviewed the effectiveness of counter fraud work
  • 35% ensured that counter fraud staff regularly refreshed their skills
  • 88% stated that they had a zero-tolerance approach but only 38% monitored the development of anti-fraud cultures (potentially a worrying contrast between rhetoric and reality)
  • Less than 40% deployed analytical intelligence techniques to detect fraud
  • 27% sought to estimate the cost of fraud or used losses estimates to make judgements about how much to invest in countering fraud

Jim Gee, director of Counter Fraud Services at PKF, chair of the Centre for Counter Fraud Studies at the University of Portsmouth and co-author of the report, said that

“hopefully the loss of £2b to the industry through fraud was large enough to grab the attention of hotel bosses at a time when the sector was facing an increasingly challenging operating environment.” 

“The good news is that these losses can be reduced,” he said. “Research shows that fraud can be cut by up to 40% within 12 months. Hoteliers need to be proactive in their approach to tackling fraud – responding and reacting to individual incidents is not enough. To successfully minimise fraud, organisations need to take steps to change human behaviour and to remove opportunities for fraudsters.”

Find the full report here.

Also see 77% of Hospitality Sector Mistakenly Believe They Are PCI Compliant.

Health worker convicted of obtaining patient details unlawfully

Juliah Kechil, formerly known as Merritt, a former Health Care Assistant in the outpatients department at the Royal Liverpool University Hospital has pleaded guilty to unlawfully obtaining patient information by accessing the medical records of five members of her ex-husband’s family in order to obtain their new telephone numbers.

She was convicted under section 55 of the Data Protection Act at Liverpool City Magistrates Court today.

She was fined £500 and also ordered to pay £1,000 towards prosecution costs and a £15 victim surcharge.

Ms Kechil accessed the medical records of the five individuals between July and November 2009. Royal Liverpool University Hospital began an investigation in November 2009 when the defendant’s father-in-law contacted the hospital after receiving nuisance calls which he suspected had been made by his former daughter-in-law. Having changed his phone number in July 2009 following unwanted calls from Ms Kechil, he was immediately concerned that there had been a breach of patient confidentiality.

Ms Kechil had no work-related reason to access their records and she accessed the information for her own personal gain without the consent of her employer. The accesses were traced through audit trails linked to the defendant’s smartcard ID.

Head of Enforcement, Steve Eckersley, said:

“Unlawfully obtaining other people’s information for personal gain is a serious offence which can have potentially devastating effects. Ms Kechil accessed medical records for entirely personal reasons. The breach of their privacy would obviously have been very distressing for the individuals involved.

“People should be able to feel confident that their personal details will be stored securely and only accessed when there is a legitimate business need. We will always push for the toughest penalties against individuals who abuse this trust.” 

Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of a financial penalty of up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court. The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.

Another recent breach of the Data Protection Act by someone accessing Medical Data – Illicit access of medical records leads to a breach of the Data Protection Act
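The audit trail that caught this case worked retrospectively, after a complaint. The same trail can be mined proactively. The following is an added example, not code from the hospital or from the ICO: it takes an access log keyed by smartcard ID, drops every access the staff member has a documented care relationship for, and then looks for the pattern in this case, one user reaching into several records that share a surname. The log format, the care-relationship table, the surname table and every value in them are constructed for illustration; the identifiers SC1234, P1001 and the surname DOE are hypothetical.

```python
"""Added example: flag medical-record accesses with no care relationship,
then surface one user browsing a family of records.

Constructed audit lines and reference data; not a real hospital log format.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed audit trail: one line per record access, keyed by smartcard ID.
AUDIT_LOG = """\
timestamp,smartcard_id,patient_id,department,action
2009-07-02T09:14:00,SC1234,P1001,OUTPATIENTS,VIEW
2009-07-02T09:16:00,SC1234,P2001,CARDIOLOGY,VIEW
2009-08-11T13:02:00,SC1234,P2002,CARDIOLOGY,VIEW
2009-09-20T17:45:00,SC1234,P2003,ONCOLOGY,VIEW
2009-10-05T08:30:00,SC5678,P1002,OUTPATIENTS,VIEW
2009-11-14T12:10:00,SC1234,P2004,ORTHOPAEDICS,VIEW
2009-11-14T12:12:00,SC1234,P2005,ORTHOPAEDICS,VIEW
"""

# Constructed justification data: which patients each smartcard holder is
# currently involved in treating (appointments, admissions, referrals).
CARE_RELATIONSHIPS = {
    "SC1234": {"P1001"},
    "SC5678": {"P1002"},
}

# Constructed demographics used only to spot "family cluster" lookups.
PATIENT_SURNAME = {
    "P1001": "SMITH", "P1002": "JONES",
    "P2001": "DOE", "P2002": "DOE", "P2003": "DOE", "P2004": "DOE", "P2005": "DOE",
}


def parse_log(text):
    """Parse the CSV audit trail into a list of dicts, one per access."""
    return list(csv.DictReader(StringIO(text)))


def unjustified_accesses(rows, relationships):
    """Accesses where the smartcard holder has no care relationship with the patient.
    A smartcard with no entry at all is treated as having no justification."""
    flagged = []
    for r in rows:
        allowed = relationships.get(r["smartcard_id"], set())
        if r["patient_id"] not in allowed:
            flagged.append(r)
    return flagged


def family_clusters(flagged, surnames, min_distinct=3):
    """Group unjustified accesses by user and patient surname; report users who
    looked at at least min_distinct different patients sharing one surname."""
    seen = defaultdict(lambda: defaultdict(set))
    for r in flagged:
        surname = surnames.get(r["patient_id"], "UNKNOWN")
        seen[r["smartcard_id"]][surname].add(r["patient_id"])
    clusters = {}
    for card, by_name in seen.items():
        hits = {name: len(ids) for name, ids in by_name.items() if len(ids) >= min_distinct}
        if hits:
            clusters[card] = hits
    return clusters


def analyse(log_text=AUDIT_LOG):
    """Run both checks over a log and return (unjustified rows, clusters)."""
    rows = parse_log(log_text)
    flagged = unjustified_accesses(rows, CARE_RELATIONSHIPS)
    return flagged, family_clusters(flagged, PATIENT_SURNAME)


if __name__ == "__main__":
    flagged, clusters = analyse()
    for r in flagged:
        print("no care relationship:", r["timestamp"], r["smartcard_id"], r["patient_id"])
    print("family clusters:", clusters)
```

The first check on its own produces too many alerts in a real hospital, because legitimate ad-hoc access (covering a colleague, emergency care) is not always reflected in the appointment system. The cluster check is what turns a noisy list into a case worth reviewing, and the surname join is one of several such pivots; shared address or shared GP practice work the same way.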


Security is still the biggest technology challenge for retailers

In a communications survey of 60 retailers conducted by Iconnyx, the number one technology challenge for retailers is security, with 47% identifying it as their biggest issue.

The full list of technology challenges for retailers are:

Challenge %
Security 47%
Data storage 20%
Mobile 17%
Ecommerce 10%
Cloud 7%

57% of respondents ranked PCI compliance as a very important business issue.

Other reported business issues were:

  • answering customer calls
  • synchronisation between Point of Sale and card payment machines
  • reducing the overall cost of connectivity to stores

Tim Walker, Iconnyx Managing Director, explains:

“It’s surprising to see that cloud is low on the list of retailer concerns, given that security and PCI compliance is top of the list.

“This signals that for retailers, cloud-based technologies are neither seen as a solution nor an issue. In either instance, use of the cloud can resolve security concerns and could be explored as a reliable means of addressing retailers’ issues.”

The full press release can be found here.

