Brian Pennington

A blog about Cyber Security & Compliance


July 2013

Is your data secure? Infographic

Hostwinds have produced a great infographic on how data is secured. It focuses on Google, but the processes could apply to anyone, anywhere.

Who breached the Data Protection Act in the first half of 2013?

As we have passed the first half of 2013, I thought it would be a good time to publish the entire list of who fell foul of the UK Data Protection Act and were punished by the Information Commissioner's Office (ICO).

There are three types of punishment administered by the ICO:

  1. Monetary penalties. The most serious of the actions and one normally reserved for organisational entities.
  2. Undertakings. Typically applied when an organisation has failed to adhere to good business practice and needs the helping guidance of the ICO.
  3. Prosecutions. Normally reserved for individuals who have blatantly breached the Act.

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors such as the size and the financial and other resources of the organisation's data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are paid to HM Treasury and not to the ICO. Many argue that the ICO would be a stronger body if it had more money, and penalties are a good way to generate more revenue – a self-funding government department.

  • 12 July 2013 NHS Surrey. A monetary penalty notice has been served on NHS Surrey following the discovery of sensitive personal data belonging to thousands of patients on hard drives sold on an online auction site. Whilst NHS Surrey has now been dissolved, outstanding issues are being dealt with by the Department of Health.
  • 8 July 2013 Tameside Energy Services Ltd. A monetary penalty notice has been served to Tameside Energy Services Ltd after the Manchester based company blighted the public with unwanted marketing calls.
  • 18 June 2013 Nationwide Energy Services and We Claim You Gain. Monetary penalty notices have been served to Nationwide Energy Services and We Claim You Gain – both companies are part of Save Britain Money Ltd based in Swansea. The penalties were issued after the companies were found to be responsible for over 2,700 complaints to the Telephone Preference Service or reports to the ICO using its online survey, between 26 May 2011 and end of December 2012.
  • 13 June 2013 North Staffordshire Combined Healthcare NHS Trust. A monetary penalty notice has been served to North Staffordshire Combined Healthcare NHS Trust, after several faxes containing sensitive personal data were sent to a member of the public in error.
  • 7 June 2013 Glasgow City Council. A monetary penalty notice has been served to Glasgow City Council, following the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people.
  • 5 June 2013 Halton Borough Council. A monetary penalty notice has been served to Halton Borough Council, in respect of an incident in which the home address of adoptive parents was wrongly disclosed to the birth family.
  • 3 June 2013 Stockport Primary Care Trust. A monetary penalty has been served to Stockport Primary Care Trust following the discovery of a large number of patient records at a site formerly owned by the Trust.
  • 20 March 2013 DM Design Bedroom Ltd. A monetary penalty has been served to DM Design Bedroom Ltd. The company has been the subject of nearly 2,000 complaints to the ICO and the Telephone Preference Service. The company consistently failed to check whether individuals had opted out of receiving marketing calls and responded to just a handful of the complaints received.
  • 15 February 2013 Nursing and Midwifery Council. A monetary penalty has been served to the Nursing and Midwifery Council. The council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. An ICO investigation found the information was not encrypted.
  • 24 January 2013 Sony Computer Entertainment Europe Limited. A monetary penalty has been served to the entertainment company Sony Computer Entertainment Europe Limited following a serious breach of the Data Protection Act. The penalty comes after the Sony PlayStation Network Platform was hacked in April 2011, compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk. Sony failed in its bid to appeal.


Undertakings

Undertakings are formal agreements between an organisation and the ICO to undertake certain actions to avoid future breaches of the Data Protection Act; typically this involves encryption, training and management procedures.

  • 16 July 2013 Janet Thomas. An undertaking to comply with the seventh data protection principle has been signed by Janet Thomas. This follows a report made by a member of the public that approximately 7,435 CV files, containing personal data, were being stored unprotected on the website.
  • 9 July 2013 Health & Care Professions Council (HCPC). An undertaking to comply with the seventh data protection principle has been signed by the Health & Care Professions Council (HCPC) after an incident in which papers containing personal data were stolen on a train in 2011.
  • 12 June 2013 (issued 10 September 2012) Bedford Borough Council. An undertaking to comply with the seventh data protection principle has been signed by Bedford Borough Council relating to the removal of legacy data from a social care database.
  • 2 June 2013 (issued 18 September 2012) Central Bedfordshire Council. An undertaking to comply with the seventh data protection principle has been signed by Central Bedfordshire Council relating to the removal of legacy data from a social care database and in relation to the preparation of planning application documentation for publication.
  • 31 May 2013 Leeds City Council. A follow up has been completed to provide an assurance that Leeds City Council has appropriately addressed the actions agreed in its undertaking signed November 2012.
  • May Prospect. A follow up has been completed to provide an assurance that Prospect has appropriately addressed the actions agreed in its undertaking signed January 2013.
  • 21 May 2013 (issued 9 November 2011) News Group Newspapers. An undertaking to comply with the seventh data protection principle has been signed by News Group Newspapers, following an attack on the website of The Sun newspaper in 2011.
  • 26 April 2013 The Burnett Practice. An undertaking to comply with the seventh data protection principle has been signed by The Burnett Practice. This follows an investigation whereby an email account used by the practice had been subject to a third party attack. The email account subject to the attack was used to provide test results to patients and included a list of names and email addresses.
  • 4 April 2013 East Riding of Yorkshire Council. An undertaking to comply with the seventh data protection principle has been signed by the East Riding of Yorkshire Council, following incidents last year in which personal data was inappropriately disclosed.
  • 25 January 2013 Mansfield District Council. An undertaking to comply with the seventh data protection principle has been signed by the Managing Director of Mansfield District Council. This follows a number of incidents where personal data of housing benefit claimants was disclosed to the wrong landlord.
  • 16 January 2013 Prospect. An undertaking to comply with the seventh data protection principle has been signed by the union Prospect. This follows an incident in which two files containing personal details of approximately 19,000 members of the union had been sent to an unknown third party email address in error.

Prosecutions

  • 23 May 2013 A former manager of a health service based at a council-run leisure centre in Southampton has been prosecuted under section 55 of the Data Protection Act for unlawfully obtaining sensitive medical information relating to over 2,000 people.
  • 8 April 2013 A Hertfordshire estate agent has been prosecuted under section 17 of the Data Protection Act after failing to notify the ICO.
  • 12 March 2013 A former receptionist at a GP surgery in Southampton has been prosecuted under section 55 of the Data Protection Act for unlawfully obtaining sensitive medical information relating to her ex-husband’s new wife.

List of businesses targeted by global hacking ring that stole 160 million credit and debit card numbers

List of businesses targeted from 2005 to 2012 by an international hacking ring that stole more than 160 million credit and debit card numbers, according to an indictment announced Thursday in Newark, N.J. The government did not provide figures in each case of the number of card numbers stolen, or of the estimated losses. It also said not all of the breaches of corporate computer networks resulted in financial losses.

  • 7-Eleven Inc., based in Dallas. Starting in 2007, malware placed on its network, resulting in the theft of an undetermined number of credit and debit card numbers.
  • Carrefour S.A., French multinational retailer. Starting in 2007, computer networks breached, about 2 million credit card numbers were covertly removed.
  • Commidea Ltd., European provider of electronic payment processing for retailers. In 2008, malware used in other attacks found on its networks; about 30 million card numbers covertly removed.
  • Dexia Bank Belgium. In 2008 and 2009, malware placed on its network, with theft of card numbers resulting in about $1.7 million in losses.
  • Discover Financial Services Inc., issuer of Discover Card and owner of Diners Club charge card network. In 2011, malware placed on network of Diners Singapore, exposing more than 500,000 Diners credit cards and causing losses of about $312,000.
  • Dow Jones Inc., publisher of news, business and financial information. In or before 2009, malware placed on network, about 10,000 sets of log-in credentials stolen.
  • Euronet, based in Leawood, Kan., global provider of electronic payment processing. In 2010 and 2011, malware placed on its network, resulting in theft of about 2 million card numbers.
  • Global Payment Systems, based in Atlanta, one of world’s largest electronic transaction processing companies. In 2011-12, malware placed on its payment processing system; more than 950,000 card numbers stolen, losses of nearly $93 million.
  • Hannaford Brothers Co., supermarket chain operating in northeastern U.S. In 2007, malware placed on network of related company, resulting in theft of about 4.2 million card numbers.
  • Heartland Payment Systems Inc., based in Princeton, N.J., one of world’s largest credit and debit card payment processing companies. Starting in 2007, malware placed on its payment processing system, resulting in theft of more than 130 million card numbers, losses of about $200 million.
  • Ingenicard US Inc., based in Miami, provider of international electronic cash cards. In 2012, malware placed on its network resulted in theft of cards used to withdraw more than $9 million within 24 hours.
  • J.C. Penney Co., based in Plano, Texas. Starting in 2007, malware placed on its network.
  • JetBlue Airways, based in Long Island City, N.Y. Starting in 2008, malware placed on portions of computer network that stored employee data.
  • Leading Abu Dhabi bank, identified only as “Bank A.” In 2010-11, malware placed on computer networks, facilitating theft of card numbers.
  • Nasdaq, the largest U.S. electronic stock exchange, which offers its customers online access to their accounts. Starting in 2007, malicious software, or malware, was placed on its computer network, resulting in the theft of log-in credentials. Prosecutors said its trading platform was not affected.
  • Visa Inc., manager of the Visa brand, providing payment processing services through a centralized network. In 2011, malware placed on network, about 800,000 card numbers stolen.
  • Wet Seal Inc., retailer based in Foothill Ranch, Calif. In 2008, malware placed on network.

Copyright 2013 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

RSA’s July 2013 Online Fraud Report featuring the Carberp Trojan Code

RSA’s July 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre. A summary of the report is below.

Be it internal disagreements within the Carberp team, or law enforcement pressure following the arrests in 2012, the Carberp cyber gang members have disbanded, leaving their Trojan code publicly available following a failed attempt to sell it. Reminiscent of the ZeuS Trojan’s source code leak, we can expect a few things to happen following the incident. But before doing so, let’s review the events that followed the ZeuS leak in 2011.

An attempt to sell the ZeuS source code in an underground forum for, according to some estimates, as high as $100,000 started in early 2011. Following the failed sale, Slavik, the developer of ZeuS, handed over the code to a cyber rival, Gribodemon, the notorious SpyEye developer. The underground, abuzz with the news, keenly awaited the release of a merged, mighty SpyEye-ZeuS variant. Before one could be released, the ZeuS code was leaked and made publicly available.

As predicted by many, different offspring began appearing, built on top of the ZeuS v2.0.8.9 codebase, and included Ice IX and Odin (both appearing in 2011), and most considerably, Citadel making its appearance in early 2012.

Unlike Ice IX, which mainly fixed bugs in the ZeuS code, Citadel was a major leap forward in terms of the malware’s functionality. Citadel not only repaired bugs in ZeuS, but deployed clever security measures to protect the malware and its infrastructure, as well as providing numerous new plug-ins to boost the Trojan’s functionality. In terms of a Fraud-as-a-Service (FaaS) business offering, Citadel became a lucrative commercial operation, offering its “customers” a CRM, paid tech support and constant version updates. In fact, Citadel was so successful that botmasters started replacing/upgrading existing bots with the malware.

Starting in mid-2012, RSA researchers began noticing the slow demise of commercial Trojan offerings. In April, the Ice IX business shut down with the disappearance of its developer; SpyEye then made its exit in May; and in a surprising turn of events, Citadel’s spokesperson, “Aquabox”, was banned from the only forum he was selling on (following a quarrel over customer support).

So, if history repeats itself, what are we to expect? With the above in mind, the following may transpire:

We’ll see a proliferation of Carberp-based attacks. While this is the less probable scenario, the leak could spawn an entire business of low-level developers recompiling Carberp and offering it for sale “as is,” with no further feature developments or bug fixes. To demonstrate, the ZeuS code that once sold for $3,000 to $5,000 is now readily available for as low as $11 in the underground. In terms of Trojan operation and feature set, Carberp is far more complex than ZeuS and less organized for the untrained cybercriminal, making it less appealing for would-be botmasters (or script kiddies). Not to mention the major weaknesses reported in the Carberp server-side, which make it “easier to hack than SpyEye” according to one security researcher. With the abundance of ZeuS and ZeuS-based malware – according to RSA’s Anti-Fraud Command Center (AFCC), this malware’s share is over 83% of all Trojan attacks, at very cheap prices – it would be surprising to see Carberp make a big impact in this strong market segment.

The Carberp code spawns a commercial offspring and/or offerings. This scenario is more likely. As mentioned previously, Carberp is an extremely sophisticated piece of malware, boasting bootkit functionality. As a result, it is more likely that the code will be picked up by a cybercrime gang looking to develop the next big thing in malware. With the trend towards privatizing malware development operations, the underground is currently lacking a (true) commercial Trojan; this vacuum may provide the right time and place for such an offering. Development may continue in closed, private groups, which develop the software for their own criminal purposes.

RSA conclusion
There’s never a dull moment in cybercrime and the Carberp code leak only adds fuel to that fire. The complexity of Carberp makes it less appealing as an “as-is” offering, but organized professional cybercrime teams may see the opportunity to be the first to finally offer a new, commercial Trojan based on the Carberp code, in the now very privatized underground.

RSA FraudAction Research Labs continues to investigate and analyze the code and will publish its findings as those are made

Phishing Attacks per Month

RSA identified 35,831 phishing attacks launched worldwide in June, marking a 3% drop in attack volume from May, and a 31% decline year-over-year in comparison to June 2012.

US Bank Types Attacked

Nationwide banks remained the most targeted by phishing in June, with 76% of phishing volume directed at them. Regional banks saw a 6% decrease in volume while credit unions witnessed a 3% increase.

Top Countries by Attack Volume

The U.S. remained the country enduring the highest volume (55%) of phishing attacks in June – a 5% increase from May. The UK was the second most targeted at 10% of volume, followed by Canada, South Africa, India, and the Netherlands.

Top Countries by Attacked Brands

U.S. brands remained the most targeted by phishing at 25% of volume, followed by the UK and India. Other countries’ brands that were targeted heavily by phishing in June include Australia, Italy, China, Canada and France.

Top Hosting Countries

The U.S. remained the top hosting country in June, having hosted 45% of global phishing attacks, followed by Canada that hosted 9% of attacks. Chile and Turkey were both introduced as top hosts for phishing, each hosting 3% of phishing attacks for the month.

Previous 3 months of RSA Online Fraud Report Summaries

The RSA June 2013 Online Fraud Report Summary

The RSA April 2013 Online Fraud Report Summary

The RSA March 2013 Online Fraud Report Summary

Outside of London, Slough is the largest fraud centre but is still smaller than the top 10 London zones

CIFAS, the UK’s Fraud Prevention Service, has revealed emerging hotspots of fraud activity in the UK during the first six months of 2013. While fraud remains at its most concentrated within the area of densest population (the boroughs of Greater London), some other, perhaps more surprising, areas have been shown to be fraud epicentres during the first half of the year.

In particular, postal districts around Slough, Luton, St Albans, Leicester and Coventry are areas where fraudulent activity has been most prevalent, as opposed to larger urban centres such as Birmingham, Manchester, and Glasgow.

London: the capital of fraud

With the highest population levels of the UK, it is unsurprising that London is the area where the highest number of confirmed frauds has been committed during the first half of 2013.

CIFAS Communications Manager, Richard Hurley, comments: “That fraud is at its most prevalent in London is not surprising. This has been the case for many years. A larger population means more individuals who may consider making fraudulent applications, but it also means that there are more potential victims for an organised identity criminal. The top ten postal areas, however, show a divergence of locations within the Greater London boroughs: from Wembley and Enfield to East Ham and Barking, and from Woolwich and Thamesmead to Croydon. This shows that any notion that fraud is concentrated solely within a specific area of London is not true and that fraud can, and will, take place anywhere.”

Greater London: breakdown of areas

Postal area   Name                                        No. of confirmed frauds
E6            East Ham District                           840
SE18          Woolwich District                           751
IG11          Barking                                     740
EN3           Enfield                                     722
CR0           Croydon                                     691
SE1           South Eastern Head District                 647
SE28          Thamesmead District                         629
E7            Forest Gate District                        575
E16           Victoria Docks & North Woolwich District    570
HA0           Wembley                                     564

Other fraud hotspots are not the most populous UK centres

Outside the postal areas that fall within the Greater London boroughs, however, there are some notable clusters of activity – and these are not to be found in other large centres of population within the UK. Instead, the SL1 and LU1 postal areas (Slough and Luton) are the areas with the highest levels of fraud, while the Coventry and Leicester postcode areas both feature more than once in the top ten areas outside London (four times and twice respectively).

Richard Hurley concludes: “What these figures prove is that fraud will take place anywhere. While Coventry and Leicester, for example, are populous cities, it is surprising to see these areas identified as having higher levels of fraud than other, much larger, cities. This demonstrates that fraud is no longer a crime that can simply be thought of as occurring in the largest cities. But it also presents a challenge to individuals and organisations based in these areas. It is vital that both work together with a view to diminishing the risks, not least to ensure that individuals understand what precisely constitutes fraud. For example, it is important that individuals and organisations share the responsibility of ensuring that personal data is protected from identity fraudsters who might be targeting these areas.”

Rest of the UK

Postal area   Name           No. of confirmed frauds
SL1           Slough         441
LU1           Luton          377
AL10          Hatfield       368
CV1           Coventry       334
LE2           Leicester      334
CV3           Coventry       314
NN1           Northampton    301
LE3           Leicester      299
CV2           Coventry       272
CV6           Coventry       242

Infographic: BYOD Security is still a problem

Insufficient BYOD security management and lax exit processes put organisations at risk.

Merchants and Acquirers to Share PCI Lessons Learned at PCI SSC Community Meetings

The PCI Security Standards Council (PCI SSC) has announced PCI in Practice sessions for the 2013 PCI Community Meetings in Las Vegas, Nevada; Nice, France; and Kuala Lumpur, Malaysia. Case studies from members of the PCI community will share best practices in implementing payment card security programs.

PCI in Practice sessions for the North American and European Community Meetings will feature Chase Paymentech, Southwest Airlines and Time Warner Cable, Reliant Security, BT PLC and the Pan-Nordic Card Association. Australia Post will discuss its PCI journey at the Asia-Pacific Community Meeting:

  • The Importance of Merchant and Acquirer Communications: Chase Paymentech, David Wallace, vice president of global merchant compliance; Southwest Airlines, Shawn Irving, senior manager of information security systems; Time Warner Cable, Erika Root, director, internal controls compliance, PCI Professional (PCIP) and Internal Security Assessor (ISA)
  • Secure Payment Systems Implementation – QIR in practice: Reliant Security, Mark Weiner, managing partner, PCI Qualified Integrator & Reseller (QIR)
  • Successful Acquirer Collaboration on PCI – A Nordic case study: Pan-Nordic Card Association, Mats Henriksson
  • QSAC Engagement – Tracing the PCI compliance journey of a multi-national corporation: BT PLC, Sarah Nicholson, security policy & compliance manager; Candice Pressinger, head of group PCI-DSS compliance
  • Achieving and Maintaining Compliance – One approach to the PCI DSS journey: Australia Post, Janelle Bull, risk manager, CardSafe program; Sharon Jokic, program director, CardSafe program

“The Community Meetings are about sharing experiences and best practices with a large audience of peers for improved payment security,” said Bob Russo, general manager, PCI Security Standards Council. “And learning from one another is one of the best ways we as a community can continue to work together to increase payment card data protection globally. We’re looking forward to this year’s PCI in Practice sessions to hear about how these organizations representing different industries and geographies are effectively addressing PCI security within their unique business

Infographic: Email Security Perception v Reality

Overconfident Employees and Lack of Email Security Tools Lead to Risky Behavior

A study by SilverSky reveals that when it comes to email security in the workplace, 98% of employees believe they demonstrate either equally secure or more secure behaviours than their colleagues.

The study examines corporate email security habits and perceptions, and is based on an online, quantitative survey conducted in July 2013. Respondents included 119 business professionals at U.S. organizations across a variety of industries.

Key findings from the study include:

  • 43% of respondents indicated they were “very concerned about email security and go above and beyond the company prescribed procedures” to protect their business communications.
  • 30% of respondents claimed to be “much more security conscious” than their co-workers.
  • 56% have accidentally sent an email to the wrong person while at work.
  • 53% have received unencrypted, risky corporate data (credit card numbers, social security numbers, etc.) via emails or email attachments.
  • One in five respondents know of someone within their organization who has been caught and reprimanded for sending out sensitive information without adhering to corporate protocol.
  • 53% were quick to single out co-workers, saying they’ve received unencrypted, sensitive data – such as sensitive attachments, social security numbers, protected health information, and valuable corporate secrets – via email.
  • 17% admitted to sending out this risky data themselves.
  • 32% of organizations currently use an email data loss prevention (DLP) solution.
  • 21% use an email encryption solution.
  • 46% of respondents indicated that email security could be improved within their organizations.

This study points to a strong “superiority bias” effect, or inflated employee overconfidence, when it comes to corporate email security. However, this overconfidence could be potentially dangerous for businesses, as it could lead to poor email security habits, which ultimately lead to real legal, regulatory and reputational risks through data loss.

“How many times have you been slapped with a speeding ticket in the past year? Now think about how many times you’ve driven over the speed limit in the same time period. My guess is, for most of us, that number is significantly higher,” said Andrew Jaquith, Chief Technology Officer and SVP, Cloud Strategy at SilverSky.

The new SilverSky study draws many parallels between email security habits and driving habits. The vast majority of drivers perceive themselves to be attentive, safe operators, but in reality, most speed, eat and talk or text while behind the wheel. Likewise, many employees consider their email security behaviours to be superior to those of their colleagues. However, this hubris is likely to lead to careless behaviour that could have serious consequences for the organization.
