Search

Brian Pennington

A blog about Cyber Security & Compliance

Month

December 2015

More fines next year for nuisance call companies

Companies making nuisance calls have been warned to expect more fines in 2016.

The ICO imposed more than a million pounds worth of penalties for nuisance calls and text messages in 2015, with the same amount in the pipeline for early 2016.

The fines included:

  • £295,000 of fines for companies offering call blocking or nuisance call prevention services
  • A £80,000 fine to a PPI claims firm that sent 1.3million text messages
  • A £200,000 fine to a solar panels company that made six million nuisance calls
  • A £130,000 fine to a pharmacy company that was selling customer details to postal marketing companies

Total fines related to nuisance marketing in 2015:

  • £400,000 fines for nuisance texts (Help Direct UK Ltd; Oxygen Ltd; UKMS Money Solutions Ltd)
  • £575,000 fines for nuisance calls (Direct Assist Ltd; Point One Marketing Ltd; Cold Call Elimination Ltd; Home Energy & Lifestyle Management Ltd (HELM); Home Energy & Lifestyle Management Ltd;  Nuisance Call Blocker Ltd; Telecom Protection Service Ltd)
  • £130,000 fine for selling customer records for marketing (Pharmacy 2U Ltd)
  • £30,000 fine for sending marketing email (Telegraph Media Group Ltd)

Total: £1,135,000. 

Andy Curry, ICO Enforcement Group Manager, said:

Nuisance marketing calls frustrate people. The law is clear around what is allowed, and we’ve been clear that we will fine companies who don’t follow the law. That will continue in 2016. We’ve got 90 ongoing investigations, and a million pounds worth of fines in the pipeline

The ICO received around 170,000 concerns in 2015 from people who’ve received nuisance calls and texts, a similar number to the previous year (2014: 175,330). PPI claims prompted the most complaints, followed by accident claims. Areas identified as emerging sectors for nuisance calls and texts included call blocking services, oven cleaning services and industrial hearing injury claims.

The following are examples of complaints showed the level of distress that calls can cause:

Telecom Protection Service:

“I was recovering from major surgery at the time and the call caused me distress. The caller was very smooth talking and did not make it clear that he was selling a commercial service that was nothing to do with the TPS. The call was frankly misleading.”

HELM:

“I am receiving daily updates regarding a friend in hospital, and am expecting the worst. When these calls come in I expect it to be from the hospital.”

Cold Call Elimination:

“This company has ‘conned’ my mother out of £84.99 for an unnecessary service … my parents are 87 and 86 respectively; my father is suffering from dementia.”

“I am looking after my elderly mother who has terminal cancer. She initially answered and I could see I needed to intervene as I could hear the sales guy not giving up. I took the phone and asked him who he was and what he wanted. He got quite annoyed that I had intervened and I told him we were not interested.”

Point One Marketing:

“Very upset and angry that my mum, who has dementia, was talked into giving credit card details when it would have been obvious to the caller that she had dementia. This caused my mum distress because I had to explain why her debit card had to be cancelled and what she had done. This has caused both of us great distress. Had I not checked her call log and … the number that had called her I would not have known it had happened at all.”

Utilities Oil Gas Risk Infograph

PCI SSC revises date for migrating off vulnerable SSL and early TLS encryption

Following significant feedback from the global PCI community and security experts, the Payment Card Industry Security Standards Council (PCI SSC) has announced a change to the date that organizations who process payments must migrate to TLS 1.1 encryption or higher.

The original deadline date for migration, June 2016, was included in the most recent version of the PCI Data Security Standard, version 3.1 (PCI DSS 3.1), which was published in April of 2015. The new deadline date, June 2018, will be included in the next version of the PCI Data Security Standard, which is expected in 2016.

Early market feedback told us migration to more secure encryption would be technically simple, and it was, but in the field a lot of business issues surfaced as we continued dialog with merchants, payment processors and banks,” said Stephen Orfei, General Manager, PCI SSC. “We want merchants protected against data theft but not at the expense of turning away business, so we changed the date. The global payments ecosystem is complex, especially when you think about how much more business is done today on mobile devices around the world. If you put mobile requirements together with encryption, the SHA-1 browser upgrade and EMV in the US, that’s a lot to handle. And it means it will take some time to get everyone up to speed. We’re working very hard with representatives from every part of the ecosystem to make sure it happens as before the bad guys break in.

Some payment security organizations service thousands of international customers all of whom use different SSL and TLS configurations,” said Troy Leach, Chief Technology Officer, PCI SSC. “The migration date will be changed in the updated Standard next year to accommodate those companies and their clients. Other related provisions will also change to ensure all new customers are outfitted with the most secure encryption into the future. Still, we encourage all organizations to migrate as soon as possible and remain vigilant. Staying current with software patches remains an important piece of the security puzzle

In addition to the migration deadline date-change, the PCI Security Standards Council has updated:

  • A new requirement date for payment service providers to begin offering more secure TLS 1.1 or higher encryption
  • A requirement for new implementations to be based on TLS 1.1 or higher
  • An exception to the deadline date for Payment Terminals, known as “POI” or Points of Interaction.

Merchants are encouraged to contact their payment processors and / or acquiring banks for detailed guidance on upgrading their ecommerce sites to the more secure encryption offered by TLS 1.1 or higher.

PCI Security Standards council announces 2016 special interest group election results

The Payment Card Industry Security Standards Council (PCI SSC), has announced the election results for its 2016 Special Interest Group (SIG) project. 

Special Interest Groups are community-led initiatives that address important security challenges related to PCI Security Standards. One new Special Interest Group is selected every year, but groups may run for more than 12 months in order to complete the agreed-upon goals. 

PCI member organizations, including merchants, financial institutions, service providers and associations, voted on five proposed Special Interest Group topics submitted by their peers. The winning topic selected for 2016 was, “Best Practices for Safe E-Commerce 

The new Special Interest Group is slated to kick off in January 2016

The Council invites PCI member organizations and assessors interested in getting involved in this SIG project to register on the PCI SSC website by 4 January 2016.  

The community choose from among five strong proposals, so it was certainly not an easy decision,” said Jeremy King, International Director, PCI SSC. “We are encouraged by how many Participating Organizations were involved in the submission and election process this year. SIGs continue to be an excellent vehicle for putting their expertise to work to improve payment card security globally

 

How to Hack a Car – an infograph

How a Car Hack Attack Is Happening [Infographic]

how-car-hack-attacks-are-happening-infographic-large

Originally posted on Coinspeaker, here.

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: