
Brian Pennington

A blog about Cyber Security & Compliance

Tag: Data loss

The Prudential is fined £50,000 for breaching the Data Protection Act

The UK’s Information Commissioner’s Office (ICO) has fined the Prudential £50,000 after a mix-up in the administration of two customers’ accounts led to tens of thousands of pounds, meant for one customer’s retirement fund, ending up in the wrong account.

This is the first monetary penalty served by the ICO that doesn’t relate to a significant data loss.

The original error, in March 2007, was caused when the records of both customers, who share the same first name, surname and date of birth, were mistakenly merged.

The problem was not resolved until September 2010, despite the company being alerted to the mistake on several occasions, including a letter from one of the customers in late April 2010 which clearly stated that his address had not changed for over 15 years. The company failed to investigate thoroughly at that point, and the penalty relates to the inaccuracy then present, which continued for a further six months.

Stephen Eckersley, ICO Head of Enforcement, said:

“Organisations must make sure the information they hold on their customers’ files is accurate and kept up to date in order to comply with the Data Protection Act. In this case two customer files were consistently confused and the company failed to remedy the situation despite being alerted to the problem on more than one occasion before it was finally resolved.

“This case would be considered farcical were it not for the serious sums of money involved.”

Last year the public made more complaints about the way money lenders were handling their information than about any other sector. Around 15% of the almost 13,000 data protection complaints received by the ICO during the last financial year related to this group, with inaccurate data the third most complained about issue across all sectors.

Commenting on the ICO’s concerns in this area, Stephen Eckersley continued:

“While data losses may make the headlines, most people will contact our office about inaccuracies and other issues relating to the misuse of their information. Inaccurate information on a customer’s record, particularly when the record relates to an individual’s financial affairs, can have a significant impact on someone’s life.

“We hope this penalty sends a message to all organisations, but particularly those in the financial sector, that adequate checks must be in place to ensure people’s records are accurate. Staff should also receive adequate training on how to manage and maintain them, with any concerns fully investigated in order to ensure problems are addressed at an early stage.”

Prudential has committed to staff training and an improvement in processes to ensure that the accuracy of customers’ records is maintained at all times.


Cyber Criminals Shifting to Smaller, More Opportunistic Attacks; External Attacks, Especially Hacking, on Rise


Verizon have released their Data Breach Investigations Report 2011 and as usual with the Verizon report there is a lot to take in.

The investigations by Verizon and the U.S. Secret Service found that the number of compromised records dropped from 144 million in 2009 to about 4 million in 2010, the lowest volume of data loss since the report’s launch in 2008.

The percentage of breaches attributed to insiders fell sharply from 49% to 16%, which the report attributes to a large increase in external attacks rather than a fall in the number of internal breaches.

Verizon’s recommendations for enterprises, as listed in the Verizon press release:

  • Focus on essential controls. Many enterprises make the mistake of pursuing exceptionally high security in certain areas while almost completely neglecting others. Businesses are much better protected if they implement essential controls across the entire organization without exception.
  • Eliminate unnecessary data. If you do not need it, do not keep it. For data that must be kept, identify, monitor and securely store it.
  • Secure remote access services. Restrict these services to specific IP addresses and networks, minimizing public access to them. Also, ensure that your enterprise is limiting access to sensitive information within the network.
  • Audit user accounts and monitor users with privileged identity. The best approach is to trust users but monitor them through pre-employment screening, limiting user privileges and using separation of duties. Managers should provide direction, as well as supervise employees to ensure they are following security policies and procedures.
  • Monitor and mine event logs. Focus on the obvious issues that logs pick up, not the minutiae. Reducing the compromise-to-discovery timeframe from weeks and months to days can pay huge dividends.
  • Be aware of physical security assets. Pay close attention to payment card input devices, such as ATMs and gas pumps, for tampering and manipulation.

Key findings from the 2011 report, as summarised in the Verizon press release:

  • Large-scale breaches dropped dramatically while small attacks increased.  The report notes there are several possible reasons for this trend, including the fact that small to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.
  • Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources.  Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks.  Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.
  • Physical attacks are on the rise.  After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals.  The data indicates that organized crime groups are responsible for most of these card-skimming schemes.
  • Hacking and malware are the most popular attack methods. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those that send data to an external entity, open backdoors, or log keystrokes.
  • Stolen passwords and credentials are out of control.  Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security.  Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.
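Three of Verizon’s recommendations (restricting remote access services to known networks, auditing privileged and default accounts, and mining event logs to shorten the compromise-to-discovery window) can be checked in a single pass over authentication logs. The script below is an added example written for this page, not code from Verizon or from the report; the log line format, the allow-listed networks, the list of default account names and the sample log entries are all constructed assumptions.

```python
"""Added example (not from the Verizon report or the original post).

Mines constructed remote-access login records for three of the report's
recommendations: logins from outside an allowlist of networks, logins by
vendor default / shared accounts, and successes preceded by failures, then
reports how long the earliest finding sat undiscovered.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed allowlist: networks permitted to reach the remote-access services.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Assumed set of default / shared accounts that should never log in remotely.
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "pos", "guest"}

# Constructed sample log lines in an assumed syslog-like key=value format.
SAMPLE_LOG = """\
2010-06-01T02:14:07Z rdp-gw login result=fail user=jsmith src=198.51.100.23
2010-06-01T02:14:09Z rdp-gw login result=fail user=admin src=198.51.100.23
2010-06-01T02:14:12Z rdp-gw login result=success user=admin src=198.51.100.23
2010-06-01T08:30:00Z vpn login result=success user=jsmith src=10.1.4.9
2010-06-02T11:02:33Z vpn login result=success user=pos src=203.0.113.7
2010-06-03T23:59:59Z rdp-gw login result=success user=mwong src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\S+) login result=(?P<result>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def is_allowed_source(addr):
    """True if the source address falls inside any allow-listed network."""
    return any(addr in net for net in ALLOWED_NETWORKS)


def find_findings(log_text):
    """Return a list of successful logins that violate one of the checks."""
    findings = []
    # (user, src) -> failed attempts seen since the last success for that pair
    fails = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] != "success":
            fails[key] += 1
            continue
        reasons = []
        if not is_allowed_source(ev["src"]):
            reasons.append("source outside allowlist")
        if ev["user"] in DEFAULT_ACCOUNTS:
            reasons.append("default/shared account")
        if fails[key] > 0:
            reasons.append(f"{fails[key]} failed attempt(s) preceded success")
        fails[key] = 0
        if reasons:
            findings.append({"ts": ev["ts"], "svc": ev["svc"], "user": ev["user"],
                             "src": str(ev["src"]), "reasons": reasons})
    return findings


def discovery_lag_days(findings, reviewed_at):
    """Whole days between the earliest flagged login and the log review."""
    if not findings:
        return 0
    return (reviewed_at - min(f["ts"] for f in findings)).days


if __name__ == "__main__":
    found = find_findings(SAMPLE_LOG)
    for f in found:
        print(f["ts"].isoformat(), f["svc"], f["user"], f["src"], "; ".join(f["reasons"]))
    # Reviewing these logs at the end of the month shows a 28-day discovery lag.
    print("discovery lag:", discovery_lag_days(found, datetime(2010, 6, 30)), "days")
```

Run stand-alone it flags three logins: the admin success from an address outside the allowlist after a failed attempt, the shared pos account on the VPN, and an ordinary user connecting from an unknown network, then shows a 28-day lag if the logs are first read at month end. In practice the allowlist comes from the firewall or VPN configuration and the lines from the gateway’s own log feed; the point is that a daily run of something this simple is what turns a months-long compromise-to-discovery window into days.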

Download the report here

