Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Encryption

2018 changes to PCI DSS v3.2

Several PCI DSS requirements from version 3.2 come into effect at the end of January, 2018 (that’s just five months from now!).

Here is a list of some of the changes that will come into effect:-

3.5.1: Full documentation of all cryptographic architecture (service providers only)

6.4.6:  Change management processes that include verification of any PCI DSS impact for changes to systems or networks

8.3.x:  MFA for all non-console access to CDE.  This requirement has been the subject of much discussion, and we expect many entities to require remediation.

10.8:   Detection and reporting of all critical security control system failures (service providers only)

11.3.4.1: Penetration testing must now be performed every 6 months, as well as after any segmentation changes. (service providers only)

12.4.1: Executive management must establish PCI responsibilities and compliance program management (service providers only)

12.11.x: Quarterly personnel reviews P&P’s (service providers only)

PCI SSC revises date for migrating off vulnerable SSL and early TLS encryption

Following significant feedback from the global PCI community and security experts, the Payment Card Industry Security Standards Council (PCI SSC) has announced a change to the date that organizations who process payments must migrate to TLS 1.1 encryption or higher.

The original deadline date for migration, June 2016, was included in the most recent version of the PCI Data Security Standard, version 3.1 (PCI DSS 3.1), which was published in April of 2015. The new deadline date, June 2018, will be included in the next version of the PCI Data Security Standard, which is expected in 2016.

Early market feedback told us migration to more secure encryption would be technically simple, and it was, but in the field a lot of business issues surfaced as we continued dialog with merchants, payment processors and banks,” said Stephen Orfei, General Manager, PCI SSC. “We want merchants protected against data theft but not at the expense of turning away business, so we changed the date. The global payments ecosystem is complex, especially when you think about how much more business is done today on mobile devices around the world. If you put mobile requirements together with encryption, the SHA-1 browser upgrade and EMV in the US, that’s a lot to handle. And it means it will take some time to get everyone up to speed. We’re working very hard with representatives from every part of the ecosystem to make sure it happens as before the bad guys break in.

Some payment security organizations service thousands of international customers all of whom use different SSL and TLS configurations,” said Troy Leach, Chief Technology Officer, PCI SSC. “The migration date will be changed in the updated Standard next year to accommodate those companies and their clients. Other related provisions will also change to ensure all new customers are outfitted with the most secure encryption into the future. Still, we encourage all organizations to migrate as soon as possible and remain vigilant. Staying current with software patches remains an important piece of the security puzzle

In addition to the migration deadline date-change, the PCI Security Standards Council has updated:

  • A new requirement date for payment service providers to begin offering more secure TLS 1.1 or higher encryption
  • A requirement for new implementations to be based on TLS 1.1 or higher
  • An exception to the deadline date for Payment Terminals, known as “POI” or Points of Interaction.

Merchants are encouraged to contact their payment processors and / or acquiring banks for detailed guidance on upgrading their ecommerce sites to the more secure encryption offered by TLS 1.1 or higher.

500 European Business Leaders attend the PCI Security Standards Council Community Meeting

This week business leaders and security professionals gathered in Nice, France to discuss payment based security and especially PCI DSS and P2Pe. 

Jeremy King PCI Security Standards Council International Director said, The new European Commission Payment Services Directive 2 along with the European Banking Authority Guidelines for Securing Internet Payments have clear and detailed requirements for organisations in protecting cardholder data. Add to that the soon to be released General Data Protection Regulation which covers all data security, and you have a massive increase in data security, which when implemented will impact all organisations in Europe and beyond, 

These regulations will force organisations to take security seriously, and PCI provides the most complete set of data security standards available globally. Establishing good data security takes time and effort. Organisations need to know these regulations are coming and put a plan in place now for ongoing security

With 70% of all card fraud coming from Card-Not-Present (CNP), a figure that surpasses the previous 2008 record which was set during the EMV chip migration, it is a critical time for the industry. 

A significant amount of the conference was spent on new and developing technologies including::

  • Cloud – Daniel Fritsche of Coalfire presented on Virtualisation and the Cloud
  • Mobile – several presentations including the Smart Payments Association
  • Point to Point Encryption (P2PE) – Andrew Barratt of Coalfire delivered a panel discussion
  • Tokenisation – A presentation by Lufthansa Systems 

Jeremy King added. PCI is committed to helping organisations globally improve their data security. Our range of standards, and especially our supporting documents, are designed to help all companies improve and protect their data security. The annual Community Meeting is a big part of our efforts to engage with companies from all sectors, sharing and exchanging information to ensure they have the very best level of security 

We must work together to tackle card-not-present fraud with technologies such as point-to-point encryption and tokenisation that devalue data and make it useless if stolen by criminals.

Attendees included experts from Accor Hotels, , British Telecommunications, Capita, Coalfire Systems Limited, Accor Hotels, Lufthansa, Virgin Trains, Vodat International and hundreds of others.

Who breached the Data Protection Act in 2014? Find the complete list here.

2014 was another busy year for the Information Commissioners Office with yet more breaches of the Data Protection Act.

There are normally three types of punishments administered by the ICO

  1. Monetary. The most serious of the actions and one normally reserved for organisational entities.
  2. Undertaking. Typically applied when an organisation has failed to adhere to good business practise and needs the helping guidance of the ICO
  3. Prosecutions. Normally reserved for individuals who have blatantly breached the Act.
  4. Enforcements. A requirement on an organisation or individual to desist from specific activities.

Below is a summary of the ICO’s activity in 2014 across all three “punishment” areas.

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors like the size, financial and other resources of an organisation’s data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are to HM Treasury.

  • 22 August 2014 a monetary penalty of £90,000 was issued to Kwik Fix Plumbers Ltd for continually making nuisance calls targeting vulnerable victims. In several cases, the calls resulted in elderly people being tricked into paying for boiler insurance they didn’t need.
  • 5 December 2014 a monetary penalty of £70,000 was issued to Manchester Ltd after sending unsolicited text messages and appeared on the recipients’ mobile phone to have been sent by “Mum”.
  • 05 November 2014 a monetary penalty of £7,500 was issued to Worldview Limited following a serious data breach where a vulnerability on the company’s site allowed attackers to access the full payment card details of 3,814 customers
  • 01 October 2014 a monetary penalty of £70,000 was issued to fine to EMC Advisory Services Limited for making hundreds of nuisance calls. The company was responsible for 630 complaints to the ICO and the TPS between 1 March 2013 and 28 February 2014. They failed to make sure that those registered with the TPS, or who’d previously asked not to be contacted, weren’t being called.
  • 26 August 2014 a monetary penalty of £180,000 to the Ministry of Justice over serious failings in the way prisons in England and Wales have been handling people’s information
  • 28 July 2014 a monetary penalty of £50,000 fine to Reactiv Media Limited after an investigation discovered they had made unsolicited calls to hundreds of people who had registered with the Telephone Preference Service (TPS).
  • 23 July 2014 a monetary penalty of £150,000 to Think W3 Limited after a serious breach of the Data Protection Act revealed thousands of people’s details to a malicious hacker.
  • 03 April 2014 a monetary penalty of £50,000 Amber UPVC Fabrications Ltd (T/A Amber Windows) after an investigation discovered they had made unsolicited marketing calls to people who had registered with the Telephone Preference Service (TPS).
  • 19 March 2014 a monetary penalty of £100,000 to Kent Police after highly sensitive and confidential information, including copies of police interview tapes, were left in a basement at the former site of a police station.
  • 07 March 2014 a monetary penalty of £200,000 to the British Pregnancy Advice Service. Hacker threatened to publish thousands of names of people who sought advice on abortion, pregnancy and contraception.
  • 11 January 2014 a monetary penalty of £185,000 to Department of Justice Northern Ireland after a filing cabinet containing details of a terrorist incident was sold at auction.

ICO statement on Monetary Penalties

Undertakings

Undertakings are formal agreements between an organisation and the ICO to undertake certain actions to avoid future breaches of the Data Protection Act, typically this involves, Encryption, Training and Management Procedures.

  • 19 December 2014 Treasury Solicitors Department. A follow up has been completed to provide an assurance that the Treasury Solicitors Department has appropriately addressed the actions agreed in its undertaking signed February 2014.
  • 19 December 2014 Wirral Metropolitan Borough Council. A follow up has been completed to provide an assurance that Wirral Metropolitan Borough Council has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 19 December 2014 Caerphilly County Borough Council. A council that ordered covert surveillance on a sick employee must review its approach after an Information Commissioner’s Office (ICO) investigation. The ICO found the Council breached the Data Protection Act when it ordered the surveillance of an employee suspected of fraudulently claiming to be sick.
  • 15 December 2014 St Helens Metropolitan Borough Council. A follow up has been completed to provide an assurance that St Helens Metropolitan Borough Council has appropriately addressed the actions agreed in its undertaking signed June 2014.
  • 01 December 2014 Dudley Metropolitan Borough Council. A follow up has been completed to provide an assurance that Dudley Metropolitan Borough Council has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 28 November 2014 Oxfordshire County Council. A follow up has been completed to provide an assurance that Oxfordshire County Council as appropriately addressed the actions agreed in its undertaking signed June 2014.
  • 28 November 2014 Aspers (Milton Keynes) Limited. A follow up has been completed to provide an assurance that Aspers (Milton Keynes) Limited has appropriately addressed the actions agreed in its undertaking signed June 2014.
  • 26 November 2014 Department of Justice Northern Ireland. A follow up has been completed to provide an assurance that the Department of Justice Northern Ireland has appropriately addressed the actions agreed in its undertaking signed May 2014.
  • 17 November 2014 London Borough of Barking and Dagenham. A follow up has been completed to provide an assurance that London borough of Barking and Dagenham has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 05 November 2014 Student Loans Company. A follow up has been completed to provide an assurance that Student Loans Company has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 05 November 2014 Royal Veterinary College. A follow up has been completed to provide an assurance that The Royal Veterinary College has appropriately addressed the actions agreed in its undertaking signed October 2013.
  • 24 October 2014 Gwynedd Council. An Undertaking to comply with the seventh data protection principle has been signed by Gwynedd Council following two breaches of the Data Protection Act.
  • 24 October 2014 Disclosure and Barring Service. An undertaking to comply with the first data protection principle has been signed by the Disclosure and Barring Service.
  • 08 October 2014 South Western Ambulance Service NHS Trust. An undertaking to comply with the first, third and seventh data protection principles has been signed by South Western Ambulance Service NHS Trust. This includes the completion of a Privacy Impact Assessment in respect of data sharing. This follows an investigation whereby patient data related to 45, 431 data subjects was shared with a Clinical Commissioning Group (‘CCG’) without a legal basis to do so. There were also security concerns surrounding the manner in which the data was stored on discs when being distributed to the CCG.
  • 08 October 2014 Weathersby Limited. An undertaking to comply with the seventh data protection principle has been signed by Weathersby Limited after the company failed to secure an internal server properly, resulting in personal data relating to clients being made available on the internet.
  • 07 October 2014 Basildon and Thurrock University Hospitals NHS Foundation Trust. An undertaking to comply with the seventh data protection principle has been signed by Basildon and Thurrock University Hospitals NHS Foundation Trust. This follows an investigation into two reported incidents involving disclosures of personal data to third parties in error.
  • 25 September 2014 Norfolk Community Health & Care NHS Trust. An undertaking to comply with the first, third and seventh data protection principle has been signed by Norfolk Community Health & Care NHS Trust. This follows an investigation involving the inadvertent sharing of data with a referral management centre.
  • 22 September 2014 Oxford Health NHS Foundation Trust. An undertaking to comply with the seventh data protection principle has been signed by Oxford Health NHS Foundation Trust.  This follows an investigation into two separate incidents involving disclosures of personal data.
  • 09 September 2014 Isle of Scilly Council. An undertaking to comply with the seventh data protection principle has been signed by the Council of the Isle of Scilly. This follows an investigation into two separate incidents. The first relating to confidential information which was part of a disciplinary hearing being sent unredacted to third parties.
  • 28 August 2014 Racing Post. An undertaking to comply with the seventh data protection principle has been signed by the Racing Post. This follows an investigation whereby the Racing Post website was subject to an internet based SQL injection attack which gave access to a customer database. The data included customer registration details relating to 677,335 data subjects.
  • 13 August 2014 Wokingham Borough Council. A follow up has been completed to provide an assurance that Wokingham Borough Council has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 11 August 2014 Thamesview Estate Agents Ltd. An undertaking to comply with the seventh data protection principle has been signed by Thamesview Estate Agents Ltd after the company continued to leave papers containing personal information on the street despite a previous warning. The papers were stored in transparent bags and the information was clearly visible to anyone who walked past.
  • 18 July 2014 The Moray Council. A follow up has been completed to provide an assurance that The Moray Council has appropriately addressed the actions agreed in its undertaking signed May 2014.
  • 09 July 2014 Betsi Cadwaladr University Health Board. An undertaking to comply with the seventh data protection principle has been signed by Betsi Cadwaladr University Health Board after sensitive information was sent to the wrong address.
  • 27 June 2014 Oxfordshire County Council. An undertaking to comply with the seventh data protection principle has been signed by Oxfordshire County Council. This follows an investigation whereby a solicitor had removed a number of documents from the office but had dropped these in a street near their home. The sensitive personal data related to three child protection cases concerning 22 data subjects.
  • 23 June 2014 Aspers (Milton Keynes) Limited. An undertaking to comply with the seventh data protection principle has been signed by Aspers (Milton Keynes) Limited, following an email which was sent in error to an recipient outside of the organisation.
  • 19 June 2014 Department of Justice Northern Ireland. An undertaking to comply with the seventh data protection principle has been signed by Department of Justice Northern Ireland. This follows the sale of a filing cabinet that contained documents originating from within the Northern Ireland Prison service. The documents contained personal data, as defined by section 1 of the Data Protection Act 1998 (the Act), which was sensitive in nature.
  • 17 June 2014 Aberdeenshire Council. An undertaking to comply with the seventh data protection principle has been signed by Aberdeenshire Council after a paper file was lost by an employee of the Adult Mental Health section of the council’s Social Work service. The employee had placed the file on the roof of his car before driving off.
  • 16 June 2014 Cardiff and Vale University Health Board. A follow up has been completed to provide an assurance that Cardiff and Vale University Health Board has appropriately addressed the actions agreed in its undertaking signed October 2013.
  • 09 June 2014 Worcestershire Health and Care NHS Trust. An undertaking to comply with the seventh data protection principle has been signed by Worcestershire Health and Care NHS Trust. This follows an investigation whereby the local press were handed a patient handover sheet containing details of 18 patients.
  • 02 June 2014 Jephson Homes Housing Association Ltd. An undertaking to comply with the seventh data protection principle has been signed by Jephson Homes Housing Association Ltd. This follows an investigation into the disclosure in error of several documents containing third party personal data when providing documents to an individual as part of a litigation process.
  • 30 May 2014 Panasonic UK. A follow up has been completed to provide an assurance that Panasonic UK has appropriately addressed the actions agreed in its undertaking signed October 2013.
  • 30 May 2014 St Helens Metropolitan Borough Council. An undertaking to comply with the seventh data protection principle has been signed by St Helens Metropolitan Borough Council after child’s foster placement address was disclosed in error.  Investigations identified that Council had selected the correct recipient and had redacted the majority of documents disclosed however the address was missed on one document.
  • 30 May 2014 London Borough of Barking & Dagenham. An undertaking to respond in a quicker and more effective manner to losses of personal data has been signed by London Borough of Barking & Dagenham. This follows an investigation into the loss of a file containing medical data relating to eleven children, which discovered that although the council knew where the file was, it had still not been retrieved five months later.
  • 27 May 2014 Student Loans Company. An undertaking to comply with the seventh data protection principle has been signed by the Student Loans Company Limited following an investigation by the ICO into three separate incidents involving the disclosure of documents to the incorrect recipients.  The investigation identified that whilst checking procedures were in place documents containing sensitive personal data were subject to fewer checks than those containing less sensitive data.
  • 16 May 2014 Great Ormond Street Hospital for Children NHS Foundation Trust. A follow up has been completed to provide an assurance that Great Ormond Street Hospital for Children NHS Foundation Trust has appropriately addressed the actions agreed in its undertaking signed November 2013.
  • 12 May 2014 The Moray Council. An undertaking to comply with the seventh data protection principle has been signed by The Moray Council. This follows an investigation into the loss of a file containing adoption meeting papers at a café in the local area.
  • 25 April 2014 Dudley Metropolitan Borough Council. An undertaking to comply with the seventh data protection principle has been signed by Dudley Metropolitan Borough Council. This follows an investigation whereby a social worker had left a case file containing sensitive personal data at a client’s home. The case file outlined child welfare concerns and disclosed the identity of the source.
  • 15 April 2014 Wirral Borough Council. An undertaking to comply with the seventh data protection principle has been signed by Wirral Borough Council after social services records containing sensitive personal information were sent to the wrong addresses on two occasions. The information, which was disclosed in February and April 2013, included sensitive personal details relating to two families living in the borough and in one case included details of a criminal offence committed by one of the family members.
  • 15 April 2014 Wokingham Borough Council. An undertaking to comply with the seventh data protection principle has been signed by Wokingham Borough Council, after sensitive social services records relating to the care of a young child were lost. The information, which had been requested by a family member, was lost after the delivery driver left the documents outside the requester’s home in August 2013.
  • 11 April 2014 Royal Borough of Windsor and Maidenhead. A follow up has been completed to provide an assurance that the Royal Borough of Windsor and Maidenhead has appropriately addressed the actions agreed in its undertaking signed September 2013.
  • 28 March 2014 Barking, Havering & Redbridge University Hospitals NHS Trust. An undertaking to comply with the seventh data protection principle has been signed by Barking, Havering & Redbridge University Hospitals NHS Trust. This follows an investigation by the ICO into a series of fax related incidents which revealed that the Trust had a very low attendance rate for Information Governance training.
  • 20 March 2014 Disclosure and Barring Service. An undertaking to comply with the first data protection principle has been signed by the Disclosure and Barring Service.
  • 14 March 2014 Cardiff City Council. A follow up has been completed to provide an assurance that Cardiff City Council has appropriately addressed the actions agreed in its undertaking signed August 2013.
  • 13 March 2014 Neath Care. An undertaking to comply with the seventh data protection principle has been signed by Neath Care. This follows the disclosure of ten client care service delivery plans which were found by a member of the public in the street. The care service delivery plans related to elderly people and contained confidential client information on matters such as personal care, medication and key safe numbers.
  • 26 February 2014 Treasury Solicitor’s Department. An undertaking to comply with the seventh data protection principle has been signed by the Treasury Solicitor’s Department. The data controller agreed to put measures in place to ensure the security of the personal data it handles.
  • 24 January 2014 Hillingdon Hospitals NHS Foundation Trust. A follow up has been completed to provide an assurance that Hillingdon Hospitals NHS Foundation Trust has appropriately addressed the actions agreed in its undertaking signed September 2013.
  • 10 January 2014 Northern Health and Social Care Trust. A follow up has been completed to provide an assurance that Northern Health and

Prosecution

  • 13 November 2014 Harkanwarjit Dhanju. A former pharmacist working for West Sussex Primary Care Trust has been prosecuted for unlawfully accessing the medical records of family members, work colleagues and local health professionals. Harkanwarjit Dhanju was fined £1000, ordered to pay a £100 victim surcharge and £608.30 prosecution costs.
  • 11 November 2014 Matthew Devlin. Company director Matthew Devlin has been fined after illegally accessing one of Everything Everywhere’s (EE) customer databases. Devlin used details of when customers were due a mobile phone upgrade to target them with services offered by his own telecoms companies.
  • 22 August 2014 Dalvinder Singh. A Birmingham banker has been fined after he admitted reading his colleagues bank accounts. He worked in Santander UK’s suspicious activity reporting unit at their Leicester office. His role investigating allegations of money laundering meant he was able to view customer accounts. But he used his access to look at eleven colleagues’ accounts, to learn how much their salaries and bonuses were.
  • 06 August 2014 A Plus Recruitment Limited. A recruitment company has been prosecuted today at Doncaster Magistrates Court for failing to notify with the ICO. A Plus Recruitment Limited pleaded guilty and was fined £300 and ordered to pay costs of £489.95 and a victim surcharge of £30.
  • 05 August 2014 1st Choice Properties (SRAL). A property lettings and management company has been prosecuted for failing to notify with the ICO at Uxbridge Magistrates Court today. 1st Choice Properties (SRAL) was convicted in the defendant’s absence and fined £500, ordered to pay costs of £815.08 and a victim surcharge of £50.
  • 15 July 2014 Jayesh Shah. The owner of a marketing company trading as Vintels has been prosecuted for failing to notify the ICO of changes to his notification at Willesden Magistrates Court today. Jayesh Shah was fined £4000, ordered to pay costs of £2703 and a £400 victim surcharge.
  • 14 July 2014 Hayden Nash Consultants. A recruitment company has been prosecuted for failing to notify with the ICO at Reading Magistrates Court today. Hayden Nash Consultants entered a guilty plea and was fined £200, ordered to pay costs of £489.85 and a £20 victim surcharge.
  • 10 July 2014 Stephen Siddell. A former branch manager for Enterprise Rent-A-Car has been prosecuted for unlawfully stealing the records of almost two thousand customers before selling them to a claims management company. Stephen Siddell was fined £500, ordered to pay a £50 victim surcharge and £264.08 in prosecution costs.
  • 09 July 2014 Global Immigration Consultants Limited. A legal advice company has been prosecuted for failing to notify with the ICO at Manchester Magistrates Court today. Global Immigration Consultants Limited entered a guilty plea and was fined £300, ordered to pay costs of £260.18 and a £30 victim surcharge.
  • 06 June 2014 Darren Anthony Bott. The director of a pensions review company has been prosecuted for failing to notify with the ICO. Darren Anthony Bott of Allied Union Ltd entered a guilty plea and was fined £400, ordered to pay costs of £218.82 and a £40 victim surcharge.
  • 05 June 2014 API Telecom. A telecoms company has been prosecuted by the ICO for failing to comply with an information notice in Westminster Magistrates’ Court yesterday. The company, API Telecom, entered a guilty plea and was fined £200, ordered to pay full costs of £489.85 and the victim surcharge was imposed.
  • 13 May 2014 QR Lettings. A property company has been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act. QR Lettings pleaded guilty at a hearing on 13 May 2014 at Birkenhead Magistrates Court. The company was fined £250, ordered to pay costs of £260 and a £30 victim surcharge.
  • 25 April 2014 Barry Spencer. A man who ran a company that tricked organisations into revealing personal details about customers has been ordered to pay a total of £20,000 in fines and prosecution costs, as well as a confiscation order of over £69,000 at a hearing at Isleworth Crown Court.
  • 25 April 2014 Allied Union Limited. A pension review company has been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act.  Allied Union Limited pleaded guilty at a hearing on 25 April 2014 at Swansea Magistrates Court. The company was fined £400, ordered to pay costs of £338.11 and a victim surcharge of £40.
  • 25 March 2014 Help Direct UK Limited. A financial advisors has been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act. Help Direct UK Limited pleaded guilty at a hearing on 25 March 2014 at Swansea Magistrates Court. The company was fined £250, ordered to pay costs of £248.83 and a victim surcharge of £25.
  • 12 March 2014 Boilershield Limited. A plumbing company and its director have been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act. Boilershield Limited and its director, Mohammod Ali, pleaded guilty at a hearing on 12 March 2014 at Bromley Magistrates. They were both fined £1,200, ordered to pay costs of £196.87 and a victim surcharge of £120.
  • 11 March 2014 Becoming Green (UK) Ltd. A Cardiff-based green energy deal company, Becoming Green (UK) Ltd, has been prosecuted by the Information Commissioner’s Office after failing to notify the ICO that it handled customers’ personal data. The offence was uncovered when the company was being monitored following concerns about compliance.
  • 24 January 2014 ICU Investigations Limited. Six men who were part of a company that tricked organisations into revealing personal

Enforcements

  • 19 November 2014 Grampian Health Board (NHS Grampian). The Information Commissioner’s Office has ordered NHS Grampian to take action to make sure patients’ information is better protected.
  • 12 November 2014 Hot House Roof Company. The ICO has issued an enforcement notice against Hot House Roof Company ordering them to stop making nuisance marketing calls. The company had failed to honour suppression requests and repeatedly made calls to a number of individuals despite their being TPS registered.
  • 21 October 2014 Abdul Tayub. The Information Commissioner’s Office has served Abdul Tayub with an enforcement notice after he was found to be sending unsolicited marketing mail by electronic means without providing information as to his identity and without prior consent.
  • 12 September 2014 All Claims Marketing Limited. The Information Commissioner’s Office has served All Claims Marketing Limited with an enforcement notice after the company was found to be sending unsolicited marketing mail by electronic means without providing information as to its identity.
  • 03 September 2014 Winchester and Deakin Limited. The Information Commissioner’s Office has served Carmarthen-based direct marketing company Winchester and Deakin Limited (also trading as Rapid Legal and Scarlet Reclaim) with an enforcement notice ordering them to stop making nuisance calls. The move comes after an investigation discovered they had made unsolicited marketing calls to people who had registered with the Telephone Preference Service (TPS) or who had asked not to be contacted.
  • 16 June 2014 DC Marketing Limited. The ICO has issued an enforcement notice against DC Marketing Limited after the company made hundreds of nuisance calls to try and get people to purchase solar panels partly financed by the Green Deal Home Improvement Fund. An ICO investigation found the company also frequently gave a false name to avoid detection.
  • 29 May 2014 Wolverhampton City Council. The ICO has issued an enforcement notice against Wolverhampton City Council, following an investigation into a data breach at the council that occurred in January 2012. The breach was caused when a social worker, who had not received data protection training, sent out a report to a former service user detailing their time in care. However, the social worker failed to remove highly sensitive information about the recipient’s sister that should not have been included.
  • 03 April 2014 Amber UPVC Fabrications Ltd (T/A Amber Windows). The ICO has issued an enforcement notice against Amber Windows ordering them not to call subscribers who have previously told them not to ring or subscribers who have not consented to them calling and have registered the number with the TPS for at least the required 28 days.
  • 10 March 2014 Isisbyte Limited. The ICO has served an enforcement notice on Isisbyte Limited after the company was found to be making unsolicited marketing calls without providing information as to their identity.
  • 10 March 2014 SLM Connect Limited. The ICO has served an enforcement notice on SLM Connect Limited after the company was found to be making unsolicited marketing calls without providing information as to their identity.

Who has breached the Data Protection Act in 2012? Find the complete list here.

Who breached the Data Protection Act in 2013? Find the complete list here.

Data Breaches for the first quarter of 2014

Safenet Infographic on Data Breaches in the first quarter of 2014

The European Cybercrime Centre – one year on

What are the main future cybercrime threats on the horizon? And how has the European Cybercrime Center (EC3) contributed to protect European citizens and businesses since its launch in January 2013? 

These questions are at the core of an EC3 report presented today, and discussed at a conference organised by the Commission, with participants from law enforcement authorities, national and EU institutions and the private sector.

Criminal behaviour is changing fast, exploiting technological developments and legal loopholes. Criminals will continue to be creative and deploy sophisticated attacks to make more money, and we must be able to keep up with them. The expertise of the EC3 is helping us to fight this battle and boost European cooperation. Through several successful, far-reaching operations in the past year, the European Cybercrime Centre has already earned well-deserved fame amongst law enforcement agencies”, said Commissioner for Home Affairs Cecilia Malmström.

Troels Örting, Head of the European Cybercrime Centre added: “In the 12 months since EC3 opened we have been extremely busy helping EU law enforcement authorities to prevent and investigate cross-border cybercrime. I am proud and satisfied with our results so far, however we cannot rest on our laurels. I am especially worried about the increasingly complex forms of malware that are surfacing, along with more technologically advanced cyber-scams, and the so-called ‘sextortion’ of minors. We have only seen the tip of the iceberg, but EC3, backed by our valued stakeholders and partners, is dedicated to supporting Member States’ future frontline cybercrime operations.

According to a recent Eurobarometer

  • 12% of European internet users have had their social media or email account hacked
  • 7% have been the victim of credit card or banking fraud online

EC3 achievement highlights

The main task of the European Cybercrime Centre is to disrupt the operations of organised crime networks that commit serious and organised cybercrime (for more details, see MEMO/13/6 and infographics).Concretely, the EC3 supports and coordinates operations and investigations conducted by Member States’ authorities in several areas. Recent examples include:

High-tech crimes (cyber-attacks, malware)

In its first year, the EC3 assisted in the coordination of 19 major cybercrime operations, for instance: 

  • Two major international investigations (Ransom and Ransom II) were concluded, related to so-called Police Ransomware – a type of malware that blocks the victim’s computer, accusing the victim of having visited illegal websites containing child abuse material or other illegal activity. Criminals request the payment of a “fine” to unblock the victim’s computer, making the Ransomware look as if it comes from a legitimate law enforcement agency. Cybercriminals convince the victim to pay the ‘fine’ of around €100 through two types of payment gateways – virtual and anonymous. The criminals investigated by EC3 infected tens of thousands of computers worldwide, bringing in profits in excess of one million euros per year. 13 arrests were made (mainly in Spain) and the networks were broken up.
  • EC3 has also supported several international initiatives in the areas of botnet takedowns, disruption and investigation of criminal forums and malware attacks against financial institutions, such as the recent takedown of the ZeroAccess botnet together with Microsoft and high-tech crime units from the German BKA, Netherlands, Latvia, Luxembourg and Switzerland.

Online child sexual exploitation

At present, EC3 supports 9 large child sexual exploitation police operations within the European Union. In the first year of EC3, significant efforts – jointly with many Member States and non-EU cooperation partners – were put into combating the illegal activities of paedophiles engaged in the online sexual exploitation of children using hidden services.

EC3 is involved in many operations and joint investigations targeting the production and distribution of child abuse material on various internet platforms. It is providing ongoing operational and analytical support to investigations on the dark net, where paedophiles trade in illicit child abuse material in hidden forums, as well as to investigations into ‘sextortion’. Sextortion is the term given to the phenomenon where child abusers gain access to inappropriate pictures of minors and use the images to coerce victims into further acts or the abuser will forward the images to family and friends of the victim.

Payment fraud

The EC3 is currently providing operational and analytical support to 16 investigations, regarding payment fraud. In 2013 it supported investigations resulting in three different international networks of credit card fraudsters being dismantled: 

  • One operation led to the arrest of 29 suspects who had made a 9 million Euro profit by compromising the payment credentials of 30,000 credit card holders. 
  • The second network that was tackled resulted in 44 arrests during the operation (which followed 15 previous arrests; 59 arrests in total) in several Member States, two illegal workshops for producing devices and software to manipulate Point-of-Sale terminals dismantled, illegal electronic equipment, financial data, cloned cards, and cash seized. The organised crime group had affected approximately 36.000 bank/credit card holders in 16 European countries. 
  • The third operation targeted an Asian criminal network responsible for illegal transactions and the purchasing of airline tickets. Two members of the criminal gang, travelling on false documents, were arrested at Helsinki airport. Around 15,000 compromised credit card numbers were found on seized computers. The network had been using card details stolen from cardholders worldwide. In Europe, over 70,000 euros in losses were suffered by card holders and banks. 
  • An operation against airline fraudsters using fraudulent credit cards to purchase airline tickets was coordinated by the EC3 in 38 airports from 16 European countries. During the operation, more than 200 suspicious transactions were reported by the industry and 43 individuals were arrested (followed by another 74 arrests after the action day; 117 arrests in total). These were all found to be linked to other criminal activities, such as the distribution of credit card data via the internet, intrusions into financial institutions’ databases, other suspicious transactions, drug trafficking, human smuggling, counterfeit documents including IDs, and other types of fraud. Some of those detained were already wanted by judicial authorities under European Arrest Warrants.

Future threats and trends in cybercrime

Currently, around 2, 5 billion people worldwide have access to the internet and estimates suggest that around another 1, 5 billion people will gain access in the next four years. As our online life, with all its immense advantages, will continue to grow, so will our exposure to online crime. In its first yearly report, the EC3 looks at future cybercrime threats and trends. Among others, it points to the following: 

Growing ranks of criminals. The threshold for stepping into the business of cybercrime is becoming very low. Already now, a complete underground economy has developed, where all sorts of criminal products and services are traded, including, drugs, weapons, hired killings, stolen payment credentials and child abuse. Any kind of cybercrime can be procured even without technical skills – password cracking, hacking, tailor-made malware or DDoS attacks.

More demand. It is expected that the demand for and use of cybercrime services will increase, resulting in an even stronger growth of the development, testing and distribution of malware; building and deployment of botnets; theft and trade in payment credentials as well as money laundering services.

Increased sophistication. The development of more aggressive and resistant types of malware is expected. This includes ransomware with more advanced encryption complexity; more resilient botnets; and banking malware and Trojans with advanced sophistication, in order to circumvent protection measures by financial institutions.

Even more global. Due to rapidly spreading internet connectivity, cybercrime originating in Southeast Asia, Africa and South America will grow.

Going mobile. A shift of malware development is expected towards the operation on, and distribution through, mobile devices.

Smarter distribution. New ways of distributing aggressive and resistant types of malware are expected in the coming years. There is also an increasing, worrying trend of offering child abuse through live streaming, which leaves police without evidence unless intercepted at the time of transmission.

Increased need for money-laundering. Criminals will seek easy ways of cashing and laundering profits. Targeting large numbers of citizens and small to mid-sized companies for relatively small amounts is a scenario likely to continue. But also the use of payment credentials for online purchases will grow. The demand for e-currencies and other anonymous payment systems will rise further.

Targeting of cloud services. The hacking of cloud services becomes more and more interesting for criminals. It is expected that criminals will increasingly aim at hacking such services for the purpose of spying, retrieval of credentials and extortion.

To address these developments and fight a crime that by its very nature knows no borders or jurisdictions, the EC3 will continue to provide operational support to law enforcement agencies from EU Member States and from non-EU cooperation partners. It will further develop its expertise in training and capacity building, strategic analysis and digital forensic support.

Reproduced from http://europa.eu/index_en.htm

Employees and Companies Not Taking BYOD Security Seriously

For the second year in a row, Coalfire examined the BYOD trend for interconnected employees and what it means for companies and the protection of their corporate data. Most organizations want the increase in productivity that mobile devices offer, but the majority do not provide company-owned tablets or mobile phones as a cost-saving measure. Employees who want to use these devices must buy their own and are all too often left to secure potentially private information themselves.

RSA’s September 2013 Online Fraud Report featuring a review of “education in the cybercriminal world”

RSA‘s September 2013 Online Fraud Report discusses the improvement in cybercriminal skills and how education offered online with support of tutors, course work and counselling is increasing the threat to businesses and people alike.

RSA have seen an increase in ads by established criminals advertising courses they commonly carry out via Skype videoconferencing. To add value, “teachers” are offering interesting fraud courses, following those up with individual tutorials (Q&A sessions) after students join their so-called schools.

Fraud-as-a-Service (FaaS) strives to resemble legitimate business models, fraudster trade schools further offer ‘job placement’ for graduates through their many underground connections with other experienced criminals. Interestingly, some of the “teachers” go the extra mile and vouch for students who show “talent” so that they can join the underground communities they would otherwise not be able to access.

Some cybercrime professors even enforce a rigid absentee policy:

  • Students must give a 2 hour advanced notice if they cannot attend.
  • Students who fail to notify ahead of time are fined 50% of the fee, and rescheduled for the next class.
  • Students who fail to pay absentee fees will forfeit the entire deposited fee.

The following section presents some examples of cybercrime schooling curriculums exposed by RSA fraud analysts.

Beginners’ cybercrime classes

The first level is designed for beginners, teaching the basics of online financial fraud. The Cybercrime Course Curriculum:

  • The Business of Fraud – Credit cards, debit cards, drop accounts, how all it works, who are the clients, prices, risks
  • Legal Aspects – How to avoid being caught by the authorities. What can be used against you in a court of law? Building Your Business Where to find clients? How to build a top-notch fraud service
  • Transaction Security – How to avoid getting scammed and shady escrow services
  • Price per lecture 2,500 Rubles (about $75 USD)

Courses in card fraud

Criminals further offer the much in demand payment card fraud classes – one course per payment card type. Card Fraud Course Curriculum:

  • The Business – Drops, advertising, accomplices, chat rules and conventions
  • Legal Security – Dealing with law enforcement: who is accountable for the crime in organized groups, what can be collected as evidence
  • Building Your Business – Invaluable tips that will help develop your service to top level, and help acquire customers
  • Security of Transactions – Common patterns of rippers/ripping, how to identify scams, how to use escrow services
  • Price per lecture 2,500 Rubles (about $75 USD)
  • Price per course 2,500 Rubles (about $75 USD) Both courses 4,000 Rubles (about $120 USD)

Anonymity and security course

Stressing the importance of avoiding detection and maintaining anonymity, this course teaches a fraudster the art of avoiding detection, and how to erase digital “fingerprints”. The tutoring vendor offers practical lessons in configuring a computer for complex security and anonymity features. This course includes a theoretical and a practical section, with a duration estimated at four hours. Anonymity Course Curriculum:

  • Configuring and using Anonymity tools – Antivirus and firewall, Windows security(ports and ‘holes’), virtual keyboards, shutting off browser logging, eliminating history/traces on the PC, applications for permanent data removal, data encryption on the hard drive, Anonymizer applications, VPN – installation/configuration, using SOCKS – where to buy them, hiding one’s DNS server, dedicated servers, TOR browsers, safe email mailboxes, using disposable email, using a cryptic self-destruct flash drive, creating cryptic self-destruct notes, extra advanced topic – tools for remotely liquidating a hard drive
  • Botnets – Independent study (online document/site link provided)
  • Using Chat Channels – Using ICQ, Skype, Jabber, registering Jabber on a safe server, OTR/GPG encryption in a Jabber chat, passing a key and chatting on a secure channel via Jabber
  • Legal – Electronic evidence one might be leaving behind, and that can be used against fraudsters by law enforcement
  • Price per course – 3,300 Rubles (about $99 USD) $35 – additional charge for installing VPN

Mule Herding Course Curriculum:

  • Theory section (2-3 hrs.) – Fundamentals – opening a mule-recruitment service, legal and practical security measures, finding accomplices and partners
  • Practical section (3-5 hrs.) – Receive a prepared transaction to handle, and earn 10% on this initial transaction (if one succeeds). If the student fails, a second transaction will be offered, at a cost of 1,500 Rubles ($45 USD) and no percentage earned.
  • Upon successful completion of the test, fraudsters receive official confirmation by public notice from the lecturer in the community. This part is only open to students who have completed the theory section, and have set up the anonymity and security tools and have the additional tools required for the transaction

One-on-one tutorials and consultations

With a money-back guarantee promised to students, one crime school offers personal one-on-one tutorials and problem solving sessions via Skype. Special tutorial topics:

  • Banking and Credit Cards – “Black and white” credit, fake documents, banking algorithms and security measures (Russian Federation only)
  • Debit Cards – The finer details of working with debit cards and setting up a service (Russian Federation only)
  • Registering and using Shell Corporations – Legal issues and practical problems in using Shell Corporations for fraud (Russian Federation only)
  • Legal Liability Issues – Your legal rights, practical advice on interaction with law enforcement agencies, counselling services even while under investigation (Russian Federation only)
  • Setting up Anonymity – Practical help in setting up anonymity, and answers to questions from the course (any country)
  • Price 2,000 Rubles (about $60) per hour

The school of carding

Approaching the subject that is highest in demand in the underground, vendors have opened schools for carding – teaching the different ways to use payment cards in fraud scenarios. One vendor offers classes on a daily basis, at two levels of expertise, and indicates that he gives his personal attention to each student. The vendor also assures his students that his resources (compromised data) are fresh, personally tested by him, and never before made available on any ‘public’ lists.

School of Carding – Basic Curriculum:

  • Current Working BINs – Credit card BIN numbers that have been verified as successful in carding scenarios.
  • Websites for Clothing, Electronics, etc. – Which merchants make the best targets for carding?
  • Tips and Tricks – Extra insights from personal experience.
  • Price $25 USD

School of Carding – Advanced Curriculum

  • BINs and Banks – Recommended BIN numbers that give best results in carding
  • Tested sites – A list of tested e-commerce sites recommended for carding clothing, electronic goods, and more.

Phishing Attacks per Month

RSA identified 33,861 phishing attacks launched worldwide in August, marking a 25% decrease in attack volume from July. Based on this figure, it is estimated phishing resulted in an estimated $266 million in losses to global organizations in August.

US Bank Types Attacked

U.S. nationwide banks remained the most targeted with two out of three phishing attacks targeted at that sector in August while U.S. regional banks saw an 8% increase in phishing attacks.

Top Countries by Attack Volume

The U.S. remained the most targeted country in August with 50% of the total phishing volume, followed by the UK, Germany and India which collectively accounted for approximately 30% of phishing volume.

Top Countries by Attacked Brands

In August, 26% of phishing attacks were targeted at brands in the U.S., followed by the UK, Australia and India.

Top Hosting Countries

Four out of every ten phishing attacks were hosted in the U.S. in August. Canada, the Netherlands and the UK collectively hosted 25% of phishing attacks.

Previous 3 RSA Online Fraud Report Summaries

.

3 simple tips to improve security in the cloud

In Sophos’s 2013 Security Threat Report they provided 3 tips on how to be more secure when using the cloud.

The tips are simple but straight to the point so I thought I would share them.

  1. Apply web-based policies using URL filtering, controlling access to public cloud storage websites and preventing users from browsing to sites you’ve declared off-limits. 
  2. Use application controls to block or allow particular applications, either for the entire company or for specific groups. 
  3. Automatically encrypt files before they are uploaded to the cloud from any managed endpoint. An encryption solution allows users to choose their preferred cloud storage services, because the files are always encrypted and the keys are always your own. And because encryption takes place on the client before any data is synchronized, you have full control of the safety of your data. You won’t have to worry if the security of your cloud storage provider is breached. Central keys give authorized users or groups access to files and keep these files encrypted for everyone else. Should your web key go missing for some reason, maybe the user simply forgot the password, the security officer inside the enterprise would have access to the keys in order to make sure the correct people have access to that file.

.

 

Blog at WordPress.com.

Up ↑

%d bloggers like this: