Brian Pennington

A blog about Cyber Security & Compliance

Tag: Encryption

2018 changes to PCI DSS v3.2

Several PCI DSS requirements from version 3.2 come into effect at the end of January, 2018 (that’s just five months from now!).

Here is a list of some of the changes that will come into effect:

  • 3.5.1: Full documentation of all cryptographic architecture (service providers only)
  • 6.4.6: Change management processes that include verification of any PCI DSS impact for changes to systems or networks
  • 8.3.x: MFA for all non-console access to the CDE. This requirement has been the subject of much discussion, and we expect many entities to require remediation.
  • 10.8: Detection and reporting of all critical security control system failures (service providers only)
  • 11.3.4.1: Penetration testing must now be performed every 6 months, as well as after any segmentation changes (service providers only)
  • 12.4.1: Executive management must establish PCI responsibilities and compliance program management (service providers only)
  • 12.11.x: Quarterly reviews to confirm that personnel are following security policies and procedures (P&Ps) (service providers only)


PCI SSC revises date for migrating off vulnerable SSL and early TLS encryption

Following significant feedback from the global PCI community and security experts, the Payment Card Industry Security Standards Council (PCI SSC) has announced a change to the date by which organizations that process payments must migrate to TLS 1.1 encryption or higher.

The original deadline date for migration, June 2016, was included in the most recent version of the PCI Data Security Standard, version 3.1 (PCI DSS 3.1), which was published in April of 2015. The new deadline date, June 2018, will be included in the next version of the PCI Data Security Standard, which is expected in 2016.

“Early market feedback told us migration to more secure encryption would be technically simple, and it was, but in the field a lot of business issues surfaced as we continued dialog with merchants, payment processors and banks,” said Stephen Orfei, General Manager, PCI SSC. “We want merchants protected against data theft but not at the expense of turning away business, so we changed the date. The global payments ecosystem is complex, especially when you think about how much more business is done today on mobile devices around the world. If you put mobile requirements together with encryption, the SHA-1 browser upgrade and EMV in the US, that’s a lot to handle. And it means it will take some time to get everyone up to speed. We’re working very hard with representatives from every part of the ecosystem to make sure it happens before the bad guys break in.”

“Some payment security organizations service thousands of international customers, all of whom use different SSL and TLS configurations,” said Troy Leach, Chief Technology Officer, PCI SSC. “The migration date will be changed in the updated Standard next year to accommodate those companies and their clients. Other related provisions will also change to ensure all new customers are outfitted with the most secure encryption into the future. Still, we encourage all organizations to migrate as soon as possible and remain vigilant. Staying current with software patches remains an important piece of the security puzzle.”

In addition to the migration deadline date-change, the PCI Security Standards Council has updated:

  • A new requirement date for payment service providers to begin offering more secure TLS 1.1 or higher encryption
  • A requirement for new implementations to be based on TLS 1.1 or higher
  • An exception to the deadline date for Payment Terminals, known as “POI” or Points of Interaction.

Merchants are encouraged to contact their payment processors and/or acquiring banks for detailed guidance on upgrading their e-commerce sites to the more secure encryption offered by TLS 1.1 or higher.
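In practice the migration the Council describes comes down to the list of protocol versions each TLS endpoint is allowed to negotiate, and a setting that looks hardened can still fail the “TLS 1.1 or higher” test. The script below is an added example (not code from the PCI SSC or this blog) that evaluates Apache `SSLProtocol` and nginx `ssl_protocols` directives found in constructed sample configuration snippets and reports any version below TLS 1.1 that is still offered. The expansion of Apache’s `all` keyword is an assumption, noted in the code; the exact set depends on the OpenSSL build.

```python
"""Check web-server TLS protocol directives against the PCI SSC requirement
quoted above: endpoints must offer TLS 1.1 or higher only, so SSLv2, SSLv3
and TLS 1.0 ("early TLS") must not be negotiable.

Added example, not code from the PCI SSC or this blog. It evaluates the two
most common directive syntaxes (Apache `SSLProtocol`, nginx `ssl_protocols`)
over constructed sample configuration snippets; nothing here touches a
network.
"""
from __future__ import annotations

import re

# Protocol versions, oldest first. The position in this list is what we
# compare against the minimum the requirement allows.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MINIMUM_ALLOWED = "TLSv1.1"

# Assumption: what Apache's `all` keyword expands to. Real builds vary with
# the OpenSSL they link (SSLv2 was dropped long ago, TLSv1.3 needs 1.1.1+),
# so the widest plausible set is used to avoid under-reporting.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

# Matches an Apache or nginx protocol directive and captures its value,
# stopping at a trailing semicolon or comment.
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^;#]+)")


def apache_protocols(value: str) -> set[str]:
    """Evaluate an Apache `SSLProtocol` value such as `all -SSLv3 -TLSv1`.

    Tokens are processed left to right: a bare or `+` token enables a
    version, `-` disables it, and `all` stands for every version.
    """
    enabled: set[str] = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        versions = set(APACHE_ALL) if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= versions
        else:
            enabled |= versions
    return enabled


def nginx_protocols(value: str) -> set[str]:
    """nginx `ssl_protocols` is a plain whitelist: `TLSv1.1 TLSv1.2`."""
    return set(value.split())


def early_tls_offered(enabled: set[str]) -> list[str]:
    """Return the enabled versions below MINIMUM_ALLOWED, oldest first.

    An empty list means the directive meets the TLS 1.1-or-higher rule.
    """
    limit = PROTOCOL_ORDER.index(MINIMUM_ALLOWED)
    return [v for v in PROTOCOL_ORDER[:limit] if v in enabled]


def audit_config(text: str) -> dict[int, list[str]]:
    """Map each protocol directive's line number to the non-compliant
    versions it still offers. Lines without a protocol directive are skipped."""
    findings: dict[int, list[str]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if not match:
            continue
        name, value = match.group(1), match.group(2).strip()
        enabled = apache_protocols(value) if name == "SSLProtocol" else nginx_protocols(value)
        findings[lineno] = early_tls_offered(enabled)
    return findings


# Constructed samples: a typical pre-migration setting and its corrected form
# for each server. `all -SSLv2 -SSLv3` looks hardened but still offers TLS 1.0.
APACHE_BEFORE = """
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
"""
APACHE_AFTER = """
SSLEngine on
SSLProtocol -all +TLSv1.1 +TLSv1.2
"""
NGINX_BEFORE = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""
NGINX_AFTER = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.1 TLSv1.2;
}
"""

if __name__ == "__main__":
    samples = {"Apache before": APACHE_BEFORE, "Apache after": APACHE_AFTER,
               "nginx before": NGINX_BEFORE, "nginx after": NGINX_AFTER}
    for label, text in samples.items():
        for lineno, bad in audit_config(text).items():
            verdict = "OK" if not bad else "FAIL, still offers " + ", ".join(bad)
            print(f"{label:13} line {lineno}: {verdict}")
```

Run it directly to see the verdict for the four constructed snippets. The common Apache setting `all -SSLv2 -SSLv3` is flagged because TLS 1.0 remains negotiable, while `-all +TLSv1.1 +TLSv1.2` and the nginx list `TLSv1.1 TLSv1.2` pass. `MINIMUM_ALLOWED` is kept as a single constant so the same check can be tightened when a later standard raises the floor.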

500 European Business Leaders attend the PCI Security Standards Council Community Meeting

This week business leaders and security professionals gathered in Nice, France to discuss payment security, and especially PCI DSS and P2PE.

Jeremy King, PCI Security Standards Council International Director, said: “The new European Commission Payment Services Directive 2, along with the European Banking Authority Guidelines for Securing Internet Payments, have clear and detailed requirements for organisations in protecting cardholder data. Add to that the soon to be released General Data Protection Regulation which covers all data security, and you have a massive increase in data security, which when implemented will impact all organisations in Europe and beyond.

“These regulations will force organisations to take security seriously, and PCI provides the most complete set of data security standards available globally. Establishing good data security takes time and effort. Organisations need to know these regulations are coming and put a plan in place now for ongoing security.”

With 70% of all card fraud coming from Card-Not-Present (CNP) transactions, a figure that surpasses the previous record set in 2008 during the EMV chip migration, it is a critical time for the industry.

A significant amount of the conference was spent on new and developing technologies, including:

  • Cloud – Daniel Fritsche of Coalfire presented on Virtualisation and the Cloud
  • Mobile – several presentations including the Smart Payments Association
  • Point to Point Encryption (P2PE) – Andrew Barratt of Coalfire delivered a panel discussion
  • Tokenisation – A presentation by Lufthansa Systems 

Jeremy King added: “PCI is committed to helping organisations globally improve their data security. Our range of standards, and especially our supporting documents, are designed to help all companies improve and protect their data security. The annual Community Meeting is a big part of our efforts to engage with companies from all sectors, sharing and exchanging information to ensure they have the very best level of security.

“We must work together to tackle card-not-present fraud with technologies such as point-to-point encryption and tokenisation that devalue data and make it useless if stolen by criminals.”

Attendees included experts from Accor Hotels, British Telecommunications, Capita, Coalfire Systems Limited, Lufthansa, Virgin Trains, Vodat International and hundreds of others.

Who breached the Data Protection Act in 2014? Find the complete list here.

2014 was another busy year for the Information Commissioner’s Office (ICO), with yet more breaches of the Data Protection Act.

The ICO normally administers the following types of punishment:

  1. Monetary. The most serious of the actions, and one normally reserved for organisational entities.
  2. Undertaking. Typically applied when an organisation has failed to adhere to good business practice and needs the helping guidance of the ICO.
  3. Prosecutions. Normally reserved for individuals who have blatantly breached the Act.
  4. Enforcements. A requirement on an organisation or individual to desist from specific activities.

Below is a summary of the ICO’s activity in 2014 across all of these “punishment” areas.

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors such as the size, financial and other resources of the organisation’s data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are paid to HM Treasury.

  • 22 August 2014 a monetary penalty of £90,000 was issued to Kwik Fix Plumbers Ltd for continually making nuisance calls targeting vulnerable victims. In several cases, the calls resulted in elderly people being tricked into paying for boiler insurance they didn’t need.
  • 05 December 2014 a monetary penalty of £70,000 was issued to Manchester Ltd after it sent unsolicited text messages that appeared on the recipients’ mobile phones to have been sent by “Mum”.
  • 05 November 2014 a monetary penalty of £7,500 was issued to Worldview Limited following a serious data breach in which a vulnerability on the company’s site allowed attackers to access the full payment card details of 3,814 customers.
  • 01 October 2014 a monetary penalty of £70,000 was issued to EMC Advisory Services Limited for making hundreds of nuisance calls. The company was responsible for 630 complaints to the ICO and the TPS between 1 March 2013 and 28 February 2014. It failed to make sure that those registered with the TPS, or who had previously asked not to be contacted, weren’t being called.
  • 26 August 2014 a monetary penalty of £180,000 was issued to the Ministry of Justice over serious failings in the way prisons in England and Wales had been handling people’s information.
  • 28 July 2014 a monetary penalty of £50,000 was issued to Reactiv Media Limited after an investigation discovered it had made unsolicited calls to hundreds of people who had registered with the Telephone Preference Service (TPS).
  • 23 July 2014 a monetary penalty of £150,000 was issued to Think W3 Limited after a serious breach of the Data Protection Act revealed thousands of people’s details to a malicious hacker.
  • 03 April 2014 a monetary penalty of £50,000 was issued to Amber UPVC Fabrications Ltd (T/A Amber Windows) after an investigation discovered it had made unsolicited marketing calls to people who had registered with the Telephone Preference Service (TPS).
  • 19 March 2014 a monetary penalty of £100,000 was issued to Kent Police after highly sensitive and confidential information, including copies of police interview tapes, was left in a basement at the former site of a police station.
  • 07 March 2014 a monetary penalty of £200,000 was issued to the British Pregnancy Advice Service after a hacker threatened to publish thousands of names of people who had sought advice on abortion, pregnancy and contraception.
  • 11 January 2014 a monetary penalty of £185,000 was issued to the Department of Justice Northern Ireland after a filing cabinet containing details of a terrorist incident was sold at auction.

ICO statement on Monetary Penalties

Undertakings

Undertakings are formal agreements between an organisation and the ICO to undertake certain actions to avoid future breaches of the Data Protection Act; typically these cover encryption, training and management procedures.

  • 19 December 2014 Treasury Solicitors Department. A follow up has been completed to provide an assurance that the Treasury Solicitors Department has appropriately addressed the actions agreed in its undertaking signed February 2014.
  • 19 December 2014 Wirral Metropolitan Borough Council. A follow up has been completed to provide an assurance that Wirral Metropolitan Borough Council has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 19 December 2014 Caerphilly County Borough Council. A council that ordered covert surveillance on a sick employee must review its approach after an Information Commissioner’s Office (ICO) investigation. The ICO found the Council breached the Data Protection Act when it ordered the surveillance of an employee suspected of fraudulently claiming to be sick.
  • 15 December 2014 St Helens Metropolitan Borough Council. A follow up has been completed to provide an assurance that St Helens Metropolitan Borough Council has appropriately addressed the actions agreed in its undertaking signed June 2014.
  • 01 December 2014 Dudley Metropolitan Borough Council. A follow up has been completed to provide an assurance that Dudley Metropolitan Borough Council has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 28 November 2014 Oxfordshire County Council. A follow up has been completed to provide an assurance that Oxfordshire County Council has appropriately addressed the actions agreed in its undertaking signed June 2014.
  • 28 November 2014 Aspers (Milton Keynes) Limited. A follow up has been completed to provide an assurance that Aspers (Milton Keynes) Limited has appropriately addressed the actions agreed in its undertaking signed June 2014.
  • 26 November 2014 Department of Justice Northern Ireland. A follow up has been completed to provide an assurance that the Department of Justice Northern Ireland has appropriately addressed the actions agreed in its undertaking signed May 2014.
  • 17 November 2014 London Borough of Barking and Dagenham. A follow up has been completed to provide an assurance that London borough of Barking and Dagenham has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 05 November 2014 Student Loans Company. A follow up has been completed to provide an assurance that Student Loans Company has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 05 November 2014 Royal Veterinary College. A follow up has been completed to provide an assurance that The Royal Veterinary College has appropriately addressed the actions agreed in its undertaking signed October 2013.
  • 24 October 2014 Gwynedd Council. An Undertaking to comply with the seventh data protection principle has been signed by Gwynedd Council following two breaches of the Data Protection Act.
  • 24 October 2014 Disclosure and Barring Service. An undertaking to comply with the first data protection principle has been signed by the Disclosure and Barring Service.
  • 08 October 2014 South Western Ambulance Service NHS Trust. An undertaking to comply with the first, third and seventh data protection principles has been signed by South Western Ambulance Service NHS Trust. This includes the completion of a Privacy Impact Assessment in respect of data sharing. This follows an investigation whereby patient data relating to 45,431 data subjects was shared with a Clinical Commissioning Group (‘CCG’) without a legal basis to do so. There were also security concerns surrounding the manner in which the data was stored on discs when being distributed to the CCG.
  • 08 October 2014 Weathersby Limited. An undertaking to comply with the seventh data protection principle has been signed by Weathersby Limited after the company failed to secure an internal server properly, resulting in personal data relating to clients being made available on the internet.
  • 07 October 2014 Basildon and Thurrock University Hospitals NHS Foundation Trust. An undertaking to comply with the seventh data protection principle has been signed by Basildon and Thurrock University Hospitals NHS Foundation Trust. This follows an investigation into two reported incidents involving disclosures of personal data to third parties in error.
  • 25 September 2014 Norfolk Community Health & Care NHS Trust. An undertaking to comply with the first, third and seventh data protection principle has been signed by Norfolk Community Health & Care NHS Trust. This follows an investigation involving the inadvertent sharing of data with a referral management centre.
  • 22 September 2014 Oxford Health NHS Foundation Trust. An undertaking to comply with the seventh data protection principle has been signed by Oxford Health NHS Foundation Trust.  This follows an investigation into two separate incidents involving disclosures of personal data.
  • 09 September 2014 Isle of Scilly Council. An undertaking to comply with the seventh data protection principle has been signed by the Council of the Isle of Scilly. This follows an investigation into two separate incidents. The first relating to confidential information which was part of a disciplinary hearing being sent unredacted to third parties.
  • 28 August 2014 Racing Post. An undertaking to comply with the seventh data protection principle has been signed by the Racing Post. This follows an investigation whereby the Racing Post website was subject to an internet based SQL injection attack which gave access to a customer database. The data included customer registration details relating to 677,335 data subjects.
  • 13 August 2014 Wokingham Borough Council. A follow up has been completed to provide an assurance that Wokingham Borough Council has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 11 August 2014 Thamesview Estate Agents Ltd. An undertaking to comply with the seventh data protection principle has been signed by Thamesview Estate Agents Ltd after the company continued to leave papers containing personal information on the street despite a previous warning. The papers were stored in transparent bags and the information was clearly visible to anyone who walked past.
  • 18 July 2014 The Moray Council. A follow up has been completed to provide an assurance that The Moray Council has appropriately addressed the actions agreed in its undertaking signed May 2014.
  • 09 July 2014 Betsi Cadwaladr University Health Board. An undertaking to comply with the seventh data protection principle has been signed by Betsi Cadwaladr University Health Board after sensitive information was sent to the wrong address.
  • 27 June 2014 Oxfordshire County Council. An undertaking to comply with the seventh data protection principle has been signed by Oxfordshire County Council. This follows an investigation whereby a solicitor had removed a number of documents from the office but had dropped these in a street near their home. The sensitive personal data related to three child protection cases concerning 22 data subjects.
  • 23 June 2014 Aspers (Milton Keynes) Limited. An undertaking to comply with the seventh data protection principle has been signed by Aspers (Milton Keynes) Limited, following an email which was sent in error to a recipient outside of the organisation.
  • 19 June 2014 Department of Justice Northern Ireland. An undertaking to comply with the seventh data protection principle has been signed by Department of Justice Northern Ireland. This follows the sale of a filing cabinet that contained documents originating from within the Northern Ireland Prison service. The documents contained personal data, as defined by section 1 of the Data Protection Act 1998 (the Act), which was sensitive in nature.
  • 17 June 2014 Aberdeenshire Council. An undertaking to comply with the seventh data protection principle has been signed by Aberdeenshire Council after a paper file was lost by an employee of the Adult Mental Health section of the council’s Social Work service. The employee had placed the file on the roof of his car before driving off.
  • 16 June 2014 Cardiff and Vale University Health Board. A follow up has been completed to provide an assurance that Cardiff and Vale University Health Board has appropriately addressed the actions agreed in its undertaking signed October 2013.
  • 09 June 2014 Worcestershire Health and Care NHS Trust. An undertaking to comply with the seventh data protection principle has been signed by Worcestershire Health and Care NHS Trust. This follows an investigation whereby the local press were handed a patient handover sheet containing details of 18 patients.
  • 02 June 2014 Jephson Homes Housing Association Ltd. An undertaking to comply with the seventh data protection principle has been signed by Jephson Homes Housing Association Ltd. This follows an investigation into the disclosure in error of several documents containing third party personal data when providing documents to an individual as part of a litigation process.
  • 30 May 2014 Panasonic UK. A follow up has been completed to provide an assurance that Panasonic UK has appropriately addressed the actions agreed in its undertaking signed October 2013.
  • 30 May 2014 St Helens Metropolitan Borough Council. An undertaking to comply with the seventh data protection principle has been signed by St Helens Metropolitan Borough Council after a child’s foster placement address was disclosed in error. Investigations identified that the Council had selected the correct recipient and had redacted the majority of documents disclosed; however, the address was missed on one document.
  • 30 May 2014 London Borough of Barking & Dagenham. An undertaking to respond in a quicker and more effective manner to losses of personal data has been signed by London Borough of Barking & Dagenham. This follows an investigation into the loss of a file containing medical data relating to eleven children, which discovered that although the council knew where the file was, it had still not been retrieved five months later.
  • 27 May 2014 Student Loans Company. An undertaking to comply with the seventh data protection principle has been signed by the Student Loans Company Limited following an investigation by the ICO into three separate incidents involving the disclosure of documents to the incorrect recipients. The investigation identified that, whilst checking procedures were in place, documents containing sensitive personal data were subject to fewer checks than those containing less sensitive data.
  • 16 May 2014 Great Ormond Street Hospital for Children NHS Foundation Trust. A follow up has been completed to provide an assurance that Great Ormond Street Hospital for Children NHS Foundation Trust has appropriately addressed the actions agreed in its undertaking signed November 2013.
  • 12 May 2014 The Moray Council. An undertaking to comply with the seventh data protection principle has been signed by The Moray Council. This follows an investigation into the loss of a file containing adoption meeting papers at a café in the local area.
  • 25 April 2014 Dudley Metropolitan Borough Council. An undertaking to comply with the seventh data protection principle has been signed by Dudley Metropolitan Borough Council. This follows an investigation whereby a social worker had left a case file containing sensitive personal data at a client’s home. The case file outlined child welfare concerns and disclosed the identity of the source.
  • 15 April 2014 Wirral Borough Council. An undertaking to comply with the seventh data protection principle has been signed by Wirral Borough Council after social services records containing sensitive personal information were sent to the wrong addresses on two occasions. The information, which was disclosed in February and April 2013, included sensitive personal details relating to two families living in the borough and in one case included details of a criminal offence committed by one of the family members.
  • 15 April 2014 Wokingham Borough Council. An undertaking to comply with the seventh data protection principle has been signed by Wokingham Borough Council, after sensitive social services records relating to the care of a young child were lost. The information, which had been requested by a family member, was lost after the delivery driver left the documents outside the requester’s home in August 2013.
  • 11 April 2014 Royal Borough of Windsor and Maidenhead. A follow up has been completed to provide an assurance that the Royal Borough of Windsor and Maidenhead has appropriately addressed the actions agreed in its undertaking signed September 2013.
  • 28 March 2014 Barking, Havering & Redbridge University Hospitals NHS Trust. An undertaking to comply with the seventh data protection principle has been signed by Barking, Havering & Redbridge University Hospitals NHS Trust. This follows an investigation by the ICO into a series of fax related incidents which revealed that the Trust had a very low attendance rate for Information Governance training.
  • 20 March 2014 Disclosure and Barring Service. An undertaking to comply with the first data protection principle has been signed by the Disclosure and Barring Service.
  • 14 March 2014 Cardiff City Council. A follow up has been completed to provide an assurance that Cardiff City Council has appropriately addressed the actions agreed in its undertaking signed August 2013.
  • 13 March 2014 Neath Care. An undertaking to comply with the seventh data protection principle has been signed by Neath Care. This follows the disclosure of ten client care service delivery plans which were found by a member of the public in the street. The care service delivery plans related to elderly people and contained confidential client information on matters such as personal care, medication and key safe numbers.
  • 26 February 2014 Treasury Solicitor’s Department. An undertaking to comply with the seventh data protection principle has been signed by the Treasury Solicitor’s Department. The data controller agreed to put measures in place to ensure the security of the personal data it handles.
  • 24 January 2014 Hillingdon Hospitals NHS Foundation Trust. A follow up has been completed to provide an assurance that Hillingdon Hospitals NHS Foundation Trust has appropriately addressed the actions agreed in its undertaking signed September 2013.
  • 10 January 2014 Northern Health and Social Care Trust. A follow up has been completed to provide an assurance that Northern Health and

Prosecution

  • 13 November 2014 Harkanwarjit Dhanju. A former pharmacist working for West Sussex Primary Care Trust has been prosecuted for unlawfully accessing the medical records of family members, work colleagues and local health professionals. Harkanwarjit Dhanju was fined £1,000, ordered to pay a £100 victim surcharge and £608.30 prosecution costs.
  • 11 November 2014 Matthew Devlin. Company director Matthew Devlin has been fined after illegally accessing one of Everything Everywhere’s (EE) customer databases. Devlin used details of when customers were due a mobile phone upgrade to target them with services offered by his own telecoms companies.
  • 22 August 2014 Dalvinder Singh. A Birmingham banker has been fined after he admitted reading his colleagues’ bank accounts. He worked in Santander UK’s suspicious activity reporting unit at their Leicester office. His role investigating allegations of money laundering meant he was able to view customer accounts. But he used his access to look at eleven colleagues’ accounts, to learn how much their salaries and bonuses were.
  • 06 August 2014 A Plus Recruitment Limited. A recruitment company has been prosecuted today at Doncaster Magistrates Court for failing to notify the ICO. A Plus Recruitment Limited pleaded guilty and was fined £300 and ordered to pay costs of £489.95 and a victim surcharge of £30.
  • 05 August 2014 1st Choice Properties (SRAL). A property lettings and management company has been prosecuted for failing to notify the ICO at Uxbridge Magistrates Court today. 1st Choice Properties (SRAL) was convicted in the defendant’s absence and fined £500, ordered to pay costs of £815.08 and a victim surcharge of £50.
  • 15 July 2014 Jayesh Shah. The owner of a marketing company trading as Vintels has been prosecuted for failing to notify the ICO of changes to his notification at Willesden Magistrates Court today. Jayesh Shah was fined £4,000, ordered to pay costs of £2,703 and a £400 victim surcharge.
  • 14 July 2014 Hayden Nash Consultants. A recruitment company has been prosecuted for failing to notify the ICO at Reading Magistrates Court today. Hayden Nash Consultants entered a guilty plea and was fined £200, ordered to pay costs of £489.85 and a £20 victim surcharge.
  • 10 July 2014 Stephen Siddell. A former branch manager for Enterprise Rent-A-Car has been prosecuted for unlawfully stealing the records of almost two thousand customers before selling them to a claims management company. Stephen Siddell was fined £500, ordered to pay a £50 victim surcharge and £264.08 in prosecution costs.
  • 09 July 2014 Global Immigration Consultants Limited. A legal advice company has been prosecuted for failing to notify the ICO at Manchester Magistrates Court today. Global Immigration Consultants Limited entered a guilty plea and was fined £300, ordered to pay costs of £260.18 and a £30 victim surcharge.
  • 06 June 2014 Darren Anthony Bott. The director of a pensions review company has been prosecuted for failing to notify the ICO. Darren Anthony Bott of Allied Union Ltd entered a guilty plea and was fined £400, ordered to pay costs of £218.82 and a £40 victim surcharge.
  • 05 June 2014 API Telecom. A telecoms company has been prosecuted by the ICO for failing to comply with an information notice in Westminster Magistrates’ Court yesterday. The company, API Telecom, entered a guilty plea and was fined £200, ordered to pay full costs of £489.85 and the victim surcharge was imposed.
  • 13 May 2014 QR Lettings. A property company has been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act. QR Lettings pleaded guilty at a hearing on 13 May 2014 at Birkenhead Magistrates Court. The company was fined £250, ordered to pay costs of £260 and a £30 victim surcharge.
  • 25 April 2014 Barry Spencer. A man who ran a company that tricked organisations into revealing personal details about customers has been ordered to pay a total of £20,000 in fines and prosecution costs, as well as a confiscation order of over £69,000 at a hearing at Isleworth Crown Court.
  • 25 April 2014 Allied Union Limited. A pension review company has been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act. Allied Union Limited pleaded guilty at a hearing on 25 April 2014 at Swansea Magistrates Court. The company was fined £400, ordered to pay costs of £338.11 and a victim surcharge of £40.
  • 25 March 2014 Help Direct UK Limited. A financial advisory firm has been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act. Help Direct UK Limited pleaded guilty at a hearing on 25 March 2014 at Swansea Magistrates Court. The company was fined £250, ordered to pay costs of £248.83 and a victim surcharge of £25.
  • 12 March 2014 Boilershield Limited. A plumbing company and its director have been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act. Boilershield Limited and its director, Mohammod Ali, pleaded guilty at a hearing on 12 March 2014 at Bromley Magistrates. They were both fined £1,200, ordered to pay costs of £196.87 and a victim surcharge of £120.
  • 11 March 2014 Becoming Green (UK) Ltd. A Cardiff-based green energy deal company, Becoming Green (UK) Ltd, has been prosecuted by the Information Commissioner’s Office after failing to notify the ICO that it handled customers’ personal data. The offence was uncovered when the company was being monitored following concerns about compliance.
  • 24 January 2014 ICU Investigations Limited. Six men who were part of a company that tricked organisations into revealing personal

Enforcements

  • 19 November 2014 Grampian Health Board (NHS Grampian). The Information Commissioner’s Office has ordered NHS Grampian to take action to make sure patients’ information is better protected.
  • 12 November 2014 Hot House Roof Company. The ICO has issued an enforcement notice against Hot House Roof Company ordering them to stop making nuisance marketing calls. The company had failed to honour suppression requests and repeatedly made calls to a number of individuals despite their being TPS registered.
  • 21 October 2014 Abdul Tayub. The Information Commissioner’s Office has served Abdul Tayub with an enforcement notice after he was found to be sending unsolicited marketing mail by electronic means without providing information as to his identity and without prior consent.
  • 12 September 2014 All Claims Marketing Limited. The Information Commissioner’s Office has served All Claims Marketing Limited with an enforcement notice after the company was found to be sending unsolicited marketing mail by electronic means without providing information as to its identity.
  • 03 September 2014 Winchester and Deakin Limited. The Information Commissioner’s Office has served Carmarthen-based direct marketing company Winchester and Deakin Limited (also trading as Rapid Legal and Scarlet Reclaim) with an enforcement notice ordering them to stop making nuisance calls. The move comes after an investigation discovered they had made unsolicited marketing calls to people who had registered with the Telephone Preference Service (TPS) or who had asked not to be contacted.
  • 16 June 2014 DC Marketing Limited. The ICO has issued an enforcement notice against DC Marketing Limited after the company made hundreds of nuisance calls to try and get people to purchase solar panels partly financed by the Green Deal Home Improvement Fund. An ICO investigation found the company also frequently gave a false name to avoid detection.
  • 29 May 2014 Wolverhampton City Council. The ICO has issued an enforcement notice against Wolverhampton City Council, following an investigation into a data breach at the council that occurred in January 2012. The breach was caused when a social worker, who had not received data protection training, sent out a report to a former service user detailing their time in care. However, the social worker failed to remove highly sensitive information about the recipient’s sister that should not have been included.
  • 03 April 2014 Amber UPVC Fabrications Ltd (T/A Amber Windows). The ICO has issued an enforcement notice against Amber Windows ordering them not to call subscribers who have previously told them not to ring or subscribers who have not consented to them calling and have registered the number with the TPS for at least the required 28 days.
  • 10 March 2014 Isisbyte Limited. The ICO has served an enforcement notice on Isisbyte Limited after the company was found to be making unsolicited marketing calls without providing information as to their identity.
  • 10 March 2014 SLM Connect Limited. The ICO has served an enforcement notice on SLM Connect Limited after the company was found to be making unsolicited marketing calls without providing information as to their identity.

Who has breached the Data Protection Act in 2012? Find the complete list here.

Who breached the Data Protection Act in 2013? Find the complete list here.

Data Breaches for the first quarter of 2014

Safenet Infographic on Data Breaches in the first quarter of 2014

The European Cybercrime Centre – one year on

What are the main future cybercrime threats on the horizon? And how has the European Cybercrime Center (EC3) contributed to protect European citizens and businesses since its launch in January 2013? 

These questions are at the core of an EC3 report presented today, and discussed at a conference organised by the Commission, with participants from law enforcement authorities, national and EU institutions and the private sector.

“Criminal behaviour is changing fast, exploiting technological developments and legal loopholes. Criminals will continue to be creative and deploy sophisticated attacks to make more money, and we must be able to keep up with them. The expertise of the EC3 is helping us to fight this battle and boost European cooperation. Through several successful, far-reaching operations in the past year, the European Cybercrime Centre has already earned well-deserved fame amongst law enforcement agencies”, said Commissioner for Home Affairs Cecilia Malmström.

Troels Örting, Head of the European Cybercrime Centre added: “In the 12 months since EC3 opened we have been extremely busy helping EU law enforcement authorities to prevent and investigate cross-border cybercrime. I am proud and satisfied with our results so far, however we cannot rest on our laurels. I am especially worried about the increasingly complex forms of malware that are surfacing, along with more technologically advanced cyber-scams, and the so-called ‘sextortion’ of minors. We have only seen the tip of the iceberg, but EC3, backed by our valued stakeholders and partners, is dedicated to supporting Member States’ future frontline cybercrime operations.”

According to a recent Eurobarometer survey:

  • 12% of European internet users have had their social media or email account hacked
  • 7% have been the victim of credit card or banking fraud online

EC3 achievement highlights

The main task of the European Cybercrime Centre is to disrupt the operations of organised crime networks that commit serious and organised cybercrime (for more details, see MEMO/13/6 and infographics). Concretely, the EC3 supports and coordinates operations and investigations conducted by Member States’ authorities in several areas. Recent examples include:

High-tech crimes (cyber-attacks, malware)

In its first year, the EC3 assisted in the coordination of 19 major cybercrime operations, for instance: 

  • Two major international investigations (Ransom and Ransom II) were concluded, related to so-called Police Ransomware – a type of malware that blocks the victim’s computer, accusing the victim of having visited illegal websites containing child abuse material or other illegal activity. Criminals request the payment of a “fine” to unblock the victim’s computer, making the Ransomware look as if it comes from a legitimate law enforcement agency. Cybercriminals convince the victim to pay the ‘fine’ of around €100 through two types of payment gateways – virtual and anonymous. The criminals investigated by EC3 infected tens of thousands of computers worldwide, bringing in profits in excess of one million euros per year. 13 arrests were made (mainly in Spain) and the networks were broken up.
  • EC3 has also supported several international initiatives in the areas of botnet takedowns, disruption and investigation of criminal forums and malware attacks against financial institutions, such as the recent takedown of the ZeroAccess botnet together with Microsoft and high-tech crime units from the German BKA, Netherlands, Latvia, Luxembourg and Switzerland.

Online child sexual exploitation

At present, EC3 supports 9 large child sexual exploitation police operations within the European Union. In the first year of EC3, significant efforts – jointly with many Member States and non-EU cooperation partners – were put into combating the illegal activities of paedophiles engaged in the online sexual exploitation of children using hidden services.

EC3 is involved in many operations and joint investigations targeting the production and distribution of child abuse material on various internet platforms. It is providing ongoing operational and analytical support to investigations on the dark net, where paedophiles trade in illicit child abuse material in hidden forums, as well as to investigations into ‘sextortion’. Sextortion is the term given to the phenomenon where child abusers gain access to inappropriate pictures of minors and use the images to coerce victims into further acts or the abuser will forward the images to family and friends of the victim.

Payment fraud

The EC3 is currently providing operational and analytical support to 16 investigations, regarding payment fraud. In 2013 it supported investigations resulting in three different international networks of credit card fraudsters being dismantled: 

  • One operation led to the arrest of 29 suspects who had made a 9 million Euro profit by compromising the payment credentials of 30,000 credit card holders. 
  • The second network that was tackled resulted in 44 arrests during the operation (which followed 15 previous arrests; 59 arrests in total) in several Member States, two illegal workshops for producing devices and software to manipulate Point-of-Sale terminals dismantled, illegal electronic equipment, financial data, cloned cards, and cash seized. The organised crime group had affected approximately 36,000 bank/credit card holders in 16 European countries. 
  • The third operation targeted an Asian criminal network responsible for illegal transactions and the purchasing of airline tickets. Two members of the criminal gang, travelling on false documents, were arrested at Helsinki airport. Around 15,000 compromised credit card numbers were found on seized computers. The network had been using card details stolen from cardholders worldwide. In Europe, over 70,000 euros in losses were suffered by card holders and banks. 
  • An operation against airline fraudsters using fraudulent credit cards to purchase airline tickets was coordinated by the EC3 in 38 airports from 16 European countries. During the operation, more than 200 suspicious transactions were reported by the industry and 43 individuals were arrested (followed by another 74 arrests after the action day; 117 arrests in total). These were all found to be linked to other criminal activities, such as the distribution of credit card data via the internet, intrusions into financial institutions’ databases, other suspicious transactions, drug trafficking, human smuggling, counterfeit documents including IDs, and other types of fraud. Some of those detained were already wanted by judicial authorities under European Arrest Warrants.

Future threats and trends in cybercrime

Currently, around 2.5 billion people worldwide have access to the internet and estimates suggest that around another 1.5 billion people will gain access in the next four years. As our online life, with all its immense advantages, will continue to grow, so will our exposure to online crime. In its first yearly report, the EC3 looks at future cybercrime threats and trends. Among others, it points to the following: 

Growing ranks of criminals. The threshold for stepping into the business of cybercrime is becoming very low. Already now, a complete underground economy has developed, where all sorts of criminal products and services are traded, including drugs, weapons, hired killings, stolen payment credentials and child abuse material. Any kind of cybercrime can be procured even without technical skills: password cracking, hacking, tailor-made malware or DDoS attacks.

More demand. It is expected that the demand for and use of cybercrime services will increase, resulting in an even stronger growth of the development, testing and distribution of malware; building and deployment of botnets; theft and trade in payment credentials as well as money laundering services.

Increased sophistication. The development of more aggressive and resistant types of malware is expected. This includes ransomware with more advanced encryption complexity; more resilient botnets; and banking malware and Trojans with advanced sophistication, in order to circumvent protection measures by financial institutions.

Even more global. Due to rapidly spreading internet connectivity, cybercrime originating in Southeast Asia, Africa and South America will grow.

Going mobile. A shift of malware development is expected towards the operation on, and distribution through, mobile devices.

Smarter distribution. New ways of distributing aggressive and resistant types of malware are expected in the coming years. There is also an increasing, worrying trend of offering child abuse through live streaming, which leaves police without evidence unless intercepted at the time of transmission.

Increased need for money-laundering. Criminals will seek easy ways of cashing and laundering profits. Targeting large numbers of citizens and small to mid-sized companies for relatively small amounts is a scenario likely to continue. But also the use of payment credentials for online purchases will grow. The demand for e-currencies and other anonymous payment systems will rise further.

Targeting of cloud services. The hacking of cloud services becomes more and more interesting for criminals. It is expected that criminals will increasingly aim at hacking such services for the purpose of spying, retrieval of credentials and extortion.

To address these developments and fight a crime that by its very nature knows no borders or jurisdictions, the EC3 will continue to provide operational support to law enforcement agencies from EU Member States and from non-EU cooperation partners. It will further develop its expertise in training and capacity building, strategic analysis and digital forensic support.

Reproduced from http://europa.eu/index_en.htm

Employees and Companies Not Taking BYOD Security Seriously

For the second year in a row, Coalfire examined the BYOD trend for interconnected employees and what it means for companies and the protection of their corporate data. Most organizations want the increase in productivity that mobile devices offer, but the majority do not provide company-owned tablets or mobile phones as a cost-saving measure. Employees who want to use these devices must buy their own and are all too often left to secure potentially private information themselves.

RSA’s September 2013 Online Fraud Report featuring a review of “education in the cybercriminal world”

RSA’s September 2013 Online Fraud Report discusses the improvement in cybercriminal skills and how education offered online, with the support of tutors, course work and counselling, is increasing the threat to businesses and people alike.

RSA have seen an increase in ads by established criminals advertising courses they commonly carry out via Skype videoconferencing. To add value, “teachers” are offering interesting fraud courses, following those up with individual tutorials (Q&A sessions) after students join their so-called schools.

As Fraud-as-a-Service (FaaS) strives to resemble legitimate business models, fraudster trade schools further offer ‘job placement’ for graduates through their many underground connections with other experienced criminals. Interestingly, some of the “teachers” go the extra mile and vouch for students who show “talent” so that they can join underground communities they would otherwise not be able to access.

Some cybercrime professors even enforce a rigid absentee policy:

  • Students must give two hours’ advance notice if they cannot attend.
  • Students who fail to notify ahead of time are fined 50% of the fee, and rescheduled for the next class.
  • Students who fail to pay absentee fees will forfeit the entire deposited fee.

The following section presents some examples of cybercrime schooling curriculums exposed by RSA fraud analysts.

Beginners’ cybercrime classes

The first level is designed for beginners, teaching the basics of online financial fraud. The Cybercrime Course Curriculum:

  • The Business of Fraud – Credit cards, debit cards, drop accounts, how it all works, who the clients are, prices, risks
  • Legal Aspects – How to avoid being caught by the authorities. What can be used against you in a court of law?
  • Building Your Business – Where to find clients? How to build a top-notch fraud service
  • Transaction Security – How to avoid getting scammed, and how to spot shady escrow services
  • Price per lecture 2,500 Rubles (about $75 USD)

Courses in card fraud

Criminals further offer the much in demand payment card fraud classes – one course per payment card type. Card Fraud Course Curriculum:

  • The Business – Drops, advertising, accomplices, chat rules and conventions
  • Legal Security – Dealing with law enforcement: who is accountable for the crime in organized groups, what can be collected as evidence
  • Building Your Business – Invaluable tips that will help develop your service to top level, and help acquire customers
  • Security of Transactions – Common patterns of rippers/ripping, how to identify scams, how to use escrow services
  • Price per lecture 2,500 Rubles (about $75 USD)
  • Price per course 2,500 Rubles (about $75 USD); both courses 4,000 Rubles (about $120 USD)

Anonymity and security course

Stressing the importance of avoiding detection and maintaining anonymity, this course teaches a fraudster how to erase digital “fingerprints”. The tutoring vendor offers practical lessons in configuring a computer for complex security and anonymity features. This course includes a theoretical and a practical section, with a duration estimated at four hours. Anonymity Course Curriculum:

  • Configuring and using Anonymity tools – Antivirus and firewall, Windows security (ports and ‘holes’), virtual keyboards, shutting off browser logging, eliminating history/traces on the PC, applications for permanent data removal, data encryption on the hard drive, Anonymizer applications, VPN – installation/configuration, using SOCKS – where to buy them, hiding one’s DNS server, dedicated servers, TOR browsers, safe email mailboxes, using disposable email, using a cryptic self-destruct flash drive, creating cryptic self-destruct notes, extra advanced topic – tools for remotely liquidating a hard drive
  • Botnets – Independent study (online document/site link provided)
  • Using Chat Channels – Using ICQ, Skype, Jabber, registering Jabber on a safe server, OTR/GPG encryption in a Jabber chat, passing a key and chatting on a secure channel via Jabber
  • Legal – Electronic evidence one might be leaving behind, and that can be used against fraudsters by law enforcement
  • Price per course – 3,300 Rubles (about $99 USD); $35 additional charge for installing a VPN

Mule Herding Course Curriculum:

  • Theory section (2-3 hrs.) – Fundamentals – opening a mule-recruitment service, legal and practical security measures, finding accomplices and partners
  • Practical section (3-5 hrs.) – Receive a prepared transaction to handle, and earn 10% on this initial transaction (if one succeeds). If the student fails, a second transaction will be offered, at a cost of 1,500 Rubles ($45 USD) and no percentage earned.
  • Upon successful completion of the test, fraudsters receive official confirmation by public notice from the lecturer in the community. This part is only open to students who have completed the theory section, and have set up the anonymity and security tools and have the additional tools required for the transaction

One-on-one tutorials and consultations

With a money-back guarantee promised to students, one crime school offers personal one-on-one tutorials and problem solving sessions via Skype. Special tutorial topics:

  • Banking and Credit Cards – “Black and white” credit, fake documents, banking algorithms and security measures (Russian Federation only)
  • Debit Cards – The finer details of working with debit cards and setting up a service (Russian Federation only)
  • Registering and using Shell Corporations – Legal issues and practical problems in using Shell Corporations for fraud (Russian Federation only)
  • Legal Liability Issues – Your legal rights, practical advice on interaction with law enforcement agencies, counselling services even while under investigation (Russian Federation only)
  • Setting up Anonymity – Practical help in setting up anonymity, and answers to questions from the course (any country)
  • Price 2,000 Rubles (about $60) per hour

The school of carding

Approaching the subject that is highest in demand in the underground, vendors have opened schools for carding – teaching the different ways to use payment cards in fraud scenarios. One vendor offers classes on a daily basis, at two levels of expertise, and indicates that he gives his personal attention to each student. The vendor also assures his students that his resources (compromised data) are fresh, personally tested by him, and never before made available on any ‘public’ lists.

School of Carding – Basic Curriculum:

  • Current Working BINs – Credit card BIN numbers that have been verified as successful in carding scenarios.
  • Websites for Clothing, Electronics, etc. – Which merchants make the best targets for carding?
  • Tips and Tricks – Extra insights from personal experience.
  • Price $25 USD

School of Carding – Advanced Curriculum

  • BINs and Banks – Recommended BIN numbers that give best results in carding
  • Tested sites – A list of tested e-commerce sites recommended for carding clothing, electronic goods, and more.

Phishing Attacks per Month

RSA identified 33,861 phishing attacks launched worldwide in August, marking a 25% decrease in attack volume from July. Based on this figure, RSA estimates that phishing resulted in $266 million in losses to global organizations in August.

US Bank Types Attacked

U.S. nationwide banks remained the most targeted with two out of three phishing attacks targeted at that sector in August while U.S. regional banks saw an 8% increase in phishing attacks.

Top Countries by Attack Volume

The U.S. remained the most targeted country in August with 50% of the total phishing volume, followed by the UK, Germany and India which collectively accounted for approximately 30% of phishing volume.

Top Countries by Attacked Brands

In August, 26% of phishing attacks were targeted at brands in the U.S., followed by the UK, Australia and India.

Top Hosting Countries

Four out of every ten phishing attacks were hosted in the U.S. in August. Canada, the Netherlands and the UK collectively hosted 25% of phishing attacks.

Previous 3 RSA Online Fraud Report Summaries


3 simple tips to improve security in the cloud

In its 2013 Security Threat Report, Sophos provided 3 tips on how to be more secure when using the cloud.

The tips are simple but straight to the point, so I thought I would share them.

  1. Apply web-based policies using URL filtering, controlling access to public cloud storage websites and preventing users from browsing to sites you’ve declared off-limits. 
  2. Use application controls to block or allow particular applications, either for the entire company or for specific groups. 
  3. Automatically encrypt files before they are uploaded to the cloud from any managed endpoint. An encryption solution allows users to choose their preferred cloud storage services, because the files are always encrypted and the keys are always your own. Because encryption takes place on the client before any data is synchronised, you retain full control over the safety of your data: a breach at the cloud storage provider exposes only ciphertext. Central keys give authorised users or groups access to files and keep those files encrypted for everyone else. Should a user’s key become unavailable, for example because the user has forgotten their password, the security officer inside the enterprise still holds the central keys and can make sure the right people regain access to that file.
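Tip 3 is the one with a concrete mechanism behind it, so here is an added example of what “encrypt on the client, keep the keys your own, recover centrally” looks like in practice. This is envelope encryption written for this page in Go using only the standard library (crypto/aes, crypto/cipher); it is not Sophos’s product code or code from the original post. The central key, the file name and the file content are constructed for the example; in a real deployment the central key would live in a key server or HSM rather than a local byte slice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is the only thing the sync client ever hands to the cloud provider:
// the file body encrypted under a random per-file data key, and that data key
// wrapped under the organisation's central key. Neither part is usable without
// the central key, which never leaves the organisation.
type Envelope struct {
	WrappedKey []byte // per-file data key, sealed under the central key
	Body       []byte // file content, sealed under the per-file data key
}

// sealGCM encrypts plaintext with AES-256-GCM under key. A fresh random nonce
// is prepended to the output; aad is authenticated but not encrypted.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM. Tampering with the ciphertext, the nonce or the
// aad makes gcm.Open fail, so a corrupted or swapped object is never decrypted.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data shorter than a nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptForUpload runs on the managed endpoint before the file reaches the
// sync folder. The file name is bound in as AAD so an envelope cannot be
// renamed to stand in for a different file without failing authentication.
func EncryptForUpload(centralKey []byte, fileName string, content []byte) (*Envelope, error) {
	dataKey := make([]byte, 32) // fresh 256-bit key per file
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	body, err := sealGCM(dataKey, content, []byte(fileName))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(centralKey, dataKey, []byte(fileName))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Body: body}, nil
}

// DecryptFromCloud is what an authorised user runs, and equally what the
// security officer runs to recover a file whose owner has lost access:
// whoever holds the central key can unwrap the data key and open the body.
func DecryptFromCloud(centralKey []byte, fileName string, env *Envelope) ([]byte, error) {
	dataKey, err := openGCM(centralKey, env.WrappedKey, []byte(fileName))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openGCM(dataKey, env.Body, []byte(fileName))
}

func main() {
	// Constructed sample: a central key held by the organisation and a small file.
	centralKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, centralKey); err != nil {
		panic(err)
	}
	env, err := EncryptForUpload(centralKey, "q3-salaries.xlsx", []byte("constructed sample: salary review"))
	if err != nil {
		panic(err)
	}
	// The provider (or whoever breaches it) holds no central key: decryption is refused.
	if _, err := DecryptFromCloud(make([]byte, 32), "q3-salaries.xlsx", env); err != nil {
		fmt.Println("provider-side decrypt refused:", err)
	}
	plain, err := DecryptFromCloud(centralKey, "q3-salaries.xlsx", env) // security officer recovery
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", string(plain))
}
```

Two design points worth noticing. Wrapping a per-file data key rather than encrypting every file directly under the central key means the central key can be rotated by re-wrapping small key blobs instead of re-encrypting every file, and an individual user can be granted a file by handing them one unwrapped data key without exposing the central key. Binding the file name as AAD is the cheap defence against an attacker at the provider who cannot read files but can move ciphertext around; a renamed or truncated object fails authentication instead of decrypting to something misleading.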


Who breached the Data Protection Act in the first half of 2013?

As we have passed the first half of 2013, I thought it would be a good time to publish the entire list of who fell foul of the UK Data Protection Act and were punished by the Information Commissioner (ICO).

There are three types of punishments administered by the ICO

  1. Monetary. The most serious of the actions and one normally reserved for organisational entities.
  2. Undertaking. Typically applied when an organisation has failed to adhere to good business practice and needs the helping guidance of the ICO
  3. Prosecutions. Normally reserved for individuals who have blatantly breached the Act.

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors such as the size and the financial and other resources of the data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are paid to HM Treasury and not to the ICO. Many argue that the ICO would be a stronger body if it had more money, and that penalties would be a good way to generate that revenue, making it a self-funding government department.

  • 12 July 2013 NHS Surrey. A monetary penalty notice has been served on NHS Surrey following the discovery of sensitive personal data belonging to thousands of patients on hard drives sold on an online auction site. Whilst NHS Surrey has now been dissolved, outstanding issues are being dealt with by the Department of Health.
  • 8 July 2013 Tameside Energy Services Ltd. A monetary penalty notice has been served to Tameside Energy Services Ltd after the Manchester based company blighted the public with unwanted marketing calls.
  • 18 June 2013 Nationwide Energy Services and We Claim You Gain. Monetary penalty notices have been served to Nationwide Energy Services and We Claim You Gain – both companies are part of Save Britain Money Ltd based in Swansea. The penalties were issued after the companies were found to be responsible for over 2,700 complaints to the Telephone Preference Service or reports to the ICO using its online survey, between 26 May 2011 and end of December 2012.
  • 13 June 2013 North Staffordshire Combined Healthcare NHS Trust. A monetary penalty notice has been served to North Staffordshire Combined Healthcare NHS Trust, after several faxes containing sensitive personal data were sent to a member of the public in error.
  • 7 June 2013 Glasgow City Council. A monetary penalty notice has been served to Glasgow City Council, following the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people.
  • 5 June 2013 Halton Borough Council. A monetary penalty notice has been served to Halton Borough Council, in respect of an incident in which the home address of adoptive parents was wrongly disclosed to the birth family.
  • 3 June 2013 Stockport Primary Care Trust. A monetary penalty has been served to Stockport Primary Care Trust following the discovery of a large number of patient records at a site formerly owned by the Trust.
  • 20 March 2013 DM Design Bedroom Ltd. A monetary penalty has been served to DM Design Bedroom Ltd. The company has been the subject of nearly 2,000 complaints to the ICO and the Telephone Preference Service. The company consistently failed to check whether individuals had opted out of receiving marketing calls and responded to just a handful of the complaints received.
  • 15 February 2013 Nursing and Midwifery Council. A monetary penalty has been served to the Nursing and Midwifery Council. The council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. An ICO investigation found the information was not encrypted.
  • 24 January 2013 Sony Computer Entertainment Europe Limited. A monetary penalty has been served to the entertainment company Sony Computer Entertainment Europe Limited following a serious breach of the Data Protection Act. The penalty comes after the Sony PlayStation Network Platform was hacked in April 2011, compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk. Sony failed in its bid to appeal.

Undertakings

Undertakings are formal agreements between an organisation and the ICO to carry out certain actions to avoid future breaches of the Data Protection Act; typically this involves encryption, training and management procedures.

  • 16 July 2013 Janet Thomas. An undertaking to comply with the seventh data protection principle has been signed by Janet Thomas. This follows a report made by a member of the public that approximately 7,435 CV files, containing personal data, were being stored unprotected on the website.
  • 9 July 2013 Health & Care Professions Council (HCPC). An undertaking to comply with the seventh data protection principle has been signed by the Health & Care Professions Council (HCPC) after an incident in which papers containing personal data were stolen on a train in 2011.
  • 12 June 2013 (issued 10 September 2012) Bedford Borough Council. An undertaking to comply with the seventh data protection principle has been signed by Bedford Borough Council relating to the removal of legacy data from a social care database.
  • 2 June 2013 (issued 18 September 2012) Central Bedfordshire Council. An undertaking to comply with the seventh data protection principle has been signed by Central Bedfordshire Council relating to the removal of legacy data from a social care database and in relation to the preparation of planning application documentation for publication.
  • 31 May 2013 Leeds City Council. A follow up has been completed to provide an assurance that Leeds City Council has appropriately addressed the actions agreed in its undertaking signed November 2012.
  • May 2013 Prospect. A follow up has been completed to provide an assurance that Prospect has appropriately addressed the actions agreed in its undertaking signed January 2013.
  • 21 May 2013 (issued 9 November 2011) News Group Newspapers. An undertaking to comply with the seventh data protection principle has been signed by News Group Newspapers, following an attack on the website of The Sun newspaper in 2011.
  • 26 April 2013 The Burnett Practice. An undertaking to comply with the seventh data protection principle has been signed by The Burnett Practice. This follows an investigation whereby an email account used by the practice had been subject to a third party attack. The email account subject to the attack was used to provide test results to patients and included a list of names and email addresses.
  • 4 April 2013 East Riding of Yorkshire Council. An undertaking to comply with the seventh data protection principle has been signed by the East Riding of Yorkshire Council, following incidents last year in which personal data was inappropriately disclosed.
  • 25 January 2013 Mansfield District Council. An undertaking to comply with the seventh data protection principle has been signed by the Managing Director of Mansfield District Council. This follows a number of incidents where personal data of housing benefit claimants was disclosed to the wrong landlord.
  • 16 January 2013 Prospect. An undertaking to comply with the seventh data protection principle has been signed by the union Prospect. This follows an incident in which two files containing personal details of approximately 19,000 members of the union had been sent to an unknown third party email address in error.

Prosecutions

  • 23 May 2013 A former manager of a health service based at a council-run leisure centre in Southampton has been prosecuted under section 55 of the Data Protection Act for unlawfully obtaining sensitive medical information relating to over 2,000 people.
  • 8 April 2013 A Hertfordshire estate agent has been prosecuted under section 17 of the Data Protection Act after failing to notify the ICO.
  • 12 March 2013 A former receptionist at a GP surgery in Southampton has been prosecuted under section 55 of the Data Protection Act for unlawfully obtaining sensitive medical information relating to her ex-husband’s new wife.


Most companies are vulnerable to BYOD risks

A UK survey from Acronis® and the Ponemon Institute reveals that the majority of companies are putting critical data at risk by not having policies in place to protect it once it leaves the company, whether through BYOD or public cloud-based file sharing. By ignoring simple security steps and employee BYOD education, companies are jeopardising their confidential data, exposing it to theft, corruption, hackers, malware and more.

Acronis’ 2013 Data Protection Trends Research, which evaluated responses from more than 570 UK IT professionals, discovered that:

  • Almost 60% have no personal device policy in place
  • 23% with policies make exceptions for executives, who may handle even more sensitive data
  • 23% actually forbid personal devices from accessing the network
  • 79% of organisations have not educated employees on BYOD privacy risks
  • 21% of companies mandate a device password or key lock on personal devices
  • Only 18% perform remote device wipes when employees leave the company, which drastically increases the risk of data leakage.
  • 69% of organisations do not have a policy in place around public clouds
  • 80% have not trained employees in the proper use of these platforms
  • 59% of organisations will support Macs® in the next year
  • 61% say compatibility and interoperability are still big obstacles to getting Macs compliant with IT, which puts data stored and shared across the corporate network and on Apple devices at risk.

“Personal devices have permanently and positively changed the workplace, particularly in the way employees collaborate, work remotely and interact with company data,” said Rick Powles, managing director UK & Ireland, Acronis. “BYOD is a huge opportunity for companies, but our research shows troubling signs of negligence in the face of these dangers. However, with policies and solutions that manage the flow of data between multiple devices and environments, companies can practice safe BYOD with confidence.”

Acronis suggests matching BYOD productivity with policy

To optimise BYOD, protect the bottom line, and avoid data loss and serious compliance issues, organisations should take immediate steps to ensure employees are trained in safe BYOD practices, that personal device and public cloud use are monitored and managed, and that effective data protection solutions are in place to prevent data loss. These are the critical steps to achieving safe BYOD.

IT Security Still Not Protecting the Right Assets Despite Increased Spending

Most IT security resources in today’s enterprise are allocated to protecting network assets, even though the majority of enterprises believe a database security breach would be the greatest risk to their business, according to a report issued by CSO Custom Solutions Group and sponsored by Oracle.

In the survey of 110 companies from industries including financial services, government and high tech, more than two thirds of IT security resources remain allocated to protecting the network layer, while less than one third of staff and budget resources were allocated to protecting core infrastructure such as databases and applications.

Key findings from the report

  • When comparing the potential damage caused by breaches, most enterprises believed that a database breach would be the most severe, as databases contain the most vital and valuable information: intellectual property as well as sensitive customer, employee and corporate financial data.
  • An unbalanced and fragmented approach to security has left many organizations’ applications and data vulnerable to attacks both internally and externally.
  • Today’s findings underscore the relevance of Oracle’s “security inside-out” approach, which means focusing attention on the organization’s most strategic assets: databases, applications and users.
  • Nearly 66% of respondents said they apply a security inside-out strategy, whereas 35% base their strategy on endpoint protection.
  • Even with this fundamental belief in strategy, spending does not truly align: more than 67% of IT security resources, including budget and staff time, remain allocated to protecting the network layer, and less than 23% of resources were allocated to protecting core systems like servers, applications and databases.
  • 44% believed that databases were safe because they were installed deep inside the perimeter.
  • 90% report the same or a higher level of spend compared to 12 months prior. The survey shows that 59% of participants plan to increase security spending in the next year.
  • In 35% of organizations, security spend was influenced by sensational informational sources rather than real organizational risks.
  • 40% of respondents believed that implementing fragmented point solutions created gaps in their security and 42% believe that they have more difficulty preventing new attacks than in the past.

“IT Security has to focus attention on the most strategic assets. Organizations cannot continue to spend on the wrong risks and secure themselves out of business. When attackers do break through the perimeter, they can take advantage of weak security controls against the core systems by exploiting privileged user access, vulnerable applications, and accounts with excessive access,” said Mary Ann Davidson, Chief Security Officer at Oracle. “Organizations have to get the fundamentals right which are database security, application security and identity management.”

“The results of the survey show that the gap between the threat of severe damage to a database attack versus the resources allocated to protecting the database layer is significant, highlighting the disconnect in how organizations are securing their IT infrastructures,” said Tom Schmidt, Managing Editor, CSO Custom Solutions Group.

The full report can be found here.

76% of companies have had a data breach or expect to have a breach

Experian Data Breach Resolution and the Ponemon Institute have released a study that finds that, despite the majority of companies experiencing or anticipating significant cost and business disruption due to a material data breach, they still struggle to take the proper measures to mitigate damage in the wake of an incident.

The report, “Is Your Company Ready for a Big Data Breach?” examines the consequences of data breach incidents and the steps taken to lessen future damage.

Respondents include senior privacy and compliance professionals of organisations that experienced at least one data breach. The top three industries represented are retail, health and pharmaceuticals, and financial services.

“A majority of companies we surveyed indicate they have already or are very likely to lose customers and business partners, receive negative publicity and face serious financial consequences due to a data breach,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “Yet, despite understanding the consequences, many companies struggle to take the right steps to mitigate the fallout following an incident, demonstrating a need for better awareness and investment in the tools that can alleviate negative customer perceptions.”

The study’s key findings include:

Companies experience and anticipate harm due to breaches: companies that suffer data breaches experience significant costs and business disruption, including the loss of business and trust from customers, negative media attention and legal action.

  • 76% of privacy professionals say their organisation already had or expects to have a material data breach that results in the loss of customers and business partners.
  • 75% say they have had or expect to have such an incident that results in negative public opinion and media coverage.
  • 66% of companies have or believe they will suffer serious financial consequences as a result of an incident.

Despite the consequences, incident response remains a challenge: companies struggle to properly handle potential damage due to a data breach and to implement technologies that help prevent future incidents, even after suffering an incident.

  • Despite experiencing a breach, not all companies prepare for a future breach.
  • 39% of companies say they have not developed a formal incident breach preparedness plan even after experiencing a breach.
  • 10% of organizations have data breach or cyber insurance.
  • A majority of organisations surveyed do not provide clear communication and notification to victims following an incident.
  • 21% of respondents have communications teams trained to assist in responding to victims.
  • 30% of respondents say their organisations train customer service personnel on how to respond to questions about the data breach incident.
  • 65% also lack mechanisms to verify that contact with each victim was completed, and only 38% have mechanisms for working with victims with special circumstances.
  • The survey also finds that organizations are missing security technology safeguards and tools to prevent or understand the extent of an incident.
  • Encryption is not widely deployed: Less than one-third of respondents say sensitive or confidential personal and business information stored on computers, servers and other storage devices is generally encrypted.
  • Forensics is lacking. Many organizations lack the forensics capabilities to fully understand the nature and extent of the incident.
  • Only 36% have the tools or technologies to assess the size and impact of a data breach.
  • 19% have advanced forensics to determine the nature and root causes of cyberattacks.
  • 25% have the ability to ensure the root cause of the data breach was fully contained.

“The study findings show that organizations need to prioritize preventing future breaches and better manage post-breach response,” said Dr. Larry Ponemon, Chairman and founder of the Ponemon Institute. “In addition to improving technical safeguards, it’s clear that companies also should focus more attention on meeting the needs of affected consumers that suffer a data breach.”

Mobile phone users are not concerned with security until there is a breach and then they blame their provider

Crossbeam Systems has released research into mobile phone users’ opinions on security.

The most revealing finding was that compromised security, rather than high monthly fees, would be the biggest reason for UK smartphone users to change mobile network providers. 

The independent blind survey of 1,076 UK adult smartphone users and bill payers examined:

  • usage habits
  • the importance of mobile security and data services
  • purchasing considerations
  • what would motivate them to switch providers

A summary of the survey results is below:-

  • 75.6% of those surveyed would change mobile providers if their current, operator-supplied smartphone was compromised by hackers, malware or other security failure
  • 79% of the 648 women surveyed stated they would change networks if their smartphone fell victim to a security issue.
  • 70% of 428 men surveyed would also change networks following a security incident
  • 56% of global respondents don’t know if their mobile network provider has measures in place to secure their smartphone
  • 35.7% of respondents were aware that their smartphone contained applications that stored or had access to financial information such as PayPal, retail apps with saved card payment information and mobile banking apps, and that third parties accessing these would be a concern
  • 52.9% would be scared of other people having “Access to my personal information, such as passwords and credit card details”
  • 5.8% said a lack of security would drive them away from their current network provider

If your smartphone was hacked by a criminal whose fault would it be?

  • 37.5% My mobile network provider (Vodafone, O2 etc.)
  • 31.6% Mine
  • 17.9% My smartphone manufacturer (Apple, Samsung, HTC, etc.)
  • 12.9% Other please specify

“Smartphone users, like most people, don’t think about the security of their devices until they’ve been hacked. This may be misleading mobile network operators to focus less of their attention on customer security and underestimate the risk it creates,” said Peter Doggart of Crossbeam.

The good news is 53 percent of global respondents expressed a willingness to pay their network provider additional fees to help improve security.

Nursing and Midwifery Council fined for breaching the Data Protection Act

The Information Commissioner’s Office has issued a £150,000 fine to the Nursing and Midwifery Council for breaching the Data Protection Act.

The Nursing and Midwifery Council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. 

In October 2011 the DVDs, containing confidential information, were sent to a misconduct hearing via a courier; when the package arrived at the hearing the DVDs were missing, and they have never been found.

After an investigation by the ICO it was found the information was not encrypted. 

David Smith, Deputy Commissioner and Director of Data Protection, said:

“It would be nice to think that data breaches of this type are rare, but we’re seeing incidents of personal data being mishandled again and again. While many organisations are aware of the need to keep sensitive paper records secure, they forget that personal data comes in many forms, including audio and video images, all of which must be adequately protected.

“I would urge organisations to take the time today to check their policy on how personal information is handled. Is the policy robust? Does it cover audio and video files containing personal information? And is it being followed in every case?

“If the answer to any of those questions is no, then the organisation risks a data breach that damages public trust and a possible weighty monetary penalty.”

The council had been couriering evidence relating to a ‘fitness to practise’ case to the hearing venue. When the packages were received the discs were not present, though the packages showed no signs of tampering. Following the security breach the council carried out extensive searches to find the DVDs, but they’ve never been recovered. 

“The Nursing and Midwifery Council’s underlying failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk. No policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered. Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty.”


Securing Patient data has improved massively but still has work to do

In its recent Winter 2013 newsletter Experian released the details of the fifth annual Healthcare Information and Management Systems Society (HIMSS) security survey, which it sponsored.

The survey found many areas of improvement and highlighted them in the infographic below:

[Infographic: The security of patient data in a virtual universe]

Key highlights from the HIMSS study include:

  • Only 38% of the respondents encrypt mobile devices, such as smartphones and tablets, which is worrisome considering their rising use. In fact, there are currently 1.1 billion global smartphone subscribers, representing a 42% year over year growth rate. In addition, there’s been a 29% increase in tablet or e-reader users since 2009.
  • Only 43% of respondents test their data response plans, meaning they don’t know whether their plans work. Organisations should review their response plans regularly and conduct practice runs at least once per year. It’s also a good idea to update the contact list of your response team quarterly and redistribute it.
  • 64% of this year’s respondents encrypt emails, compared to 55% in 2008.
  • Two-thirds conduct a risk analysis at least once per year, compared to 54% in 2008
  • Nearly 25% of the respondents sustained a data breach in the past year alone
  • The high number of breaches has caused 21 million American patients to have their healthcare records exposed to date.
  • 90% of the respondents (hospitals) in a recent study indicated that they conduct formal risk analyses.


Who has breached the Data Protection Act in 2012? Find the complete list here.

So far 2012 has been a busy year for the Information Commissioner’s Office (ICO), and with almost three quarters of the year gone I thought I would look at who has fallen foul of the Data Protection Act.

There are normally three types of punishment administered by the ICO:

  1. Monetary penalties. The most serious of the actions and one normally reserved for organisational entities.
  2. Undertakings. Typically applied when an organisation has failed to adhere to good business practice and needs the helping guidance of the ICO.
  3. Prosecutions. Normally reserved for individuals who have blatantly breached the Act.

In the near future I expect the proposed revised and consolidated Europe-wide Data Protection Act to lead to more activity by the ICO, in the UK and across the other 27 member states. Read my summary of the proposed European Data Protection Act here.

Below is a summary of the ICO’s activity in 2012 across all three “punishment” areas.

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors such as the size, financial and other resources of the organisation’s data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are paid to HM Treasury.

  • 6 August 2012 A monetary penalty of £175,000 was issued to Torbay Care Trust after sensitive personal information relating to 1,373 employees was published on the Trust’s website. Read the details here.
  • 12 July 2012 A monetary penalty of £60,000 was issued to St George’s Healthcare NHS Trust after a vulnerable individual’s sensitive medical details were sent to the wrong address.
  • 5 July 2012 A monetary penalty notice of £150,000 has been served to Welcome Financial Services Limited following a serious breach of the Data Protection Act. The breach led to the personal data of more than half a million customers being lost.
  • 19 June 2012 A monetary penalty notice of £225,000 has been served to Belfast Health and Social Care Trust following a serious breach of the Data Protection Act. The breach led to the sensitive personal data of thousands of patients and staff being compromised. The Trust also failed to report the incident to the ICO.
  • 6 June 2012 A monetary penalty for £90,000 has been served to Telford & Wrekin Council for two serious breaches of the seventh data protection principle. A Social Worker sent a core assessment report to the child’s sibling instead of the mother. The assessment contained confidential and highly sensitive personal data. Whilst investigating the first incident, a second incident was reported to the ICO involving the inappropriate disclosure of foster carer names and addresses to the children’s mother. Both children had to be re-homed.
  • 1 June 2012 A monetary penalty notice for £325,000 has been served on Brighton and Sussex University Hospitals NHS Trust following the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine patients – on hard drives sold on an Internet auction site in October and November 2010. Read the details here.
  • 21 May 2012 A monetary penalty notice for £90,000 has been served on Central London Community Healthcare NHS Trust for a serious contravention of the DPA, which occurred when sensitive personal data was faxed to an incorrect and unidentified number. The contravention was repeated on 45 occasions over a number of weeks and compromised 59 data subjects’ personal data. Read the details here.
  • 15 May 2012 A monetary penalty of £70,000 was issued to the London Borough of Barnet following the loss of sensitive information relating to 15 vulnerable children or young people, during a burglary at an employee’s home. Read the details here.
  • 30 April 2012 A monetary penalty of £70,000 has been issued to the Aneurin Bevan Health Board following an incident where a sensitive report containing explicit details relating to a patient’s health – was sent to the wrong person. Read the details here.
  • 14 March 2012 A monetary penalty of £70,000 was issued to Lancashire Constabulary following the discovery of a missing person’s report containing sensitive personal information about a missing 15 year old girl. Read the details here.
  • 15 February 2012 A monetary penalty of £80,000 has been issued to Cheshire East Council after an email containing sensitive personal information about an individual of concern to the police was distributed to 180 unintended recipients. Read the details here.
  • 13 February 2012 A monetary penalty of £100,000 has been issued to Croydon Council after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub. View a PDF of the Croydon Council monetary penalty notice
  • 13 February 2012 A monetary penalty of £80,000 has been issued to Norfolk County Council for disclosing information about allegations against a parent and the welfare of their child to the wrong recipient.
  • 30 January 2012 A monetary penalty of £140,000 was issued to Midlothian Council for disclosing sensitive personal data relating to children and their carers to the wrong recipients on five separate occasions. The penalty is the first that the ICO has served against an organisation in Scotland. Read the details here.

Undertakings

Undertakings are formal agreements between an organisation and the ICO to undertake certain actions to avoid future breaches of the Data Protection Act; typically this involves encryption, training and management procedures.

  • 6 August 2012 An undertaking to comply with the seventh data protection principle has been signed by Marston Properties. This follows the loss of 37 staff members’ details when the filing cabinet the information was stored in was sent to a recycling centre and crushed.
  • 13 July 2012 An undertaking to comply with the seventh data protection principle has been signed by West Lancashire Borough Council. This follows the theft of a business continuity bag containing emergency response documents and personal data relating to 370 council employees.
  • 26 June 2012 An undertaking to comply with the seventh data protection principle has been signed by South Yorkshire Police. This follows the inclusion of personal data relating to drug offences, in response to a Freedom of Information request made by a journalist.
  • 23 May 2012 An undertaking to comply with the seventh data protection principle has been signed by Holroyd Howe Independent Ltd. This follows the release of a document containing details of employees’ pay to a former employee.
  • 30 April 2012 An undertaking to comply with the seventh data protection principle has been signed by the Aneurin Bevan Health Board. This follows an incident where a sensitive report – containing explicit details relating to a patient’s health – was sent to the wrong person. This breach was also the subject of a monetary penalty.
  • 25 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Safe and Secure Insurances Services Limited. This follows the purchase of a hard drive from the Internet which contained personal data relating to the company’s clients.
  • 18 April 2012 An Undertaking to comply with the seventh data protection principle has been signed by Brecon Beacons National Park Authority. This follows two data security incidents which relate to the unauthorised disclosure of personal data on the data controller’s website.
  • 17 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Leicestershire County Council, following the theft of a briefcase containing sensitive personal data from a social worker’s home.
  • 17 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Toshiba Information Systems UK Ltd. This follows a web design error that created the potential for unauthorised access to individuals’ personal data.
  • 11 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Hertfordshire County Council. This follows the loss of an Attendance and Pupil Support consultation folder in January 2011.
  • 11 April 2012 An undertaking to comply with the seventh data protection principle has been signed by South London Healthcare NHS Trust. This follows the loss of two unencrypted memory sticks, the leaving of a clipboard with ward lists attached in a grocery store and a failure to adequately secure some patient paper files when not in use. All of the information was recovered.
  • 27 March 2012 An Undertaking has been signed by Pharmacyrepublic Ltd following the theft of a patient medication system containing the medication details of 2000 patients. The system, which was supplied by another firm, should have been securely returned to them by Pharmacyrepublic Ltd before the premises were vacated. Read the details here.
  • 14 March 2012 An undertaking to comply with the seventh data protection principle has been signed by the Lancashire Constabulary. This follows the discovery of a missing person’s report on a street in Blackpool. A monetary penalty has also been issued to the authority in connection with this incident.
  • 9 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Enable Scotland (Leading the Way), after two unencrypted memory sticks and papers containing the personal details of up to 101 individuals were stolen from an employee’s home.
  • 1 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Community Integrated Care, a national social care charity. This follows the theft of an unencrypted laptop containing personal and sensitive personal data.
  • 1 March 2012 An Undertaking to comply with the seventh data protection principle has been signed by Durham University. This follows the disclosure of personal information in training materials published on its website.
  • 1 March 2012 An Undertaking to comply with the seventh data protection principle has been signed by London Borough of Croydon. This follows the theft of a bag belonging to a social worker from a public house in London. The bag contained a hard copy file of papers concerning a child who is in the care of the Council. This incident was also subject to a monetary penalty which was announced earlier this month.
  • 1 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Dr Pervinder Sanghera of Arthur House Dental Care. This follows the discovery of an unencrypted memory stick containing personal and limited sensitive personal data relating to patients and employees of the practice.
  • 10 February 2012 Youth charity Fairbridge has signed an undertaking committing the organisation to taking action after the loss of two unencrypted laptops containing employee information.
  • 10 February 2012 Healthcare provider Turning Point has signed an undertaking committing the organisation to take action after the loss of three service users’ files during an office relocation.
  • 10 February 2012 Five local authorities have signed undertakings to comply with the seventh data protection principle, following incidents where the councils failed to take appropriate steps to ensure that personal information was kept secure.
  • 10 February 2012 Basingstoke and Deane Borough Council breached the Data Protection Act on four separate occasions during a two month period last year. The breaches included an incident in May when an individual was mistakenly sent information relating to 29 people who were living in supported housing.
  • 10 February 2012 Brighton and Hove Council emailed the details of another member of staff’s annual salary – and the deductions made from this – to 2,821 council workers. A third party also informed the ICO of a historic breach which occurred in May 2009 when an unencrypted laptop was stolen from the home of a temporary employee.
  • 10 February 2012 Undertakings have been signed by Dacorum Borough Council, Bolton Council and Craven District Council.
  • 3 February 2012 An undertaking to comply with the seventh data protection principle has been signed by E*Trade Securities Ltd. This follows a report to the Commissioner concerning missing client files. The files contained limited sensitive personal data including identification documents.
  • 20 January 2012 An undertaking has been signed by Manpower UK Ltd following a breach of the Data Protection Act where a spreadsheet containing 400 people’s personal details was accidentally emailed to 60 employees.
  • 18 January 2012 An undertaking has been signed by the Chartered Institute of Public Relations, following the loss of up to 30 membership forms on a train. The organisation didn’t have a policy in place for handling personal data outside of the office at the time of the incident.
  • 18 January 2012 Praxis Care Limited breached both the UK Data Protection Act and the Isle of Man Data Protection Act by failing to keep people’s data secure. An unencrypted memory stick, containing personal information relating to 107 Isle of Man residents and 53 individuals from Northern Ireland, was lost on the Isle of Man.

Prosecutions:

  • 2 August 2012. Mohammed Ali Enayet, owner of The Lime Lounge in Cleveleys has been prosecuted by the ICO for failing to register his premises’ use of CCTV equipment.
  • 30 March 2012. SAI Property Investments Limited, trading as IPS Property Services, and one of its directors, Mr Punjab Sandhu, who unlawfully obtained details about their tenants from a rogue employee at Slough Borough Council, have been found guilty of committing offences under Section 55 of the Data Protection Act 1998 (DPA).
  • 27 February 2012. Pinchas Braun, a letting agent who unlawfully tried to obtain details about a tenant’s finances from the DWP has been found guilty of an attempt to commit an offence under section 55 of the Data Protection Act and the Criminal Attempts Act.
  • 12 January 2012. Juliah Kechil, formerly known as Merritt, a former health worker has pleaded guilty to unlawfully obtaining patient information by accessing the medical records of five members of her ex-husband’s family in order to obtain their new telephone numbers.

The ICO is not just an enforcer; it offers advice too. See The Information Commissioner’s 5 tips on how to better protect personal information.

The list was compiled on 16 August 2012; updates will be added later, so why not subscribe to the blog and get the updates automatically.


See Who breached the Data Protection Act in 2013? Find the complete list here.

Who is responsible for data protection in the cloud?

Encryption in the Cloud is a Ponemon Institute report sponsored by Thales.

The study considers how encryption is used to ensure sensitive or confidential data is kept safe and secure when transferred to external-based cloud service providers. 4,140 business and IT managers in the United States, United Kingdom, Germany, France, Australia, Japan and Brazil were surveyed.

Following is a summary of key findings relating to data protection, encryption and key management activities in the cloud.

  1. Currently, about half of all respondents say their organizations transfer sensitive or confidential data to the cloud environment. Within the next two years, another one-third of respondents say their organizations are very likely to transfer sensitive or confidential data to the cloud. At 56%, German companies appear to have the highest rate of sensitive or confidential data transferred to the cloud.
  2. 39% of respondents believe cloud adoption has decreased their companies’ security posture. However, 44% of respondents believe the adoption of cloud services has not increased or decreased their organization’s security posture. Only 10% of respondents believe the move to the cloud has increased their organization’s security posture. With respect to country differences, results suggest that French organizations are most likely to view cloud deployment as diminishing the effectiveness of data protection efforts.
  3. 44% of respondents believe the cloud provider has primary responsibility for protecting sensitive or confidential data in the cloud environment, and 30% believe it is the cloud consumer. There are also differences among countries as to who is most responsible. French companies appear to be the most likely to hold the cloud provider responsible for data protection activities (67%). In contrast, 48% of Japanese companies hold the cloud consumer primarily responsible for data protection.
  4. Companies that currently transfer sensitive or confidential data to the cloud are much more likely to hold the cloud provider primarily responsible for data protection. In contrast, companies that do not transfer sensitive or confidential information to the cloud are more likely to hold the cloud consumer with primary responsibility for data protection.
  5. 63% of respondents say they do not know what cloud providers are doing to protect the sensitive or confidential data entrusted to them. Once again, French respondents (76%) are least likely to say they know what their cloud providers do to safeguard their organization’s information assets.
  6. In general, respondents who name the cloud provider as the party most responsible for protecting data are more confident in the provider's actual ability to do so (51%) than respondents who consider their own organization primarily responsible are in their own ability to protect data (32%).
  7. Where is data encryption applied? According to 38% of respondents, their organizations rely on encryption of data as it is transferred over the network (typically the internet) between the organization and the cloud. Another 35% say the organization applies persistent encryption to data before it is transferred to the cloud provider. Only 27% say they rely on encryption that is applied within the cloud environment.
  8. Among the companies that encrypt data inside the cloud, nearly 74% believe the cloud provider is most responsible for protecting that data. However, only 34% of organizations that encrypt data inside their organization prior to sending it to the cloud hold the cloud provider primarily responsible for data protection.
  9. Who manages the encryption keys when sensitive or confidential data is transferred to the cloud? 36% of respondents say their organization is most responsible for managing the keys. 22% say the cloud provider is most responsible for encryption key management. Another 22% say a third party (i.e. another independent service provider) is most responsible for managing the keys. Even in cases where encryption is performed outside the cloud, more than half of respondents hand over control of the keys. With respect to country differences, German organizations appear to be the least likely to relinquish control of encryption keys to the cloud provider. Companies in Australia and Brazil appear to be the most likely to transfer control of encryption keys to the cloud provider.
  10. Companies with the characteristics that indicate a strong overall security posture appear to be more likely to transfer sensitive or confidential information to the cloud environment than companies that appear to have a weaker overall security posture. In other words, companies that understand security appear to be willing and able to take advantage of the cloud. This finding appears to be at odds with the common suggestion that the more security-aware organizations are the more skeptical of cloud security, and that it is the less security-aware organizations that are willing to overlook a perceived lack of security. Here, the Security Effectiveness Score (SES) is used as an objective measure of each organization's security posture.

Larry Ponemon, chairman and founder, Ponemon Institute, says:

“It’s a rather sobering thought that nearly half of respondents say that their organization already transfers sensitive or confidential data to the cloud even though thirty-nine percent admit that their security posture has been reduced as a result. This clearly demonstrates that for many organizations the economic benefits of using the cloud outweigh the security concerns. However, it is particularly interesting to note that it is those organizations that have a strong overall security posture that appear to be more likely to transfer this class of information to the cloud environment – possibly because they most understand how and where to use tools such as encryption to protect their data and retain control. What is perhaps most surprising is that nearly two thirds of those that move sensitive data to the cloud regard their service providers as being primarily responsible for protecting that data, even though a similar number have little or no knowledge about what measures their providers have put in place to protect data. This represents an enormous opportunity for cloud providers to articulate what they are doing to secure data in the cloud and differentiate themselves from the competition.”

Richard Moulds, vice president, strategy, Thales e-Security, says:

“Staying in control of sensitive or confidential data is paramount for most companies today. For any organization that is still weighing the advantages of using cloud computing with the potential security risks of doing so, it is important to know that encryption is one of the most valuable tools for protecting data. However, just as with any type of encryption, it only delivers meaningful value if deployed correctly and with encryption keys that are managed appropriately. Effective key management is emblematic of control and the need for centralized and automated key management integrated with existing IT business processes is a necessity. Even if you allow your data to be encrypted in the cloud, it’s important to know you can still keep control of your keys. If you control the keys, you control the data.”
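Findings 7 and 9 above, and the closing remark that whoever controls the keys controls the data, come down to one question: where does the key-encryption key live? The script below is an added example, not part of the Ponemon/Thales study or of this post, that walks through the custody arrangements the survey asked about using envelope encryption: the customer encrypts each object under a fresh data key before upload, wraps that data key under a key-encryption key (KEK) it keeps on its own side, and the provider can read the object only if the customer has handed over the KEK. It also shows one reason to bind the object name into the authenticated data: a provider that serves the wrong ciphertext under a given name causes a decryption failure rather than a silently wrong record. The CloudProvider and Customer classes, the object names and the sample record are constructed for the example, and the cipher is an HMAC-SHA256 stand-in for AES-GCM so that it runs on Python's standard library alone.

```python
"""Client-side envelope encryption: whoever holds the key-encryption key can read the data.

Added example, not part of the Ponemon/Thales study.  The cipher is a stand-in built from
HMAC-SHA256 (counter-mode keystream plus an encrypt-then-MAC tag) so the script runs on the
standard library alone; use AES-GCM from a vetted library in production.  CloudProvider,
Customer, the object names and the sample record are constructed for illustration.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode over the PRF: HMAC(enc_key, nonce || counter) for as many 32-byte blocks as needed."""
    blocks = [_prf(enc_key, nonce + i.to_bytes(8, "big")) for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Authenticated encryption: returns nonce || ciphertext || tag, with aad bound into the tag."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")   # independent subkeys
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _prf(mac_key, aad + nonce + ct)


def open_(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Check the tag in constant time before decrypting; raises on wrong key, tampering or wrong aad."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    if not hmac.compare_digest(tag, _prf(mac_key, aad + nonce + ct)):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CloudProvider:
    """Stores whatever it is given; keys_held is the key material the customer chose to hand over."""

    def __init__(self):
        self.objects, self.keys_held = {}, []

    def can_read(self, name: str) -> bool:
        """Can the provider (or anyone with provider-side access) recover this object's plaintext?"""
        obj = self.objects[name]
        for kek in self.keys_held:
            try:
                dek = open_(kek, obj["wrapped_dek"], aad=name.encode())
                open_(dek, obj["ciphertext"], aad=name.encode())
                return True
            except ValueError:
                pass
        return False


class Customer:
    """Encrypts before upload: a fresh data key (DEK) per object, wrapped under a customer-held KEK."""

    def __init__(self):
        self.kek = secrets.token_bytes(32)

    def upload(self, provider: CloudProvider, name: str, plaintext: bytes) -> None:
        dek = secrets.token_bytes(32)
        provider.objects[name] = {"name": name,
                                  "ciphertext": seal(dek, plaintext, aad=name.encode()),
                                  "wrapped_dek": seal(self.kek, dek, aad=name.encode())}

    def download(self, provider: CloudProvider, name: str) -> bytes:
        obj = provider.objects[name]
        dek = open_(self.kek, obj["wrapped_dek"], aad=name.encode())
        return open_(dek, obj["ciphertext"], aad=name.encode())


def demo() -> dict:
    """Key-custody scenarios from the survey, plus a storage-substitution attempt the aad binding defeats."""
    record = b"patient 4711: diagnosis F32.1, next review 2013-07-01"   # constructed sample record
    provider, customer = CloudProvider(), Customer()
    customer.upload(provider, "records/4711.json", record)
    results = {"customer_roundtrip": customer.download(provider, "records/4711.json") == record,
               "provider_reads_without_kek": provider.can_read("records/4711.json")}

    provider.keys_held.append(customer.kek)            # the customer hands the KEK to the provider
    results["provider_reads_with_kek"] = provider.can_read("records/4711.json")

    # Provider-side substitution: serve object 4711's ciphertext and wrapped DEK under the name
    # 4712.  Both tags were computed over the original name, so the download fails closed.
    customer.upload(provider, "records/4712.json", b"patient 4712: no findings")
    provider.objects["records/4712.json"] = dict(provider.objects["records/4711.json"], name="records/4712.json")
    try:
        customer.download(provider, "records/4712.json")
        results["substitution_detected"] = False
    except ValueError:
        results["substitution_detected"] = True
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

Running it prints four flags: the customer round-trips its own data, the provider cannot read it until it is given the KEK, it can once it has, and the renamed object fails to decrypt. The design choice worth keeping from this is the per-object data key: handing a wrapped DEK to a provider exposes nothing without the KEK, and revoking access later is a matter of rotating one key on the customer's side rather than re-encrypting every object.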


PCI Point-to-Point Encryption Solution Requirements and Testing Procedures v1.1

The PCI Security Standards Council (PCI SSC) has released version 1.1 of its Solution Requirements and Testing Procedures for Point-to-Point Encryption (P2PE).

The press release can be found here.

The main document is 210 pages long but for those who have looked into this before there is a short four page summary of changes from version 1.0 to version 1.1 here.

The document covers a great deal, but its scope-of-assessment section for P2PE solutions breaks down into five topics:

  1. Network Segmentation
  2. Third Parties/Outsourcing
  3. Sampling of System Components
  4. Multiple Acquirers
  5. P2PE Program Guide

Scope of Assessment for P2PE Solutions

The first step of a P2PE solution assessment is to accurately determine the scope of the solution. At least annually and prior to each assessment, the solution provider should confirm the accuracy of their solution scope by identifying all devices, P2PE data flows and processes, key-management functions and account-data stores, and ensure they are included in the solution scope. To ensure the accuracy of the solution scope is maintained on an ongoing basis, the solution provider must have processes in place that ensure the following:

  • Any changes are implemented in a manner that ensures continued adherence to P2PE requirements for the entire solution.
  • Any new rollouts/additions adhere to all P2PE solution requirements.
  • Any new rollouts/additions are included in the next P2PE assessment.

Network Segmentation

The solution provider must ensure that network segmentation is in place between any systems owned or managed by the solution provider that are used in the P2PE solution, and any that are not included in their PCI DSS compliant environment. The QSA (P2PE) must validate that the network segmentation is adequate to isolate the P2PE environment from out-of-scope networks and systems.

Third Parties/Outsourcing

A given P2PE solution may be entirely performed and managed by a single solution provider, or the solution provider may outsource certain functions (for example, loading keys into POIs) to third parties who perform these functions on behalf of the solution provider. All third parties that perform P2PE functions on behalf of the assessed P2PE solution provider, including POI vendors, KIFs, CAs, etc., must be validated per P2PE solution requirements.

There are two options for third-party entities performing functions on behalf of solution providers to validate compliance:

  1. They can undergo a P2PE assessment of relevant P2PE requirements on their own and provide evidence to their customers to demonstrate their compliance; or
  2. If they do not undergo their own P2PE assessment, they will need to have their services reviewed during the course of each of their solution provider customers’ P2PE assessments.

Multiple Acquirers

The P2PE standard outlines the technology and processes needed to ensure the security of a solution that protects account data from the point of interaction to the solution provider. In some instances, multiple acquirers or multiple solution providers may manage one or more P2PE solutions on the same merchant POI device. P2PE does not preclude these scenarios, as the business processes which govern this shared environment are outside the responsibility of the PCI SSC.

P2PE Program Guide

Please refer to the P2PE Program Guide for information about the P2PE program, including the following topics:

  • P2PE Report on Validation submission and acceptance processes
  • Annual renewal process for solutions included on the list of Validated P2PE Solutions
  • Notification responsibilities in the event a listed P2PE solution is determined to be at fault in a compromise

At-a-Glance – Steps Required to Create and Validate a P2PE Solution

The standard sets out the process for developing and validating a P2PE solution that uses SCDs for encryption, decryption, and cryptographic key management. Its flow chart and accompanying table (not reproduced here) illustrate the parties responsible for implementing requirements and validating compliance with each domain, the high-level purpose of the controls in each domain, and how validation of each domain can ultimately lead to a P2PE solution validation.

Like a lot of people I shall be looking into the details to see where existing and planned solutions meet the standard. The full 210 page document can be found here.


Lose memory stick: go straight to court, do not pass go and do collect damage to reputation…

Praxis Care Limited breached the UK Data Protection Act and the Isle of Man Data Protection Acts by failing to secure Personally Identifiable Information (PII).

An unencrypted memory stick was lost on the Isle of Man in August 2011 and contained personal information relating to

  • 107 Isle of Man residents
  • 53 Northern Ireland residents

Some of the information was sensitive and related to individuals’ care and mental health.

Praxis Care Limited has informed all affected individuals about the loss and no complaints have yet been received by the regulators.

Christopher Graham, UK Information Commissioner, said:

“Carrying people’s personal information around on an unencrypted memory stick is clearly unacceptable. The fact that some of the personal details stored on the device were out of date and so surplus to requirements makes this breach all the more concerning.

“The ICO will continue to work closely with other data protection regulators where it is clear that a data breach extends across national boundaries.”

Iain McDonald, Isle of Man Data Protection Supervisor, said:

“Today’s joint action aims to send a clear message to organisations that a lax attitude to data security will not be tolerated by either the ODPS or the ICO. We will continue to work with regulators in other countries to ensure that our residents’ personal information is protected.”


Blog at WordPress.com.