Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Serious Organised Crime Agency

Personal Information is under threat from “social engineering”

This week as uncovered two more breaches of the Data Protection Actafter action was taken by the Information commissioner and the Serious and Organised Crime Agency (SOCA) against individuals who used social engineering for profit.

The more criminal of the two cases involved “private detectives” blagging confidential information for their clients to use.

SOCA defines blagging as “Blagging is the art of bypassing security measures through skilled persuasion and impersonating someone else

SOCA said of the case

SOCA’s focus during the investigation was criminal conspiracy. However in recognition of the fact that the operation might also uncover information relevant to other authorities, SOCA worked in partnership with a number of bodies including the Information Commissioner’s Office. SOCA will now hand over any such information to its partners to determine whether further action is appropriate

The Information Commissioner said:

“The scourge of data theft continues to threaten the privacy rights of the UK population. Whilst we welcome today’s sentencing of the private investigator, Graham Freeman, and his three accomplices, the outcome of the case underlines the need for a comprehensive approach to deterring information theft.  If   SOCA had been restricted to pursuing this case solely using their powers under the Data Protection Act then these individuals would have been faced with a small fine and would have been able to continue their activities the very next day. This is not good enough.

“Unscrupulous individuals will continue to try and obtain peoples’ information through deception until there are strong punishments to fit the crime. We must not delay in getting a custodial sentence in place for section 55 offences under the Data Protection Act.”

In the second example a letting agent tried to obtain details about a tenant’s finances from the Department for Work and Pensions (DWP) was found guilty of an attempt to commit an offence under section 55 of the Data Protection Act and the Criminal Attempts Act.

Pinchas Braun, of Tottenham, was fined £200 and ordered to pay a £15 victim surcharge and £728.60 prosecution costs by Highbury Magistrates.

The ICO’s investigating officers identified the caller as Pinchas Braun. Further enquiries found that Braun worked for a property management and rental business called Manor West Estates and that he was responsible for rent collection. The DWP account that Mr Braun had targeted belonged to one of his employer’s tenants.

Information Commissioner, Christopher Graham, said:

“The Department for Work and Pensions hold important information about each and every one of us. We are very pleased that a DWP staff member was alert to this attempt to blag information and that the call was halted before it was too late.

“The motive behind Mr Braun’s action was financial. He knew that such an underhand method of obtaining the tenant’s personal information was illegal but carried on regardless.

“This case shows that unscrupulous individuals will continue to try and blag peoples’ details until a more appropriate range of deterrent punishments is available to the courts. There must be no further delay in introducing tougher powers to enforce the Data Protection Act beyond the current ‘fine only’ regime,” Mr Graham said.

“The contrast is striking in the penalties available for blagging under the Fraud Act on the one hand and under the Data Protection Act on the other. On the same day, prison sentences were handed down in one court with chicken feed fines being imposed in another – all for the same activity”

Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of a financial penalty of up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court. This also applies to attempts under the Criminal Attempts Act. The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.

Both examples show how important it is for all organisation to be aware of the threat to their customers from “blagging” or “social engineering” for example in the Braun case above he was unsuccessful because he didn’t know the middle name of the victim.

.

Advertisements

Who fell foul of the Information Commissioner in October?

A week after Calls for tougher penalties for breaches of the Data Protection Act (read my post here) I thought it would be good time to have a look at who the Information Commissioner’s Office (ICO) has taken action against during the month of October 2011.

To add some consistency I have also included actions taken since the 7th September because a previous posting “Who has the Information Commissioner caught in the last 3 months?”, read it here.

28 October 2011
An undertaking to comply with the seventh data protection principle has been signed by Newcastle Youth Offending Team. This follows the theft of an unencrypted laptop containing sensitive personal data. Read my post on this incident here.

27 October 2011
An Undertaking to comply with the seventh data protection principle has been signed by University Hospitals Coventry & Warwickshire NHS Trust. This follows two separate incidents involving the loss of personal data by the Trust.

19 October 2011
An undertaking to comply with the seventh data protection principle has been signed by Spectrum Housing Group. This follows a non-secure e-mail with an excel attachment containing personal data relating to employees of the data controller, being sent in error to an unintended recipient outside of the organisation. It was also discovered that data within ‘hidden’ pivot cells forming part of the spreadsheet could be revealed.

17 October 2011
An undertaking to comply with the seventh data protection principle has been signed by Dumfries and Galloway Council. This follows the accidental online disclosure of current and former employee’s personal data in response to a Freedom of Information (Scotland) Act request.

5 October 2011
An undertaking to comply with the seventh data protection principle has been signed by the General Secretary of the Association of School and College Leaders (ASCL). This follows theft of a laptop containing sensitive personal data from the home of an employee.

An undertaking to comply with the seventh data protection principle has been signed by Holly Park School. This follows the theft of an unencrypted laptop containing personal data relating to nine pupils.

See my blog on these two incidents Education, education, when will people learn, encrypt your data as two more education establishments lose data here.

4 October 2011
An undertaking has been signed by Dartford and Gravesham NHS Trust following the accidental destruction of 10,000 archived records. The records – which should have been kept in a dedicated storage area –were put in a disposal room due to lack of space. See my post, Hospital Destroys 10,000 Archived Records here.

An undertaking has also been signed by Poole Hospital NHS Foundation Trust after two diaries – containing information relating to the care of 240 midwifery patients – were stolen from a nurse’s car. The diaries included patients’ names, addresses and details of previous visits and were used by the nurse during out of hours duty.

20 September 2011
An undertaking to comply with the third and seventh data protection principles has been signed by Eastleigh Borough Council. This follows the potential disclosure of a document containing sensitive personal data.

15 September 2011
An undertaking to comply with the seventh data protection principle has been signed by the Child Exploitation Online Protection Centre (CEOP) and its parent organisation the Serious Organised Crime Agency (SOCA). This follows the discovery that CEOP’s website reporting forms were being transmitted insecurely. See my post on this here ICO takes action against the Child Exploitation and Online Protection Centre and the Serious Organised Crime Agency here.

An undertaking to comply with the seventh data protection principle has been signed by Royal Liverpool & Broadgreen University Hospitals NHS Trust. This follows two separate incidents involving the loss of personal data by the Trust.

14 September 2011
An Undertaking to comply with the seventh data protection principle has been signed by Eastern and Coastal Kent Primary Care Trust. This follows the loss of a CD containing personal data during a move of office premises.

9 September 2011
An undertaking to comply with the seventh data protection principle has been signed by Walsall Council. This follows the accidental disposal of postal vote statements in a skip by the council’s data processor. The council did not have a written agreement with the data processor selected to store this personal data.

see other posts related to the Information Commissioner

.

ICO takes action against the Child Exploitation and Online Protection Centre and the Serious Organised Crime Agency

Child Exploitation and Online Protection Centre
Image via Wikipedia

The Information Commissioner’s Office (ICO) has taken action against The Child Exploitation and Online Protection Centre (CEOP) and the Serious Organised Crime Agency (SOCA) – its parent organisation after the discovery of a security flaw on CEOP’S website, the Information Commissioner’s Office (ICO) said today.

On 6 April, the ICO received a complaint from an individual who noticed that the information submitted using the online form on the CEOP website was not encrypted. The security problem meant that the details – some of which were sensitive – would have been vulnerable while they were being transmitted to CEOP’s servers.

The ICO’s investigation found that the form had been insecure for several months following the launch of the new CEOP website, although there was no evidence to suggest that any attempts had been made to access the information. Both organisations have now taken action to improve the security of the CEOP website in order to keep the personal information they handle secure.

Acting Head of Enforcement, Sally Anne Poole said:

Organisations must make sure that any personal data transmitted electronically is adequately protected. While there is no evidence to suggest that attempts have been made to access any of the information, it is highly likely that it would have been sensitive in nature and should not have been compromised by insufficient IT security measures.

We are pleased that CEOP and SOCA have taken action to make sure that all of the information sent in by members of the public remains secure.”

Peter Davies, Chief Executive Officer of CEOP, and Trevor Pearce QPM, Director General of SOCA, have jointly signed an undertaking to ensure that CEOP’s website is regularly tested so that the personal data they process remains secure and potential weaknesses are immediately identified. CEOP will also introduce recommendations included in a recent Information Security Review and continue to make sure that they are followed.

.

Blog at WordPress.com.

Up ↑

%d bloggers like this: