5th Annual Data Protection Conference

The 5th Annual Data Protection conference will be held on the 21st February 2013 in Dublin’s Ballsbridge Hotel. I will be one of the speakers at the conference.

This is the largest Data Protection Conference in Ireland and is the top go-to event for the DP community. The conference will have a number of informative presentations delivered by leading industry experts such as the Irish Data Protection Commissioner Billy Hawkes and Simon Milner, Director of Policy (UK & Ireland) FaceBook.

Having spoken at a number of the previous Data Protection Conferences I can attest that it is an excellent opportunity for those responsible for Data Protection to hear some excellent speakers and to network with their peers.

I hope to see some of you there.

Data breach at O2 Ireland

Today the mobile network operator O2 announced that it suffered a security breach. The breach occurred in the summer of 2011 when O2's IT provider IBM lost a backup tape. O2 was made aware of the loss this summer and in their press release say they have been working with the Data Protection Commissioner's office since. The press release from O2 states that the tape "had been misplaced" and that "While the tape remains unaccounted for it is possible that the tape has simply been misplaced within an otherwise secure location in O2."

The release goes on to highlight that the tape itself was used mostly for backing up internal data belonging to O2 and that "it is possible that it could contain some personal data, it is more likely that it simply contained information about O2's normal business affairs and company information".

After reading the release there are a number of issues that it raises in my mind, in no particular order they are;

  • Why does O2 not know what was on the tape? Most backup systems keep a logfile or catalogue of what data was written to each piece of media. It seems strange to me that there is no record of what data was, and was not, backed up onto the tape.
  • Why was the tape not encrypted? Copying data onto a tape means that at some stage the data can be read back from it, so anyone with the same type of tape drive and backup software can restore it. If the data is not encrypted then anyone with that equipment can restore and read it. If the data is encrypted, and the key is held separately from the tape, then restoring it from the tape still leaves it inaccessible to anyone without the proper access to the key.
  • Why did it take IBM so long, nearly a year, to notify O2 about the loss of the tape?
  • Why did O2 take so long to notify customers of the potential data loss? Their press release states they were aware of the loss in July of this year, yet it took 5 months to notify customers. Under the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (SI 336 of 2011) specific obligations are placed on providers of publicly available electronic communications networks or services to safeguard the security of their services. O2, as a telecommunications provider, would come under these regulations. In particular, under the above regulations O2 is obliged in the "case of a personal data security breach affecting even one individual, providers of publicly available electronic communications networks or services must without undue delay:
    • notify the Office of the Data Protection Commissioner of the breach (even in circumstances where it considers the data would be unintelligible to third parties) including a description of the measures to be taken to address the breach; and
    • notify any individual that may be adversely affected by the breach."

Within the press release O2 minimises the breach by saying "it is possible that it could contain some personal data, it is more likely that it simply contained information about O2's normal business affairs and company information." So while the risk to customer data may be low, it should be noted that information about its "normal business affairs" could also be highly sensitive.

As I have said before, one of the important things in incident response is to learn from the incident. This applies not just to incidents in your own environment but also to incidents in other organisations. The key lessons I see from this incident are;

  • Make sure you catalogue what data you back up, and onto which piece of media it was written.
  • Store that catalogue securely so you can reference it at a later date.
  • Keep an inventory of your backup media and regularly check that inventory to make sure items are not missing or "misplaced".
  • Encrypt your backups, and keep the encryption keys separate from the media. This should apply to all data you back up and not just data that falls under the Data Protection Act.
  • Regularly restore your data to ensure your backups are working as designed and that you can access the data.
  • Securely dispose of old backup media when no longer required.
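The first three lessons above, and the restore test, can be put into practice with very little code. The following is an added example written for this post, not code from O2, IBM or any backup product: it builds a signed catalogue of what went onto a piece of media (including whether the set contains personal data, which is exactly the question O2 could not answer), reconciles the catalogue against a physical count of the media on the shelf, and checks a test restore against the recorded hashes. The sample files, their data classification labels and the key identifier are constructed for the example; the encryption of the media itself is left to the backup tool, and the catalogue records only the identifier of the key used, never the key.

```python
"""Backup catalogue, media inventory and restore check (standard library only)."""
import hashlib
import hmac
import json

# Constructed sample files: path -> (content, data class). The data class
# comes from the organisation's own classification scheme (assumed labels).
SAMPLE_FILES = {
    "finance/ledger-2011.csv": (b"acct,amount\n1001,250.00\n", "company"),
    "crm/customers.db": (b"id,name,msisdn\n1,A. Customer,0851234567\n", "personal"),
    "hr/payroll.xlsx": (b"staff,salary\n", "personal"),
}


def build_catalogue(media_id, files, key_id, backup_date):
    """Record what was written to one piece of media: every path, its size and
    SHA-256, whether the set holds personal data, and which key encrypted it."""
    entries = []
    for path, (content, data_class) in sorted(files.items()):
        entries.append({
            "path": path,
            "size": len(content),
            "sha256": hashlib.sha256(content).hexdigest(),
            "data_class": data_class,
        })
    return {
        "media_id": media_id,
        "date": backup_date,
        "encryption_key_id": key_id,  # identifier only; the key lives elsewhere
        "contains_personal_data": any(e["data_class"] == "personal" for e in entries),
        "entries": entries,
    }


def _canonical(catalogue):
    # Stable serialisation so the same catalogue always signs the same way.
    return json.dumps(catalogue, sort_keys=True, separators=(",", ":")).encode()


def sign_catalogue(catalogue, signing_key):
    """HMAC-SHA256 over the canonical JSON so tampering with a stored
    catalogue (or quietly rewriting what a tape held) is detectable."""
    return hmac.new(signing_key, _canonical(catalogue), hashlib.sha256).hexdigest()


def verify_catalogue(catalogue, signature, signing_key):
    return hmac.compare_digest(sign_catalogue(catalogue, signing_key), signature)


def reconcile_inventory(catalogued_media, shelf_scan):
    """Compare the media the catalogues say exist with a physical count.
    'missing' is the list to worry about; 'unlisted' media is undocumented."""
    return {
        "missing": sorted(set(catalogued_media) - set(shelf_scan)),
        "unlisted": sorted(set(shelf_scan) - set(catalogued_media)),
    }


def verify_restore(catalogue, restored):
    """Check a test restore (path -> bytes) against the catalogue: every file
    present and its hash matching. Returns the problems found (empty = good)."""
    problems = []
    for entry in catalogue["entries"]:
        data = restored.get(entry["path"])
        if data is None:
            problems.append(f"missing: {entry['path']}")
        elif hashlib.sha256(data).hexdigest() != entry["sha256"]:
            problems.append(f"hash mismatch: {entry['path']}")
    return problems


if __name__ == "__main__":
    signing_key = b"demo-signing-key"  # in practice drawn from a key store
    cat = build_catalogue("TAPE-0001", SAMPLE_FILES, "kms-key-2011-07", "2011-07-14")
    sig = sign_catalogue(cat, signing_key)
    print("personal data on media:", cat["contains_personal_data"])
    print("catalogue signature ok:", verify_catalogue(cat, sig, signing_key))
    print("inventory:", reconcile_inventory(["TAPE-0001", "TAPE-0002"],
                                            ["TAPE-0002", "TAPE-0003"]))
    restored = {p: c for p, (c, _) in SAMPLE_FILES.items()}
    print("restore problems:", verify_restore(cat, restored))
```

Run on a schedule, `reconcile_inventory` turns a "misplaced" tape from something discovered a year later into an exception raised at the next count, and `verify_restore` is the periodic restore test the last lesson calls for; keeping the signing key away from the backup operators means the catalogue cannot be edited to hide what a lost tape held.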

First Impressions

There is an old saying that goes "first impressions last". Which means that very often when we meet someone or visit somewhere for the first time we subconsciously assess and judge that person or place within the first few seconds. This means that each relationship is built upon that initial assessment. So if the assessment is a negative one the relationship will have a difficult time in growing.

Last night I was working late and happened to have the TV on at the same time. During one of the advert breaks I noticed an advertisement for a new cloud based service run by an Irish company. As someone with a keen interest in cloud services I decided to visit their website. However, when I arrived at the site I was disappointed to see that while the site looked slick and promoted the company well, I also saw a number of issues that raised concerns over the security of the site.

The first issue was that the webpage to register for their service was served over plain HTTP, in other words not secure. Even though the page asked you to input a lot of personal details, including your password, the connection between the server and the client workstation was not encrypted using SSL/TLS. This means that anyone with access to the traffic between the server and the client workstation could eavesdrop on that traffic and read those personal details.
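The check described above can be automated so that it is run against every page on a site rather than noticed by chance. The following is an added example written for this post, not code from the site in question: it parses a page, finds every form that collects a password or similar sensitive field, and reports whether either the page or the form's submission target uses plain HTTP. It also catches the less obvious case of a page served over HTTP whose form posts to HTTPS, which is still unsafe because the unprotected page can be altered in transit to point the form elsewhere. The page URL and HTML are constructed for the example.

```python
"""Find forms that collect sensitive data without TLS protection."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a registration page served over plain HTTP.
SAMPLE_PAGE_URL = "http://www.example.test/register"
SAMPLE_HTML = """
<html><body>
<form method="post" action="/signup">
  <input type="text" name="fullname">
  <input type="email" name="email">
  <input type="password" name="password">
  <input type="submit" value="Register">
</form>
<form method="post" action="https://secure.example.test/login">
  <input type="text" name="user">
  <input type="password" name="password">
</form>
<form method="get" action="/search"><input type="text" name="q"></form>
</body></html>
"""

# Field names that indicate sensitive data even when the input type is "text".
SENSITIVE_NAME_PARTS = ("password", "passwd", "card", "ccnum", "cvv", "dob")


class FormCollector(HTMLParser):
    """Collect each form's action and its input fields (type, name)."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("type", "text").lower(), a.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return a finding for every form that collects sensitive data while the
    page or the form target is not HTTPS."""
    parser = FormCollector()
    parser.feed(html)
    page_secure = urlsplit(page_url).scheme.lower() == "https"
    findings = []
    for form in parser.forms:
        sensitive = [name for typ, name in form["fields"]
                     if typ == "password"
                     or any(part in name.lower() for part in SENSITIVE_NAME_PARTS)]
        if not sensitive:
            continue
        # An empty action submits back to the page itself.
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        reasons = []
        if not page_secure:
            reasons.append("page served over plain HTTP")
        if urlsplit(target).scheme.lower() != "https":
            reasons.append("form submits over plain HTTP")
        if reasons:
            findings.append({"action": target, "fields": sensitive, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding["action"], finding["fields"], "; ".join(finding["reasons"]))
```

Pointed at a crawl of a site (fetching each page is left out here so the example runs offline), the same function gives a list of every place personal data is collected in the clear; the `reasons` list distinguishes a page that merely needs to be moved behind HTTPS from one whose form target itself must change.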

Another issue that was evident was the lack of a privacy statement on their website. While the lack of a privacy statement will not lead to the site being compromised, it is a requirement under the Irish Data Protection Act. Therefore the absence of such a statement, coupled with the lack of SSL/TLS protection on certain web pages, would indicate that those running the site may not fully understand their obligations under the Data Protection Act. This in turn, rightly or wrongly, may make the visitor wonder if there are other Data Protection issues not being fully addressed.

The website was hosted in the United States.  Under the Irish Data Protection Act it is illegal to export the personal details of Irish and European citizens outside of the EU unless under specific conditions.  One of those conditions is that if using a provider in the United States then that provider should be part of the US Safe Harbor Agreement.  Having checked which companies are registered under that agreement I discovered that the hosting company in question was not listed and therefore not part of that program. Of course the Irish company could have built their data privacy and security requirements into their contract with the supplier, but given the other issues I somehow doubt that is the case.

The website did not have its company particulars prominently displayed as is required by the European Communities (Companies) (Amendment) Regulations 2007, which exposes the company to fines under these regulations.   Again leading a visitor to the website to wonder if those managing their data fully understand their responsibilities when conducting business online.

After looking at this site I randomly visited a number of other Irish websites to see if the above website was unique. Unfortunately this was not the case. Many of the other Irish websites I looked at had many of the same issues, and some of them raised further concerns about their security, such as;

  • Collecting credit card data from insecure webpages similar to that described above. One website did not have an online payment solution but asked those wishing to purchase from the site to send an email with their credit card information enclosed. This flies in the face of the PCI Data Security Standard (DSS) which requires that credit card information is collected, transmitted and stored securely.
  • Two sites were hosting phishing pages aimed at clients of financial institutions in other countries.  It appears criminals hacked into these sites and used them to host their phishing pages.

The Internet provides businesses with opportunities to increase their market reach and customer base in a very cost effective manner. A well built website that looks good can attract many new customers, but that is only half the battle. The other half is getting them to do business with you. One of the main concerns people have with buying goods and services online is security and the protection of their personal data. So while your site may look good, you need to ensure you can alleviate those security concerns. Remember, all the above issues were identified simply by looking at the websites. I did not do any security testing of the websites to see whether there were any technical or application security issues. If a simple browse of your website can expose a number of problems like those outlined then you may find many customers will not have the confidence to deal with you.

Good security is a cornerstone in building trust and confidence in your business, and making sure simple issues have been addressed goes a long way in building that trust. In 2010 I worked with ENISA on developing the "How to Shop Safely Online" whitepaper which, while aimed at the consumer on how to shop safely online, also has some good recommendations in it for companies to ensure they take the proper security measures.

Remember in business, whether it is in the physical world or the virtual world, first impressions last!

Security Breach at MyJob.ie

Tonight I got an email from the online recruitment arm of Bond Personnel, MyJob.ie, to inform me they recently suffered a security breach and were sending me a precautionary email to change my password. While there are no details as to what information the attackers accessed or how they managed to breach MyJob.ie's security, there are two interesting points to note;

  • MyJob.ie say they were not the primary source of the breach. This leads to the question which of their providers were breached?
  • The attackers have already been arrested and a file sent to the DPP.  If this is the case, when did the breach originally occur and why did it take so long to notify those impacted?

The other question that is of interest is what is MyJob.ie’s data retention policy for holding client data? I have not used that website for well over 10 years,  so my data would be well out of date and no longer useful.  Indeed in the Data Protection Commissioner’s report for 2008 he mentions a security breach at jobs.ie and highlights they had retained personal data of clients for “an unnecessarily long period of time”. 

If you have been impacted by this breach I recommend that you;

  • Change your password for MyJob.ie.
  • Do not use the same password across different systems. If you have used the same password on different systems then change them to an individual password on each system.
  • Do not respond to any emails that may be phishing emails looking for your personal details.

The text of the email is below;

Dear Honan,

I am writing to bring your attention to a recent security breach on the server hosting Myjob.ie. The breach was quickly identified, and the Gardai have apprehended two individuals who are now the subject of a file being compiled for the Director of Public Prosecutions. Although Myjob.ie was not the primary source of the breach, as a precautionary measure we would ask all users to immediately change their password. Furthermore we would ask you to observe best practice in choosing all internet passwords and do not use the same password for more than one internet service. If you do use the same password for multiple services we would strongly urge you to rectify this immediately by logging into those systems and choosing a new password. Also, please note that reputable companies do not request personal details by email, if a company contacts you do not give any personal information until you have established they are legitimate.

  • Never give out personal banking information
  • Do not share your passwords with anyone
  • Do not open email attachments if you are suspicious, especially .exe files.

Please accept our apologies for any inconvenience or distress caused by this precautionary email. Should you wish to contact us please send an email to security@myjob.ie

Yours sincerely,

John Doupe

Speaking at the Third Annual ICS Data Protection Conference

On Thursday I will be speaking at the Third Annual ICS Data Protection Conference which will be held in the Radisson Blu hotel in Dublin's Golden Lane. This is one of the conferences I enjoy a lot as it brings in people from various different disciplines to discuss the issues of protecting the personal data of customers and employees. There will be people from data protection roles, legal, business, information security, IT and many others. I find it can lead to many an interesting conversation as people get to learn, not only from the excellent speaker line up, but from networking with others as to how best to address data protection issues in their organisation.

With the introduction of the Data Protection Commissioner's Data Security Breach Code of Practice, ensuring the appropriate steps are taken to protect personal data entrusted to an organisation is even more important. I will be presenting on "Taking a Practical Approach to Securing Your Organisation".

There are still places available, so if you have not registered by now then you should go to the ICS website and do so. If you do attend the conference do drop over and say hello.

Upcoming Speaking Engagements

Last year I spoke at a number of great events and 2011 looks like it is shaping up to be a busy year on the speaking front too.  Over the next few weeks I will be speaking at a number of events.

So if you are attending any of the above please do say hello.

I will be attending a number of other events during the year and will keep you updated when I have more information.

Speaking at the 5th Annual Privacy & Data Protection Conference

I will be speaking at the 5th Annual Privacy & Data Protection Conference this year on the 27th of October.  The theme for the event is “Data Protection: Global Compliance Management” and I will be speaking on “Building an Information Security Culture and Policy”.  I will also be taking part in a panel discussion in information security.

The conference promises to be very informative and the organisers, Transatlantic Events, have brought together experts from the regulators, the lawmakers and the legal community from Ireland, the US, the EU, and the UK in order to debate the full range of issues that make up data protection compliance.  The conference will enable you to hear from experts as well as debate in open forum a range of issues from multi-jurisdictional compliance to niche areas such as outsourcing, monitoring, cloud computing, children’s privacy and data security breach management.

I am looking forward to hearing many of the other speakers at the event and hopefully meeting with some of you as well. 

You can register for the conference here.

Annual Report from Data Protection Commissioner Released

The 21st annual report from the Data Protection Commissioner’s office has been released.  As usual it makes for some very interesting reading.  The report notes that the number of breaches reported to the office has doubled since the previous year.  Most of these reported breaches are from organisations within the public sector.  While the first reaction may be to say the public sector is not taking due care of the personal data entrusted to it, I would argue that the public sector is no better nor worse than the private sector. 

One of the main reasons for the increased number of reported incidents from the public sector is most likely due to the guidance issued by the Department of Finance in late 2008 “encouraging” government departments to report breaches to the Data Protection Commissioner.  See section 4 on page 23 of the guidance.

In my opinion the Data Protection Commissioner’s report reinforces the argument that Ireland should introduce mandatory data breach disclosure laws.  My own thoughts on that particular issue are in this presentation that I gave at the last NITeS seminar;

I strongly urge that you take the time to read the report and to ask yourself the question, “How effective are my security controls in protecting the personal data entrusted to my organisation?”  If you find it hard to determine how to answer the question there is a very good self assessment checklist available on the commissioner’s site.

Information Security Assurance Checklist for SMEs

I am often approached by owners of small businesses who ask me how they can be assured that they have taken the basic steps to protect their information assets. These companies often do not have any internal IT or information security expertise and rely on external vendors or contractors to secure their systems. What these owners want is a list of questions that they can ask themselves and their IT/information security experts to ensure they have taken the appropriate steps. The following is what I recommend they check on, answering each item Yes or No; any incomplete or negative response is an area that needs to be addressed;

People check items

  • Responsibility: Does a director, or equivalent, have responsibility for information security?
  • Employee buy-in: Have all members of staff given written acknowledgement that they have read, understood and accepted the information security policy?
  • Employee awareness: Do all users on your computer systems receive regular training on their security responsibilities and how to identify and deal with various security threats?
  • Training: Do staff members with specific security responsibilities receive proper and regular training to support their role?
  • Computer security policy: Have you a documented security policy, with associated operating procedures, signed off and fully supported by senior management?
  • Non-disclosure agreements: Does senior management authorise third party access to confidential and/or commercially sensitive information only after appropriate confidentiality agreements have been completed?

Process check items

  • Audits: Are critical systems such as firewalls and routers regularly tested for vulnerabilities, and are computers checked to ensure no copies of illegal software are present?
  • Incident planning and response: Are documented and frequently tested plans in place, with clearly defined roles and responsibilities, to ensure the company can respond to any security breach such as a virus attack, fraud or a natural disaster such as fire?
  • Passwords: Are all default passwords on all systems reset from the vendor installed defaults? Are users forced to use complex and hard to guess passwords?
  • Software patches: Is there a mechanism to ensure that critical security patches are deployed to systems in a timely and audited fashion?
  • Data protection: Are systems and databases that store personal data secured properly to ensure compliance with regulatory and legal requirements such as the Data Protection Act?

Technology check items

  • External network security: Are external connections, such as to the Internet, authorised by senior management, properly documented and secured using firewalls?
  • Anti-virus: Are all computer systems protected with the most up to date anti-virus software? Are users educated on how to identify and deal with suspect files that may contain computer viruses?
  • Content monitoring: Do you properly monitor the content of emails and Internet browsing activity to protect your company from computer viruses, spam, or litigation due to the nature of the content?
  • Monitoring: Are the log files of important security devices actively monitored to detect potential security breaches?
  • Physical security: Are critical IT resources, such as file servers, located in a secured area that is protected from unauthorised access?

If you have any ideas on how to improve the above list please let me know via the comments.

Technology Is Not The Silver Bullet

The raft of data breaches involving lost laptops and mobile devices that occurred last year, both in the government and private sector, led to a rash of organisations running out to encrypt these mobile devices. While an effective tool in helping to secure data on mobile devices, encryption by itself is not a silver bullet nor the answer to the problem. You still need to ensure that people minimise the amount of sensitive data they store on mobile devices and, most importantly, that they are properly trained and educated in how to use the technology employed to protect that data.

This story from the Lancashire Evening Post is a prime example of why security is the effective combination of People, Process and Technology. The story reports on how a USB key containing medical details of over 6,300 prisoners was lost. The good news is that the USB key was encrypted; the bad news is that the pass-phrase to decrypt the information was attached to the USB key. This in reality makes the encryption worthless and provides no protection to that data.

So when deploying technology to enhance the security of your organisation, remember to ensure that those who will be using that technology are properly trained in its use.