Hand over £1 million or all your sausage are belong to us

Well, ok, not your sausages, I mean data, but with this story being about Lincolnshire County Council, I just couldn’t resist.

Earlier this week, 300 of the council’s computers were infected with the same piece of malware, leaving the authority with no choice but to unplug its entire system.

According to The Lincolnite, a suspected breach exposed emails, medical records, addresses and bank details of local residents, though the BBC later reported the issue as ransomware.

Speaking for the council, chief information officer Judith Herrington-Smith said only a small number of files had been affected, though she added that “people can only use pens and paper, we’ve gone back a few years.”

Herrington-Smith went on to explain that the attack was quick but, as soon as it was identified, the network plug was pulled in a bid to save as much data as possible, adding how:

Some damage is always done before you get to that point – and some files have been locked by the software.

Fortunately, the council, which denies finding any evidence of a breach, had followed rule number one of data protection – keeping regular backups – and so it expects most of the infected files will be available for use again by the beginning of next week.

As for how the council systems became infected with the ransomware in the first place, I guess there is both good news and bad.

The good news, as far as the phrase can be stretched, is the fact that the ransomware appears to be a new strain, never before seen by security experts, or at least not the ones on the authority’s payroll at any rate.

The bad news, however, is the means by which the council became “the first victim” of this “zero-day malware” – it appears as though a staff member forgot their security awareness training and opened a dodgy email attachment.

Even so, Lincolnshire County Council says it has every faith in its security procedures and, with the ICO aware and the police investigating, we’ll find out how true that is, soon enough.

TalkTalk customers WalkWalk after data breach

Data breaches, though unfortunate, don’t have to signal the death knell for your business.

As many companies have discovered, the fallout can be severe but, in time, recovery can be possible, as long as lessons are learned and, far more importantly, the initial incident response is sound.

As any business owner or senior executive will tell you, having a well-drilled incident response plan in place, which has been practiced and ingrained into the minds of the incident response team, is a key part of any company’s long-term planning.

But what happens when an organisation has no plan in place, or fails to execute with any kind of, erm, professionalism?


TalkTalk, as I’m sure you all know, was hacked back in October 2015.

All in, around 150,000 of its customers saw their personal details accessed by hackers, resulting in losses of between £30m and £35m for the company.

Save for a small amount of residual resentment, that should have been that for TalkTalk but, alas, Dido Harding, the firm’s chief executive, began putting in the sort of media performances that left the security community wincing… multiple times.

And so the upshot was…

… around a quarter of a million people left TalkTalk in the wake of the hack.

Despite some gains over the same period, the operator lost more customers than all the other UK broadband providers combined.

And I suspect not all of them left for pastures new due to the allure of faster broadband or Premier League footie!

Much more likely, according to Imran Choudhary, consumer insight director at Kantar Worldpanel ComTech, is the spectre of brand damage:

Customers have lost faith in TalkTalk as a trustworthy brand.

TalkTalk continues to offer some of the most attractive promotions across the home services market and almost a third of its new customers did choose it for this reason, but there can be no doubt that it lost potential customers following the major data hack. If it’s to recover from recent events TalkTalk will need to offer more than just good value.

I personally don’t disagree with Choudhary who rightly makes the point that TalkTalk is pulling in new customers with aggressive promotions but, whichever way you want to look at the post-hack telecoms company, the truth is that it has lost a whole heap of money.

How different things would have been with a different approach in the immediate aftermath of the breach, we’ll never know, but if I were a betting man I’d say the company would be in a much better position financially, and its reputation would be somewhat less tattered than I believe it currently is.

So, the questions today are, how is your incident response plan? Who are your incident responders? Have they been trained? Have you tested the plan?

If not, what are you waiting for?

A data breach?

Data thieves – ignore, slap on the wrist or jail?

I wrote yesterday about Onur Kopcak and the arguably draconian prison sentence he received for engaging in a spot of identity theft, concluding (in my own mind, if not on the screen) that he may have been treated a tad harshly. I also made reference to the fact that British data thieves seem to get off rather lightly, an impression only enhanced when I read how Sindy Nagra was fined a mere £1,000 for selling 28,000 car rental customer records (she received £5,000 for her trouble).

And it appears I’m not the only one bemused by the gulf between cyber crime and cyber punishment.

Esther George, Director of Cyber Crime and Prevention at 8MAN, feels strongly about it too, saying:

The comments from Information Commissioner Christopher Graham on the need for greater sentencing powers reveal the continued disconnect between the actions of cyber thieves and the punishment that they receive. There needs to be a move to ensure that the penalties given take into account the gravity of the situation.

Explaining how many such cases could be handled under the Computer Misuse Act 1990 – which gives judges the option of imposing not only fines but also jail time – George explained how the Crown Prosecution Service tended to favour the Data Protection Act instead (I’m not sure but I’m guessing it’s easier to convict under?), which only affords judges the ability to hand out fines, adding that:

We should be looking to prosecute offenders under Section 55 of the Data Protection Act. Currently this means that only fines can be imposed but the Secretary of State has the power to alter the penalty for an offence of unlawful obtaining data which will give judges greater sentencing powers, including longer imprisonment. This hasn’t happened yet and therefore lighter penalties are given. It is no surprise that cyber crime continues to rise with low fines acting as the only deterrent.

At this point, much could also be said about the maximum fines the ICO can impose after a data breach, along with how actual fines compare to that maximum, but I digress.

George continued by highlighting the need for education within organisations so that they are better prepared to deal with such situations and know who to inform when their data is stolen, not to mention how to prevent such actions in the first place (I’d like to think large organisations already know about ISMS and reporting requirements but, equally, I’m also a strong advocate for training and awareness so I’m not going to disagree with her comments).

Anyway, George finished by saying:

For many organisations they presume that if data is lost that they should go to the ICO, who then run their own investigation and prosecute. This means that the police and CPS aren’t even aware or are able to impose tougher sanctions. Education must take place into what policies and procedures are needed to prevent these incidents, when they should go to the police versus the ICO and what information needs to be provided to build a solid case for prosecution under the Data Protection Act. Only with tougher penalties will we deter cyber criminals.

All fair comment in my opinion, and she does a good job of highlighting the lack of deterrent in the UK, but there is another issue of course – the fact that many, many companies are guilty of not protecting their data adequately in the first place.

Given the financial, legal and regulatory implications of a breach, businesses need to be proactive about information security, have policies and procedures in place, be aware of the insider threat (Nagra, mentioned at the beginning, was just that) and aware of their obligations in terms of reporting incidents to the correct authorities or law enforcement units.

Oh, and did I mention security training and awareness for all employees and a good strong ISO 27001 framework? If you need any of those, our CEO Mr Honan is the man you need to speak to 😉

Potential Livestream breach – payment details safe but PII may have been swiped

Live video streaming platform Livestream – which has partners including the BBC, Spotify, Nike, Nasdaq and Tesla – has alerted its customers to a potential data breach which may have exposed personal information including names, email addresses, phone numbers, dates of birth and encrypted passwords.

In an email sent out to its customers the company, which boasts up to 40,000,000 viewers per month, said:

We recently discovered that an unauthorized person may have accessed our customer accounts database. While we are still investigating the full scope of the incident, it is possible that some of your account information may have been accessed. This may include name, email address, an encrypted version of your password, and if you provided it to us, date of birth and/or phone number. We do not store credit card or other payment information. We have no indication that the encrypted passwords have been decoded, but in an abundance of caution, we are requiring all users to reset their passwords.

There’s no word on just how those passwords were encrypted, or whether they were salted, so Livestream’s following advice –

If you used the same passwords for other accounts, we recommend changing your passwords for those accounts as well.

– is especially pertinent, given the fact that we don’t know just how easily the potentially stolen login credentials may or may not be to crack (though you guys are sufficiently security conscious to have not reused passwords in the first place, right?)

Fortunately, the New York-based company said that the other concern for customers – their credit card information (as well as other payment details) – is not stored in the potentially compromised database.

Unlike other companies that have been, or may have been, breached recently, Livestream spared the “we take your security seriously” spiel, opting instead to say that:

We have already implemented additional security measures and will continue to improve our systems to help prevent these incidents in the future.

While that’s all well and good, I would still urge any of the company’s customers to be on their guard. Even though passwords might be secure, and payment cards definitely are, the amount of PII that may have been swiped could still be of use and interest to a malicious individual who could use it to craft a convincing phishing email, or send a mass of spam.

And, if you have used your password all over the web, your new year resolution (actually, scrub that, do it today) should be to start using a password manager (1Password, KeePass and LastPass are all good examples) to help you create longer, stronger and more complex passwords that are, crucially, unique to every account you have under your control.

Beyond that, have a great Christmas and a happy new year or, as Brian would say, “Nollaig Shona agus Athbhliain faoi Mhaise daoibh.”

Credit card details safe but personal info swiped in JD Wetherspoon breach

Another day… another… yeah, you guessed it… breach.

This time around it’s UK pub chain JD Wetherspoon (note to self: alcohol is evil).

According to the Guardian, over half a million customers of the drinking establishment have had their personal information swiped after an old website it ran was hacked.

Though Wetherspoon says “extremely limited” credit and debit card details (unencrypted, but only the last 4 digits of the card number were stored, and nothing else) were stolen from as few as 100 pre-August 2014 customers who had ventured online to buy vouchers, some 656,723 customers’ names, dates of birth, email addresses and mobile phone numbers fell into the hands of whoever was behind the attack.

According to reports, no passwords were taken when the website was breached in mid-June.

As for why it took Wetherspoon so long to notice the hack, the answer appears to be the fact that all of the compromised information was stored on a database held by a third party. Thus the breach was not noticed until 1 December.

Fortunately the company acted quickly once it was aware of what had happened, confirming the attack on the 2nd of this month and notifying affected customers the day after that.

Speaking to the BBC, chief executive John Hutson said ‘there was no evidence that fraudulent activity had taken place using the hacked data and the database did not hold passwords,’ though he did advise all affected customers to be on their guard for phishing emails – which are often a very real threat when an attacker has secured personal information which can be used to add a certain level of authenticity to their fraudulent communications.

Hutson, who issued the obligatory apology for the breach, also advised customers to be on their guard for crafted emails asking them to open attachments (which may contain malware) too, before going on to say:

We have taken all necessary measures to make our website secure again following this attack. A forensic investigation into the breach is continuing.

Unfortunately, hacking is becoming more and more sophisticated and widespread. We are determined to respond to this by increasing our efforts and investment in security and will be doing everything possible to prevent a recurrence.

Given the nature of the data that was taken, Wetherspoon rightly confirmed that it had notified the Information Commissioner’s Office.

Whether this latest breach, which comes soon after the high profile TalkTalk hack and the Vtech debacle, signifies the beginning of a significant uptick in website hacks – and the subsequent theft of customer data – remains to be seen, but what is certain is that the currency of personal information has never been more valuable than it is now.

So, the question I have for you, is how do you value your personal information and what, if anything, are you doing to keep it as safe as possible?

Bluebox Broadband Breached – 3,000 customers see details published online

The dust hasn’t even settled on the TalkTalk breach and we are already seeing another TelCo compromised, this time in the form of Bluebox Broadband.

According to the BBC, the Northern Irish company was hacked into sometime before Thursday of last week and names, email addresses and phone numbers – but no financial details – were published on an unknown forum from which they have now apparently been removed.

The Police Service of Northern Ireland’s cyber-crime unit was promptly informed.

Scott McClelland, the firm’s managing director, said the personal data had been swiped from a server used to record online interest in Bluebox’s services, despite the fact that the company reportedly has strict data protection policies in place.

Whether that is correct or not will soon become apparent as the Information Commissioner’s Office has been made aware of the incident and is currently ‘making inquiries’.

Talking to the Beeb, McClelland, who said the firm became aware of the breach on Friday, added that:

At Bluebox we have always taken security very seriously and this incident is the first time anything like this has ever occurred in the 10 years since we began providing internet services.

While no significant customer information has been exposed, we will be working with independent experts to learn lessons and take all steps necessary to prevent anything like this happening in the future.

Bluebox says it has contacted all affected customers and apologised.

Hopefully it has also offered them some helpful advice, such as changing their passwords and ensuring they are not using the same login details for any other online accounts they may have (sadly, that does happen, and all too often).

And, while the limited amount of data that has been leaked is unlikely to pose any direct risks to Bluebox customers – it isn’t enough to commit identity theft, for instance – it may be sufficient to create targeted phishing emails, so I would advise anyone affected to be on their guard in the near future, and to think very carefully before clicking on any links that appear to be from the company.

Equally, I would also advise you to be on your guard against phone calls purporting to come from Bluebox – if you have any doubts as to the identity of the caller, do not be afraid to hang up and then call the company back on an official phone number taken from a statement (preferably using a different phone, as there are some scams in which a caller can stay on the line long after you hang up).

It is currently unknown who perpetrated this attack but, given the events surrounding TalkTalk, I would not be surprised if it was carried out by one or more younger people.


As for Bluebox, let’s hope its incident response plan is a little more… effective… than that demonstrated by TalkTalk – I don’t think Twitter could handle another Dido Harding episode!

Kids play as toy maker Vtech gets hacked

Just a few short weeks after mere children hacked TalkTalk – allegedly – it’s the kids’ turn to be hacked.

Or a firm that caters to youngsters at any rate.

In a statement released late yesterday, Chinese toy and gadget company Vtech revealed how an unauthorised visitor accessed data stored in its Learning Lodge app store database on 14 November.

The Learning Lodge is a resource centre from which customers can download apps, ebooks, learning games and other educational content to be used with their Vtech products.

Oh, and it also stores names, physical addresses, email addresses, encrypted (no mention of whether that means hashed and salted) passwords, secret questions and answers (guess the previous observation is moot then) used to reset forgotten passwords, IP addresses and download histories.

Nice segregation of data there, eh?
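Both the Livestream notice above (“encrypted” passwords, no word on salting) and the Vtech list here (“encrypted” passwords stored next to plaintext secret questions and answers) turn on the same point: how credentials are stored decides how useful a stolen database is. The example below is added here for illustration and is not code from either company; it uses Python’s standard library only. It contrasts an unsalted digest, where two users with the same password produce identical records, with a salted, iterated PBKDF2 record that can still be verified, and it applies the same treatment to secret-question answers after normalising them. The user names, passwords and the answer string are constructed sample data.

```python
import hashlib
import hmac
import os

def weak_hash(password: str) -> str:
    """Unsalted SHA-256. Identical passwords give identical digests,
    so one cracked digest unlocks every account that shares it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def store_password(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt.
    Returns a self-describing record: algorithm$iterations$salt$derived_key."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)

def _normalise_answer(answer: str) -> str:
    # Secret answers are low-entropy and typed inconsistently; normalise
    # case and whitespace so "Fido the Dog " and "fido the dog" verify alike.
    return " ".join(answer.strip().casefold().split())

def store_secret_answer(answer: str) -> str:
    """Treat a password-reset answer like a password: salted and iterated,
    never stored in the clear next to the password hashes."""
    return store_password(_normalise_answer(answer))

def verify_secret_answer(answer: str, record: str) -> bool:
    return verify_password(_normalise_answer(answer), record)

# Constructed sample: two customers who happened to pick the same password.
USERS = {"alice": "Winter2015!", "bob": "Winter2015!"}

def unsalted_collisions(users: dict) -> int:
    """Number of duplicate digests an attacker would see in an unsalted table."""
    digests = [weak_hash(p) for p in users.values()]
    return len(digests) - len(set(digests))

def salted_collisions(users: dict) -> int:
    """Same users, salted records: duplicates should not be visible."""
    records = [store_password(p) for p in users.values()]
    return len(records) - len(set(records))

if __name__ == "__main__":
    print("unsalted duplicates:", unsalted_collisions(USERS))
    print("salted duplicates:  ", salted_collisions(USERS))
    rec = store_secret_answer("Fido the Dog")
    print("answer record:", rec)
    print("verifies with different case/spacing:", verify_secret_answer(" fido THE dog", rec))
```

The salt does not need to be secret; it only has to be unique per record, so storing it inside the record is the normal approach. The iteration count is the knob that makes offline guessing expensive, and keeping it in the record means it can be raised later without breaking verification of older entries.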

There’s no word on how many customers have been affected but Motherboard suggests it could be north of 5 million parents and 200,000 children.


The only silver lining I can see right now is the fact that, according to Vtech, no credit card data has been compromised.


Motherboard says exposed child data is not that extensive – first name, gender and birthdays only – but by combining the parental data, it was quite possible to match each up with their parents, thus allowing full identification.

Even though the breach took place almost 2 weeks ago, the company was not aware of it until Motherboard approached it for comment, saying:

On November 14 [Hong Kong Time] an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database. We were not aware of this unauthorized access until you alerted us.

And that, in my opinion, is pretty damning, given the fact that Troy Hunt’s HaveIBeenPwned lists this breach as the 4th largest ever consumer data breach.

Vtech breached

Vtech, which strangely says it is “committed to protecting our customer information and their privacy” had this to say about the attack:

Upon discovering the unauthorized access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks.

Meanwhile, the alleged attacker behind the breach told Motherboard that he had no plans to release the data which he says was acquired through… SQL injection.

One of those two statements is shocking – I’ll let you decide which one is the bigger surprise!

Hopefully, the fact that two major firms have apparently been breached via an ancient attack vector will be a wake-up call to, well, everyone else – if someone can gain access to your customers’ personal information via SQL injection, something is very, very wrong with your security setup!
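To make the “something is very, very wrong” concrete, here is an added example (not code from Vtech, TalkTalk or anyone else mentioned on this page) of the kind of lookup that is open to SQL injection, next to the parameterised form that closes it. It runs against an in-memory SQLite database with two constructed customer rows; the table and column names are invented for the illustration. The vulnerable function splices the caller’s input into the SQL text, so a crafted value changes the query’s meaning and returns every row; the safe function binds the same value as a parameter and simply finds no match.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO customers (email, name) VALUES (?, ?)",
        [
            ("parent1@example.invalid", "Parent One"),
            ("parent2@example.invalid", "Parent Two"),
        ],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds the statement by string formatting. The input is parsed as
    part of the SQL grammar, so quotes in it rewrite the WHERE clause."""
    sql = f"SELECT email, name FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised statement. The driver binds the input as a value;
    whatever it contains, it can only ever be compared against the column."""
    return conn.execute(
        "SELECT email, name FROM customers WHERE email = ?", (email,)
    ).fetchall()

def compare(conn: sqlite3.Connection, value: str) -> dict:
    """Run the same input through both forms and report the row counts."""
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, value)),
        "safe_rows": len(lookup_safe(conn, value)),
    }

if __name__ == "__main__":
    db = make_db()
    # Textbook tautology input: a quote closes the literal early.
    print("crafted input :", compare(db, "' OR '1'='1"))
    print("ordinary input:", compare(db, "parent1@example.invalid"))
```

Parameterisation is the fix, not input filtering: the safe version needs no escaping logic and behaves identically for every input. The same principle applies to any ORM or driver (pass values as bound parameters, never as interpolated text), and it pairs naturally with a database account that can only read the columns the application actually needs, so that even a missed query cannot reach the whole table.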

TalkTalk hack ‘only’ affected 157,000 customers

Things at TalkTalk are bad. Real bad. But not quite as bad as first thought.

I am of course referring to the news that ‘only’ 157,000 customer records were accessed during the recent breach, not the incident management/response which was just… bad.

According to figures published by the BBC earlier today, some 156,959 customers had their personal information accessed – which is a somewhat lower figure than the 4 million or so that was suggested when news of the hack first came to light.

Not all of those customers saw their financial details exposed though – the number of bank account numbers and sort codes swiped came in at a ‘mere’ 15,656.

TalkTalk said 28,000 credit and debit card numbers stolen during the attack were essentially useless to those behind the breach as they had been “obscured” and were therefore unable to be used to initiate any type of financial transaction.

The company said anyone whose financial info had been exposed had already been contacted, and other affected customers would hear from TalkTalk in short order.

Having previously confirmed that usernames, addresses, dates of birth, email addresses and telephone numbers had been swiped, the company confirmed that around 4% of its userbase had at least some sensitive data at risk.

In addition to all the bad publicity garnered since the attack, the BBC also revealed another blow for the company, stating that TalkTalk shares had lost around a third of their value since the initial attack on 21 October.

Whether that will be a long-term concern for the leadership of the telecoms firm is debatable – I cannot find the relevant tweet right now, but Neira Jones has previously said that stock prices often bounce back quite strongly once the news of a breach starts to recede from peoples’ memories.

Whether that will be the case with TalkTalk or not remains to be seen and, in my opinion, will largely be affected by CEO Dido Harding’s performances in the coming weeks.

Meanwhile four people aged between 15 and 20 remain on police bail, having been arrested under the Computer Misuse Act.

The alleged motives of the youngsters, who of course remain innocent unless proven otherwise, are still unclear, though the Daily Mail has today had a stab at adding some flesh to one hypothesis, saying that up to 25 fun-seeking hackers had their mitts on customer data in the wake of the attack.

Citing Channel 4 News, the online paper quoted one hacker who apparently said:

It was in a Skype group call…with a lot of laughing and making fun of TalkTalk.
There was no group, it was just a few friends laughing about a company with bad security. It’s fun for us.

Responding to the program, in which one hacker claimed to have been rebuffed by an uninterested TalkTalk when explaining its security issues, a spokesman for the company gave the stock post-breach response that the company was taking the issues very seriously before adding that it was co-operating fully with police.

The spokesman then sprinkled what I would describe as a pinch of scorn on the Channel 4 report by saying “the information included in this report has not been verified and is in some respects materially inaccurate.”

Has the Government Gateway been hacked?

Earlier this morning I read an interesting Financial Times article which detailed how stolen IDs were changing hands for around $30 (£20 / 27 Euros) on the dark web.

The main direction taken by the piece was to highlight how British companies, including TalkTalk of course, were struggling to protect their digital assets and, more importantly in my opinion, the personal details of their customers.

Highlighting how 600,000 British customers had their data swiped from UK companies in 2014, Defence and Security Editor Sam Jones cited Symantec research which suggests that 358 million identities were compromised worldwide last year.

Such figures truly are scary and definitely worthy of reporting, especially in conjunction with other news today which suggests the majority of scam victims in this country never recover a penny of their losses –

One of the UK’s biggest banks has said 70% of its customers who fall victim to a scam do not get a single penny back… From January to September this year almost 5,000 of the bank’s customers fell victim to various scams – at a total cost of more than £25m… The bank says the average cost of falling for a scam has gone up by 40% since 2014, to more than £13,000.

– but within the FT article is a startling claim that I, for one, was not previously aware of: the possibility that a key government database, used by HMRC and the Department for Work and Pensions, may have been hacked.

Government Gateway

Quoting “senior government officials,” Jones said “tens of thousands” of Brits’ identities were trading on the dark web. Nothing new there of course, but he went on to say that included within that figure were “thousands of detailed profiles stolen from the government’s own computer systems, with all the information necessary to completely seize control of an individual’s digital identity.”


The Government Gateway site has been breached?

When did that happen? When was it disclosed? Was I sleeping?

I don’t recall seeing anything about this at all, and a quick bit of Googling hasn’t revealed any further information either.

Hmmm… seems like a massive scoop and breaking news story in the making, especially given the fact that Jones says the profiles hacked from the site are the “crown jewels” of ID theft (no wonder they’re apparently available for the much higher price of $75 (£59 / 81 Euros)) – which is probably not an understatement given the type of information likely to be included in such records.

So that again begs the question: why is this not the news story of today?

Has this breach even occurred, has it slipped under the radar as the security community and media at large go to town on TalkTalk’s incident response plan, or is there an error in the original FT reporting?

I’d be very interested in hearing your thoughts on this – has anyone got any information they’d care to share?

Experian, Patreon, Kmart and David Jones breached

Another week, another breach.

Or two.


Or perhaps four?

In what must surely be a busy week for information security professionals hampered by a lack of suitable candidates entering the field, we have already seen four high profile breaches.

The biggest involved the hacking of Experian’s servers and the theft of information concerning 15 million people who applied for T-Mobile contracts in the US, which saw usernames, dates of birth, home addresses, encrypted social security numbers and more fall into the wrong hands. (Observation: only T-Mobile customers were affected, which suggests Experian is segregating customer data, which is good to see.)

Then there was the Patreon hack which led to a whopping 13.7GB of personal data being dumped online. While benefactors of the site that helps online creators and charities can probably breathe easy knowing that social security numbers and tax information were well encrypted, the fact that other personal details such as names and email addresses were leaked is probably not so welcome. Even more concerning may be the news that some messages were leaked in their entirety – something that may well be a cause of concern for some members.

Likewise, customers of Kmart Australia may also be feeling concerned right now after the company told its online customers that their accounts had been compromised by an “external privacy breach” which saw names, email addresses, delivery addresses, telephone numbers and purchase info disappear into the criminal underground.

And, finally, posh Aussie retailer David Jones has also been hacked via a vulnerability in its website. The company, which has declined to put a number on how many of its customers have been affected by the breach, says the usual data has been swiped – names, addresses, email addresses, etc. – but not credit card details.


That’s a whole lot of breaches for one week.


No-one saw unencrypted payment card data swiped… as far as we know.

So all’s well that ends well then?

No, not exactly.

Even though the most sensitive of data appears to be safe, customers affected by these four breaches still need to be very much on their guard as the information that has been taken could be used against them in phishing attacks, for identity theft, or for other malicious purposes.

While most people have a sufficient level of security awareness (if you don’t, October’s National Cyber Security Awareness Month is as good a time as any to check out the free resources offered by Securing The Human) to avoid falling for the most obvious of random scams that arrive in their inboxes, targeted emails (or phone calls) that include their real names and other private data can prove infinitely more successful when it comes to duping them.

So what can someone affected by these, or other, breaches do to lessen the risks posed by having their information in the wild?

Beyond being aware of what has happened and how that information could be used against them – which is a vital first step – other good practices should include the changing of passwords if any that have been compromised have been reused elsewhere, frequent checking of bank and credit card statements and, perhaps, the signing up to a credit checking agency, though perhaps not Experian, despite its offer of two years of free credit and identity monitoring?