Data Breaches Have Minimal Effect On Consumer Attitude Towards Fraud And Privacy

According to a May 2014 survey by idRADAR, the attitudes of the general public towards privacy issues and the risks of fraud are still alarmingly poor.

A national survey of 313 consumers, taken from a broad range of ages and socio-economic groups, discovered that almost four-fifths had taken no action to protect their privacy or guard their financial accounts from fraud, despite the fact that over 260 million people have been victims of data breaches since the goings-on at Target entered the public domain.

Tom Feige, CEO of idRADAR, noted that:

“There is a national data breach epidemic, and consumers shockingly show very few signs of concern. Most are taking no measures to protect themselves.”

The poll, the first in what will be a quarterly affair set to measure consumer trends, showed that the majority of respondents do not even take the time to change their passwords following a breach. Less than 10% of the consumers interviewed make a point of changing passwords on a regular basis and a little under two-thirds admitted that they only change their login credentials when a compromised website forces them to.

Alarming stuff indeed.

The survey also found that around ninety-three percent of those surveyed would expect a breached company to offer them a free credit monitoring service after the fact (a figure that may possibly have been skewed due to the nature of idRADAR’s business). Additionally, 70% of those questioned said they intend to use debit cards in preference to credit cards, despite the additional protections offered by the latter, prompting Feige to say that:

“Clearly, consumers do not want to take responsibility for protecting themselves before or after a serious breach. They want someone else to worry about it.”

Feige also suggests that the malaise amongst consumers means that “they don’t seem to care if their personal privacy rights are threatened,” and that the majority “want to rely on the government to protect them.”

Unfortunately, as we now know, many governments arguably do not have citizens’ best interests at heart at all times. Even so, the subjects of this survey were more concerned (55%) about the threat of data breaches than about the potential invasion of their privacy posed by the NSA and other government agencies snooping on their phone calls, browsing habits and email messages.

Which is all a bit ironic really when you consider that the majority of those interviewed are doing nothing about either issue.

As I am sure you are aware, data breaches are big news these days and the indications are that they will continue.

The most recent of those breaches – at auction site eBay – highlights not only the sort of information that gets taken -

  • customer names
  • encrypted passwords
  • email addresses
  • physical addresses
  • phone numbers
  • dates of birth

- but also the challenges faced by large corporations when the proverbial hits the fan. I still know a few people who are yet to receive an email from eBay advising them of the need to change their passwords and, as this survey suggests, such communication would appear to matter not a jot to some people anyway.

The idRADAR survey does offer some insight into why such a situation exists. It comes as no surprise to learn that only 41% of the respondents had heard of the recent Heartbleed bug, which ties in with figures produced recently by the Pew Research Center showing awareness of the vulnerability to be equally lacking.

Feige concluded that:

“People are not paying enough attention to this critical problem, and their lack of knowledge on the entire subject is frankly very alarming. Obviously there is a great need for education on this issue.”

And he is absolutely right.

Those readers who work in or around information security will know the importance of security awareness within the business arena. Despite the expertise of top security professionals, such as Brian Honan himself, it is still an area with a lot of development potential in my opinion.

But should security awareness be limited to the corporate sector?

I would argue not, especially after reading surveys such as this one. It appears that many home computer users could benefit from some fairly basic advice on how to stay safe on the internet and how to react to certain scenarios.

Here in the UK we have initiatives such as Cyber Streetwise that offer some early promise, but we need more. And it is not just the individual who would benefit from universal security training either - employees who buy into security to protect their own digital assets would likely think more carefully about how to protect their employer’s data too.

UK Survey: 25 Percent of Breaches Go Undetected for More Than 24 Hours

A new survey from Tripwire, Inc., has discovered that 40% of retail and financial organisations need 2-3 days to detect a breach.

Last Tuesday I met up with detective novel-inspired Dwayne Melancon and other key Tripwire personnel as part of the Eskenzi press lunch that was being held in conjunction with InfoSecurity Europe 2014. The topic of discussion was data breaches, including within the retail sector, the area in which I work when I’m not at my keyboard. That, combined with the recent high profile breaches at the likes of Target and Neiman Marcus, made sure that my curiosity and interest were piqued in equal measure.

As I am sure many of you know, a recent report from the Ponemon Institute has revealed that the costs associated with a breach have risen significantly over the last year, with the average total cost rising 15% to $3.5 million. Furthermore, each individual record containing sensitive and confidential information that is lost or stolen now costs business $145, a year-on-year rise of 9%. Significantly, the Ponemon Institute also found that the probability of a company having a data breach involving 10,000 or more confidential records is 22 percent over a two-year period.

So, given the above, can we expect organisations to be considering the risk of suffering a data breach far more seriously than ever before?

Apparently not, according to Tripwire’s findings.

A survey conducted by Atomic Research, encompassing 102 financial organisations and 151 retail organisations in the U.K., all of which process card payments, indicates that recent data breaches have actually had little impact on the security controls employed by those businesses.

Additionally, 35% of those polled said it would take as long as two to three days to detect a breach on their systems whilst 44 percent admitted that their customer data could be better protected.

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard that outlines minimum security requirements for organisations that handle cardholder information. When the surveyed organisations were asked how important PCI compliance is to their overall security program, 43 percent said it was the backbone of their security program, and 36 percent said it was half of their security program.

PCI compliance is not, of course, a silver bullet and, in my opinion, should only be seen as one part of a much broader security program. Even so, it is still interesting to learn that only 11.1% of businesses were fully compliant in 2013 and, as Neira Jones recently told me:

“It has been evidenced in the Verizon PCI Compliance Report 2014 that ‘organisations that are breached tend to be less compliant with PCI-DSS than the average of organisations in our research’”.

In response to the survey findings, Tripwire’s Tim Erlin, director of IT security and risk strategy, said:

“It is shocking to see the high level of confidence exhibited by respondents in the wake of the recent series of high-profile cardholder data breaches. Sixty percent of respondents said they are confident that their security controls are able to prevent the loss of data files, but this confidence flies in the face of recent evidence to the contrary.”

Other notable findings from the Atomic Research survey include:

  • 24 percent of the organisations polled have already suffered a data breach in which Personally Identifiable Information (PII) was either stolen or accessed by intruders.
  • 36 percent of respondents do not have confidence in their incident response plan.
  • 51 percent of respondents are only somewhat confident that their security controls can detect malicious applications.
  • 40 percent of respondents said they do not believe that recent high profile cardholder breaches have changed the level of attention executives give to security.

Melancon, chief technology officer for Tripwire said:

“It is great that recent breaches have increased cybersecurity awareness and internal dialogue. However, the improved internal communication may be biased by a false sense of security. For example, 95 percent of respondents said they would be able to detect a breach on critical systems within a week. In reality, nearly all of the recent publicly disclosed breaches have gone on for months without detection.”

Melancon added that:

“Furthermore, only 60 percent of respondents believe their systems have been hardened enough to prevent the kind of data loss similar to that seen in recent high profile breaches. These attitudes seem to indicate a high degree of overconfidence or naivete among information security practitioners. I believe a number of these organisations may be in for a rude awakening if their systems are targeted by criminals.”

I’ve said in the past that UK business needs to pay attention to what happened at Target, Neiman Marcus, et al., but there still appears to be much more that could be done to mitigate the data breach risk in this country, including improved controls, better communication, improved security awareness training and, perhaps, more openness and better incident response from those companies that have been breached.

Trustmark Pulls out Of Class-Action Suit Against Target And Trustwave

Last week I wrote about how two banks - Trustmark National Bank of New York and Green Bank of Houston – had come together to file a class action lawsuit against Target Corporation in the wake of a data breach at the US retailer which saw 40 million credit card details, and 70 million other personal details, stolen.

Now, however, one of the two banks suing both Target and security vendor Trustwave has pulled out.

Trustmark National Bank filed a notice of dismissal of its claims on Friday. No detail is given as to why the bank has now ceased its action with the notice saying little more than:

“Pursuant to Federal Rule of Civil Procedure 41(a)(1)(A)(i), Trustmark hereby voluntarily dismisses its claims without prejudice to re-filing.”

However, a letter from Trustwave to its customers suggests that the real reason Trustmark ceased its legal action may be that Trustwave was misnamed in the suit.

After initially declining to identify its customers, or comment on outstanding litigation, Robert J. McCullen, Chairman, CEO and President of Trustwave Holdings, Inc., wrote:

“Dear Customers and Business Partners,

As some of you may know, Trustwave was recently named as a defendant in lawsuits relating to the data security breach that affected Target stores in late 2013.

In response to these legal filings, Trustwave would like to reassure our customers and business partners that these claims against Trustwave are without merit, and that we look forward to vigorously defending ourselves in court against these baseless allegations.

Contrary to the misstated allegations in the plaintiffs’ complaints, Target did not outsource its data security or IT obligations to Trustwave. Trustwave did not monitor Target’s network, nor did Trustwave process cardholder data for Target.”

Even if Green Bank of Houston should dismiss its claims, and there is no indication at this time that it will, the implications of the case still remain highly pertinent.

The banks’ original claim alleged that Trustwave had failed to ensure that Target’s systems were in line with industry standards, having informed the retailer that there were no vulnerabilities on its network shortly before the breach occurred.

Should such a claim be brought before a court in the future, and the judge and/or jury find in favour of the plaintiffs, then the consequences will be far-reaching, with breach victims and their security partners both being at risk of litigation and the subsequent costs associated with the losses incurred by affected financial institutions.

And of course let’s not forget the other impacts of a data breach, which are numerous, including loss of revenue through a variety of avenues as well as potential damage to the trust in, and reputation of, the affected company or companies.

Perhaps the breach at Target, as well as the other high profile breaches of the last year, will be sufficient to encourage businesses of all sizes to assess their security standing and ensure the risks are well managed and as small as possible.

We can but hope…

Banks Sue Target And Trustwave As Data Breach Fallout Continues

Banks impacted by the data breach of Target last year have come together to file a class-action lawsuit against the US retailer. A court filing also names security firm Trustwave as a co-defendant, saying that the firm “failed to live up to its promises or to meet industry standards.”

The breach, which resulted in the theft of at least 40 million customers’ credit card details, as well as 70 million other personal records, arose after an attack at HVAC contractor Fazio Mechanical Services Inc provided a bridge into Target’s own systems.

The plaintiffs in the case – Trustmark National Bank of New York and Green Bank of Houston – claim that the retailer and security company failed to prevent the theft of data.

The lawsuit, which is not the first filed against Target, shows the mounting pressures and potential costs now associated with breaches, which are themselves on the rise.

For their part, the banks are concerned with the costs that they have borne in this case – it is estimated that the cost of issuing new cards to customers that have potentially been affected stands at around $172 million. The plaintiffs also cite future costs, including absorption of fraudulent charges made on stolen cards, lost profits, missed business opportunities and damage to the business as a whole, the total of which could possibly rise to as much as $1 billion.

Trustmark and Green Bank have included Trustwave in their lawsuit because they believe that vulnerabilities in Target’s systems remained “either undetected or ignored” in various audits up to September of last year.

Furthermore, the banks claim that the retailer stored “credit and debit card data on its servers for six full days before hackers transmitted the data to a separate webserver outside of Target’s network.” The lawsuit also claims that the breach remained undetected for a period of three weeks, even though Trustwave “provided round-the-clock monitoring services to Target.”

Additional claims levelled against Target include the suggestion that the firm was not in compliance with PCI DSS at the time of the breach, despite the fact that Trustwave claims to provide guidance to millions of businesses on reaching the standard. Also, the filing claims that POS terminals in-store were not protected by any form of antivirus software. Trustmark National Bank and Green Bank also say that the retailer should not have allowed a third-party contractor to have access to its network.

Lawsuit aside, the effects on Target don’t make pretty reading either. The company recently announced a fourth quarter fall in profits of 46%. The direct costs of the breach to the company already stand at $61 million with only $44 million of that being covered by cyber insurance. Further significant losses are also to be expected as further costs from fraud become quantifiable and attributed to the business.

All in all then I think it is quite obvious that a data breach is bad news for any business on many different levels, ranging from the obvious financial aspects to potential legal action and, even more importantly, possible damage to reputation.

Whilst it’s obvious that not every business will be attacked in this way, UK businesses do still have cause for concern.

So have you done everything you can to minimise the chances of your business being breached? Have you trained your staff to look for evidence of attack and to respond accordingly? Is your company looking at its risk management framework and the various standards such as PCI-DSS and ISO 27001? Has your organisation been proactive in preparing an incident response plan should the worst happen?

Target Data Breach Could Have Been Averted If Alerts Had Been Acted Upon

The data breach at Target in November could have been averted, or at least mitigated, if the alerts produced by the retailer’s $1.6m security system hadn’t been initially dismissed.

The breach, the sixth largest in history, saw the loss of 40 million payment card details in addition to 70 million other personal records which has prompted many to question whether companies are doing enough to safeguard important data.

Speaking about the organisation’s security team yesterday, Target spokeswoman Molly Snyder said that the company logs a huge number of events each week and that,

“a small amount of activity was logged and surfaced to our team. That activity was evaluated and acted upon. Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up. With the benefit of hindsight, we are investigating whether, if different judgments had been made the outcome may have been different.”

According to a Bloomberg BusinessWeek report, Target was using a newly installed network monitoring tool at the time of the attack. The $1.6m system, provided by FireEye, alerted staff to malware on the network on two separate occasions before the stolen card data was moved out of Target’s network. Those alerts were picked up by security personnel in Bangalore, India, who forwarded them to the retailer’s headquarters in Minneapolis, but no further action was then taken.

Had the alerts received the attention we now know they merited, Target would likely have had several options for dealing with the threat, which could have prevented the breach altogether or at least mitigated its impact.

Also, the FireEye system could have been used to neuter the attack automatically, but this did not happen because that capability was not operational at the time: the installation was new and had yet to be fully tested.

So it looks like Target probably had the technological capabilities to detect and prevent (or at least minimise) the data breach. The reasons why they didn’t aren’t technical in nature though and show why the human element remains key within any organisation.

The Target breach should, hopefully, serve as a wake up call to other retailers in the US to ensure that their defences are robust and, more importantly, that their staff are well trained and security aware enough to recognise signs of intrusion, deal with alerts and actually use the technology at their disposal to deal with any threat.

And, if anyone thinks this is a US-only problem, think again.

As Neira Jones said earlier this week (see her excellent post here):

“Will a retailer data breach happen in the UK/ Europe? Yes, absolutely: e-commerce sites are still a relatively easy target for criminals, but we probably won’t get to hear about it much as disclosure laws are somewhat different over here (that is until the EU data protection regulations come into force…).”

And, just to drive the point home, here is an excerpt from a Facebook posting made by UK retailer Morrisons this very morning:

“We are extremely sorry to inform you that there has been a theft of colleagues’ personal information, which was uploaded onto a website… The information included names, addresses and bank account details of colleagues. This affects colleagues from all levels of the organisation.”

Have you assessed your organisation’s security recently and do you have a pre-planned response should your business become the next victim of a data breach?

New Breach? 360 Million Credentials For Sale On The Black Market

Information security firm Hold Security says it has uncovered credentials from 360 million compromised accounts for sale on the web’s equivalent of the black market.

The US firm, whilst admitting that it does not know where the data originated from or what it can be used to access, said that the treasure trove of information could still pose serious risks to companies and users alike. This, it said, was because the pilfered credentials could include usernames and passwords which, as we all know, tend to get re-used again and again across a user’s whole portfolio of accounts, including their online banking setups.

Analysts at Hold Security uncovered the mass of credentials, believed to have been stolen recently, over the last few weeks whilst studying underground forums where stolen data was being traded. The firm, which was responsible for identifying last year’s massive Adobe breach, also uncovered a staggering 1.25 billion email addresses for sale, presumably to spammers desperate to tempt us with even more pills and potions.

Alex Holden, chief information security officer at Hold Security, told Reuters that 105 million of the records came from one source which could signify a new, massive breach, unless it is secondhand data from an already known attack, such as the one seen recently at Target Corp.

Holden’s own belief is that the cache does indeed come from breaches that are not already in the public domain which raises questions about whether the targets are either, (a) unaware that their systems have been compromised in the first place or, (b) deliberately keeping quiet about an attack.

The security firm, which gathered the data as part of its Deep Web Monitoring services, says that it will communicate with the companies involved, subject to being able to identify them.

What is known is the type of data available for sale with the compromised accounts offering up goodies such as usernames, email addresses and, it seems, unencrypted passwords too. Eeek!

The reason why so much account data is available across the darkest parts of the web seems obvious – data breaches are very much on the rise, with Risk Based Security (RBS) reporting that 2013 was a record year with over 800 million records stolen (more than double the previous record high).

Combining that trend with the average cost of a data breach, estimated to be £2.04m in 2013, according to a Symantec and Ponemon Institute report, and you begin to see why companies need to take the risk of being breached extremely seriously.

Fortunately, the Symantec report also highlighted how firms in the UK and US were able to realise the greatest reduction to the impact of a breach – costs were minimised by having a strong security posture, an effective CISO and an incident response plan.

Other factors that could help mitigate a breach, or reduce the chances of one occurring in the first place, include segregating payment card data from other internal networks (it looks possible that one recent breach victim may not have done this, despite the PCI DSS requirements), improving staff awareness (human error is often a key factor) and ensuring your systems are kept secure on an ongoing basis.

Barclays Breached, Account Details Of 27,000 Customers Sold To Brokers

Barclays bank has launched an investigation following a data breach which saw 27,000 customers’ details stolen and sold.

The Mail on Sunday said it had been handed a memory stick by an anonymous ex-City worker. The USB drive contained files on 2,000 of the bank’s customers. The whistleblower indicated that records for a further 25,000 customers were also available and that they had, at one point, commanded a price of £50 per file.

The files in question run to about 20 pages in length for each customer and provide an immense amount of detail including, but certainly not limited to, the following:

  • names
  • dates of birth
  • national insurance numbers
  • addresses and phone numbers
  • health statuses
  • and a large array of financial information, including salary, investments and attitude to risk

The Mail’s source, a former commodity broker, said,

“This is the worst [leak] I’ve come across by far. But this illegal trade is going on all the time in the City. I want to go public to stop it getting bigger.”

The whistleblower, who claims he previously worked for a firm that tried to get people to invest in ‘dodgy schemes’, said that he became aware of the existence of the Barclays files in September of last year after the boss of one of the brokerage firms he was working for asked him to sell the leads to other brokerages for £8 per file. The price was so low, he said, because all of the data had already been used and so was considered ‘secondary data’.

The firm in question had made use of the data from at least as early as December 2012, and the BBC reports that some files date back as far as 2008 – this particular breach has obviously been going on for quite some time.

It is not known at this time just how the data was stolen but, to my mind, it sounds likely to be an inside job. In any event, a data breach of this magnitude will have done little to improve public sentiment at a time when British banks are coming under more and more scrutiny, not to mention rising displeasure, from a populace still greatly affected by the banking crisis and the resulting on-going recession.

The Information Commissioner’s Office is set to work with the bank, police and the Mail on Sunday in order to obtain more details. If a case is made against Barclays then it could face a fine of up to £500,000 for losing personal data (which seems wholly inadequate to me). The Financial Conduct Authority, however, can levy unlimited fines.

A Barclays spokeswoman said,

“We are grateful to the Mail on Sunday for bringing this to our attention and we contacted the Information Commissioner and other regulators on Friday as soon as we were made aware.

Our initial investigations suggest this is isolated to customers linked to our Barclays Financial Planning business which we ceased operating as a service in 2011.

We will take all necessary steps to contact and advise those customers as soon as possible so that they can also ensure the safety of their personal data.

Protecting our customers’ data is a top priority and we take this issue extremely seriously. This appears to be criminal action and we will co-operate with the authorities on pursuing the perpetrator.

We would like to reassure all of our customers that we have taken every practical measure to ensure that personal and financial details remain as safe and secure as possible.”

Quis custodiet ipsos custodes? – Security Breach at Garda Ombudsman Commission Offices

The Latin phrase “Quis custodiet ipsos custodes?” is often translated as “Who watches the watchmen?” and is used to challenge calls for blanket surveillance by governments. The idea behind it is that we need some level of accountability from those to whom we give the powers of arrest and surveillance. This morning the Sunday Times broke the news that the offices of the complaints watchdog for An Garda Siochana, the Garda Siochana Ombudsman Commission, were under high-tech surveillance. A security company employed by the GSOC to conduct a regular security check of its offices discovered that:

  • In one of the conference rooms a phone had been bugged to enable eavesdropping of conversations in the room and also conversations using that phone.
  • The WiFi network within the GSOC was also compromised allowing the attackers to monitor and intercept any sensitive data sent over that network. The Irish Independent says the attackers were able to monitor any emails sent over that wireless network.
  • A second WiFi network was also discovered which allowed the attackers to access material sent and accessed by staff in the GSOC.
  • A device used to store material by the GSOC was also compromised.

This news raises grave concerns over who could be behind such an attack and more importantly what their motives were. In particular, as the Irish Independent reports the technology used is “commercially available or sold to non-government agencies”. Of course this does not necessarily mean the same technology is not available to “non-government agencies” through other means. According to the same article, the Minister for Justice and Defence Mr. Alan Shatter, has demanded a full report on the issue.

Regardless of who is behind the attack, or how it was conducted, we should all take lessons from these reports, in particular with regard to the security of wireless networks. Wireless networks provide great convenience for staff who use portable devices and need to access company resources. However, if not secured properly they can lead to major compromises. The TJX breach disclosed in 2007, which exposed at least 45 million payment card details, was traced back to poorly secured (WEP) wireless networks at its stores.

We do not have the details of the breach at the GSOC so we do not know how sophisticated the security of the wireless network was. However, if you are using a wireless network it may be an opportune time to review the security surrounding it. We always recommend to clients to:

  • Use the strongest security available. Do not use WEP, the weakest of the wireless security protocols; use WPA2, preferably WPA2-Enterprise with 802.1X authentication so that each user has individual credentials rather than a shared key.
  • Do not trust your wireless network. Terminate it outside your local area network and connect it to the LAN via a firewall.
  • Allow connections to your LAN through the firewall only over a VPN (Virtual Private Network). In effect, treat your wireless users the same way you would treat users accessing your LAN remotely over the Internet.
  • Limit access to the wireless network based on known IP or MAC addresses, bearing in mind that both are trivially spoofed by anyone who can observe the traffic, so this is a speed bump for casual intruders rather than a control to rely on.
  • Implement some form of two-factor authentication. This could be client-side digital certificates installed on users’ devices (EAP-TLS), or other two-factor solutions such as tokens.
  • Regularly review the logs on your wireless devices and network firewall for suspicious or unusual traffic.

It is also interesting to note that a second wireless device was found on the GSOC network which allowed the attackers remote access to the GSOC systems. How confident are you that there are no unauthorised WiFi routers on your network allowing access to your systems? You should regularly review your network ports to determine what devices are active on your network and which of those are not authorised devices. This can be a physical review or the use of network scanning tools to inventory the systems on your network, compared against your asset register. You could also use a tool like Kismet to identify what wireless networks are in range of your physical locations and ensure they are all legitimate.
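As an added example (not code from the original post or from any product it mentions), the following Python script performs the review described above: it parses `arp -a` output in both the Linux/BSD and Windows layouts, parses a simplified wireless scan export, and compares both against an authorised inventory. Wired devices not in the inventory are flagged, with an extra warning when their OUI belongs to a consumer Wi-Fi vendor; access points in range that we do not operate are flagged as high severity when they broadcast one of our SSIDs (an evil twin) or when a MAC address within one of their BSSID is seen on the wired LAN, which suggests the box is plugged into our network rather than a neighbour’s. The asset names, the “Office-Corp” SSID, the OUI-to-vendor table, the scan export format and the sample tool output are all constructed for illustration; a real deployment would load the IEEE OUI registry and parse whatever format your scanner (Kismet, for instance) actually writes.

```python
"""Rogue-device and rogue-access-point review against an authorised inventory.
Added example for this post; not code from the original article or any product
it mentions. Inventory, OUI table, SSID names and sample output are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed inventory: normalised MAC (lowercase, colon-separated) -> asset name.
AUTHORISED_DEVICES: Dict[str, str] = {"00:1a:2b:3c:4d:5e": "core-switch-01",
                                      "00:1a:2b:3c:4d:5f": "print-srv-01",
                                      "f4:f2:6d:11:22:33": "ap-meeting-room-1"}
# BSSIDs of the access points we operate, and the SSIDs only they may broadcast.
AUTHORISED_BSSIDS = {"f4:f2:6d:11:22:33"}
CORPORATE_SSIDS = {"Office-Corp"}  # hypothetical SSID
# Illustrative OUI (first three octets) -> vendor table, constructed for the
# example. A real check would load the IEEE OUI registry instead.
OUI_VENDORS = {"00:1a:2b": "EnterpriseSwitchCo", "b8:27:eb": "Raspberry Pi",
               "c0:4a:00": "HomeRouterCo", "f4:f2:6d": "HomeRouterCo"}
CONSUMER_WIFI_VENDORS = {"HomeRouterCo"}  # unknown wired device from these: go and look
# Matches 00:1a:2b:3c:4d:5e, 00-1A-2B-3C-4D-5E and BSD/Linux arp's 0:1a:2b:3c:4d:5e.
MAC_RE = re.compile(r"(?<![0-9a-fA-F:-])((?:[0-9a-fA-F]{1,2}[:-]){5}[0-9a-fA-F]{1,2})(?![0-9a-fA-F:-])")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def normalise_mac(raw: str) -> str:
    """Lowercase, zero-pad each octet and join with ':' so the same address
    compares equal whichever tool printed it."""
    octets = re.split(r"[:-]", raw.strip())
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(o.lower().zfill(2) for o in octets)

def mac_to_int(mac: str) -> int:
    return int(normalise_mac(mac).replace(":", ""), 16)

def vendor_of(mac: str) -> str:
    return OUI_VENDORS.get(normalise_mac(mac)[:8], "unknown")

def parse_arp(text: str) -> List[Tuple[str, str]]:
    """(ip, mac) pairs from `arp -a` output in Linux/BSD or Windows layout;
    header and incomplete lines (no MAC) are skipped."""
    entries = []
    for line in text.splitlines():
        mac, ip = MAC_RE.search(line), IP_RE.search(line)
        if mac and ip:
            entries.append((ip.group(1), normalise_mac(mac.group(1))))
    return entries

def parse_scan(text: str) -> List[Tuple[str, str]]:
    """(bssid, ssid) pairs from a simplified 'BSSID SSID ...' export. The format
    is assumed for this example; adapt it to what your scanner writes."""
    results = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and MAC_RE.fullmatch(parts[0]):
            results.append((normalise_mac(parts[0]), parts[1]))
    return results

def find_rogue_hosts(arp_entries: List[Tuple[str, str]]) -> List[dict]:
    """Wired devices missing from the inventory. A consumer Wi-Fi OUI is an extra
    hint that someone plugged in their own access point. MAC addresses are
    trivially spoofed, so an inventory match means 'known', not 'trusted'."""
    findings = []
    for ip, mac in arp_entries:
        if mac in AUTHORISED_DEVICES:
            continue
        vendor = vendor_of(mac)
        reasons = ["not in authorised inventory"]
        if vendor in CONSUMER_WIFI_VENDORS:
            reasons.append(f"OUI belongs to consumer Wi-Fi vendor {vendor}")
        findings.append({"ip": ip, "mac": mac, "vendor": vendor, "reasons": reasons})
    return findings

def find_rogue_aps(scan: List[Tuple[str, str]], arp_entries: List[Tuple[str, str]]) -> List[dict]:
    """Access points in range that we do not operate. 'high' when an unknown BSSID
    broadcasts one of our SSIDs (evil twin), or when a MAC within one of the BSSID
    is on the wired LAN (consumer APs number their wired and wireless interfaces
    consecutively), which suggests it is plugged into our network."""
    wired = {mac_to_int(mac) for _, mac in arp_entries}
    findings = []
    for bssid, ssid in scan:
        if bssid in AUTHORISED_BSSIDS:
            continue
        reasons, severity = [], "info"
        if ssid in CORPORATE_SSIDS:
            reasons.append(f"broadcasts corporate SSID {ssid!r} from unauthorised BSSID")
            severity = "high"
        if any(abs(mac_to_int(bssid) - w) <= 1 for w in wired):
            reasons.append("adjacent MAC seen on wired LAN: likely connected to our network")
            severity = "high"
        if not reasons:
            reasons.append("unknown BSSID in range (probably a neighbour; verify)")
        findings.append({"bssid": bssid, "ssid": ssid, "severity": severity, "reasons": reasons})
    return findings

# Constructed sample output: four Linux-style arp lines and one Windows-style line.
ARP_SAMPLE = """\
? (10.0.5.1) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (10.0.5.20) at 0:1a:2b:3c:4d:5f [ether] on eth0
? (10.0.5.77) at b8:27:eb:aa:bb:cc [ether] on eth0
? (10.0.5.90) at c0:4a:00:de:ad:00 [ether] on eth0
  10.0.5.99            f4-f2-6d-11-22-33     dynamic
"""
# Constructed sample scan: our AP, an evil twin on a consumer box, two strangers.
SCAN_SAMPLE = """\
f4:f2:6d:11:22:33  Office-Corp  ch6
c0:4a:00:de:ad:01  Office-Corp  ch11
02:11:22:33:44:55  Setup-AP     ch1
aa:bb:cc:dd:ee:ff  Cafe-Guest   ch1
"""

if __name__ == "__main__":
    arp = parse_arp(ARP_SAMPLE)
    for f in find_rogue_hosts(arp):
        print(f"WIRED {f['ip']:<12} {f['mac']}  {f['vendor']:<18} {'; '.join(f['reasons'])}")
    for f in find_rogue_aps(parse_scan(SCAN_SAMPLE), arp):
        print(f"WIFI  {f['severity']:<5} {f['bssid']}  {f['ssid']:<12} {'; '.join(f['reasons'])}")
```

Run against the constructed samples, the wired check flags the Raspberry Pi and the consumer router (the latter with two reasons), while the scan check rates the router’s BSSID as high severity on both counts and lists the two strangers as informational. The normalisation step matters more than it looks: without it, the BSD-style `0:1a:...` entry would have been reported as an unknown device, which is exactly the sort of noise that leads people to stop reading their own reports.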

Hopefully a lot more details about this issue will emerge over the coming days, not just technical details from which we can learn lessons, but more importantly who is behind this attack and why. Remember the GSOC is an independent body to “provide and promote an efficient, fair and independent oversight of policing in Ireland.” If the GSOC’s independence and ability to conduct this vital role is being undermined by others then there are serious implications for our democracy.

Another Day, Another Breach – Bell Canada Data Leaked

I’ve wondered for a while now whether the number of data breaches is growing at an exponential rate or whether they are simply reported far more often, through media that allow the news to travel much farther and faster.

In either case, the fact is that any business of note has to believe that it could happen to them, just as it happened to Bell Canada over the weekend.

Over 20,000 customers of the telecommunications giant, many of whom are small business owners themselves, fell victim to the latest attack which saw their usernames and passwords displayed for all to see on the internet.

Bell, claiming the breached servers were not theirs, released a statement saying,

“Bell today announced that 22,421 user names and passwords and 5 valid credit card numbers of Bell small-business customers were posted on the Internet this weekend. The posting results from illegal hacking of an Ottawa-based third-party supplier’s information technology system.

In line with our strict privacy and security policies, Bell is contacting affected small business customers, has disabled all affected passwords, and has informed appropriate credit card companies. We continue to work with the supplier as well as law enforcement and government security officials to investigate the matter.

Bell’s own network and IT systems were not impacted. The issue does not affect Bell residential, mobility or enterprise business customers.”

This latest breach was carried out by a group identifying itself as NullCrew, which is yet to disclose any kind of motive for the attack, but it did subsequently release a public dump of the data on Saturday.

The site hosting that data has now been taken offline but you can bet your bottom dollar that several interested parties of both the white and black hatted variety would have nabbed a copy for themselves whilst it was still available.

In the meantime there is still some debate about whose servers were hacked with Bell adamant that it wasn’t theirs. NullCrew, on the other hand, still claim that it was indeed Bell servers that they got into.

Whatever the case may be, the breach, described by Bell as an “illegal hacking” incident, comes hot on the heels of a breach at Yahoo last week and other high-profile attacks such as the one on US retailer Target which may have seen data for as many as 110 million customers stolen.

So what can you do to minimise the risks of being the next victim of a data breach?

A few ideas would be:

  • always storing your customer data in an encrypted database
  • ensuring you employ a strong information security management system
  • running security software on all of your servers and workstations
  • periodically running security assessments on your information systems
  • preparing a co-ordinated response ahead of time to be delivered should a breach actually occur – bad PR is something I see too often after an attack, something that often exacerbates the situation and leaves a poor taste in the mouths of customers
  • ensuring all staff have at least some security awareness, irrespective of their role within the organisation, in order to minimise the risks posed by silly mistakes or the threat of social engineering being used to gain access to the system in the first place.

Do you have any other ideas for minimising the risks of a data breach or dealing with one that has already occurred?

ICO Proposes New Approach To Dealing With Data Protection Complaints

A new draft complaint handling procedure from the Information Commissioner’s Office (ICO) says that the watchdog plans to change the way in which it deals with complaints.

Citing an increase in awareness of information rights amongst the populace of the UK, the organisation said it needs to review its approach as demand for its services looks set to rise. The ICO said it is committed to dealing with complaints under the Data Protection Act (DPA) in as effective and efficient a manner as possible. Limited resources mean that the body needs to discharge its duties in a manner that offers value for money.

In setting out its proposals the watchdog said that it had dealt with 40,000 enquiries last year in addition to some 214,000 phone calls, though it felt it likely that the legislation had been contravened in only 35% of those cases.

The ICO said that many complaints it receives are from parties who have not raised their concerns with the organisation in the first place or who are merely looking to access information. It said that it is currently becoming involved in disputes between organisations and individuals in which data protection issues are peripheral to the actual complaint.

“We want to become more effective and efficient at using concerns raised with us to improve the wider information rights practice of organisations and to tackle systemic problems. Too often we are drawn into adjudicating on individual disputes between organisations and their customers or clients, particularly where the legislation we oversee may only be a peripheral part of the matter being disputed.”

The new approach does not, of course, mean that the ICO will stand back completely. It said,

“We want to focus on those who get things wrong repeatedly, and take action against those who commit serious contraventions of the legislation,” adding that, “This will avoid unnecessary concerns being raised with us and make it much easier for us to identify opportunities to improve information rights practice.”

The ICO now proposes that it should only become involved after customers have first engaged with the company and attempted to resolve the issue themselves:

“When we receive a concern from a member of the public, complete with the organisation’s response to it, we will retain a record of the concern and decide if we think there is an opportunity for information rights practice to be improved. That may be in the individual case or it may be to address a more systemic concern.”

The ICO’s response will then be tailored to each individual case, depending upon whether it sees “an opportunity to improve information rights practice.”

“If we think an organisation needs to improve its practices we will contact them to explain why we think that is the case. Where appropriate we may ask an organisation to commit to an action plan or undertaking, to be published on our website, explaining the work they are doing to improve their practices.”

The watchdog said it will continue to pursue enforcement action where it is appropriate to do so and will report regularly on the type of action it has taken and any improvements to information rights practice that have been highlighted. It said that its new targeted approach to complaints will, “give us more capacity to take this kind of regulatory action when it is warranted.”

The Information Commissioner’s Office welcomes responses to its proposals which must be submitted by 31 January 2014. If the changes go ahead as planned then this new approach to complaint handling will be effective from 1 April 2014.