5th Annual Data Protection Conference

The 5th Annual Data Protection conference will be held on the 21st February 2013 in Dublin’s Ballsbridge Hotel. I will be one of the speakers at the conference.

This is the largest Data Protection Conference in Ireland and is the top go-to event for the DP community. The conference will have a number of informative presentations delivered by leading industry experts such as the Irish Data Protection Commissioner Billy Hawkes and Simon Milner, Director of Policy (UK & Ireland) FaceBook.

Having spoken at a number of the previous Data Protection Conferences I can attest that it is an excellent opportunity for those responsible for Data Protection to hear some excellent speakers and to network with their peers.

I hope to see some of you there.

Databreach at O2 Ireland

Today the mobile network operator O2 announced that it suffered a security breach. The breach occurred in the summer of 2011 when O2’s IT provider IBM lost a backup tape. O2 was made aware of the loss this summer and in their press release say they have been working with the Data Protection Commissioner’s office since. The press release from O2 states that the tape “had been misplaced” and that “While the tape remains unaccounted for it is possible that the tape has simply been misplaced within an otherwise secure location in O2.”

The release goes on to highlight that the tape itself was used mostly for backing up internal data belonging to O2 and that “it is possible that it could contain some personal data, it is more likely that it simply contained information about O2’s normal business affairs and company information”.

After reading the release there are a number of issues that it raises in my mind; in no particular order they are:

  • Why does O2 not know what was on the tape? Most backup systems have a logfile or record of what data was backed up. It seems strange to me that there is no record as to what data was, and was not, backed up onto the tape.
  • Why was the tape not encrypted? Copying data onto a tape means that at some stage that data can be read back from the tape, so anyone with the same type of tape drive and software can restore it. If that data is not encrypted then anyone with that equipment can restore and read the data. If the data is encrypted then even restoring it from tape leaves it inaccessible to those without the proper access.
  • Why did it take IBM so long, nearly a year, to notify O2 about the loss of the tape?
  • Why did O2 take so long to notify customers of the potential data loss? Their press release states they were aware of the loss in July of this year, yet it took 5 months to notify customers. Under the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (SI 336 of 2011) specific obligations are placed on providers of publicly available electronic communications networks or services to safeguard the security of their services. O2 as a telecommunications provider would come under these regulations. In particular, under the above regulations, in the “case of a personal data security breach affecting even one individual, providers of publicly available electronic communications networks or services must without undue delay:
    • notify the Office of the Data Protection Commissioner of the breach (even in circumstances where it considers the data would be unintelligible to third parties) including a description of the measures to be taken to address the breach; and
    • notify any individual that may be adversely affected by the breach.”

Within the press release O2 minimises the breach by saying “it is possible that it could contain some personal data, it is more likely that it simply contained information about O2’s normal business affairs and company information.” So while the risk to customer data may be low, it should be noted that information about its “normal business affairs” could also be highly sensitive.

As I have said before, one of the important things in incident response is to learn from the incident. This applies not just to incidents in your own environment but also to incidents in other organisations. The key lessons I see from this incident are:

  • Make sure you catalogue what data you back up.
  • Store those catalogues securely so you can reference them at a later date.
  • Have an inventory of your backup media and regularly check that inventory to make sure items are not missing or “misplaced”.
  • Encrypt your backups. This should apply to all data you back up and not just data that falls under the Data Protection Act.
  • Regularly restore your data to ensure your backups are working as designed and that you can access the data.
  • Securely dispose of old backup media when no longer required.
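The catalogue, encryption and restore-test lessons above can be shown in a few dozen lines. The following is an added example written for this post; it is not code from O2, IBM or any backup product. It assumes a JSON map as a stand-in for a real archive format, AES-256-GCM as the encryption (chosen here because it also authenticates the image, so a damaged or altered tape fails to open rather than restoring garbage), a key that lives in a key manager rather than on the tape, and constructed sample files.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// CatalogueEntry records what went onto the tape: path, SHA-256 of the
// contents and size. The catalogue is kept apart from the tape itself.
type CatalogueEntry struct {
	Path, SHA256 string
	Size         int
}

// PrepareBackup builds the sorted catalogue and the plaintext backup image
// (a JSON map here, standing in for a real archive format).
func PrepareBackup(files map[string][]byte) ([]CatalogueEntry, []byte, error) {
	var cat []CatalogueEntry
	for path, data := range files {
		sum := sha256.Sum256(data)
		cat = append(cat, CatalogueEntry{path, hex.EncodeToString(sum[:]), len(data)})
	}
	sort.Slice(cat, func(i, j int) bool { return cat[i].Path < cat[j].Path })
	image, err := json.Marshal(files)
	return cat, image, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup seals the image before it reaches the tape; the random nonce
// is prepended so the restore side can find it.
func EncryptBackup(key, image []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, image, nil), nil
}

// DecryptBackup reverses EncryptBackup. Without the key the tape is noise to
// whoever finds it, whatever drive and software they own.
func DecryptBackup(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("tape image too short (%d bytes)", len(sealed))
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// VerifyRestore is the "regularly restore" lesson: open the image and check
// every catalogued file. It returns the paths missing or with a changed hash.
func VerifyRestore(key, sealed []byte, cat []CatalogueEntry) ([]string, error) {
	image, err := DecryptBackup(key, sealed)
	if err != nil {
		return nil, err
	}
	var files map[string][]byte
	if err := json.Unmarshal(image, &files); err != nil {
		return nil, err
	}
	var bad []string
	for _, e := range cat {
		data, ok := files[e.Path]
		sum := sha256.Sum256(data)
		if !ok || hex.EncodeToString(sum[:]) != e.SHA256 {
			bad = append(bad, e.Path)
		}
	}
	return bad, nil
}

func main() {
	// Constructed sample data; nothing in it is real.
	files := map[string][]byte{"finance/q2.csv": []byte("region,revenue\nx,1\n"), "hr/staff.txt": []byte("constructed\n")}
	cat, image, _ := PrepareBackup(files)
	key := make([]byte, 32) // from a key manager in practice, never stored on the tape
	rand.Read(key)
	sealed, _ := EncryptBackup(key, image)
	bad, err := VerifyRestore(key, sealed, cat)
	fmt.Println("restore check failures:", bad, "err:", err)
	_, err = DecryptBackup(make([]byte, 32), sealed)
	fmt.Println("restore with the wrong key:", err)
}
```

Run it as `go run backup.go`. The catalogue answers the first question in the post (what was on the tape) without needing the tape; the authenticated encryption answers the second, and the restore check is what you would schedule to catch a backup that silently stopped working.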

LinkedIn Leaks Out

Earlier today it emerged that a large database of 6.5 million passwords belonging to users of the popular professional network, LinkedIn, was leaked onto the Internet.  I was first made aware of the issue early this morning by Per Thorsheim (@thorsheim), a Norwegian security professional who specialises in password security. Once the news broke on Twitter a number of people I know checked the database and confirmed that their passwords were in the file indicating that this indeed was a genuine leak.

For most of the day there was little or no communication from LinkedIn regarding the suspected breach. Many people were left to speculate: was the database real or was it simply a hoax? Another question being asked was how old the database was. Was it leaked recently or a few months ago?

Late this evening LinkedIn issued a statement confirming the breach and that they are still investigating the issue. They also outlined the following steps for those users with compromised accounts:

  1. Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
  2. These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in these emails. For security reasons, you should never change your password on any website by following a link in an email.
  3. These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.

For those of you responsible for the security of your organisation’s systems I would encourage you to communicate the above messages to your users but also to reinforce them with the following:

  • Alert all your users to the breach and tell them to change their passwords if they use LinkedIn. As we have not yet been informed by LinkedIn of the root cause of the breach, it is possible any new passwords could be compromised again; however, it is a good proactive step for users to take. Instructions on how to change your LinkedIn password are available here: http://help.linkedin.com/app/answers/detail/a_id/2873
  • If they use the same password for LinkedIn on other websites, networks or indeed your own corporate systems tell them to change the password on those systems too.
  • Some websites will promise tools to allow people to check if their password is in the compromised database. Tell users not to use these services as they have no way of validating if the authors of such tools are legitimate or are simply using it to gather passwords.
  • Remind them that if they receive emails that look like they come from LinkedIn they should not click on any links within that email. LinkedIn have stated “There will not be any links” in any of their official emails. It is good security practice anyway to remind users not to blindly click on links. Below is an example of such an email sent to me earlier today; note the fake sender email address and also how a lower case “L” is used in the URL to replace the “I” in “LinkedIn”.

As with all security breaches, even when the breach is not in your own organisation, there are lessons that we can learn. Here are some key points I have taken from this breach:

    • Communicate regularly and clearly with the key stakeholders during a breach. Lack of communication means people are left wondering if you are aware of the issue, understand what is going on and are dealing with it.  It also allows those affected to make informed decisions on the impact the breach may have on them.
    • Let people know what actions you have taken and what you plan to do. For example, have you contacted law enforcement? Have you contacted any relevant regulatory bodies? (see my note below regarding the Irish Data Protection Commissioner)
    • What measures are you putting in place to contain the breach? What steps, if any, do users need to take?
    • Make people aware how they can contact you for more information or to alert you of a potential security breach. One of the issues many had today was not knowing who in LinkedIn to contact to make them aware of the issue.
    • Regularly monitor the Internet as an early warning mechanism to alert you to a potential breach. If you see conversations on social media sites about your organisation, or keywords related to your organisation, then this could be an early indication you suffered, or will suffer, a breach.
    • You should also monitor text and file sharing sites for items relating to your organisation, again as possible early indicators of a breach.  Xavier Mertens has a great tool called Pastemon.pl on his blog for monitoring Pastebin for such a purpose.
    • Ensure your developers understand how to securely manage passwords in their applications. Refer them to the OWASP project guides, the SANS Institute’s Top 25 Most Dangerous Software Errors and to the SAFECode initiative.
    • Make sure your developers know how to keep a password database secure, here is a good overview from Javvad Malik on why you need to hash your password database.
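To make the last two points concrete, here is an added example of what “hashing your password database” properly means; it is written for this post and is not LinkedIn’s code nor taken from Javvad Malik’s overview. It assumes PBKDF2 over HMAC-SHA256 as the slow, salted scheme (written out rather than taken from a library so the work-factor loop is visible; a dedicated password hash such as bcrypt or scrypt would be the usual production choice), a record format of the form pbkdf2-sha256$iterations$salt$key that I made up for the example, and a constructed password.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// UnsaltedDigest is the weak scheme: a bare hash of the password. Every user
// who chose the same password gets the same digest, and a leaked table can be
// attacked with a precomputed list of hashes of common passwords.
func UnsaltedDigest(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

// PBKDF2SHA256 derives keyLen bytes with the PBKDF2 construction (RFC 8018)
// over HMAC-SHA256: T_i = U_1 xor U_2 ... xor U_c, U_1 = PRF(salt || INT(i)).
func PBKDF2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// HashPassword stores a per-user random salt and the iteration count beside the
// derived key, so old records stay verifiable when the work factor is raised.
// Record format (made up for this example): pbkdf2-sha256$iter$salt$key.
func HashPassword(password string, iterations int) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	key := PBKDF2SHA256([]byte(password), salt, iterations, 32)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", iterations,
		hex.EncodeToString(salt), hex.EncodeToString(key)), nil
}

// VerifyPassword recomputes the derived key from the stored record and compares
// in constant time, so the comparison itself leaks nothing about the key.
func VerifyPassword(password, record string) (bool, error) {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false, errors.New("unrecognised password record")
	}
	iterations, err := strconv.Atoi(parts[1])
	if err != nil || iterations < 1 {
		return false, errors.New("bad iteration count")
	}
	salt, err := hex.DecodeString(parts[2])
	if err != nil {
		return false, err
	}
	want, err := hex.DecodeString(parts[3])
	if err != nil {
		return false, err
	}
	got := PBKDF2SHA256([]byte(password), salt, iterations, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1, nil
}

func main() {
	// Two users, same constructed password: unsalted digests collide, salted records do not.
	fmt.Println("unsalted digests collide:", UnsaltedDigest("Summer2012") == UnsaltedDigest("Summer2012"))
	r1, _ := HashPassword("Summer2012", 100000)
	r2, _ := HashPassword("Summer2012", 100000)
	fmt.Println("salted records differ:", r1 != r2)
	ok, _ := VerifyPassword("Summer2012", r1)
	fmt.Println("correct password verifies:", ok)
	ok, _ = VerifyPassword("summer2012", r1)
	fmt.Println("wrong password verifies:", ok)
}
```

The two properties a leaked table should have are visible in the output: identical passwords produce different records (the salt), and each guess costs the attacker the full iteration count (the work factor), neither of which a plain hash gives you.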

There will no doubt be further ramifications from this breach over the coming days. The Sophos Naked Security blog says that 60% of the passwords leaked have already been revealed; over the coming hours and days the remaining passwords will no doubt suffer the same fate.

Another issue that LinkedIn will need to consider is what their interaction will be with the Irish Data Protection Commissioner’s office. The Data Protection Commissioner has published its Data Breach Code of Practice and as LinkedIn has its European headquarters based here in Dublin the code can apply to them. However, note that the code is not mandatory for organisations to follow. It will be interesting to see what happens in that regard and whether or not the Data Protection Commissioner will investigate the breach.

Hopefully, LinkedIn will update us soon on this issue (at time of writing there was no further update from them) and answer some key questions:

  • How old is the database that was leaked onto the Internet?
  • Was that the complete list of compromised passwords or were more compromised? If so how big is the compromise?
  • How did the password database get leaked and what has been done to prevent it from happening again?
  • Have only the passwords been compromised or is there a corresponding list of accounts that has also been compromised? If so will those users be alerted?
  • Were the attackers targeting any specific users within LinkedIn and if so what type of users were targeted?

Finally, the old saying it never rains but it pours rings true today for LinkedIn as earlier today news broke of a privacy breach relating to the LinkedIn App for the iPad and iPhone platforms.

More resources

    • For those of you looking for more technical details into the passwords themselves, there is an excellent blog on the issue here
    • BH Consulting’s free whitepaper on developing your incident response capabilities is available here.
    • A white paper “Ten Steps for Early Incident Detection“ I developed in conjunction with Tripwire Inc is available to download here.  There are also links to a webinar I gave on the same topic.
    • Neira Jones, Head of Payment Security at Barclaycard, has an excellent post on “The Social Media Side of Incident Response”.
    • Finally, I talk to Javvad Malik at Infosecurity on how to deal with a security incident.


Security Breach at NUI Galway

While on Twitter last night I was alerted by @_Aella to a breach at NUI Galway. According to the information posted on the college’s website they appear to have recently been advised that a file containing the contact details of students who registered or were pre-registered to the college in September 2008 was accessed. The statement goes on to say that the breach was due to “a security issue with the NUI Galway Clubs and Societies computer system.”

The information accessed, while it may be annoying to those impacted, is of relatively low threat to them. It is their personal details such as their name, student ID, phone number and NUI Galway email address. The college assures people that “no other personally identifiable information that you have supplied to the University was at risk.” and that “we encourage you to be aware of common text/ email scams that ask for personal or sensitive information.”

The issue has been reported to the Data Protection Commissioner under the Data Security Breach Code of Practice. It will be interesting to hear whether any additional details will be released as to how the breach occurred and whether this was due to an external attack or to lax internal security controls.

Speaking at the Third Annual ICS Data Protection Conference

On Thursday I will be speaking at the Third Annual ICS Data Protection Conference which will be held in the Radisson Blu hotel in Dublin’s Golden Lane. This is one of the conferences I enjoy a lot as it brings in people from various different disciplines to discuss the issues of protecting the personal data of customers and employees. There will be people from data protection roles, legal, business, information security, IT and many others. I find it can lead to many an interesting conversation as people get to learn, not only from the excellent speaker line-up, but from networking with others as to how best to address data protection issues in their organisation.

With the introduction of the Data Protection Commissioner’s Data Security Breach Code of Practice, ensuring the appropriate steps are taken to protect personal data entrusted to an organisation is even more important. I will be presenting on “Taking a Practical Approach to Securing Your Organisation”.

There are still places available, so if you have not registered by now then you should go to the ICS website and do so. If you do attend the conference do drop over and say hello.

Today is Privacy and Data Protection Day

Today, the 28th of January 2011, marks the European Privacy and Data Protection Day.  In a time when our online privacy is being eroded by the use of social networks and companies and governments continue to store our personal details in ever increasing databases, today is a day to reflect on how your use of the Internet and social networks impacts on your privacy.

In today’s Irish Times Karlin Lillington has an excellent piece on privacy and the impact various government legislation has on it. Indeed, earlier this week the Data Protection Commissioner’s office also issued a warning to politicians that they must respect people’s privacy when canvassing and not send unsolicited emails or texts unless they have gained the person’s permission.

However, the worrying message from the above is that people seem to have little or no awareness of their right to privacy or the impact infringements of that right can have on their lives. This can be seen by how much personal information people voluntarily give to social media networks such as Twitter and Facebook. It is also exemplified by the acceptance of greater and greater government monitoring of people’s activities all in the name of security.

I accept that governments need to be able to access certain information to investigate or prevent illegal activities, but it must be done in a balanced manner. It is important that the rights of the individual are not impinged upon or trodden on and that appropriate controls and judicial oversight are in place.

Yesterday saw the release of Privacy International’s European Privacy and Human Rights report for 2010 which highlighted a worrying trend in the increase in surveillance in countries within the EU. In particular Ireland came under a lot of criticism.

HelpNet Security magazine has an excellent overview of the report together with some of my thoughts on the matter.

It is also worth noting the below privacy map published by the Forrester Group highlighting how different countries respect the privacy of their citizens.

Facebook announced this week that they will now provide secure web browsing using HTTPS for all activity within their social network, which should protect individuals from having their information compromised by someone monitoring their network traffic.

So on today of all days perhaps you should go and check your privacy settings within your Facebook user profile, and with the upcoming elections you should take the opportunity to quiz your local candidates on their stance regarding our right to privacy.

Lessons Learnt From Fine Gael Website Security Issues

The new Fine Gael website has been generating a lot of press coverage and social media discussion lately. From a Fine Gael point of view though, most of that coverage is not the type of coverage they wished for their shiny new website. Last week Daragh O’Brien blogged about concerns over the hosting of the website in the US and the potential issues surrounding compliance with the Data Protection Act when using providers outside of Ireland and the EU. That issue was then picked up by a number of media outlets such as TheJournal.ie and The Irish Times. The comments on the Journal.ie piece are worth reading as they go into more detail on the actual issue, while the Irish Times piece has a quote from a Fine Gael spokesman saying that the site was “absolutely secure”.

However, it turns out this was not the case and the site is not “absolutely secure”. The security of the site was breached over the weekend by someone, or some people, claiming to represent the Anonymous group. The attack replaced the home page of the Fine Gael website with the following image:

This attack has also gained a lot of coverage, with sites such as Politics.ie and Boards.ie discussing the issue at length, while mainstream media such as The Examiner and SiliconRepublic.com have also covered the attack. Michele Neylon also has an excellent timeline of the events over the past few days on his blog, which is important to note when learning from this incident.

The first lesson to learn from the above issues is that before you go online ensure that your website is compliant with all the legal and industry regulations pertinent to your website.  If you are an Irish, or EU based, business and you are collecting personal information from visitors to your website then you have obligations under the EU Data Protection Directive.  The application of the directive varies from EU state to state, but if you are based in Ireland then the Irish Data Protection Commissioner’s website contains a lot of good information on transferring data abroad.  You also need to ensure that you have a privacy statement on your website.  If your site is processing credit cards then you are also obligated to comply with the PCI SSC Data Security Standard.

The second lesson to learn is that once your website is online then it is a potential target for hackers.  In general, the more high profile your website the more likely you will be subjected to an attack.  So make sure when engaging with people to build your site that they fully understand the security threats and how to counteract them.  Before going live with the site you should ensure that you seek a reputable security expert to test the site for any potential weaknesses and act upon their findings.  You should also ensure that the website is tested at regular intervals over its lifetime to ensure that it remains secure.

The third lesson is to have an incident response plan in place to ensure the most appropriate steps are taken in the event you are subjected to an attack. Last week I provided some insight in a CSO Online article on “Incident Response Plan Badly Lacking, Says Experts”. One of the areas I mentioned in that article is to ensure that you have such a plan in place so that concise, clear and reassuring communication is given to all stakeholders. If you look at Michele Neylon’s blog post mentioned earlier, you will note that at various times during the incident the information coming from Fine Gael is disjointed. In one of the updates Fine Gael state “We would first like to let you know that we have confirmed that the integrity of all the data collected is still intact and was not accessed at any point by this outside entity.” However, it was revealed this morning by the Evening Herald journalist Kevin Doyle that in fact details of over 4,000 people who posted comments to that site were compromised, including their names, email addresses, phone numbers and IP addresses.

As with everything in life, preparation and planning is key to success. So make sure your incident response plan is appropriate for your needs. Should you need any guidance on preparing an incident response plan feel free to download our “Incident Response Best Practise Guide” white paper.

UPDATE 11/01/11

There have been some further developments since I originally posted this blog.

After reviewing the data it now appears that details of 2,000 people who submitted comments to the Fine Gael website had their details compromised and not 4,000 as originally thought. The reduced number is due to multiple postings by the same people.

According to news reports the FBI is now involved in the investigation. This is no surprise as the website is hosted in the United States, so the crime would be investigated by the FBI. The association with the Anonymous group by those who breached the website’s security will no doubt inject a little more interest from the FBI into this investigation.

Apparently in a blog post on Forbes the Anonymous Group disclaims involvement with the attack.  This is also backed up by an interesting thread relating to the attack on the group’s discussion forum.  So this may be the work of an individual, or individuals, who are associating themselves with the Anonymous Group simply to grab headlines.  This should also serve as a lesson to those investigating a breach that until all the evidence is reviewed there should be no speculation regarding the motives or the parties involved in the attack.

One question I have not seen anyone ask nor heard any information on is why was the database containing the personal details not encrypted?  Information relating to a person’s political beliefs is deemed as sensitive data under the Data Protection Act.  Any sensitive data that is accessible from the Internet should have the appropriate security controls to protect it implemented and properly tested to ensure that they are working as designed.

Annual Report from Data Protection Commissioner Released

The 21st annual report from the Data Protection Commissioner’s office has been released.  As usual it makes for some very interesting reading.  The report notes that the number of breaches reported to the office has doubled since the previous year.  Most of these reported breaches are from organisations within the public sector.  While the first reaction may be to say the public sector is not taking due care of the personal data entrusted to it, I would argue that the public sector is no better nor worse than the private sector. 

One of the main reasons for the increased number of reported incidents from the public sector is most likely due to the guidance issued by the Department of Finance in late 2008 “encouraging” government departments to report breaches to the Data Protection Commissioner.  See section 4 on page 23 of the guidance.

In my opinion the Data Protection Commissioner’s report reinforces the argument that Ireland should introduce mandatory data breach disclosure laws. My own thoughts on that particular issue are in this presentation that I gave at the last NITeS seminar:

I strongly urge that you take the time to read the report and to ask yourself the question, “How effective are my security controls in protecting the personal data entrusted to my organisation?”  If you find it hard to determine how to answer the question there is a very good self assessment checklist available on the commissioner’s site.

Speaking at the 2nd Annual Data Protection Conference

The Second Annual Data Protection Conference, which is run by the Irish Computer Society, will be held this year on Thursday the 25th of March in the Radisson Blu Hotel, Golden Lane, Dublin 8. I will be speaking at the conference as will:

  • Billy Hawkes – Data Protection Commissioner
  • Bruce Schneier – BT
  • Linda Ni Chualladh – An Post
  • Las Kelly – Bank of Ireland
  • Murieann O’Dea – BearingPoint

Registration for the event is now open and those who register before February 25th can avail of the early bird pricing which is €170 for members of the Irish Computer Society and €295 for non-members.  After February 25th the registration fee increases to the standard fee of €200 for members of the Irish Computer Society and €350 for non-members. 

For more information and to register please visit the ICS website.

Germany Introduces Mandatory Disclosure Laws

Thanks to the Privacy and Information Security Blog I became aware of a very interesting development in Germany with regards to amendments to German data protection legislation. On July 3rd the German Federal Parliament passed a number of changes to the German Federal Data Protection Act, which will come into force on the 1st of September 2009.

Some of the key items concern data breaches and the requirements now facing German companies. Any such company suffering a security breach relating to the following:

  • Sensitive data as defined in the German Federal Data Protection Act
  • Personal data that is subject to professional or official confidentiality requirements
  • Financial information such as credit card or bank details
  • Information relating to criminal offences
  • Data held on customers by telecommunications companies

Should a breach on any of the above be deemed to “likely to have a serious impact” on the affected individuals and notification of the breach will not affect any criminal proceedings and the appropriate measures have been taken to secure the data then the affected organisation will be obliged to notify the affected people.  This notification should be made to both the Data Protection Authority and to the affected individuals.  Should the breach affect a large number of people then the notification should be made by placing a half page advertisement in daily national newspapers or other media that would provide similar coverage.

More information on the changes can be found here (PDF file).  Hopefully Ireland will soon follow suit.