First Impressions

There is an old saying that goes “first impressions last”.  This means that very often, when we meet someone or visit somewhere for the first time, we subconsciously assess and judge that person or place within the first few seconds.  Each relationship is then built upon that initial assessment, so if the assessment is a negative one the relationship will have a difficult time in growing.

Last night I was working late and happened to have the TV on at the same time.  During one of the advert breaks I noticed an advertisement for a new cloud-based service run by an Irish company.  As someone with a keen interest in cloud services I decided to visit their website.  However, when I arrived at the site I was disappointed to see that, while the site looked slick and promoted the company well, it also had a number of issues that raised concerns about its security.

The first issue was that the webpage to register for their service was served over plain HTTP, in other words not secure.  Even though the page asked you to input a lot of personal details, including your password, the connection between the server and the client workstation was not encrypted using the SSL protocol.  This means that anyone with access to the traffic between the server and the client workstation could eavesdrop on that traffic and find out what those personal details are.

Another issue that was evident was the lack of a privacy statement on their website.  While the lack of a privacy statement will not lead to the site being compromised, it is a requirement under the Irish Data Protection Act.  Therefore the absence of such a statement, coupled with the lack of SSL protection on certain web pages, would indicate that those running the site may not fully understand their obligations under the Data Protection Act.  This in turn, rightly or wrongly, may make the visitor wonder if there are other Data Protection issues not being fully addressed.

The website was hosted in the United States.  Under the Irish Data Protection Act it is illegal to export the personal details of Irish and European citizens outside of the EU unless under specific conditions.  One of those conditions is that if using a provider in the United States then that provider should be part of the US Safe Harbor Agreement.  Having checked which companies are registered under that agreement I discovered that the hosting company in question was not listed and therefore not part of that program. Of course the Irish company could have built their data privacy and security requirements into their contract with the supplier, but given the other issues I somehow doubt that is the case.

The website did not have its company particulars prominently displayed as is required by the European Communities (Companies) (Amendment) Regulations 2007, which exposes the company to fines under these regulations.  This again leads a visitor to the website to wonder if those managing their data fully understand their responsibilities when conducting business online.

After looking at this site I randomly visited a number of other Irish websites to see if the above website was unique. Unfortunately this was not the case.  Many of the other Irish websites I looked at had many of the same issues.  Some of them raised more concerns about their security, such as:

  • Collecting credit card data from insecure webpages similar to that described above. One website did not have an online payment solution but asked those wishing to purchase from the site to send an email with their credit card information enclosed. This flies in the face of the PCI Data Security Standard (DSS) which requires that credit card information is collected, transmitted and stored securely.
  • Two sites were hosting phishing pages aimed at clients of financial institutions in other countries.  It appears criminals hacked into these sites and used them to host their phishing pages.
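Both the registration page described earlier and the credit card pages in the first bullet share the same defect: a form that carries sensitive fields but submits over plain HTTP. A defender can check for this without any intrusive testing by parsing the page's own HTML. The script below is an added example, not code from the original post or from any of the sites it describes; the page URLs and HTML snippets are constructed for the demonstration, and the list of input names treated as payment-card fields is a heuristic assumption.

```python
"""Audit HTML forms for sensitive fields that would be submitted over plain HTTP.

Added example (not from the original post). Given a page URL and its HTML
source, it resolves each <form>'s action against the page URL and flags
forms that contain a password or payment-card field but would submit to an
http:// address. The sample pages below are constructed, not a real site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Input names that commonly carry payment-card data (heuristic assumption).
CARD_HINTS = ("card", "ccnum", "cvv", "cvc", "expiry")


class FormScanner(HTMLParser):
    """Collect every form on the page and the sensitive inputs inside it."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # list of dicts: {"action": str, "sensitive": [names]}
        self._current = None   # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or relative action is resolved against the page URL,
            # which is where the browser would actually send the data.
            self._current = {
                "action": urljoin(self.page_url, a.get("action") or ""),
                "sensitive": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or "").lower()
            itype = (a.get("type") or "text").lower()
            if itype == "password" or any(h in name for h in CARD_HINTS):
                self._current["sensitive"].append(name or itype)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_forms(page_url, html):
    """Return a list of (resolved_action_url, sensitive_field_names) for each
    form that would send password or card data over a non-HTTPS URL."""
    scanner = FormScanner(page_url)
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        scheme = urlsplit(form["action"]).scheme.lower()
        if form["sensitive"] and scheme != "https":
            findings.append((form["action"], form["sensitive"]))
    return findings


# Constructed sample pages for the demonstration.
SIGNUP_HTTP = """
<form action="/register" method="post">
  <input name="email" type="text">
  <input name="password" type="password">
</form>"""

CHECKOUT_MIXED = """
<form action="http://pay.example.test/charge" method="post">
  <input name="ccnum" type="text">
  <input name="cvv" type="text">
</form>
<form action="/search"><input name="q" type="text"></form>"""

if __name__ == "__main__":
    samples = [
        ("http://www.example.test/signup", SIGNUP_HTTP),      # page itself is HTTP
        ("https://www.example.test/checkout", CHECKOUT_MIXED),  # HTTPS page, HTTP action
        ("https://www.example.test/signup", SIGNUP_HTTP),     # fully HTTPS, clean
    ]
    for url, html in samples:
        for action, fields in insecure_forms(url, html):
            print(f"{url}: fields {fields} would be submitted insecurely to {action}")
```

Note that the second sample is the subtler case: the checkout page itself is served over HTTPS, but the form's action points at a plain HTTP host, so the card number still leaves the browser unencrypted. Checking the address bar alone would miss it; resolving the form action is what catches it.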

The Internet provides businesses with opportunities to increase their market reach and customer base in a very cost-effective manner.  A well-built website that looks good can attract many new customers, but that is only half the battle. The other half is getting them to do business with you. One of the main concerns people have with buying goods and services online is security and the protection of their personal data. So while your site may look good, you need to ensure you can alleviate those security concerns. Remember, all the above issues were identified simply by looking at the website. I did not do any security testing of the websites to see whether there were any technical or application security issues.  If a simple browse of your website can expose a number of problems like those outlined, then you may find many customers will not have the confidence to deal with you.

Good security is a cornerstone in building trust and confidence in your business, and making sure simple issues have been addressed goes a long way in building that trust. In 2010 I worked with ENISA on developing the “How to Shop Safely Online” whitepaper which, while aimed at showing the consumer how to shop safely online, also has some good recommendations for companies to ensure they take the proper security measures.

Remember in business, whether it is in the physical world or the virtual world, first impressions last!

Security Breach at MyJob.ie

Tonight I got an email from the online recruitment arm of Bond Personnel, MyJob.ie, to inform me they recently suffered a security breach and were sending me a precautionary email to change my password. While there are no details as to what information the attackers accessed or how they managed to breach MyJob.ie’s security, there are two interesting points to note:

  • MyJob.ie say they were not the primary source of the breach. This leads to the question of which of their providers was breached.
  • The attackers have already been arrested and a file sent to the DPP.  If this is the case, when did the breach originally occur and why did it take so long to notify those impacted?

The other question that is of interest is what MyJob.ie’s data retention policy for holding client data is. I have not used that website for well over 10 years, so my data would be well out of date and no longer useful.  Indeed, in the Data Protection Commissioner’s report for 2008 he mentions a security breach at jobs.ie and highlights that they had retained personal data of clients for “an unnecessarily long period of time”.

If you have been impacted by this breach I recommend that you:

  • Change your password for MyJob.ie.
  • Do not use the same password across different systems.  If you have used the same password on different systems then change them to an individual password on each system.
  • Do not respond to any emails that may be phishing emails looking for your personal details.

The text of the email is below:

Dear Honan,

I am writing to bring your attention to a recent security breach on the server hosting Myjob.ie. The breach was quickly identified, and the Gardai have apprehended two individuals who are now the subject of a file being compiled for the Director of Public Prosecutions. Although Myjob.ie was not the primary source of the breach, as a precautionary measure we would ask all users to immediately change their password. Furthermore, we would ask you to observe best practice in choosing all internet passwords and not to use the same password for more than one internet service. If you do use the same password for multiple services, we would strongly urge you to rectify this immediately by logging into those systems and choosing a new password. Also, please note that reputable companies do not request personal details by email; if a company contacts you, do not give any personal information until you have established they are legitimate.

  • Never give out personal banking information
  • Do not share your passwords with anyone
  • Do not open email attachments if you are suspicious, especially .exe files.

Please accept our apologies for any inconvenience or distress caused by this precautionary email. Should you wish to contact us, please send an email to security@myjob.ie.

Yours sincerely,

John Doupe

Today is Privacy and Data Protection Day

Today, the 28th of January 2011, marks the European Privacy and Data Protection Day.  In a time when our online privacy is being eroded by the use of social networks, and companies and governments continue to store our personal details in ever-increasing databases, today is a day to reflect on how your use of the Internet and social networks impacts on your privacy.

In today’s Irish Times Karlin Lillington has an excellent piece on privacy and the impact various government legislation has on it.  Indeed, earlier this week the Data Protection Commissioner’s office also issued a warning to politicians that they must respect people’s privacy when canvassing and not send unsolicited emails or texts unless they have gained the person’s permission.

However, the worrying message from the above is that people seem to have little or no awareness of their right to privacy or of the impact infringements of that right can have on their lives.  This can be seen in how much personal information people voluntarily give to social media networks such as Twitter and Facebook.  It is also exemplified by the acceptance of greater and greater government monitoring of people’s activities, all in the name of security.

While I accept that governments need to be able to access certain information to investigate or prevent illegal activities, it must be done in a balanced manner.  It is important that the rights of the individual are not impinged upon or trodden on, and that appropriate controls and judicial oversight are in place.

Yesterday saw the release of Privacy International’s European Privacy and Human Rights report for 2010, which highlighted a worrying trend of increasing surveillance within EU countries.  In particular, Ireland came under a lot of criticism.

HelpNet Security magazine has an excellent overview of the report together with some of my thoughts on the matter.

It is also worth noting the below privacy map published by the Forrester Group highlighting how different countries respect the privacy of their citizens.

Facebook announced this week that they will now provide secure web browsing using HTTPS for all activity within their social network, which should protect individuals from having their information compromised by someone monitoring their network traffic.

So on today of all days perhaps you should go and check your privacy settings within your Facebook user profile, and with the upcoming elections you should take the opportunity to quiz your local candidates on their stance regarding our right to privacy.

Speaking at the 5th Annual Privacy & Data Protection Conference

I will be speaking at the 5th Annual Privacy & Data Protection Conference this year on the 27th of October.  The theme for the event is “Data Protection: Global Compliance Management” and I will be speaking on “Building an Information Security Culture and Policy”.  I will also be taking part in a panel discussion on information security.

The conference promises to be very informative and the organisers, Transatlantic Events, have brought together experts from the regulators, the lawmakers and the legal community from Ireland, the US, the EU, and the UK in order to debate the full range of issues that make up data protection compliance.  The conference will enable you to hear from experts as well as debate in open forum a range of issues from multi-jurisdictional compliance to niche areas such as outsourcing, monitoring, cloud computing, children’s privacy and data security breach management.

I am looking forward to hearing many of the other speakers at the event and hopefully meeting with some of you as well. 

You can register for the conference here.

Proposed Data Security Breach Code of Practice

As someone who has been campaigning for mandatory data breach disclosure laws in Ireland for a number of years, I am pleased to see the proposed Data Security Breach Code of Practice from the office of the Data Protection Commissioner.  I have long argued that organisations need to realise that the data they hold on staff and customers is not theirs but rather has been entrusted to them by those individuals.  The purpose of breach notification should not be to punish the organisation that suffered a breach but rather to help the affected individuals take appropriate steps to protect themselves, especially nowadays with identity theft and financial fraud being so rife.

The proposed code strives to reach a balance whereby organisations that have taken appropriate measures to protect sensitive data, e.g. encryption, need not notify anybody about the breach, nor need they if the breach affects non-sensitive personal data or small amounts of sensitive personal data.  Yet companies who have not taken the appropriate measures will indeed be obliged to admit to their shortcomings and shoulder the responsibility for same.

The other benefit I see from this proposed code is how, as an industry, we all can learn from the mistakes or misfortunes of those who suffer a breach.  I believe we would not have as many encrypted laptops and other mobile devices as we do today were it not for the widespread publicity of lost unencrypted devices in the past.  While you can argue that encryption alone is not the answer and may simply be a knee-jerk reaction, it is at least a step in the right direction.  Those attacking our systems are sharing the potential exploits and weaknesses amongst each other; having breach disclosure laws in place helps those of us tasked with defending those systems to better shore up those defences and potential weaknesses.

Ireland has shown itself to be a leader in introducing legislation to benefit its citizens, the smoking ban and plastic bag tax being two that come to mind.  The introduction of the Breach Code of Practice is another example of how Ireland can better protect her citizens and provide an effective information security governance framework for businesses to follow.

I would be interested in your thoughts on the matter.  Why not share them below in the comments or indeed submit your feedback to the Data Protection Commissioner.

The Cost of Privacy

I got an email today pointing me to this story in Time magazine, Trying to Escape the Surveillance State, where a journalist tries to live for a month without his privacy being impinged upon.  It led to a conversation about privacy and whether or not there is privacy on the Internet, or whether people will pay the cost for the amount of personal information that they freely give to various sites such as Facebook, Twitter, LinkedIn etc.

I argue that there is privacy on the Internet, depending on the choices you make.  In most cases an online transaction, be that purchasing something online, joining a social network or sending emails, has privacy as an element built into the cost of that transaction.  In order to buy those goods you surrender your privacy surrounding your personal details to receive those goods; you also probably use a credit card, which means that your transactions are noted by your credit card issuer; and finally sites may keep track of your activity to suggest recommended goods on your next visit.  This is no different from the physical world, where you purchase items by credit card and perhaps use a loyalty card in the store.

Joining a social network, e.g. LinkedIn, also has its privacy transaction costs. If you want the benefits of a social network then you need to surrender your personal details to become part of that network. In real life you join social clubs and meet friends in public places, where you also trade part of your privacy to take part in the group.

Some will argue that government monitoring of Internet usage is a breach of privacy; for example, your Internet browsing and email history is retained under the EU Data Retention Directive, and your ISP knows all your activity from their system logs, as recently highlighted by the Phorm controversy in the UK.

This is true but you can still take measures to protect your privacy online using various techniques such as anonymous proxies, never using your real name online, never purchasing items online and not joining any social networks or forums.

You can control your privacy on the web, but the question needs to be asked: at what cost?

Annual Report from Data Protection Commissioner Released

The 21st annual report from the Data Protection Commissioner’s office has been released.  As usual it makes for some very interesting reading.  The report notes that the number of breaches reported to the office has doubled since the previous year.  Most of these reported breaches are from organisations within the public sector.  While the first reaction may be to say the public sector is not taking due care of the personal data entrusted to it, I would argue that the public sector is no better nor worse than the private sector.

One of the main reasons for the increased number of reported incidents from the public sector is most likely the guidance issued by the Department of Finance in late 2008 “encouraging” government departments to report breaches to the Data Protection Commissioner.  See section 4 on page 23 of the guidance.

In my opinion the Data Protection Commissioner’s report reinforces the argument that Ireland should introduce mandatory data breach disclosure laws.  My own thoughts on that particular issue are in this presentation that I gave at the last NITeS seminar.

I strongly urge you to take the time to read the report and to ask yourself the question, “How effective are my security controls in protecting the personal data entrusted to my organisation?”  If you find it hard to determine how to answer the question, there is a very good self-assessment checklist available on the Commissioner’s site.

Germany Introduces Mandatory Disclosure Laws

Thanks to the Privacy and Information Security Blog I became aware of a very interesting development within Germany with regards to amendments to German Data Protection legislation.  On July 3rd the German Federal Parliament passed a number of changes to the German Federal Data Protection Act, which will come into force on the 1st of September 2009.

Some of the key items concern data breaches and the requirements now facing German companies.  The requirements apply to any such company suffering a security breach relating to the following:

  • Sensitive data as defined in the German Federal Data Protection Act
  • Personal data that is subjected to professional or official confidentiality requirements
  • Financial information such as credit card or bank details
  • Information relating to criminal offenses
  • Data held on customers by telecommunications companies

Should a breach of any of the above be deemed “likely to have a serious impact” on the affected individuals, and provided that notification of the breach will not affect any criminal proceedings and that the appropriate measures have been taken to secure the data, then the affected organisation will be obliged to notify the affected people.  This notification should be made both to the Data Protection Authority and to the affected individuals.  Should the breach affect a large number of people, then the notification should be made by placing a half-page advertisement in daily national newspapers or other media that would provide similar coverage.

More information on the changes can be found here (PDF file).  Hopefully Ireland will soon follow suit.

Prime Time Investigates – Computer Crime

RTE’s Prime Time Investigates program ran a piece on the 2nd of July on the extent of Cyber Crime in Ireland.  The program is now available online and it has me contributing to it.  The segment starts about 18 minutes into the program.

Interesting takeaways from the program for business owners:

  • You have legal obligations under the Data Protection Act to protect your staff and clients’ personal information.
  • Good security is not difficult to implement.

Other areas discussed in the program, and in particular during the panel discussion, relate to the effectiveness of the current Data Protection laws, whether or not we should have mandatory breach disclosure laws (something which I have spoken about before) and how Ireland as a nation is dealing with cybercrime.  These are items which I shall blog about soon.

The "Beta Culture" and Security

Today’s Irish Independent has an article on “Are buggy smart phones now the reality in our new ‘beta culture’?”  Marie Boran interviewed me for the piece, asking for my thoughts on the security implications resulting from our acceptance of using Beta products.

From a security point of view I have to admit that I do have concerns over the growing “beta culture”.  The problem is compounded by what is now acceptable to release to consumers.  In many cases tagging the phrase “beta” onto your product seems to be like a get-out-of-jail-free card.  But in spite of that tag a lot of these products are snapped up by the public without any consideration as to the potential risks.  Would you buy a microwave, car or gas boiler if you were told it is not fully tested?  Yet for electronic gadgets, computer systems and application software the general public seems to be comfortable entrusting their “digital life” to untried and untested solutions.

Look at Google’s range of applications: Gmail is still beta, as is Google Docs.  Yet millions of people and businesses are entrusting sensitive and personal data to these applications.  Another good example is the Google Chrome browser.  This is still a beta product, yet when released it created a buzz and many people downloaded it onto their systems.  Within days a number of security bugs were found within Chrome and Google had to rush out patches.

The challenge many of the vendor companies face is that they have commercial deadlines to meet in order to satisfy shareholders and customers.  To compete, products are becoming more and more sophisticated and complex.  It used to be that all you used your mobile phone for was making and receiving phone calls.  Now your phone is a mini-computer that can take pictures and videos, record and play music, and browse the Internet.  But complex systems are very difficult to secure properly.  The problem is that criminals and hackers actively look to exploit bugs in these systems.  Badly designed and/or complex systems that are not properly tested will result in those criminals being successful.

Consumers also seem not to be aware of the risks.  They want the latest and greatest gadgets or applications to show off to their friends or workmates, yet do not worry whether the products they are using could result in their data being lost, corrupted or accessed by others.

The above is compounded by the fact that companies often have clauses in their licence agreements that protect them from legal action from the customer should their device or application fail in such a way as to cause them damages.  So if your sensitive financial details are stolen from your shiny new phone by criminals due to a bug in the phone’s software, then you have little or no recourse with the manufacturer.

Consumers need to be more cognisant of the risks they take with new systems and not rush out to buy the latest gadgets until they have been properly proven.  But with the appetite for newer and shinier toys ever increasing this may not happen.

Me, I still stick by my trusty Nokia 6310i mobile phone.