House of cards collapses from privacy overreach

One of the summer’s big data privacy stories saw Ireland’s data protection watchdog criticise the Government’s Public Services Card scheme. Originally just for accessing social welfare payments, the PSC scheme expanded over time. The DPC’s investigation found the Government had no legal basis to tell citizens they needed the card to access public services like a passport or a driving licence. The Commission also ordered the Department to destroy supporting information that people had provided during the application process for the card. 

Privacy experts and civil liberties campaigners had criticised the project’s scope creep. Evidently the DPC reached a similar conclusion. The card (and the SAFE 2 registration system behind it) involved “the collection, storing and processing of large amounts of personal information about nearly every person in the State”. In 2011, 4,000 people applied for a Public Services Card. By 2018, more than 3.2 million cards had been issued because many people believed they needed one. 

Beyond the question of national interest, there are lessons for organisations about GDPR and good data protection practice. On LinkedIn, Brian Honan wrote that the lessons include ensuring they gather people’s personal data under the right lawful basis, as well as having a data retention policy. He said the case is “a strong reminder that the penalties under GDPR are not just monetary (the infamous €20m fine) but the supervisory authorities can force you to stop processing or deleting the personal data”. Our data protection consultant Tracy Elliott also blogged about the case, noting the lessons for transparency, legality and data retention. 

Cyber insurance claims rise… but is there a controversial reason why?

Business email compromise overtook ransomware to become the biggest source of claims against cyber insurance policies in EMEA last year. Data from AIG shows that email fraud accounted for 23 per cent of all claims. This was a huge jump from 11 per cent in 2017. 

Ransomware remained prominent, though. Almost one in five claims (18 per cent) were to mitigate costs related to infections. BitDefender noted AIG’s comments that ransomware became “increasingly targeted and disruptive” in 2018. ZDNet reported that claims are growing in frequency. Last year saw almost as many claims as in the previous two years put together. Professional services companies like legal and accounting firms were the hardest hit by cyber claims. Next came financial services. The full report is full of detail and is available to download here. 

But could there be a darker side to cyber insurance? An investigation by ProPublica alleges that insurers in the US are paying ransoms because it’s cheaper for them than covering the financial losses that a customer would incur by not paying. ProPublica is a nonprofit journalism group that aims to uncover abuses of power. Its report reached a controversial conclusion that insurers are, in effect, fuelling the ongoing growth of ransomware attacks. Thought-provoking stuff…

The Internet of insecure Things is getting worse

The Internet of Things is one of technology’s hottest trends but its rapid rise has often come at security’s expense. The Cyber Independent Testing Lab examined binary hardening features in IoT firmware. It analysed 1,294 products (4,956 versions and 3,333,411 binaries) from 22 vendors between 2003 and 2019. The five-person team concluded security hygiene often worsened over time and found that there were “no positive trends”.

The group wrote up their analysis here, complete with a deep analysis of the findings. The contents also formed the basis of presentations at HushCon and ShmooCon. As the Parallax reported from the latter conference, this means the average home Wi-Fi router’s security has deteriorated since 2003. 

Earlier this year, a security company found that security cameras are the most likely IoT devices for hackers to target. Research from SAM Seamless Network said that 47 per cent of vulnerable devices found on home networks were connected cameras. Findings like these are worth keeping in mind for any business implementing an IoT project over the coming months. We blogged about this issue almost two years ago. It doesn’t give us any pleasure to say little has changed in the meantime. 

Links we liked

New guides help forensic investigators to triage potentially compromised Cisco devices. MORE

Challenges in bringing on-premise forensics techniques to the cloud. MORE 

A comprehensive long-read post on security monitoring, logging and alerting in AWS. MORE

The Cloud Security Alliance has a new blog series on cloud computing threats. MORE

The CSA has made its self paced Cloud Security Knowledge training free online. MORE

Controversial: much championed by security pros, DMARC may not actually fix phishing. MORE

French cops bid ‘adieu’ to cryptomining botnet, and remove malware from victims. MORE

Excellent post on the confusion around malware naming conventions. MORE

In search of fresh security data points? Symantec’s latest threat report has your back. MORE 

Palo Alto’s Greg Day looks at the Irish Government’s commitment to cybersecurity. MORE

Adding game mechanics and competition can help to improve security culture. MORE

Getting into a cybersecurity career through non-traditional routes. MORE