Category Archives: data breach

Morrisons staff suing over data breach. Del Brazil takes a look at what we know and what it might mean.

Advent IM Security Consultant, Del Brazil discusses some of the questions raised by the legal action from Morrisons employees over a data breach that led to their private information being leaked…

It has been reported in Computer Weekly that thousands of Morrisons staff are planning to sue the retailer over a data breach in which a disgruntled former employee published the bank, salary and National Insurance details of almost 100,000 employees, online.

Did Morrisons fail to prevent the data leak that exposed tens of thousands of its employees to the very real risk of identity theft and potential loss?  Only a fully and thorough investigation will reveal the answer along with exactly how the breach was committed and over what period of time the breach occurred.

Any investigation will highlight the security measures deployed at the time of the incident.  A decision will then be made by the Information Commissioners Office (ICO) or other investigative body, as to whether the measures implemented were in line with the Data Protection Act and that any measure was correctly configured, managed and/or monitored.

Advent IM Data Protection ConsultantsThe Data Protection Act 7th Principle says that: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

So in simple terms each and every organisation that stores, processes or handles personal data should be able to establish whether they can reasonably do more to protect the personal data they hold.  If the answer raises eyebrows or poses further questions then the simple answer should be yes; however all organisations should be consistently and regularly reviewing their security measures in order to highlight potential weaknesses or areas for improvement. What may be appropriate and adequate at one time, may not always remain the same, so the need for review and testing is key.

iStock_000018385055SmallIn the event that personal data is stolen, changed or misappropriated, then the repercussions to the individual could be devastating.  There is a possibility that their information may be sold on to a third party for spamming purposes or sold on to a criminal organisation with the intent of identity theft. The resulting financial losses to individuals are not only unfair and criminal, on a wholesale basis, but frequently go to fund other criminal and terrorist activities.  Sadly, there is a frequently a somewhat relaxed attitude towards the loss of personal data from an individual’s perspective as they believe that it won’t happen to them. However there is always a risk to your personal information being used for purposes that you are not aware of.  No one should ever be afraid to question an organisation or employer how they protect their information and what measures they are taking to ensure its security.  If there are resulting concerns about levels of protection or safeguards, then the Information Commissioner’s Office (ICO) may be contacted as they may investigate these concerns further.

Individuals can be quick to pass on their details to organisations/companies for genuine reasons; we all live a digital and data-driven life, in the belief that this information will be adequately protected.  Arguably, in some cases you have no choice than to share personal information especially from an employment perspective and it would reasonable to expect your employer to take sufficient care of your information to prevent it being accessed or passed to individuals/organisations intent on committing some form of illegal activity. Being aware of how our information is protected is not unreasonable and employees have a perfectly reasonable expectation that their employers will consider this part of their duty of care.

stick_figure_pointing_north_america_image_500_clrThe UK can sometimes follow the US culturally and the question has been raised as to whether the culture of litigation is one we can expect to see expand in the UK, particularly with this kind of high profile legal action. There are numerous incidents in the US where companies/organisations have been sued for failing to protect personal information, but can we expect this to become part of our corporate life? This is a very tricky question to answer, as the laws governing the protection of data in the US differ from those in the UK; although they do deliver the same message.  Each and every personal data breach is unique but the re-occurring question in any investigation will always be whether the individual, company and/or organisation took sufficient care to protect personal information by the deployment of appropriate technical, physical and procedural measures and what was the impact to individual concerned?  So whilst the regulation may differ, the spirit of the regulation is consistent and whether this is the future for the UK too will remain to be seen. Certainly we are seeing growing numbers of breaches and it is unlikely that this growth will continue without some kind reaction from the victims.

Advent IM Information Security AuditWhat is the likelihood that the Morrisons legal action is successful?  This would depend on the outcome of the ongoing investigation and as to whether Morrisons was deemed to have adequately protected their employee’s data.  Should the legal bid be upheld then the repercussions may potentially have a massive impact on all organisations storing and/or processing personal information.  There is a likelihood that organisations may go massively overboard with extra or increased measures in an attempt to defeat any possible threat of an insider attack without first reviewing and/or assessing the result of the findings of the ongoing Morrisons case.

The Morrisons data breach does raise a few questions though; what measures are deemed to be appropriate and sufficient to detect and/or deter an insider attack?  There is a fine balance between organisations having a high level of protective monitoring that gives employees the ‘Big Brother’ impression or such a low level that pretty much no monitoring takes place.  A very similar tone could be taken to staff vetting as at what point does vetting no longer be seen as an assurance practice but more of an intrusion into personal life?  These are questions that will continuously trouble both employers and employees.

Organisations are generally over reliant on technical solutions for protective monitoring to provide a quick fix rather than looking at the problem and identifying an appropriate solution.  There are a whole raft of technical solutions available, all of which require an element of physical monitoring and response.  It is an organisational decision as to whether to use a more technical solution with little staff interaction to maintain the system, as opposed to relying more heavily on human inspection of various logs; however consideration should also be given to allowing/ensuring that there are sufficient staff available to respond to alerts or discrepancies that may be detected in whichever solution is deployed.  Organisations should also ensure that they have a tried and tested plan in place to maximise their ability to understand, contain and respond to the ever increasing threat to personal information.

It is the opinion of the author that organisations should employ comprehensive protective monitoring procedures, which when coupled with a degree of staff vetting and a good security awareness programme should demonstrate to any governing body an organisation’s commitment to deterring or detecting insider threats.

Unfortunately the insider threat will never go away and with the value and importance of information increasing rapidly so the temptation for employees to sell personal information also increases.  Every level and type of industry relies upon information, no matter what form it takes and as such, every industry should keep an eye on this case as it develops.

Although organisations should pay close attention to this ongoing legal case raised by Morrisons employees and/or organisations shouldn’t be overly concerned until the full details of the investigation and the outcome of the legal case are made public.

Every organisation should ensure appropriate measures are in place (technical and non-technical) to secure and protect personal information to the best of their ability, including continually educating, training and making their staff aware of the insider threats.

Advertisements

“Five Eyes” intelligence document leak – Australian Defence bureaucrat off to jail

This week saw the news that the junior bureaucrat from the Australian Department of Defence, has been jailed for one year, following his guilty plea in the ACT Supreme Court to posting a secret Defence Intelligence Organisation, to an online forum. Julia McCarron gives her take on this quite staggering series of events.

Not a ‘Gooday’ for the Canberra APS

Surprise!

Well this a strange one for sure. So, Michael Scerba, a former junior Defence bureaucrat has been jailed in Australia for uploading secret information online. He downloaded a 15 page document from a secret Defence Intelligence report, burnt it to disk, took it home and posted the first two pages on an on-line forum. The post was viewed and commented on by a dozen people and re-posted but disappeared an hour after its original post.

This is bad on so many levels …

When they say he was a junior bureaucrat, he was actually a 21 year old Department of Defence (DoD) graduate … with only 8 months on the job behind him and a secret (negative vetting level one) clearance … and apparently “his mental health had impaired his judgement”. I accept that the article does not expand on these mental health issues or when these issues occurred, and I am in no way implying that mental health of any kind should be a barrier to employment as I do not believe it should in general. However, we are talking about a position in National security here with access to secret information, so assuming his issues occurred pre-employment. So first question: Why was a 21 year old graduate with mental health issues given a level of clearance high enough to enable access to, and the capability to download, information relating to National security?

You've got to have a system.

Something has to have gone wrong with the vetting process and/or the employment process where access rights and privileges are determined and applied. If he had underlying mental health issues surely these should have been detected prior to his employment or during the induction process. I would presume DoD staff have to go through stringent mental stability checks checks for security clearance purposes to minimise the risk of coercion or subversion? This seeming lack of procedure demonstrates the importance of a robust vetting process, particularly in a role so critical to the security of the nation. It also demonstrates the need to ensure privileges are granted relevant to the job role and on a ‘need to know’ basis. Did he really need to access to information that revealed the identity of intelligence sources, gathering methods and classified aspects of strategic partnerships between Australia and other countries?

Advent IM Cyber SecurityIt also opens up the question of removable media access and control in sensitive areas. Second question: Did he really need to be granted the ability to burn information to disk or USB at the level he was working at? Are there not search facilities at access points a la ‘Spooks’ that detect unauthorised media? I would have thought again that some sort of policy would have existed that meant staff were only allowed use of authorised removable media and that no media was allowed to be removed from the premises?

And finally, the claim by the Judge that, “Scerba had not intended to compromise national security, although he knew the disclosure could cause harm”. I find this claim quite astonishing. So he’s employed in a DoD job, with access to information pertinent to National security and he didn’t know the disclosure could cause harm or compromise National security? Really? Question 3: What kind of induction training was the DoD providing? I can’t believe they do not put employees through extensive security training highlighting how to handle data at various classification levels, the importance of data classification and handling and the consequences of failing to comply with policy. If they don’t then some serious questions need to be asked!

I think I’m with retired Lieutenant General Peter Leahy on this one though; jail time was definitely required for this serious National security data breach. But 12 months with only 3 served does not send out a good message to others employed by the DoD who, like Scerba, believe Julian Assange is their hero. This could just be the beginning unless changes to process are tightened up.

Post comment based on an online article in the Canberra Times dated 5th November 2015.

This isn’t just poor security….a post on the M&S security incident from Julia McCarron


Advent IM Director, Julia McCarron has turned her eye to the M&S security breach…

Well as our Marcomms Manager, Ellie superbly put it, “This isn’t just poor security, this is M&S poor security”.

Image result for M and s logoThe brand synonymous with quality has let the side down following what it claims was an internal system glitch that caused M&S online account users a bit of a surprise. They logged on only to find their account wasn’t theirs.

Following a number of complaints, M&S were quick to take the site off-line and the problem was resolved in 2 ½ hours, but not before 800 people’s personal details including names, dates of birth, contact details and previous order histories were exposed. Thankfully, financial details do not seem to have been breached.

So M&S can expect a knock on the door from the ICO. Commenting on the incident, Phil Barnett, VP Global at Good Technology of M&S, said that many companies are flying blind when it comes to security, because they don’t think it affects them. In this day and age, when cyber security incidents seem to happen every 5 minutes, companies are becoming more aware of the risks and need for good, security controls and practices. I would sincerely hope that companies such as M&S would be acutely aware of the perils. As Mr Barnett points out, “Data is a company’s biggest asset, and as mobility becomes more ingrained across every enterprise, security must become a higher priority”.

risk balance

So I guess M&S need to ask themselves why this happened? I cannot comment specifically as to the root cause of this particular incident, but often what can be the reason is that ICT systems change management process are either not in existence, not robust enough and/or do not consider the ramifications to security when updates, upgrades, code changes etc… are made. Security must be a key consideration and testing should be carried out before the change is made live, especially on personal data critical systems such as these. In addition, regular penetration testing both external and internal to the system is a must, especially when a major system change is made. Today’s technical vulnerabilities are evolving hourly but these simple actions can be the difference between being a successful big brand today and share prices falling through the floor tomorrow #talktalk #justsaying.

Advent IM HMG accreditation concepts training

However, I will concede that smaller businesses often don’t see security as a priority. They see it as a business disabler and costly. If there has been no incident to date why worry about? These companies are doing business on luck. The luck of the draw. But luck runs out for us all at some point. Good security is a must for each and every company, be it a self-employed nanny or a multi-national conglomerate. It doesn’t have to be expensive and can in fact give you the edge when dealing with clients or bidding for projects. Who wouldn’t choose the company they know will handle their data securely over the company that does nothing? Often no-cost processes and procedures can mitigate risk simply and quickly, particularly with data handling. We also have the Cyber Essentials certification, which is aimed at small businesses and is a set of technical controls companies can be measured against to ensure they are implementing a baseline level of technical security.

Whatever happens, in a week where security breaches have literally been big business, you need to think carefully about what your company is doing (or not doing) to protect its biggest asset. This isn’t just good security advice, this is Advent security advice.

The Insider that rarely gets questioned…

Insider Threat certainly isn’t going away, is it? Reading the continual survey results and news items I see published, it will still be an issue for a long time to come. We know that a lot of the Risk that Insiders bring can be mitigated with good policy and process combined with tech that is fit for purpose. But what of those insiders we don’t really like to  challenge? I speak of the C-Suite; our boards and senior management… surely they couldn’t possibly indulge in risky behaviour?

Risky behaviour is actually quite prevalent in our board rooms, security-wise I mean. (Check out https://uk.pinterest.com/pin/38632509277427972/) Unfortunately, some of the info assets that this level of colleague has access to is quite privileged and so in actual fact, the security around their behaviour actually needs to be tighter but in reality things are not always this watertight and IT security and other security functions will make huge exceptions, based upon the role and seniority instead of looking at the value of the information asset and how it needs to be protected. (Check out https://uk.pinterest.com/pin/38632509276681553/)

Its worth noting that senior execs are frequently the targets of spear phishing and given the level and sensitivity of assets they have access to, this is a huge risk to be taking with organisational security. Ransomware could also be deployed through this method and as a means of coercion. Whilst considering this level of access, we also need to think about the purpose of attack. If this was part of an industrial espionage type of operation, the plan might not be to steal data, it could be to destroy or invalidate it, in situ, in order to affect stock prices, for instance.  It is also worth noting that ex-execs or managers can still be a target and that means they still constitute a potential organisational threat.

Privileged access users like system administrators (sysadmins) also pose a potential threat in the same way as senior business users as there may little or no restrictions on what they can access or edit. A rogue sysadmin or similar could cause absolute chaos in an organisation, but the organisation might not even realise it, if they have also got the ability to cover their tracks. According to the Vormetric 2015 Insider Threat Report, the biggest risk group was privileged users and Executive Management categories were responsible for 83% of the overall risk from Insiders. Yet according to the same piece of research, only 50% have Privileged User Access Management in place and just over half had Data Access monitoring in place.

One more layer to add on top of this would be BYOD. Many businesses have considered whether BYOD is a good choice for them and many have decided to adopt it. Whilst data suggests it may contribute to data breach in adopting organisations, it can be a problem even for those who do not adopt it, as yet again senior execs are allowed latitude regarding the devices they use and may not be subject to the same scrutiny or oversight that general employees are. We know that almost a third of employees have lost up to 3 work mobile devices, we do not know how many have lost their own device also or whether it contained sensitive or valuable business data. We do know that some of these will be senior executives though and this, combined with other risky behaviours (check this out https://uk.pinterest.com/pin/38632509277975844/) will be a major contributor to the risk profile that they represent.

The U2 Album and some phishing

GrrOpinions vary on the success and indeed the ethics of Apple’s decision to place a copy of U2’s new music in iTunes libraries. Some people have welcomed it, though I assume these are the ones who did not have their personal preferences overridden. Apparently, it appears many people had not selected the auto download option in their settings but this seems to have made little or no difference. (These may or may not be some of the contributors to the Twitter hashtag #IblameBono currently occupying a space in my recommended trends. I hasten to add Advent IM has not contributed)

It has also become apparent that the album is not too easy to remove either… indeed the news today includes an update from Apple, who have now created a remove U2 with one click tool after the clamour from iTunes users. They do say that there is no such thing as bad publicity but I can’t help but wonder if invading people’s privacy in this way would ever be good news for a brand. Knowing that your wishes can be overridden with impunity is not reassuring. Realistically, I would think that regular reassurance and demonstration of privacy and security being respected would be a far better approach.

ID-10067364One of the unintended consequences of this has been a massive increase in the number of iTunes and Bono-based phishing emails. Some have offered a ‘delete the U2 album link or tool’ (either carrying or linking to malware). Others have capitalised on the fact that Apple have given something away by purporting to carry a link to a free film from Apple. Users who were suitably impressed by being given the free U2 album have been ‘softened’ into thinking it was perfectly believable Apple would now be sending them links to free movies. 

So users who were less than happy with the sneaking of U2 into their library may get caught by the first kind and those who were thrilled and were then happy to have more free Apple stuff may be caught by the second…

Whatever way you look at this, the U2 album has been a bit of a nightmare from a security perspective. #IMightBlameBono…

 

Big Data …. Friend or Foe?

Delighted to have a post from Advent IM Operations Director, Julia McCarron.

Ellie has been asking me for a while now to do a blog piece on ‘big’ data, and I must confess to dragging my heels because I wasn’t really sure what it was. I guess if I had put my mind to it essentially it must have been the aggregation of information that made it ‘big’ and I’m not far off with that. But last night’s edition of Bang Goes the Theory made me think about what it means … and the fact that ‘big’ is probably too small a word to describe its reach.

 ID-100180473If we want to be specific about it, big data is defined as a collection of data sets so large and complex that it becomes difficult to process using on-hand database management tools or traditional data processing applications.[1]  But it seems to me that this 2-D definition doesn’t do it justice. From what I can see, it’s about taking these large data sets and analysing them to find patterns – that’s what makes it ‘useful’. What you do with those patterns can be for good or bad and can range from diagnostic to research to marketing to preventative in nature, and affect people, places, processes, objects … you name it basically.

I know this kind of analysis goes on because I have a ‘loyalty’ card that regularly sends me money off vouchers for the things I buy on a frequent basis/ I know internet banner ads show me handbags for a reason, usually because I’ve just purchased another one online. I understand that it’s the accumulation of data about my buying habits that is profiled to appeal to me; but I hadn’t realised just how far this can go. On the programme in question a big data collection company said that as a result of the release of DfT data on bicycle accidents, someone had within days written an app for people which told them where to avoid riding their bicycle and therefore minimise the risk of having said accident. Who would have thought that was possible? Rolls Royce engines contain computers that analyse their activity, whilst in the air, and report in real time on peaks and troughs outside the ‘norm’, which enable airlines to do maintenance work before a problem occurs.

But if you think about it big data isn’t new. Einstein’s Theory of relativity came about because he carried out hundred of experiments and analysed them painstakingly by hand. Intelligence services cracked Hitler’s codes by looking for recurring patterns, first totally reliant on the human brain before that human brain created freecrumpetsmachines to make the analysis easier and quicker. I only get 100 free ‘bonus’ points with my next purchase of Warburton’s crumpets because a computer looks at my buying habits and has identified that I buy them every week. (Other crumpets are available – actually no they aren’t). All that has changed is the scale, speed, selectiveness and sensitivity of the collection and review of that data.

The issue comes though when that big data is also personal data, and this is probably where most of us start to question whether it’s a good thing or bad thing. The BGTT Team demonstrated how easy it is to profile individuals from their online data footprints. It’s not just about what you put on various social media but it could also be an innocent publication of contact details by your local golf club. I’m a security conscious person, for obvious reasons, but I’m sure if someone really wanted to they could find out more about me than I thought was possible, just by running a few scripts and analysing trends. I’m a genealogy enthusiast and within minutes I could potentially find out when you were born within a 3 month window, the names of your siblings, your mother and father …. and those all important security questions; your mother’s maiden name and town of your birth.  So should we attempt to simply lock everything down?

 At the same time as all this personal big data is being analysed its also being put to good use.  Researchers are creating medical devices that can analyse brain activity and detect when a second brain trauma is occurring … and they’ve done this by analysing patterns and trends from hundreds of thousands of scan outputs to create a simply, non intrusive device that monitors pressures, electrical current and stimulus. If I opt out of my having my NHS patient record shared, I could make it that bit harder to find a cure … or be cured.

Ultimately, we wouldn’t be where we are today without big data but there is no doubt that in a digital age big data will just keep growing exponentially. I don’t think we can avoid big data and I don’t think we should, but from a security perspective I think we all just need to think about what we post, what we agree to make available, what we join up to and what we are prepared to say about ourselves in public forums. If a field isn’t mandatory don’t fill it in, don’t agree for your location to be published and maybe tell a little white lie about your age (girls we are good at that!). We can never be 100% secure – it’s not possible. Even our fridge can go rogue on us now and order food we’ve run out of but don’t actually want to replenish. But having a security conscious mind can protect us, whilst still providing a big data contribution. 

[1] Wikepedia

some images courtesy of freedigitalphotos.net