Tag Archives: data breach

When is a hack all-white?

From Chris Cope – Advent IM Security Consultant

What’s the difference between a ‘white hat’ security researcher and a hacker?  As a general rule of thumb, if someone discovers a vulnerability on your system and informs you (without undertaking any unauthorised or unlawful activity in the process) then a ‘thank you’ is generally considered to be in order.  There are numerous ‘white hat’ researchers who trawl software and internet sites, detecting vulnerabilities and alerting the appropriate owners or developers.  Many companies have benefited from a quiet advisory and it’s reasonable to suggest that without ‘white hats’, the policy of releasing software and patching later, adopted by many vendors, would be severely undermined.


So why is a white hat researcher, Chris Vickery to be precise, in the news?  Mr Vickery discovered a database on a website.  The website belongs to a company called uKnowKids, which provides a parental monitoring service for your technology-savvy children.  The database contained an array of information that the company did not want to be made public, including, in the words of the BBC, ‘detailed child profiles’.  However, the company claims that the information was not personal data and no customer information was at risk.  Mr Vickery was able to access the database and take screenshots, which were sent to the company as proof of the vulnerability.  However, rather than thank him, the company accused Mr Vickery of risking their continued viability and claimed that his access was unauthorised.  By Mr Vickery’s account, the database was in a publicly accessible area and had no access controls in place.

Since the notification, uKnowKids has patched the vulnerability.

So what can we take from this?  uKnowKids obviously intended for the database to remain private.  Under UK law, Intellectual Property rights provide protection for confidential information, but there is one pretty fundamental requirement – the information needs to be protected.  Placing a database on a publicly accessible internet page without protection is, however, akin to leaving a sensitive paper file on a train.  Organisations shouldn’t be surprised if information left in such a public and insecure state is read by unintended third parties.

Before protecting information, an organisation needs to understand what information it holds and what needs protecting.  Once that is established, there are a variety of means that can be used to protect it: physical controls on physical copies, labelling of information, educating staff so they understand the required handling measures, and routine audits all form part of the basic protections required for all types of information.  For electronic information, one also needs to consider technical measures such as access controls and encryption.  When a database containing sensitive information must be placed in an area where it is accessible from outside the organisation, access to it must be very carefully controlled.

In this instance, the reputation of a company which holds intelligence on children could have been seriously undermined if a hostile breach had occurred, even without the loss of personal information.  If personal information had been lost, then the financial implications could have been severe; increasingly so as new EU legislation on data protection comes into effect.  So make sure that you fully understand your assets (including information) and what level of protection they require and, when designing controls, it’s important to ensure that the full range of countermeasures, including physical, personnel, procedural and technical, are considered, properly implemented and integrated.  And if you do come across a public-spirited individual who warns you of a potential breach in your security, remember to say ‘thank you’.

NASA hacking?

A post from Del Brazil of Advent IM on allegations of NASA being hacked

There have been allegations of numerous hacks into the systems controlled or operated by NASA. These have ranged from secret UFO files being accessed, through to drones being infiltrated and subsequently controlled by unauthorised persons.

This raises questions about how secure the NASA websites, servers and systems are.  There are a whole host of individuals who claim to have hacked NASA, including a 15-year-old who is alleged to have caused a 21-day shutdown of NASA computers, through to an individual who claims to have found evidence that NASA has built, or is in the process of building, ‘space warships’ and to have found lists of ‘non-terrestrial military officers’.

The latest alleged hack involves the release of various videos, flight logs and personal data related to NASA employees.  This hack is believed to have originally started over 2 years ago with a hacker paying for initial access; although it is not yet confirmed, it is fair to assume that this purchase would be associated with a NASA employee.  The hacker then carried out a ‘brute force’ attack against an administrator’s SSH password, resulting in a successful compromise within 0.32 seconds, as the password is alleged to have still been set to the default credentials.  Having infiltrated the system with an administrator’s password, the hacker was then pretty much free to navigate his/her way around various NASA systems, collecting information as they went.  It’s not unusual to find CCTV systems and/or other Base Management Systems with administrator settings still left at their defaults; what is unusual is to find that NASA’s systems are potentially falling foul of this too.  There were also claims that one of NASA’s unmanned drones, used for high altitude and long duration data collection, had been partially taken control of during the hacking with a view to potentially crashing it in the Pacific Ocean.
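The detail worth taking from the account above, from a defender’s point of view, is how visible a password brute-force attempt is in the authentication log, and how quickly it succeeds against a default credential. The following is an added example (not code from the post, from NASA or from Advent IM) of the detection logic a monitoring team would run over sshd log lines: it raises a burst alert when one source address accumulates repeated failed passwords inside a short window, and a compromise alert if that same address then logs in successfully. The log lines and the addresses in them are constructed for illustration; the year is assumed because syslog omits it.

```python
"""Detect SSH password brute-force bursts in sshd auth-log lines.

Added example for this post, not code from Advent IM or any project on the
page.  The log lines below are constructed; 203.0.113.7 and 192.0.2.10 are
documentation-range addresses, not real hosts.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OpenSSH auth-log lines: a fast password burst from 203.0.113.7
# ending in a successful root login, plus ordinary traffic from 192.0.2.10
# that must not trigger an alert.
SAMPLE_LOG = """\
Jun 16 10:00:01 gw sshd[2001]: Failed password for root from 203.0.113.7 port 51000 ssh2
Jun 16 10:00:02 gw sshd[2002]: Failed password for root from 203.0.113.7 port 51001 ssh2
Jun 16 10:00:02 gw sshd[2003]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Jun 16 10:00:03 gw sshd[2004]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jun 16 10:00:03 gw sshd[2005]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jun 16 10:00:04 gw sshd[2006]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Jun 16 10:05:00 gw sshd[2007]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Jun 16 10:07:00 gw sshd[2008]: Failed password for alice from 192.0.2.10 port 40001 ssh2
""".splitlines()

# Matches the standard OpenSSH "Failed/Accepted password" message shape.
# Public-key logins do not match and are ignored on purpose.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)
YEAR = 2015  # assumption: syslog timestamps carry no year


def parse_line(line):
    """Return a dict for a password auth event, or None for any other line."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as tuples.

    ("BURST", ip, timestamp)  once a source reaches `threshold` failed
                              passwords within `window`
    ("COMPROMISE", ip, user)  when a bursting source then authenticates
    """
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    bursting = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            recent = [t for t in failures[ip] if ev["ts"] - t <= window]
            recent.append(ev["ts"])
            failures[ip] = recent
            if len(recent) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append(("BURST", ip, ev["ts"]))
        elif ip in bursting:
            alerts.append(("COMPROMISE", ip, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The threshold and window are tuning knobs: five failures in a minute from one address is far above what a mistyped password produces, and the compromise alert is the one that should page someone, because it is the point at which an attacker holds a valid administrator session.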

The information claimed to have been obtained includes 631 videos of weather radar readings and other in-flight footage from manned and unmanned aircraft between 2012 and 2013, along with personal information related to NASA employees.  It is widely reported on the internet that the personal information obtained relating to the NASA employees has been verified by another media client, as they have allegedly attempted to contact those individuals by telephone; although it is further reported that no actual conversations took place and that verification was obtained from answerphone machines pertaining to those NASA employees.   There are no reports that the same media client has received any return calls from the alleged NASA employees, nor is there any documented communication from NASA’s IT Security Division, the Glenn Research Center, the Goddard Space Flight Center, the Dryden Flight Research Center, the NASA Media Room or the FBI.

This is certainly not the first and won’t be the last alleged hack of NASA.  It is well known that there are a whole host of individuals who are continuously attempting to attack large organisations; whether their motive be criminal or just inquisitive, you can be assured that any alleged successful hack will make headline news. Hackers are widely regarded as kudos-seekers, reputation and status hungry within their own fields, and targets like this are very highly sought after.

Let’s consider the sensitivity of the alleged data.  Any sensitive or ‘secret’ information is likely to be securely stored in a manner that prevents, or at least deters, any potential hacker; however no system is 100% secure and so there is a possibility, albeit a very small one, that a hacker may be successful.

NASA have responded by stating that ‘Control of our Global Hawk aircraft was not compromised. NASA has no evidence to indicate the alleged hacked data are anything other than already publicly available data. NASA takes cybersecurity very seriously and will continue to fully investigate all of these allegations.’  So the old ‘he said, she said’ playground argument continues, with neither party being proved or disproved, but what we do know is that hackers will continue to attack high profile organisations for ‘kudos’ status or bragging rights.

The cyber-buck stops in the boardroom…

Advent IM Security Consultant, Del Brazil gives us his view of some of the comments and take-outs that ALL boards need to be aware of, following Dido Harding’s appearance before a parliamentary committee on the TalkTalk Breach.

The TalkTalk security breach continues to roll on, with the TalkTalk CEO Dido Harding telling a parliamentary committee on 23.12.15 that she was responsible for security when the telecoms firm was hacked in October. Although there was indeed a dedicated security team in place within TalkTalk, it is unrealistic to place the blame solely at the feet of the security team, as security is a responsibility of the whole organisation.  It is fair to assume that in the event of a security-related issue, as in this case, one person must take overall responsibility and be held to account for the potential lack of technical or procedural measures that may have prevented the breach occurring.

It is a fair assumption to make that in the event that the security breach can be attributed to a single individual then that is an internal disciplinary matter for TalkTalk to resolve unless there is a clear criminal intent associated with the individual concerned.

It is worth noting that although every effort may be taken to implement the latest security techniques or measures, there is always the possibility that a hacker, a like-minded criminal organisation or even a disgruntled member of staff may find a way through or around them.

As long as an organisation can demonstrate that it has taken a positive approach to security, considered a number of possible attacks and taken steps to mitigate any potential attack, this may satisfy the ICO that one of the key principles of the DPA has been considered.

Organisations should always consider reviewing their security measures and practices on a regular basis to ensure that they are best suited to the ever changing threat.  It is appreciated that no one organisation will ever be safe or un-hackable but as long as they conduct annual threat assessments and consider these threats in a clear documented risk assessment they can sleep at night knowing that they have taken all necessary steps to defeat, deter and/or detect any potential attack.


The TalkTalk security breach has highlighted a number of failings, in the opinion of the author, and although they are deemed to be of a serious nature, praise should go to the TalkTalk team for being open, honest and up front from the onset.  This has resulted in quite a lot of bad press, the effects of which TalkTalk are still feeling; although some people say that ‘all publicity is good publicity.’  It is clear that TalkTalk are taking the security breach very seriously and are fully engaged with the relevant investigation bodies whilst making every effort to bolster their current security posture.

It is very easy for board members to assume the role of Director of Security without fully understanding the role or having any degree of training or background knowledge.  Any organisation should ensure that it employs or appoints staff with the correct level of knowledge and experience to specific posts, thus facilitating the ‘best person for the best role’ approach.  Currently security, but more specifically IT Security, is seen as a secondary role that can be managed by a senior person from any area within an organisation; however it is finally becoming more apparent to organisations that the IT Security role warrants its own position within the organisational structure.

In the author’s opinion it is the organisations that have yet to report security breaches that are more of a concern, as no one knows what level of security is in place within them.  It is not that the author is sceptical about the amount of security in place within these organisations; it is the fact that they do not report or publicise any cyber security related incidents that is of concern.  No organisation is so secure that a breach of cyber security, or at least a cyber related security incident, never occurs.  It is far better for organisations to highlight or publish any attempted or successful attacks, not only to assist other organisations in defeating or detecting attacks but also to show a degree of transparency to their customers.

Holding on to data is not good practice; A look at the Wetherspoons breach.

Del Brazil turns his well-experienced eye to the Wetherspoons customer data breach and asks some questions about how data was being managed, given how long some of this data had been retained by Wetherspoons. 

It has been recently reported that the pub chain JD Wetherspoon has admitted that card data of 100 customers has been stolen from a database after it was hacked.  Wetherspoon’s have stated that “very limited” credit and debit card information was accessed in the hack in June and that the information could not be used as part of any attempted fraud.  Wetherspoon’s further stated that personal details, including names and email addresses, may also have been stolen from more than 650,000 people.

The Information Commissioner’s Office has been notified of the breach, which only came to light recently and is investigating accordingly.

The hacked database contained customers’ details, which included names, dates of birth, email addresses and phone numbers; however the 100 affected whose card data was stolen had apparently bought Wetherspoon vouchers online between January 2009 and August 2014.

Will a lead-lined wallet be the only solution?

“Only the last four digits of payment cards were obtained in the hack as the remaining digits were not stored in Wetherspoon’s database,” said John Hutson, Wetherspoon’s chief executive.  None of the card data stored by Wetherspoon’s was encrypted because the other associated details were not stored on the database.

A letter to those customers whose details may have been hacked advises them to “remain vigilant for any emails that they are not expecting that specifically ask you for personal or financial information, or request you to click on links or download information”.

Despite an email warning being received about the suspected breach little if anything was done to further investigate the possibility of a hack taking place.  The email warning may have been captured by a spam filter and either quarantined or automatically deleted dependent upon the settings of the relevant servers.

Mr Hutson said that the hack had occurred between 15th and 17th June and that there was no evidence that fraudulent activity had taken place using the hacked data from the database.  He added: “We have taken all necessary measures to make our website secure again following this attack. A forensic investigation into the breach is continuing.”

Serious questions need to be asked of Wetherspoon’s as to why they were retaining customer data for such a long period of time, in fact well past the time for which it was intended to be used.  Further investigation should establish how and why the data was retained for such a long period of time, and again one of the main data protection principles is at the forefront of the author’s mind.   If the data was being retained for an appropriate reason and with the individual’s permission, were there sufficient security measures in place to safeguard against and/or deter would-be hackers?

Wetherspoon’s have already given a clear indication that they fully intend to keep their retention of personal data to a minimum, as stated by founder and Chairman Tim Martin.  Is this likely to satisfy the ICO?  In essence, yes, as it does show a clear intention to limit the amount of personal data being retained by Wetherspoon’s; although once the ICO investigation has been completed it is likely that a number of requirements and/or recommendations will be imposed by the ICO.

It is the opinion of the author that should the ongoing investigation by the ICO highlight significant failings by Wetherspoon’s in the protection of customer data, then a fine should be imposed that is in line with the seriousness and size of the breach.  The ICO may take a dim view of this breach as it is likely to flout one of the key Data Protection Act principles, in that Wetherspoon’s may have been storing customer data for longer than necessary and may not have afforded the information the appropriate level of security measures.
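The retention question raised in the two paragraphs above (why voucher purchase data from 2009 was still held in 2015) is one that can be answered mechanically if each record carries the purpose it was collected for. The following is an added example, not Wetherspoon’s code and not an Advent IM tool, of a retention review: every record is checked against a documented retention schedule for its purpose, and anything past its period, held under withdrawn consent, or held for no documented purpose at all is listed for purging. The records, purposes and retention periods are constructed; the review date is set to June 2015 to mirror the timing in the post.

```python
"""Flag personal-data records held beyond their retention period.

Added example for this post; not Wetherspoon's or Advent IM's code.  The
retention schedule, the records and the review date are all constructed to
illustrate the 'no longer than necessary' principle.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical retention schedule: how long each purpose justifies keeping
# the data after it was last used.  None means "for as long as consent stands".
RETENTION_DAYS = {
    "voucher_order": 365,     # keep for a year to handle refunds and disputes
    "newsletter": None,       # consent-based, no fixed period
    "job_application": 180,
}

REVIEW_DATE = date(2015, 6, 15)   # constructed: date the review is run


@dataclass
class Record:
    record_id: int
    purpose: str
    last_used: date            # last date the data served its stated purpose
    consent_active: bool = True


def is_overdue(rec, today):
    """True if the record's purpose no longer justifies holding it."""
    limit = RETENTION_DAYS.get(rec.purpose)
    if limit is None:
        return not rec.consent_active      # purge once consent is withdrawn
    return (today - rec.last_used).days > limit


def retention_review(records, today):
    """Return (ids to keep, [(id, reason) to purge])."""
    keep, purge = [], []
    for rec in records:
        if rec.purpose not in RETENTION_DAYS:
            purge.append((rec.record_id, "no documented purpose"))
        elif is_overdue(rec, today):
            purge.append((rec.record_id, f"{rec.purpose}: past retention"))
        else:
            keep.append(rec.record_id)
    return keep, purge


# Constructed sample data: a 2009 voucher order still on file in 2015, a
# recent one, a subscriber who withdrew consent, and an undocumented export.
SAMPLE_RECORDS = [
    Record(1, "voucher_order", date(2009, 3, 2)),
    Record(2, "voucher_order", date(2014, 8, 20)),
    Record(3, "voucher_order", date(2015, 5, 30)),
    Record(4, "newsletter", date(2012, 1, 1), consent_active=True),
    Record(5, "newsletter", date(2012, 1, 1), consent_active=False),
    Record(6, "legacy_export", date(2010, 6, 1)),
]


if __name__ == "__main__":
    keep, purge = retention_review(SAMPLE_RECORDS, REVIEW_DATE)
    print("keep:", keep)
    for record_id, reason in purge:
        print(f"purge {record_id}: {reason}")
```

The point of the "no documented purpose" branch is that data without a stated purpose cannot have a justified retention period, so it fails the review by default rather than quietly surviving it; that is the category the post is worried about.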

Currently there is no legal requirement for companies to report data breaches and/or losses to the ICO; however this is likely to change in the very near future.  In the author’s opinion, each and every company has a moral obligation not only to report the breach or loss of personal data to the individuals concerned but also to any recognised institution, such as the ICO, so that improvements in data protection can be pushed forward by looking at previous failings.

Round-up: Top posts of 2015

2015 is almost over and we have been pleased and delighted to welcome many new followers and contributors to the Advent IM Holistic Security blog. It’s hard to wade through all the content but we thought it would be nice to present you with a list of some of our most popular posts this year, by month. (This is based upon what people read and not necessarily when they were published.)

In January, we warned you to watch out for phishing emails if you had nice shiny new devices for Christmas. We were recognised as Cyber Security Solution Suppliers to Her Majesty’s Government and we enjoyed a visit from The Right Honourable Francis Maude to talk all things CyberSec.

In February, we had a visit from James Morrison MP to talk about how cyber attacks affect local and national businesses, we launched a whitepaper on CCTV in schools and discussed the key ‘watch-outs’ in off-shoring data in relation to Data Protection.

In March, we were exhibiting and speaking at the Security & Policing Event at Farnborough (we will be at the next one too, watch this space for details!). Mike Gillespie’s quote in The Sunday Times, talking about SMEs and Cyber Security back in 2014, suddenly shot back up the blog statistics as people explored some of our older posts.

In April, law firms were in the sights of the ICO and we blogged about it, and people looking for Senior Information Risk Owner Training found their way to the blog. Of course, if you do want to book training you need to go via the website.

In May, Ransomware was on everyone’s radar, including ours.  A lot of readers also sought out an old post on mapping the control changes in ISO 27001 2005 vs. 2013 and we were glad they found our tool to help them with this. We think that more businesses will want to think about this standard in 2016 as security awareness continues to grow and common sense reveals the huge commercial benefits.

In June, the changes to EU Data Protection regulations had a lot of people talking. Dale Penn gave a no-nonsense post explaining what it meant and it was very well received. We had a Risk Assessment methodology post from Del Brazil, talking Attack Trees. A post that was also very well read came from Julia McCarron, who discussed the risk in continuing to run Windows XP.

In July, Social Engineering was a key topic and one of our blog posts was very well visited: The Best Attack Exploit by Dale Penn is still receiving visits. Dale also wrote, with clarity, about hacking Planes, Trains and Automobiles, as well as the coverage this kind of hacking was receiving.

In August, we heard about Hacking Team being hacked and it revealed some very risky security behaviour. Dale Penn wrote about this event and other security specialists being targeted. In August, a very old blog post started to get some traffic again as people wanted to read about secure destruction of hard drives, and a guest post from Malcolm Charnock got hoisted back into the charts.

In September, TOR was in the press, sometimes as a hero but usually as a villain… well, perhaps not a villain but certainly suspicious. We tried to throw some light on what TOR is for the uninitiated and explain why and how it is deployed by a variety of users. It came courtesy of Del Brazil. Another very old post on USBs also got raised from the archive: The Ubiquitous Security Breach.

In October, traffic to the blog doubled and we welcomed many more new readers. All of the posts mentioned here were read, but far and away the winner was Crime of Our Generation from Chris Cope, talking about TalkTalk’s disastrous breach.  Marks and Spencer were discussed by Julia McCarron in light of their own security failure. Attack of the Drones discussed a variety of drone-related areas, uses and unintended consequences. A nuclear power plant worker was found researching bomb making on a laptop at work and the EU Safe Harbour agreement melted away. It was a very busy month…

In November, the Bank of England expressed some firm opinion on cyber security requirements in the financial sector. Morrisons staff took to the courts to sue over the data breach that exposed their personal information. Australia jailed a former junior bureaucrat who leaked defence material onto the notorious 4Chan website. The previous posts on TalkTalk, M&S, BoE, Safe Harbour and EU DP Regulations were also extensively read in November.

And finally, December… Well, the Advent Advent Calendar has been a festive fixture for three years now so we had to make sure it was included and it has, as always, been well trampled and shared. We also added a new festive bit of fun in the form of the 12 Days of a Phishy Christmas and some Security Predictions from the team for 2016. Why would anyone hack the weather? was a look at how attacks can be intended for other parts of a supply chain. Finally TalkTalk popped up in the news and in conversation again, as it emerged that Police had advised the firm not to discuss their breach.

TalkTalk advised not to talktalk about their breach?

According to the International Business Times, the Metropolitan Police advised TalkTalk not to discuss their breach (you can read the article here).

Here, in conversation on the topic, are Advent IM Directors Julia McCarron and Mike Gillespie and Security Consultant Chris Cope.


Chris Cope

“This is interesting as it shows the 2 different priorities at work.  For the police, the key aim is to catch the perpetrator.  This often means allowing an attacker to continue so they can be monitored on the network and their activities logged and traced without causing them to suspect that they are being monitored in such a way.  The Cuckoo’s Egg details how the Lawrence Berkeley Lab famously did just this in response to a hack of their system.  However, TalkTalk have a duty of care to their customers.  If personal information could be used to steal money, then they must weigh up the advice from the police, along with the potential impact of not publicising this attack on ordinary people. It’s easy to see how a CEO can be caught in between trying to help the police, but also attempting to limit the damage to their customers.  Ultimately it’s a difficult decision, but one that could be made easier with correct forensic planning, i.e. working out how to preserve evidence of an attack, which can be provided to the police, whilst ensuring that normal services continue and customers are warned.  Making these decisions during an actual incident will only make a stressful time even more so; far better to plan ahead.”


Julia McCarron

“Totally agree … something to add…

This is a classic case of being stuck between a rock and a hard place. As Chris quite rightly says two different objectives were at play here and each had its merits. Ultimately it was a difficult decision to make but you can’t knock TalkTalk for once, as it appears to have been an informed one.

Whilst I also agree with Chris on the forensics front, experience has shown us that staff need to be aware of what to do ‘forensically’ in the event of an incident and this is often where the process falls down. Because such incidents are usually rare, the chain of evidence is often corrupted unintentionally because no-one knows what to do, or it’s no longer available due to the time lag in occurrence and detection.

Intrusion detection systems along with other technological measures will be an asset in reducing that time lag but key to success is scenario training. In the same way as we are seeing Phishing tests becoming the norm, especially in customer facing organisations like TalkTalk, is there a place for forensic readiness testing to ensure staff know what to do when a security attack occurs? Then vital evidence is at hand when hacks like this occur and the force awakens.”


Mike Gillespie

“Totally agree, Chris. It’s a tough balance but the protection of the consumer should always come first in my opinion.

Forensic readiness planning is key and continues to be a weak area for many organisations – linking this with an effective communication plan is vital – and as with any plan it needs to be properly tested and exercised… as do all aspects of cyber response… using appropriate scenario-based exercises.

All of this should be designed to drive continual improvement and to ensure our cyber response evolves to meet emerging threats.”
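All three contributors above come back to forensic readiness: knowing in advance how to preserve evidence so that it can be handed to the police without it being corrupted by well-meaning clean-up or lost to the time lag between occurrence and detection. The following is an added example illustrating that point; it is not Advent IM’s procedure, TalkTalk’s process or any product’s code. It seals a set of evidence files into a manifest recording who collected them, when, and each file’s SHA-256 hash, hashes the manifest itself, and can later show whether any file (or the manifest) has changed since collection. The evidence files, their contents and the collector name are constructed inside a temporary directory when the script runs.

```python
"""Forensic readiness: seal evidence files in a hash manifest and re-verify.

Added example for the conversation above; not Advent IM's procedure or any
product's code.  The evidence files are constructed in a temporary directory.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream a file through SHA-256 so large logs and images are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector):
    """Record who collected what, when, and each file's hash, before anyone
    else touches the files.  The manifest body is hashed too, so later edits
    to the manifest are as visible as edits to the evidence."""
    entries = [{"path": os.path.abspath(p),
                "size": os.path.getsize(p),
                "sha256": sha256_file(p)} for p in sorted(paths)]
    body = {"collector": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "entries": entries}
    body_bytes = json.dumps(body, sort_keys=True).encode()
    return {"body": body,
            "manifest_sha256": hashlib.sha256(body_bytes).hexdigest()}


def verify_manifest(manifest):
    """Return (manifest_intact, [paths whose content changed or vanished])."""
    body_bytes = json.dumps(manifest["body"], sort_keys=True).encode()
    intact = hashlib.sha256(body_bytes).hexdigest() == manifest["manifest_sha256"]
    changed = []
    for e in manifest["body"]["entries"]:
        if not os.path.exists(e["path"]) or sha256_file(e["path"]) != e["sha256"]:
            changed.append(e["path"])
    return intact, changed


def demo():
    """Constructed scenario: seal two log files, then 'tidy up' one of them
    and separately edit the manifest, and report what verification says."""
    with tempfile.TemporaryDirectory() as d:
        access = os.path.join(d, "access.log")
        auth = os.path.join(d, "auth.log")
        with open(access, "w") as f:   # constructed sample content
            f.write("198.51.100.4 - - [21/Oct/2015:10:00:00] GET /login 200\n")
        with open(auth, "w") as f:
            f.write("Oct 21 10:00:01 web sshd[1]: Accepted password for admin\n")

        manifest = build_manifest([access, auth],
                                  collector="on-call analyst (hypothetical)")
        before = verify_manifest(manifest)

        with open(access, "a") as f:    # someone appends to the log after sealing
            f.write("tampered\n")
        after = verify_manifest(manifest)

        edited = json.loads(json.dumps(manifest))   # deep copy
        edited["body"]["collector"] = "someone else"
        edited_intact, _ = verify_manifest(edited)

    return {"before": before, "after": after, "edited_manifest_intact": edited_intact}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real exercise the manifest would be written to separate, write-once storage and countersigned (a detached signature or a second custodian’s hash), because a manifest that lives next to the evidence can be replaced along with it; the hash-of-the-manifest here only makes accidental edits visible, not deliberate ones by someone who controls both.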


Morrisons staff suing over data breach. Del Brazil takes a look at what we know and what it might mean.

Advent IM Security Consultant, Del Brazil discusses some of the questions raised by the legal action from Morrisons employees over a data breach that led to their private information being leaked…

It has been reported in Computer Weekly that thousands of Morrisons staff are planning to sue the retailer over a data breach in which a disgruntled former employee published the bank, salary and National Insurance details of almost 100,000 employees, online.

Did Morrisons fail to prevent the data leak that exposed tens of thousands of its employees to the very real risk of identity theft and potential loss?  Only a full and thorough investigation will reveal the answer, along with exactly how the breach was committed and over what period of time it occurred.

Any investigation will highlight the security measures deployed at the time of the incident.  A decision will then be made by the Information Commissioner’s Office (ICO) or other investigative body as to whether the measures implemented were in line with the Data Protection Act and whether each measure was correctly configured, managed and/or monitored.

The Data Protection Act 7th Principle says that: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

So in simple terms each and every organisation that stores, processes or handles personal data should be able to establish whether they can reasonably do more to protect the personal data they hold.  If the answer raises eyebrows or poses further questions then the simple answer should be yes; however all organisations should be consistently and regularly reviewing their security measures in order to highlight potential weaknesses or areas for improvement. What may be appropriate and adequate at one time, may not always remain the same, so the need for review and testing is key.

In the event that personal data is stolen, changed or misappropriated, the repercussions to the individual could be devastating.  There is a possibility that their information may be sold on to a third party for spamming purposes or sold on to a criminal organisation with the intent of identity theft. The resulting financial losses to individuals are not only unfair and criminal on a wholesale basis, but frequently go to fund other criminal and terrorist activities.  Sadly, there is frequently a somewhat relaxed attitude towards the loss of personal data from an individual’s perspective, as they believe that it won’t happen to them. However there is always a risk of your personal information being used for purposes that you are not aware of.  No one should ever be afraid to question an organisation or employer about how they protect their information and what measures they are taking to ensure its security.  If there are resulting concerns about levels of protection or safeguards, then the Information Commissioner’s Office (ICO) may be contacted, as they may investigate these concerns further.

Individuals can be quick to pass on their details to organisations/companies for genuine reasons; we all live a digital and data-driven life, in the belief that this information will be adequately protected.  Arguably, in some cases you have no choice but to share personal information, especially from an employment perspective, and it would be reasonable to expect your employer to take sufficient care of your information to prevent it being accessed by, or passed to, individuals/organisations intent on committing some form of illegal activity. Being aware of how our information is protected is not unreasonable, and employees have a perfectly reasonable expectation that their employers will consider this part of their duty of care.

The UK can sometimes follow the US culturally, and the question has been raised as to whether the culture of litigation is one we can expect to see expand in the UK, particularly with this kind of high profile legal action. There are numerous incidents in the US where companies/organisations have been sued for failing to protect personal information, but can we expect this to become part of our corporate life? This is a very tricky question to answer, as the laws governing the protection of data in the US differ from those in the UK, although they do deliver the same message.  Each and every personal data breach is unique, but the recurring questions in any investigation will always be whether the individual, company and/or organisation took sufficient care to protect personal information by the deployment of appropriate technical, physical and procedural measures, and what the impact was on the individuals concerned.  So whilst the regulation may differ, the spirit of the regulation is consistent, and whether this is the future for the UK too remains to be seen. Certainly we are seeing growing numbers of breaches and it is unlikely that this growth will continue without some kind of reaction from the victims.

What is the likelihood that the Morrisons legal action is successful?  This would depend on the outcome of the ongoing investigation and on whether Morrisons was deemed to have adequately protected their employees’ data.  Should the legal bid be upheld, then the repercussions may potentially have a massive impact on all organisations storing and/or processing personal information.  There is a likelihood that organisations may go massively overboard with extra or increased measures in an attempt to defeat any possible threat of an insider attack without first reviewing and/or assessing the findings of the ongoing Morrisons case.

The Morrisons data breach does raise a few questions though: what measures are deemed to be appropriate and sufficient to detect and/or deter an insider attack?  There is a fine balance between organisations having a high level of protective monitoring that gives employees the ‘Big Brother’ impression, or such a low level that pretty much no monitoring takes place.  A very similar line could be taken on staff vetting: at what point does vetting cease to be seen as an assurance practice and become more of an intrusion into personal life?  These are questions that will continuously trouble both employers and employees.

Organisations are generally over-reliant on technical solutions for protective monitoring to provide a quick fix, rather than looking at the problem and identifying an appropriate solution.  There is a whole raft of technical solutions available, all of which require an element of physical monitoring and response.  It is an organisational decision whether to use a more technical solution with little staff interaction to maintain the system, as opposed to relying more heavily on human inspection of various logs; however consideration should also be given to ensuring that there are sufficient staff available to respond to alerts or discrepancies that may be detected in whichever solution is deployed.  Organisations should also ensure that they have a tried and tested plan in place to maximise their ability to understand, contain and respond to the ever increasing threat to personal information.

It is the opinion of the author that organisations should employ comprehensive protective monitoring procedures, which when coupled with a degree of staff vetting and a good security awareness programme should demonstrate to any governing body an organisation’s commitment to deterring or detecting insider threats.
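The balance the three paragraphs above describe, protective monitoring that is strong enough to catch an insider pulling an entire payroll file but not so intrusive that it reads as ‘Big Brother’, is easier to strike when the monitoring works on aggregate access counts rather than on the content of what people look at. The following is an added example of that kind of check, not Morrisons’ monitoring and not an Advent IM tool: it takes audit events of the form (day, user, record id, action), counts how many distinct personal-data records each user touched per day, and raises an alert only when one user’s count is both far above that day’s median across their peers and above an absolute floor, so an ordinary busy day does not trigger it. The events, user names and thresholds are constructed.

```python
"""Protective monitoring for bulk access to personal data (insider threat).

Added example for this post, not Morrisons' or Advent IM's code.  It works on
aggregate per-user counts rather than inspecting content, which is the
proportionality point the post raises.  All events below are constructed.
"""
from collections import defaultdict
from statistics import median


def make_events():
    """Constructed audit trail: three payroll staff each handle a dozen
    records a day; on the second day one of them exports 300 records."""
    events = []
    for day in ("2014-03-10", "2014-03-11"):
        for user in ("payroll01", "payroll02", "payroll03"):
            for i in range(12):
                events.append((day, user, 1000 + i, "view"))
    for i in range(300):   # the bulk pull that the post's scenario turns on
        events.append(("2014-03-11", "payroll03", 2000 + i, "export"))
    return events


def bulk_access_alerts(events, ratio=5.0, floor=50):
    """Return one alert per (day, user) whose distinct-record count is more
    than `ratio` times that day's median across users and at least `floor`.

    The median is used as the peer baseline so that a single heavy user
    cannot drag the baseline up and hide.  `floor` stops tiny teams from
    alerting on normal variation (e.g. 6 records versus a median of 1).
    """
    records_by_day_user = defaultdict(set)
    for day, user, record_id, _action in events:
        records_by_day_user[(day, user)].add(record_id)

    counts_by_day = defaultdict(dict)
    for (day, user), records in records_by_day_user.items():
        counts_by_day[day][user] = len(records)

    alerts = []
    for day in sorted(counts_by_day):
        counts = counts_by_day[day]
        baseline = median(counts.values())
        for user in sorted(counts):
            n = counts[user]
            if n >= floor and n > ratio * baseline:
                alerts.append({"day": day, "user": user,
                               "records": n, "peer_median": baseline})
    return alerts


if __name__ == "__main__":
    for alert in bulk_access_alerts(make_events()):
        print(alert)
```

The alert carries the peer median alongside the user’s count so that whoever triages it (the ‘sufficient staff available to respond’ from the previous paragraph) can see at a glance whether it is a 300-record export or a team-wide spike, without anyone having to read the records themselves.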

Unfortunately the insider threat will never go away and with the value and importance of information increasing rapidly so the temptation for employees to sell personal information also increases.  Every level and type of industry relies upon information, no matter what form it takes and as such, every industry should keep an eye on this case as it develops.

Although organisations should pay close attention to this ongoing legal case raised by Morrisons employees, they shouldn’t be overly concerned until the full details of the investigation and the outcome of the legal case are made public.

Every organisation should ensure appropriate measures are in place (technical and non-technical) to secure and protect personal information to the best of their ability, including continually educating, training and making their staff aware of the insider threats.