Small and medium sized businesses are being warned to take note as a company which suffered a cyber attack is fined £60,000 by the Information Commissioner’s Office (ICO).
An investigation by the ICO found Berkshire-based Boomerang Video Ltd failed to take basic steps to stop its website being attacked.
Sally Anne Poole, ICO enforcement manager, said:
“Regardless of your size, if you are a business that handles personal information then data protection laws apply to you. [What a concept! Bob]
“If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”
She added:
“Boomerang Video failed to take basic steps to protect its customers’ information from cyber attackers. Had it done so, it could have prevented this attack and protected the personal details of more than 26,000 of its customers.”
The video game rental firm’s website was subject to a cyber attack in 2014 in which 26,331 customer details could be accessed. The attacker used a common technique known as SQL injection to access the data.
The ICO’s investigation found:
- Boomerang Video failed to carry out regular penetration testing on its website that should have detected errors
- The firm failed to ensure the password for the account on the WordPress section of its website was sufficiently complex
- Boomerang Video had some information stored unencrypted and that which was encrypted could be accessed because it failed to keep the decryption key secure
- Encrypted cardholder details and CVV numbers were held on the web server for longer than necessary
Ms Poole said:
“For no good reason Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening.
“I hope businesses learn from today’s fine and check that they are doing all they can to look after the customer information in their care.”
The ICO has a range of guidance available to help businesses ahead of the implementation of GDPR on 25 May 2018. This includes website pages dedicated to the data protection reform legislation, and an updated toolkit for SMEs that includes a checklist to help organisations in their GDPR preparations.
SOURCE: Information Commissioner’s Office
Note that DataBreaches.net had covered this breach (search Boomerang Rentals), and had noted its frustrating and customer-irritating incident response.
Of note, I think this monetary penalty by the ICO is fairly consistent with what the Federal Trade Commission here has tried to do, highlighting basic security steps and failures to maintain “reasonable” security. One difference, however, is that the FTC has no authority to impose any monetary penalty like this.
For some reason, I don’t believe this.
HMS Queen Elizabeth, UK’s Largest Warship, Runs On Windows XP, Vulnerable To Hacking
It was recently revealed that HMS Queen Elizabeth, Britain’s largest warship, which left Rosyth Dockyard, Scotland, heading to the North Sea for its first ever sea trials, ran on the outdated operating system, Microsoft Windows XP.
… Mark Deller, commander air on the HMS Queen Elizabeth, defended the use of the operating system on the ship, refusing to admit that it can be hacked. "The ship is well designed and there has been a very, very stringent procurement train that has ensured we are less susceptible to cyber than most," Deller told the Guardian.
Windows XP is the operating system that was incapable of protecting organizations like the National Health System (NHS) of the United Kingdom among others from a massive WannaCry ransomware attack in May 2017. The attack saw the cyber terror group take control of over 300,000 computers in 150 countries.
… “We are a very sanitized procurement train,” Deller stated. “I would say, compared to the NHS buying computers off the shelf, we are probably better than that. If you think more NASA and less NHS you are probably in the right place.”
(Related).
HMS Queen Elizabeth not vulnerable to cyber attack, defence secretary insists
Britain's most powerful warship is not vulnerable to a cyber attack, the Defence Secretary has insisted, after fears were raised about its software.
… Sir Michael Fallon insisted the security around the computer software on the aircraft carrier is "properly protected".
Should it be a crime to conceal a security breach?
FBI: $1.45 Billion in Losses to Internet Crime Reported in 2016
The FBI has published its Internet Crime Report 2016 based on information received by the Internet Crime Complaint Center (IC3). It shows that 298,728 complaints were received by the IC3 during 2016 (up from 288,012 in 2015); and that reported losses to internet crime totaled more than $1.45 billion (up from $1.07 billion in 2015).
These figures, however, are likely to be only a fraction of the full picture. The FBI estimates that only 15 percent of the nation's fraud victims report their crimes to law enforcement.
For my Ethical Hacking students. Let’s build one!
… The Wi-Fi Pineapple is a piece of hardware that was originally created for network penetration testing. Pen testing is an authorized attack of a system in order to find vulnerabilities. The practice is part of a larger branch of testing known as Ethical Hacking.
Also for my Ethical Hacking students. Can we tap into any Echo, anywhere? (And if so, who should we give one to?)
The Amazon Echo now doubles as a home intercom system
Amazon will officially release the Show in a few days, but in the meantime, the company is introducing a long-awaited intercom feature for existing Echo devices. The addition uses Drop-In, a teleconferencing feature introduced on the Show that lets close friends and family members call into one another’s device with little warning.
I really didn’t like the feature when I tested the device this week — I found it to be pretty intrusive compared to standard calling
… The system works through household groups created during the setup process, rather than in-home Wi-Fi. That means the app can also be used to check in on loved ones from afar, for those who have kids or elderly relatives — or, one imagines, for more nefarious reasons.
Not surprising. By their nature, start-ups are not “mature” in areas like security and privacy.
WASHINGTON, DC, June 27, 2017 – In a report released today from graduate researchers at Carnegie Mellon’s Heinz College, new research examines how educational technology startups balance limited resources and privacy concerns. The graduate researchers found that a disconnect between education providers and edtech startups may be due to the limited consideration startups put into creating, much less communicating, their privacy practices.
Additional findings include that, with startups’ limited resources and emphasis on product development, privacy isn’t often a priority.
… While only exploratory, the study asks important questions about how startups can best protect student data and effectively communicate with the public regarding privacy.
A summary of the report’s findings can be found here.
SOURCE: CMU
I don’t know many of these people. Should I?
TIME – The 25 Most Influential People on the Internet
by Sabrina I. Pacifici on Jun 26, 2017
“For our third annual roundup of the most influential people on the Internet, TIME sized up contenders by looking at their global impact on social media and their overall ability to drive news… Here’s who made this year’s unranked list”
Hey, Google! Give me a call. I happen to know a good anti-trust lawyer.
Google hit with record EU fine over Shopping service
Google has been fined 2.42bn euros ($2.7bn; £2.1bn) by the European Commission after it ruled the company had abused its power by promoting its own shopping comparison service at the top of search results.
The amount is the regulator's largest penalty to date against a company accused of distorting the market.
The ruling also orders Google to end its anti-competitive practices within 90 days or face a further penalty.
The US firm said it may appeal.
“I’m shocked. Shocked I tell you!”
Global view of US worsens under Trump, Pew says
… Surveys of residents in 37 nations across the world released on Tuesday found that since Trump took office in January, the US's image overseas has sharply declined and views of the new US leader in general are largely negative.
… When each country was asked which leader they had confidence in to "do the right thing regarding world affairs," only Israel and Russia had more confidence in Trump than former US President Barack Obama.
It would have to be thus, if you are hiring from a global pool of talent.
In Unilever's radical hiring experiment, resumes are out, algorithms are in
When Saniya Jaffer arrived for a job interview at Unilever PLC's Englewood Cliffs, N.J., office last October, she was a finalist for a summer position in information technology. After three rounds of interviews and assessments, the Chicago-native was about to encounter the first human in the process.
Before then, 21-year-old Ms. Jaffer had filled out a job application, played a set of online games and submitted videos of herself responding to questions about how she'd tackle challenges of the job. The reason she found herself in front of a hiring manager? A series of algorithms recommended her.
… The company has made more than 450 hires across the globe this way since the fall of 2016. Its experiment provides a glimpse of a tech-fueled future of recruiting in which humans write job descriptions and make the final decisions, but software and algorithms do the rest. Goldman Sachs Group Inc. and Wal-Mart Stores Inc.'s Jet.com have begun using similar digital tools to hook young workers and broaden their candidate base.
Worth a try?
Management, as seen from below.