The latest round up of legal and regulatory developments and other news on cyber security from the Datonomy blogging team at Olswang LLP.
- The Information Commissioner’s Office has fined an online holiday insurance company £175,000 after hackers were able to exploit a known vulnerability in the JBoss Application Server to obtain over 5,000 of their customers’ credit card details. The ICO investigation found that the company had no policy or procedure in place for reviewing and applying software updates, and had breached the Payment Card Industry Data Security Standard. This is the latest in a long line of ICO fines for IT security failures. The breach was considered “very serious”, hence the level of the fine. Wider points of interest include the following: aggravating factors included the fact that the data was used for fraudulent transactions and the fact that the company should have been aware of the vulnerability; mitigating factors included the fact that the company’s systems were subject to a criminal attack; the company voluntarily reported the breach to, and cooperated with, the ICO and notified customers and provided them with a free Experian Data Patrol subscription to mitigate further risk. Although the fine was primarily related to a breach of the Seventh Principle (security), the Fifth Principle (data retention) was also in play, in that the site had unnecessarily stored customers’ CVV numbers. Read the full penalty notice here.
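The data-retention point above (unnecessarily stored CVV numbers) is the one technical control in the notice a developer can check in code. The following Python is an added illustration, not code from the Datonomy post, the ICO notice or Staysure: it drops PCI DSS "sensitive authentication data" before a card record is persisted, masks the PAN, and audits already-stored records for the same defects. Field names and the sample record are constructed for the example.

```python
"""Added example (not part of the original post or the ICO penalty notice):
a pre-storage filter and a storage audit for payment card records, showing
the PCI DSS rule the notice turns on: card verification values must never be
stored after authorisation, and the full PAN should not be kept in clear.
Field names and the sample record are constructed for this example."""
import re

# PCI DSS "sensitive authentication data": never persist after authorisation.
FORBIDDEN_AFTER_AUTH = {"cvv", "cvc", "cvv2", "track_data", "pin", "pin_block"}


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (the PCI DSS display allowance)
    and replace everything in between with asterisks."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("PAN too short to be a card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitise_for_storage(record: dict) -> dict:
    """Return a copy of the record that is safe to persist: forbidden fields
    removed, PAN masked, all other fields carried through unchanged."""
    safe = {}
    for key, value in record.items():
        k = key.lower()
        if k in FORBIDDEN_AFTER_AUTH:
            continue  # drop CVV, track data, PINs entirely
        safe[key] = mask_pan(value) if k == "pan" else value
    return safe


def audit_stored_records(records) -> list:
    """Detection side: list (index, problem) pairs for stored records that
    still hold forbidden fields or an unmasked PAN."""
    findings = []
    for i, rec in enumerate(records):
        for key in rec:
            if key.lower() in FORBIDDEN_AFTER_AUTH:
                findings.append((i, f"stores {key}"))
        pan = rec.get("pan")
        if pan and re.fullmatch(r"\d{13,19}", re.sub(r"\D", "", pan)) and "*" not in pan:
            findings.append((i, "stores unmasked PAN"))
    return findings


if __name__ == "__main__":
    # Constructed sample: the PAN is the standard Visa test number, not a real card.
    incoming = {"name": "A Customer", "pan": "4111 1111 1111 1111",
                "expiry": "12/27", "cvv": "123"}
    print("before:", audit_stored_records([incoming]))
    stored = sanitise_for_storage(incoming)
    print("stored record:", stored)
    print("after:", audit_stored_records([stored]))
```

The audit function is the part a periodic compliance job would run over the persistence layer; a non-empty result is exactly the condition the notice describes under the Fifth Principle.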
- The Home Office has warned all small to medium-sized enterprises that they risk putting a third of their revenue at risk if they don’t get serious about cybersecurity. The statement came as the results of a government campaign, Cyber Streetwise, revealed the prevalence amongst small and medium-sized business owners of several misconceptions, such as “only companies that take payments online are at risk of cyber crime” and “small companies aren’t targets for hackers”.
- Network and Information Security Directive: Further trilogue negotiations were due to take place on the draft NISD last week. At the time of writing, it is hard to determine from public domain sources what progress has been made. The website of the Council of the European Union, which represents Member States, has announced the existence of two new documents relating to the proposal. Frustratingly, these documents are not yet available on the website; there is typically a lag of days or weeks between such documents being added to the register and actually being uploaded. The new documents appear to be an examination of the Presidency text proposals dated 19 February and a draft consolidated text dated 24 February. We’ll report further on the state of play when the content of these documents, and other reports, become available.
- Avid policy-watchers may also be interested in a recent blog post by Alexander Klimburg, Senior Research Fellow at the Hague Centre for Strategic Studies, entitled “Two years later, the EU’s cyber security strategy stumbles forward”. The article reviews the state of play on the NISD and other EU policy initiatives in the sphere of cyber security.
- The European Network and Information Security Agency (ENISA) has concluded its year-long simulated cyber crisis, Cyber Europe 2014, involving 23 European Union countries. The exercise aimed to review cyber crisis management mechanisms throughout the continent. Early indications suggest that Europe has a strong and maturing community of cyber crisis managers; however, the report is not due to be published until May 2015. Plans are already underway for Cyber Europe 2016.
- ENISA has published a “Security Framework for Governmental Clouds”. The report provides a framework for governments planning to migrate from physical servers to cloud servers, setting out the security controls and procedures to consider. The level of cloud adoption amongst governments throughout Europe is currently relatively low; however, the report seeks to address the security and privacy issues that need resolving to enable successful mass deployment.
- The Head of Unit for Trust and Security, DG Connect at the European Commission, Jakub Boratynski, recently commented at the “Trust in the Digital World” conference that cyber security is the key to creating a single digital market in Europe. Boratynski underlined the idea that without online security, economies cannot flourish.
- The head of New York’s Department of Financial Services (DFS), Ben Lawsky, has admitted fears that the U.S. financial market could face an “Armageddon-type” cyber attack, or a “cyber 9/11”, during a speech given at Columbia Law School. Consequently, the DFS is considering new rules that would obligate financial services companies to better protect themselves against hackers. Read the full speech here.
Attacks, statistics and other news
- The latest weekly update issued by the UK’s National Computer Emergency Response Team (CERT) was published on 26 February and is here.
- The data breach dominating UK headlines over the weekend was the recent attack on Talk Talk. The ISP has recently completed its own investigation, following a sudden rise in customer complaints about scam phone calls last autumn, according to this BBC coverage. According to this report, non-sensitive data about “small thousands” of Talk Talk’s 4 million customer base was exposed due, it is alleged, to weaknesses in a third party’s systems. Talk Talk is reported to be taking legal action against that third party supplier. For more details about how the hackers then exploited the data to compromise customers’ bank accounts, see this coverage in the Guardian. Talk Talk is reported to be providing support for affected customers and to have cooperated with the ICO, which are likely to be mitigating factors; it will be interesting to see whether the ICO takes formal enforcement action if the DPA is found to have been breached (see the recent fine against Staysure, above).
- Following last week’s story regarding details of British and American spies hacking into the computer networks of the world’s largest SIM card manufacturer, Gemalto, the company has now claimed that, though an intrusion “probably happened”, a number of the claims are exaggerated. Gemalto never sold SIM cards to four of the 12 operators listed, and any stolen encryption keys would only be usable to spy on 2G communications. Read more on com.
- According to the latest weekly update from CERT and this report on Wired, Europol has enlisted the help of several of the world’s largest tech companies in order to combat the malicious botnet “Ramnit”. Reports suggest that Ramnit has infected 3.2 million computers worldwide and has the ability to disable antivirus protection and collect personal and banking information. Europol has now seized the servers operating the botnet after over five years of operation.
Contributors to this week’s update: Tom Pritchard, Paralegal and Claire Walker, Head of Commercial Know How.