All posts by Damien Garvey

Cyber Thieves Target Tesco

Cyber thieves have targeted supermarket chain Tesco, resulting in more than 2,000 online accounts being suspended.

Tesco had to suspend the accounts after thousands of usernames and passwords appeared on a text-sharing portal. It is believed that the details were not stolen from Tesco but from other websites, with the cyber thieves relying on users reusing the same username and password credentials for several different online accounts.

It is also reported that the cyber thieves targeted the accounts to steal Tesco Clubcard points. However, it is thought that fewer than ten people have actually had points stolen by the cyber thieves.

Tesco have confirmed the attack and have stressed that they do take data security very seriously. Tesco also confirmed that they are in the process of informing the affected customers whilst also investigating the attack.

In a statement released by Tesco, the spokesperson stated, “We take the security of our customers’ data extremely seriously and are urgently investigating these claims. We are contacting all customers who may have been affected and are committed to ensuring that none of them miss out as a result of this.”

The spokesperson added, “We will issue replacement vouchers to the very small number who are affected.”

This latest attack shows how important it is, when setting up online accounts, to use different username and password credentials for each account to help ensure that your data remains safe. If each user affected had done this, then the attack against Tesco would have been unsuccessful and all of their accounts would have remained active.

The strength of the password used when setting up any online account is very important. A strong password should be used as this will help reduce the chances of a hacker or cyber thief accessing your online account. The chances are reduced even further if a strong but different password is used for each online account.

Do you use different username and password credentials for different online accounts?

NI Department of Justice Fined by ICO after Data Breach

Northern Ireland’s Department of Justice has suffered from an embarrassing data breach which has resulted in them being hit with a £185,000 fine by the Information Commissioner’s Office (ICO). The fine was reduced to £148,000 for early payment.

The data breach occurred when one of the department’s agencies, the Northern Ireland Compensation Agency, sent 59 locked filing cabinets without keys to auction without checking what was in them beforehand.

Once the person who bought the filing cabinet at the auction had managed to break into it, he then contacted police upon realising the contents within. The filing cabinet was full of confidential paperwork from the 1970s to 2005. This paperwork contained confidential data such as personal details belonging to victims of a terrorist attack, the injuries that they suffered and the amount of compensation that they had been offered.

The Police Service of Northern Ireland took the documents and handed them back to the department, which in turn reported the incident to the ICO.

After the ICO’s investigation, the Department of Justice have stated that they are confident that none of the data has been compromised as the cabinet had remained locked until the person who purchased it had forced it open. The department is also confident that none of the other filing cabinets contained any files and were keen to stress that they openly cooperated with the ICO as soon as they knew about the data breach.

Justice Minister David Ford stated, “I, and my Department, take the security of personal data very seriously and accept that this was a breach of the Data Protection Act and should not have happened. We informed the Information Commissioner as soon as we became aware of the breach. The Justice Committee was also subsequently made aware.”

Ford added, “The Department has co-operated fully with the Information Commissioner and paid the penalty imposed. This was an unfortunate breach of data security caused by simple human error and not a systemic problem within the Department. We are satisfied that none of the information was compromised and none of the other cabinets sold contained any files.”

Ford concluded, “Detailed procedures have now been implemented to ensure that, in future, any personal data contained in furniture that is being disposed of will be dealt with securely.”

Ken Macdonald, who is the assistant commissioner for Northern Ireland, believes that the fine imposed is suitable due to the potential harm that this data breach could have caused if the data had fallen into the wrong hands.

Macdonald stated, “This is clearly a very serious case. While failing to check the contents of a filing cabinet before selling it may seem careless, the nature of the information typically held by this organisation made the error all the more concerning. The distress that could have been caused to victims and their families had this fallen into the wrong hands is self-evident.”

This latest security breach just shows that it is now imperative that companies have a strict data security plan in place which is followed and fully understood by all employees. This is another incident where if the department had been proactive rather than reactive with ensuring that appropriate procedures were in place, they would have saved themselves a significant amount of money and damage to their reputation.

Use of Encryption on the Increase

The results of a study which investigated the trends in the use of encryption to help protect data have been released and show that the use of encryption is on the increase.

The 2013 Global Encryption Trends Study which was conducted by Ponemon Institute and sponsored by Thales involved more than 4,800 business and IT managers in the UK, US, Germany, France, Australia, Japan, Brazil and Russia.

The results of the study revealed that there has been an increase in the number of companies using encryption solutions over the last 9 years. 35% of organisations involved in the study revealed that they have an encryption strategy across the whole enterprise. This is an increase of 6% from last year where the reported figure was 29%. The number of companies involved in the study who didn’t have any kind of encryption strategy in place has also dropped to 14% from 22% last year.

The main reason given for implementing an encryption strategy was to help reduce the impact of a data breach. These concerns stem from the ever increasing threat of cyber thieves and cyber hackers, which resulted in a record number of data breaches in 2013. This shows a shift in the thinking of business and IT managers, as their main reason for implementing an encryption strategy had been to help protect the company’s reputation.

Among the companies who believed that they had an obligation to report any data breaches, nearly half believed that they wouldn’t need to disclose that they had actually suffered a data breach if the data was encrypted.

One of the major issues that the business and IT managers find with utilising encryption strategies is key management. More than half of the respondents rated the difficulties of key management at more than seven out of ten whilst 30% of respondents ranked it as nine or ten out of ten.

The chairman and founder of The Ponemon Institute, Dr Larry Ponemon, stated, “Encryption usage continues to be a clear indicator of a strong security posture but there appears to be emerging evidence that concerns over key management are becoming a barrier to its more widespread adoption.”

Ponemon added, “For the first time in this study we drilled down into the issue of key management and found it emerging as a huge operational challenge. But questions are and should be asked about the broader topics of policy issues and choice of encryption algorithms – especially in the light of recent concerns over back doors, poorly implemented crypto systems and weak key management systems.”

Ensuring that data is encrypted can go a long way towards ensuring the security of the data if it falls into the wrong hands. However, there is no guarantee that the data is safe just because it is encrypted, as there have been instances where the encryption keys have been successfully hacked, resulting in the data being decrypted. Encryption should be the last line of defense in data protection, as the best way to ensure that data remains safe is to ensure that a strong security plan is in place and that security software is kept up to date. This will help to prevent the data from falling into the wrong hands to start with.

Education in data security can also go a long way in helping to reduce the risk of data falling into the wrong hands and should by no means be overlooked.

In order to support a security plan, a robust backup solution should be in place to ensure that data can be recovered if it is lost, deleted or modified by staff, cyber hackers or thieves.

Barclays Start Investigation after Data Breach

Barclays Bank has become the latest organisation to have to deal with a data breach which has resulted in confidential data belonging to thousands of customers being stolen and put up for sale.

It is understood that the bank has started an urgent investigation after it was revealed that the details of up to 2,000 customers were given to the Mail on Sunday by a broker who also claimed that details for another 27,000 people were up for sale.

It is reported that the data has been stolen from Barclays Financial Planning Services, which was closed down in 2011. It is believed that the compromised data includes passport and national insurance numbers, which are very valuable on the black market as the information can be used for investment scams. Data such as customers’ earnings, savings, mortgages and insurance policies was also compromised in the breach.

The broker who passed on the information explained why the stolen data is so valuable for traders.

The broker claimed, “The data is a gold mine for traders because it is so incredibly detailed. It gets them inside the customer’s head.”

The broker added, “They would start by saying that they had a great investment opportunity that would suit someone on a particular income or with a particular amount of money to invest. Of course, they already knew this about the person they were talking to.”

The bank has started analysing the details of the compromised data so they can determine who has been affected and how the data was stolen.

In a statement, Barclays claimed, “We will take all necessary steps to contact and advise those customers as soon as possible so that they can also ensure the safety of their personal data. Protecting our customers’ data is a top priority and we take this issue extremely seriously. This appears to be criminal action and we will co-operate with the authorities on pursuing the perpetrator.”

Barclays added, “We would like to reassure all of our customers that we have taken every practical measure to ensure that personal and financial details remain as safe and secure as possible.”

The Financial Conduct Authority (FCA), which is investigating the data breach, has confirmed that it is currently trying to work out how the data was compromised and that it is now vital to have appropriate security plans in place.

A spokesperson for the FCA stated, “Barclays have contacted us and we will be working with them to understand exactly what has happened and what steps consumers may need to take. Consumers rightly presume their data is safe with their bank, and this should serve to remind all firms how important it is they have the correct procedures in place to ensure data is secure and used appropriately.”

It is now vital that all companies ensure that they have the best security plan in place and that it is regularly tested to help protect themselves against the threat of cyber hackers and cyber thieves. This should be supported with a robust backup solution to ensure that data can always be recovered no matter what action a hacker or cyber thief takes, such as modifying or deleting the data.

Identity Theft on the Increase

The number of identity theft victims in the USA increased to 13.1 million in 2013 from 12.6 million in 2012. This is an increase of 500,000 cases and shows that thieves are becoming more sophisticated with their methods to illegally obtain confidential data.

The statistics have been gathered and presented by Javelin Strategy & Research, who conduct an annual survey. The results for 2013 are the second highest since the start of the survey in 2004, with the greatest number of identity theft victims being 13.9 million in 2009. However, something to keep in mind is that this survey was completed in October 2013, before the retail company Target was successfully attacked by cyber thieves.

The study by Javelin Strategy & Research concluded that data breaches were one of the main sources of fraud in 2013. In total, one in three people who received notification of a data breach had their identity used for fraudulent activities.

Alphonse Pascual, who is a senior analyst of security, risk and fraud at Javelin, believes that there has been a shift in the method of attack, with large organisations being targeted more frequently.

Pascual stated, “Rather than a large number of smaller breaches as was more common in the past … we are now seeing larger retailers being targeted on a much more consistent basis.”

Pascual was also very critical of the larger organisations who are keeping confidential data belonging to thousands of people and their security measures which seem to be getting successfully bypassed on a more regular basis.

Pascual claimed, “This data clearly exposes just how ineffective current security practices have become. The businesses we trust with our personal information have become easy targets.”

Although the number of victims of identity theft increased in 2013, the amount of money that was stolen actually decreased. A total of $18 billion was stolen in 2013, which is a reduction of $3 billion from 2012, when the total was $21 billion. This reduction has been largely credited to financial institutions as they are now detecting fraudulent activities at a much quicker rate and are therefore closing down accounts much sooner.

Adam Levin, who is the chairman of Identity Theft 911, believes that despite the reduction in money being stolen, the number of identity theft victims is very worrying due to the consequences that it can have on the victim.

Levin stated, “It’s not just about dollars and cents; it’s about the victims. ID theft disrupts your life. It creates real havoc and sometimes the consequences are horrendous. We need to keep these criminals from breaking and entering databases in the first place.”

By following a few simple steps, you can significantly reduce the possibility of becoming another victim of identity theft and identity fraud.

Ensuring that security software is installed on all computers and mobile phones, and keeping it up to date by downloading and applying the latest security updates, helps significantly. These devices should be protected by strong passwords which should be changed on a regular basis. Monitoring bank account and credit card statements regularly and ensuring that all personal documents that are no longer needed are shredded and disposed of appropriately will also go a long way to ensuring that you don’t become a victim of identity theft and identity fraud.

High School Students Hack Teachers’ Computers

Eleven high school students have been expelled from their school after they hacked their teachers’ computers to change their grades.

The students from Corona Del Mar High School, southern California, managed to install a hardware keylogger to obtain their teachers’ login credentials. The students were then able to log in remotely and used the credentials to access information about upcoming tests and to alter their grades.

It is believed that private tutor, Timothy Lance Lai, made the keylogging device accessible for the students and taught them how to use it. Lai is currently wanted by local police for questioning.

One of the students who was involved in the incident has submitted a statement to the police stating he and Mr Lai had gone to the school late at night and placed a keylogger device on the computer of the chemistry teacher.

According to court documents, the police were made aware of the hack in June 2013 when science teacher, Kim Rapp, informed the school administrators that someone had accessed her computer and changed some grades.

Following the revelations of the hack, school officials have started the process of looking into the scope of the incident and are having to analyse 52,000 changes that were made to student grades within the last year.

Six of the students who were involved have already left the school and the other five students have already transferred to another local school.

In a statement released by the high school, it stated that, “an intensive audit of all teachers’ grade books so that we can ensure the integrity and accuracy of all posted grades. Despite needing some time to wrestle with the disappointment of this unfortunate incident, we are confident that the school community will rise above this event.”

Security expert John Hawes believes that as children continue to become more tech savvy, greater security challenges are being posed for organisations and schools.

Hawes stated, “The ever-increasing use of technology in education keeps raising new problems, from security and privacy viewpoints. Kids are endlessly inquisitive so it will always be a challenge to keep them out of things they want to pry into, but it shouldn’t be beyond our capabilities.”

It is now imperative that a strong security plan is in place and is regularly tested to help reduce the likelihood of your organisation suffering a data breach which could have unprecedented consequences. This should be supported by a robust backup solution so data can be recovered to the desired version if it is modified or deleted.
