Category Archives: Data Loss

Experts warn tube strikes increase risk of data loss

Monday’s tube strike left many people struggling to get to work in the capital and many more chose to stay at home and work online, to reduce hassle and improve productivity. However, some experts are claiming that this has opened the floodgates for potential data loss, as employees use portable storage to transfer the sensitive information required to work at home from their offices.

AEP Network’s Mark Darvill said that, with portable storage devices being used by many London commuters, the strike theoretically led to a spike in the number of bags, coats and pockets that would contain such gadgets, increasing the probability of data loss occurring as a result.

Mr Darvill explained that organisations involved in finance and government had been reluctant to allow staff to transfer confidential data to their homes, because of several high profile data loss incidents and the likelihood of a scandal occurring as a result of theft or careless handling of the devices.

Experts like Mr Darvill believe that if businesses really want to retain productivity levels when hindrances such as the strike make it impossible for employees to get to work, then a greater emphasis on security is required wherever private data is being taken off-site.

It should be possible to allow workers to use their own technology to work from home, provided that it is approved by the IT department and authenticated each time that access is granted, to ensure that data is used for legitimate purposes, according to Mr Darvill.

While data leaking from an employee’s personal device is a risk, it is also recognised that malicious software can permeate a corporate system, if various unchecked devices are connecting remotely. So the security must work in both directions and at all points to be effective.

This double-edged security approach is seen as the best way to enable safe home working conditions. Implicit in this suggestion is the idea that portable storage, which will be taken on public transport and runs the risk of being lost, is really a last resort that should be discouraged.

EU revises regulations on data protection and IT security

Cyber attack deflection and data loss prevention are key to many businesses and organisations, so the news that the EU has begun to formulate a new directive on the subject will be welcome to many.

While the directive will be intended to expand the official recognition given to cyber attacks of a previously unseen scale, it will also give member states the powers to better tackle and punish those cybercriminals associated with perpetrating such attacks.

The EU wants to make sure that there is transcontinental protection available to keep data and information safe and stored securely, as the growing threat of widespread, damaging attacks presses on the minds of many in the public and private sectors.

The European Commission’s Cecilia Malmstrom said that this was a concerted effort to redouble the force of the movement to counteract and neutralise cybercriminals and malicious attacks on systems.

Malmstrom explained that the ultimate goal was to make the development and distribution of malware for financial gain an act recognised in international criminal law and punishable as appropriate.

It is thought that by updating regulations relating to cybercrime, the working partnership between law enforcement organisations and the judiciary of each nation will be improved and streamlined.

The sharing of information between various bodies will be less hampered by red tape if the directive is ratified and this will allow time-sensitive cases to be tackled with greater ease.

It is also proposed that the detection, cataloguing and mapping of cyber attacks will become a key concern, allowing central analysis to gather data on potentially harmful software and groups.

The European Network and Information Security Agency (ENISA) is also being targeted by a new drive to give greater powers to this international body. Within the next seven years ENISA is set to expand and become better equipped to tackle and intercept the increasing risks posed by criminal organisations.

ENISA will not only be facing off against lawbreakers, but it will also help businesses and organisations to prepare, by running simulations that will highlight the strengths and weaknesses of any security setup.

NHS admits further data loss via unencrypted USB storage device

A new data loss scandal originating from within one of the organisations governed by the NHS has come to light, once more involving the misplacement and subsequent discovery of a portable USB memory stick which was entirely exposed due to a lack of encryption.

Members of the Forth Valley NHS board are being investigated by the Information Commissioner’s Office (ICO), after the media was made aware of the loss. It emerged that an employee had transferred data from NHS systems over to the device, which was a personal item, before parting ways with it due to loss or theft.

The board’s chief executive Fiona Mackenzie has committed to a formal undertaking authored by the ICO, that will ensure the future eradication of any unofficial data storage devices from use within the organisation, with staff only being allowed to transfer data on sanctioned, centrally controlled devices.

The board will not be taking a passive stance, but will rather increase security and block any personal memory devices from gaining access to systems.

The ICO’s Scottish representative, Ken Macdonald, reiterated previous statements made by colleagues by saying that, hopefully, this incident will make it clear to other organisations within the NHS that inadequate appreciation of data loss prevention policy amongst staff members would lead to the leaking of confidential patient information unless measures are taken.

Mr Macdonald said that he hoped the increasing emphasis on staff responsibility for the use of portable storage would not subsequently allow the heads of such organisations to deny their own part in protecting data when future incidents inevitably arise.

Security expert Ander Pettersson said that the portability and convenience of USB storage devices was difficult to ignore and many businesses rely on mobile technology to increase productivity and flexibility. He recognises the potential for loss or theft posed by these devices and suggests that the NHS will need to invest in a secure USB system that will retain the integrity of private data.

Mr Pettersson said that while organisations like the NHS have a responsibility for protecting the data of customers, the ICO would also have to use its own powers to police such organisations and impose penalties to prevent future debacles.

ICO planning data loss penalties for multiple firms

The Information Commissioner’s Office (ICO) has said that it is gearing up to hand out historic fines against various businesses and organisations which it has found to be in breach of the rules of the Data Protection Act after the loss or theft of private information.

The ICO’s David Smith said that by imposing these fines, it would send out a message to all firms, showing that the consequences of improper security and data handling policies would be severe.

Mr Smith told V3.co.uk that many observers had questioned whether or not the ICO would actually use new powers and hand out significant fines to offending firms. He explained that impending action would prove that it does not stand for businesses who do not meet the data protection standards expected of them.

Mr Smith would not divulge any information relating to the businesses being targeted by the ICO, but promised that further details would be published online with relative speed.

The ICO’s detractors have not only complained that it has failed to use its powers to fine with any kind of frequency, but have also pointed out that the half a million pound maximum, which was introduced earlier in the year, cannot be seen as a significant sum by the largest businesses who have the potential to suffer from the biggest data loss incidents.

The ICO wants to see businesses and organisations take responsibility for the data which they are charged with protecting and Mr Smith said that firms would also need to adhere to data retention limits and erase personal details after the expiry of the agreed upon term, rather than clinging to old information for as long as possible.

The most divisive aspect of Mr Smith’s statement was an allusion to home phone and broadband provider TalkTalk, which recently got into hot water, because it was monitoring the web activities of users, in order to test a new anti-malware service. Mr Smith said that firms could not get away with acting in a clandestine manner just because they were conducting a trial.

The ICO aims to make data protection more transparent, so that ordinary people can be assured that their information will be kept safe, without having to scour the terms and conditions of a given service.

Data loss affects Sky Broadband users

Data relating to customers of the Sky Broadband service has been exposed, after a leak was caused when a distributed denial-of-service attack (DDoS) was levelled against a legal practice involved with the firm.

ACS:Law unwittingly compromised the integrity of email addresses used by over 1000 people. Criminals quickly posted the files to P2P file sharing site The Pirate Bay and many of its users have already downloaded the documents.

Among the other data stolen in this incident is a document which details the personal information of Sky Broadband subscribers, including the downloads of adult movies which they have accessed in the past or distributed online, which could be extremely damaging and potentially leveraged for blackmail or fraud.

The documents were completely unencrypted, leaving them open to access by anyone who downloads them.

In an attempt to remedy the situation, the legal firm has mailed the people implicated in the online piracy ring and said that they must compensate those affected by paying £500 each. The threat of court action is hanging over those who refuse to pay.

ACS:Law was targeted with a DDoS attack by users of 4chan because of the actions which it has been taking to prevent online piracy, according to BBC News.

A Sky representative said that the data loss incident within ACS:Law was being treated with the utmost concern and attention and that an investigation was ongoing. They explained that they had been legally obliged to provide the law firm with details of users who had used illegal file sharing sites, but said that any time they did so they would ensure that the data was properly encrypted.

ACS:Law now faces scrutiny from the Information Commissioner’s Office (ICO) and a spokesperson said that the security and acceptability of its systems would be questioned, as it is clear that third parties could gain access to sensitive information with relative ease.

The ICO’s Christopher Graham said that everything from the firm’s data encryption policies to its firewall and employee training techniques would have to be examined in order to see whether or not it has breached the terms of the Data Protection Act. He pointed out that under relatively recent changes to ICO powers, a maximum fine of £500,000 could be imposed.

A third of businesses impacted by data loss, study finds

A new study looking into the frequency of data loss incidents in the private sector has found that around 33 per cent of firms with more than 1000 staff have experienced data loss within the last year.

Security vendor Proofpoint commissioned the study to analyse how data loss is a common concern for many businesses. Spokesperson Keith Crosley explained that it would be impossible to highlight data loss as a rarity.

The study identified several key categories of data loss which can affect businesses, including valuable or scandalous information being compromised, private client data being stolen or lost and details leaking as a result of employee action.

Analyst Michael Osterman said that although the figures gathered as part of this survey seem bad, he believes the reality is actually more severe. He explained that many firms do not wish to alert potential clients in the event of a data loss, so as to maintain their reputations and avoid the action of industry regulators.

Mr Osterman said that the level of data loss in medium and large sized businesses was in keeping with trends established over past annual periods, despite the best efforts of many businesses to strengthen their resistance to data loss, using enhanced handling policy and frontline protection.

There are frequent high profile data loss cases which are reported widely in the mainstream media, but Mr Osterman and his colleagues believe that people are being shown only a small part of a much bigger picture.

Over 260 professionals responded to the survey, with organisation sizes ranging between 1000 and 20,000. Between the three major categories of data loss as laid out in the survey, the distribution of incidents was virtually equal, although it was the loss of information that could potentially cause embarrassment for the business that took the largest proportion at 36 per cent.

Mr Crosley spoke of the problems with social networking sites and their relation to the increase in data loss. He said that firms are becoming aware of the use of these tools by employees and, as such, were able to register more data loss incidents, which in turn keeps the figures consistently high, even as the fight against data loss intensifies.
