The tech revolution that has done so much to shape business life in the 21st century has spawned developments ranging from electronic commerce to contactless payments.
“The digital economy is very important to the UK,” reports the Information Commissioner’s Office (ICO) in its most recent annual report. “Personal data and how it is handled is central to trade and growth and studies show the digital economy is growing 30% faster than the rest of the economy. Data knows no borders.”
Reporting on its most recent year to the end of March 2017, the ICO reports: “This year saw a significant increase in the number of data protection concerns brought to us with over 18,300 cases received; about 2,000 more than last year. Of these we have resolved more cases than ever before, closing over 17,300. 90% of cases were resolved within three months of receipt.”
The growth of the digital economy has involved huge volumes of confidential information on customers being kept online. It has, unfortunately, also been accompanied by increasingly sophisticated hacks and data theft.
Data theft – the act of stealing information stored on computers, servers, or other devices with the aim of compromising privacy, securing confidential information and/or extracting a ransom from the victim – is a growing problem for individual computer users, as well as the business world.
The risk of data theft isn’t just an external one. It occurs both outside and inside companies and reducing the risk of insider data theft at the corporate level is challenging. System administrators and employees have access to technology such as database servers, desktop computers, and external devices including USBs, smartphones, and other removable and mobile devices.
It’s an alarming part of life today that even the most successful corporates regularly make the news for not doing enough to protect data.
Internal breaches of data privacy often result from carelessness or lack of knowledge, rather than malicious behaviour. According to Michael Bruemmer, vice president of Experian’s data breach resolution group, more than 80% of the breaches that his team investigate “had a root cause in employee negligence.
“It could be from someone giving out their password, someone being spear-phished, it could be a lost USB, it could be somebody mishandling files, it could be leaving the door to the network operations centre open so someone can walk in,” he reports.
Rather than react after sensitive data is lost, Experian recommends that organisations take proactive steps to mitigate the risk of insider data theft. Measures should include establishing an acceptable use policy, training employees to use that policy, removing temptation, providing a means for employees to conveniently report suspicious activities, and remaining especially vigilant when employees leave the company.
A three-pronged defence strategy
There are further basic measures that organisations can take to protect private or sensitive data.
One step is to encrypt it, although there are drawbacks to this approach. Encrypted information may make workflows cumbersome and may not always prevent an attack from an insider who has been trusted with passwords. It can also create a false sense of security.
Another option is to devalue the data held by actively deciding not to hold sensitive information, rather in the same way that a shop displays a window sign declaring “no cash kept on premises”. For example, the company might review the need to hold credit card details, which could instead be outsourced to a company such as PayPal. Devaluing data makes the organisation less of a target and lets it focus on what it really needs to protect.
A further strategy is for the organisation to seek outside assistance, where regulation permits it, such as storing data in the cloud or hiring a security service provider. These services often offer security infrastructure unavailable to small organisations, as well as specialists to counter a lack of security expertise inside an organisation. However, outsourcing involves a lack of control, which potentially increases other risks.
Hackers’ favourite methods
The methods employed by hackers to infiltrate confidential business and customer data are steadily increasing and growing in sophistication. The following are five of the methods more commonly employed by data thieves:
- Email phishing:
Email phishing scams are among the oldest and most successful web hacking techniques. Perpetrators issue mass emails purporting to be an authentic communication from a bank, subscription service or online payment site. Recipients are instructed to verify their account information by clicking on a special link. Those who respond and supply their login information enable the hackers to divert money away from their account.
In another common phishing scam, the hacker contacts a target and advises them they have been the victim of a scam. Under the guise of offering help, the perpetrator asks the target to supply the very same confidential information – such as national insurance numbers and banking details – they allege has been stolen.
- Buffer overflow:
Buffer overflow techniques are employed by more sophisticated hackers to gain access to customer data via online forms. The hacker navigates to an online form and proceeds to provide excessive data in a form field. Basic security techniques are unable to respond when a large volume of data is input into an unexpected entry point.
The web form might, for example, request a postcode. The form is programmed to expect between five and seven characters, but a knowledgeable hacker can break through the system with complex lines of code designed to steal data, cause damage, or provide the hacker with an alternate point of entry.
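As an added illustration of the postcode example above (constructed code, not from the article or from any product it mentions): a form handler that copies the submitted value into a fixed-size buffer without checking its length, beside a version that validates length and character set on the server before any copy.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not code from the article: a web-form handler that
 * stores a postcode the form expects to be 5 to 7 characters long
 * (spaces removed). */
#define POSTCODE_MIN 5
#define POSTCODE_MAX 7

/* Vulnerable form: trusts that the client honoured the field's size limit.
 * strcpy() copies until it finds the NUL in 'input', so a submission longer
 * than POSTCODE_MAX writes past the end of 'dest' (undefined behaviour).
 * Kept only for contrast; never call it with untrusted input. */
void store_postcode_unsafe(char dest[POSTCODE_MAX + 1], const char *input)
{
    strcpy(dest, input); /* BUG: no length check before the copy */
}

/* Hardened form: check length and character set on the server before any
 * copy, then copy with an explicit bound. Returns 1 if stored, 0 if rejected. */
int store_postcode(char dest[POSTCODE_MAX + 1], const char *input)
{
    char buf[POSTCODE_MAX + 1];
    size_t n = 0;
    for (const char *p = input; *p != '\0'; p++) {
        if (*p == ' ')
            continue;                 /* internal spaces are not stored */
        if (!isalnum((unsigned char)*p))
            return 0;                 /* only letters and digits allowed */
        if (n == POSTCODE_MAX)
            return 0;                 /* too long: reject, do not truncate */
        buf[n++] = (char)toupper((unsigned char)*p);
    }
    if (n < POSTCODE_MIN)
        return 0;                     /* too short */
    buf[n] = '\0';
    memcpy(dest, buf, n + 1);         /* bounded copy of a validated value */
    return 1;
}

int main(void)
{
    char pc[POSTCODE_MAX + 1];
    const char *samples[] = { "SW1A 1AA", "m1 1ae", "SW1", "SW1A 1AA; DROP",
                              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s -> %s\n", samples[i], store_postcode(pc, samples[i]) ? pc : "rejected");
    return 0;
}
```

The hardened version rejects over-long input outright rather than silently truncating it, so a 40-character submission never reaches the buffer at all.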
- Password hacking:
Systems can be vulnerable when users choose an overly simple password and/or don’t change the password initially allocated when they acquire a new computer or software. Many websites provide default user names and passwords for various models of router, so the dedicated hacker can simply employ trial and error to discover which router the company uses and then type in the default password.
Changing default passwords when new equipment and software is acquired is often not enough and passwords should be changed every 30 to 60 days to thwart hackers.
- Downloading free software:
Downloading free software, a shareware version of Microsoft Office, or accounting software into the system potentially exposes it to malware, viruses or ‘buggy’ software. Despite the risks, businesses are still often tempted to opt for free or cheap software, without knowing whether it is safe, rather than spend more on a tested commercial version.
- Fault injection:
Also known as ‘fuzzing’, fault injection is among the more sophisticated web hacking techniques. It involves criminals researching ways to infiltrate the company’s source code and then inputting different code to see if they can crash the system. An example would be a hacker using a database query that could erase content, or typing in a web URL to deliver a worm into the network.
The advent of artificial intelligence (AI) potentially means that the above examples could soon become outdated. Businesses could start employing machine learning to detect insecurities and vulnerabilities within their systems and fix them. At the same time, more sophisticated hackers could turn these same advances to their own advantage.
While some well-established methods of hacking remain popular, perpetrators are demonstrating an ever-increasing level of sophistication in their attacks. One recent example involved Dutch security firm Fox-IT, which last month revealed it had been the target of a so-called ‘man-in-the-middle attack’.
The attack lasted for more than 10 hours, during which time hackers took control of the firm’s servers and were able to intercept clients’ login credentials and confidential data. They first gained unauthorised access to Fox-IT’s account at a third-party domain registrar, and then changed the domain name system (DNS) record that pointed to the IP address of the company’s client portal.
The attackers were thus able to take over control of fox-it.com and the traffic sent to it. They managed to bypass the protections provided by HTTPS-based encryption by using their control of the Fox-IT domain to obtain a new transport layer security certificate. This happened during the first 10 minutes of the attack, when all of the company’s emails were re-routed to the attackers. This allowed them to decrypt all incoming traffic and to cryptographically impersonate the hijacked domain.
This month has already seen high street chain Carphone Warehouse fined £400,000 by the Information Commissioner’s Office (ICO) for security failures that exposed customer and employee data to risk.
One of the company’s computer systems was compromised following a cyber-attack in 2015, giving the perpetrator access to the personal data of more than 3m customers and 1,000 employees. It included: names, addresses, phone numbers, birth dates, marital status and the historical payment card details of 18,000 customers. Even phone numbers, postcodes and car registrations of Carphone Warehouse employees were accessed.
Morrisons: a landmark judgment?
Carphone Warehouse’s offence – and resulting financial slap on the wrist – could be eclipsed by the potential cost to supermarket chain Morrisons of a major data leak. Last month’s landmark court judgment against the company could have implications for many other businesses.
The perpetrator, a Morrisons employee, was a former senior auditor at its Bradford office, and in 2014 posted online the payroll data of nearly 100,000 staff including their names, addresses, bank account details and salaries.
An action brought by 5,518 current and former staff held Morrisons responsible for breaches of privacy, confidence and data protection laws, and sought compensation for upset and distress caused. Their lawyers successfully argued that, as the company was awarded £170,000 in damages against its ex-employee, his other “victims” should also be compensated.
The Uber saga
At ride-sharing group Uber, the revelation of a massive data security breach and subsequent cover-up was enough, after earlier controversies, to finally claim the scalp of its former chief executive, Travis Kalanick.
In November, it was reported that in 2016 hackers gained access to the names, email addresses and mobile numbers of 57m Uber customers and drivers. The licence details of 60,000 of Uber’s drivers in the US were also exposed.
Kalanick reportedly knew about the breach, as well as a $100,000 payment made by Uber to the hackers in return for their agreement to delete the data. The firm’s chief security officer, Joe Sullivan, was fired for covering up the incident.
Uber’s actions breached California state law. This requires companies to notify state residents of any breach of unencrypted personal information and to inform the attorney general of any breach affecting more than 500 residents.
The firm alerted the ICO that over half of its UK users, totalling 2.7m, had been affected and the National Cyber Security Centre recommended vigilance against any resulting email phishing attempts or scam emails.
Most vulnerable sectors
The ICO’s most recent report, covering the four years from January 2013 to December 2016, found that the UK healthcare sector was particularly vulnerable to data breaches. Over the period the industry suffered 2,447 occurrences, or 43% of all reported incidents. Next came local government, but with 642 reported incidents and an 11% share it was a very distant second.
The number of data breach incidents in the healthcare sector also rose year-on-year, from 184 in the fourth quarter of 2014 to 221 in Q4 2016. In many cases, human error rather than external threat was the cause of the breach. A breakdown of the 221 incidents in Q4 2016 showed the top five causes as follows:
- Theft or loss of paperwork: 24%
- Miscellaneous incidents: 22%
- Data faxed/posted to incorrect recipient: 19%
- Data sent by email to incorrect recipient: 9%
- Failure to redact data: 5%
While healthcare recorded the highest volume of data breach incidents, the total number of security incidents reported across all sectors increased by 32% between 2014 and 2016. The courts and justice sector experienced the most significant increase over the period, a 290% rise since 2014, which lifted it into the top five worst affected industries by Q4 2016. Over the same period, data breaches reported by central government rose by 33% and those in the financial services sector by 44%.
Breaches at financial firms
One particularly alarming trend within the general rise in data protection breaches has been the increased number of incidents involving firms in the financial services sector.
In the year to April 2015, the ICO conducted 585 investigations into reported breaches of the Data Protection Act within the industry, a 183% increase over the previous year.
UK high street banks were the subject of most ICO investigations of potential data breaches over the period. Lloyds Banking Group, Royal Bank of Scotland, Barclays and Santander UK each had more than 50 reports about them investigated.
However the British Bankers’ Association put a positive spin on the figures, commenting: “The increase in reports indicates that banks’ compliance checks are working effectively and breaches are being identified and reported.”
This month saw the ICO issue fines totalling more than £150,000 against an insurance firm and two senior figures connected with it for a breach of data privacy.
The penalty, reported to be the highest imposed under the Data Protection Act, was unusual in resulting not from hacking activity but from the unlawful acquisition of personal information.
The loss-adjusting firm Woodgate and Clark had employed private detectives to illegally obtain the private banking records of a businessman it was investigating. The case, investigated by the ICO, is an example of so-called “blue-chip hacking”, in which companies such as legal, insurance and financial firms have illicitly acquired the confidential personal details of individuals.
Information commissioner Elizabeth Denham commented: “The illegal trade in personal information is not only a criminal offence but a serious erosion of the privacy rights of UK citizens. As well as these record fines, the organisations and individuals involved also face serious reputational damage as a result of being prosecuted by the ICO.”
The ICO has also fined charities whose fundraising activities contravened data protection law, albeit for relatively small amounts (in total £181,000). The British Heart Foundation and the RSPCA were fined in December 2016 and last April further penalties were meted out to 11 more charities.
The ICO said that several charities contravened the Data Protection Act as they had “screened millions of donors so they could target them for additional funds”. Others had “traced and targeted new or lapsed donors by piecing together personal information obtained from other sources – and some traded personal details with other charities creating a large pool of donor data for sale.”
Biggest data protection breaches
As befits the world’s largest economy, the biggest reported data breaches have involved US organisations, with at least 12 incidents over the past 15 years involving the personal information of 50,000-plus customers being compromised: