Data privacy: 2018’s technology and regulatory focus
The tech revolution that has done so much to shape business life in the 21st century has spawned developments ranging from electronic commerce to contactless payments.
“The digital economy is very important to the UK,” reports the Information Commissioner’s Office (ICO) in its most recent annual report. “Personal data and how it is handled is central to trade and growth and studies show the digital economy is growing 30% faster than the rest of the economy. Data knows no borders.”
Reporting on its most recent year to the end of March 2017, the ICO reports: “This year saw a significant increase in the number of data protection concerns brought to us with over 18,300 cases received; about 2,000 more than last year. Of these we have resolved more cases than ever before, closing over 17,300. 90% of cases were resolved within three months of receipt.”
The growth of the digital economy has involved huge volumes of confidential information on customers being kept online. It has, unfortunately, also been accompanied by increasingly sophisticated hacks and data theft.
Data theft – the act of stealing information stored on computers, servers, or other devices with the aim of compromising privacy, securing confidential information and/or extracting a ransom from the victim – is a growing problem for individual computer users, as well as the business world.
The risk of data theft isn’t just an external one. It occurs both outside and inside companies and reducing the risk of insider data theft at the corporate level is challenging. System administrators and employees have access to technology such as database servers, desktop computers, and external devices including USBs, smartphones, and other removable and mobile devices.
Security lapses
It’s an alarming part of life today that even the most successful corporates regularly make the news for not doing enough to protect data.
Internal breaches of data privacy often result from carelessness or lack of knowledge, rather than malicious behaviour. According to Michael Bruemmer, vice president of Experian’s data breach resolution group, more than 80% of the breaches that his team investigates “had a root cause in employee negligence.
“It could be from someone giving out their password, someone being spear-phished, it could be a lost USB, it could be somebody mishandling files, it could be leaving the door to the network operations centre open so someone can walk in,” he reports.
Rather than react after sensitive data is lost, Experian recommends that organisations take proactive steps to mitigate the risk of insider data theft. Measures should include establishing an acceptable use policy, training employees to use that policy, removing temptation, providing a means for employees to conveniently report suspicious activities, and remaining especially vigilant when employees leave the company.
A three-pronged defence strategy
There are further basic measures that organisations can take to protect private or sensitive data.
One step is to encrypt it, although there are drawbacks to this approach. Encrypted information may make workflows cumbersome and may not always prevent an attack from an insider who has been trusted with passwords. It can also create a false sense of security.
Another option is to devalue the data held by actively deciding not to hold sensitive information, rather in the same way that a shop displays a window sign declaring “no cash kept on premises”. For example the company might review the need to hold credit card details, which could instead be outsourced to a company such as PayPal. Devaluing data makes the organisation less of a target and it can focus on what it needs to protect.
A further strategy is for the organisation to seek outside assistance, where regulation permits it, such as storing data in the cloud or hiring a security service provider. These services often offer security infrastructure unavailable to small organisations, as well as specialists to counter a lack of security expertise inside an organisation. However, outsourcing involves a lack of control, which potentially increases other risks.
Hackers’ favourite methods
The methods employed by hackers to infiltrate confidential business and customer data are steadily increasing and growing in sophistication. The following are five of the methods more commonly employed by data thieves:
- Phishing:
Email phishing scams are among the oldest and most successful web hacking techniques. Perpetrators issue mass emails purporting to be an authentic communication from a bank, subscription service or online payment site. Recipients are instructed to verify their account information by clicking on a special link. Those who respond and supply their login information enable the hackers to divert money away from their account.
In another common phishing scam, the hacker contacts a target and advises them they have been the victim of a scam. Under the guise of offering help, the perpetrator asks the target to supply the very same confidential information – such as national insurance numbers and banking details – they allege has been stolen.
- Buffer overflow:
Buffer overflow techniques are employed by more sophisticated hackers to gain access to customer data via online forms. The hacker navigates to an online form and proceeds to provide excessive data in a form field. Basic security techniques are unable to respond when a large volume of data is input into an unexpected entry point.
The web form might, for example, request a postcode. The form is programmed to expect between five and seven characters, but a knowledgeable hacker can break through the system with complex lines of code designed to steal data, cause damage, or provide the hacker with an alternate point of entry.
- Password hacking:
Systems can be vulnerable when users choose an overly simple password and/or don’t change the password initially allocated when they acquire a new computer or software. Many websites provide default user names and passwords for various models of router, so the dedicated hacker can simply employ trial and error to discover which router the company uses and then type in the default password.
Changing default passwords when new equipment and software is acquired is often not enough and passwords should be changed every 30 to 60 days to thwart hackers.
- Downloading free software:
Downloading free software, a shareware version of Microsoft Office, or accounting software into the system potentially exposes it to malware, viruses or ‘buggy’ software. Despite the risks, businesses are still often tempted to opt for free or cheap software, without knowing whether it is safe, rather than spend more on a tested commercial version.
- Fault injection:
Also known as ‘fuzzing’, fault injection is among the more sophisticated web hacking techniques. It involves criminals researching ways to infiltrate the company’s source code and then inputting a different code to see if they can crash the system. An example would be a hacker using a database query that could erase content, or typing in a Web URL to deliver a worm into the network.
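The defence against the over-long postcode described under “Buffer overflow” above is to validate every form field at the application boundary, before the value reaches a fixed-size buffer, a database column or a downstream parser. The following is an added example, not code from the article or from any product it mentions: a server-side validator that enforces a hard size ceiling first, then rejects control characters, then applies a per-field length range and an allow-list pattern. The field schema, the 256-character ceiling and the sample submissions are constructed for illustration; the postcode rule follows the article’s “five to seven characters”, counted without the space.

```python
import re
from dataclasses import dataclass

# Hypothetical validation rules, constructed for this example (not a real project's schema).
@dataclass(frozen=True)
class FieldRule:
    min_len: int
    max_len: int
    pattern: re.Pattern  # applied only after the length checks have passed

# Postcode: five to seven characters once the space is removed, letters/digits only.
SCHEMA = {
    "postcode": FieldRule(5, 7, re.compile(r"^[A-Z]{1,2}[0-9][A-Z0-9]?[0-9][A-Z]{2}$")),
    "name": FieldRule(1, 80, re.compile(r"^[A-Za-z' -]+$")),
}

# Hard ceiling on any raw value: an oversized value is rejected before any other work is done,
# so a multi-megabyte field is never normalised, regex-matched, logged or stored.
MAX_RAW_LEN = 256


def normalise_postcode(raw: str) -> str:
    """Remove internal whitespace and upper-case, e.g. 'sw1a 1aa' -> 'SW1A1AA'."""
    return "".join(raw.split()).upper()


NORMALISERS = {"postcode": normalise_postcode}


def validate_form(submitted: dict, schema=SCHEMA):
    """Validate a submitted form against the schema.

    Returns (clean_values, errors). Fails closed: unknown fields, non-string values,
    oversized values, control characters, out-of-range lengths and characters outside
    the allow-list are all reported, and only values passing every check are returned.
    """
    clean, errors = {}, []
    for name, raw in submitted.items():
        if name not in schema:
            errors.append(f"{name}: unexpected field")
            continue
        if not isinstance(raw, str):
            errors.append(f"{name}: expected a string")
            continue
        # 1. Hard size ceiling first, on the raw value as received.
        if len(raw) > MAX_RAW_LEN:
            errors.append(f"{name}: {len(raw)} characters exceeds hard limit {MAX_RAW_LEN}")
            continue
        # 2. Control characters (newlines, NULs) can break log lines and downstream parsers.
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
            errors.append(f"{name}: control characters not allowed")
            continue
        value = NORMALISERS.get(name, str.strip)(raw)
        rule = schema[name]
        # 3. Field-specific length range.
        if not (rule.min_len <= len(value) <= rule.max_len):
            errors.append(f"{name}: length {len(value)} outside {rule.min_len}-{rule.max_len}")
            continue
        # 4. Allow-list pattern: only the characters this field can legitimately contain.
        if not rule.pattern.fullmatch(value):
            errors.append(f"{name}: contains characters outside the allowed set")
            continue
        clean[name] = value
    # Every field in the schema is required in this example.
    for name in schema:
        if name not in submitted:
            errors.append(f"{name}: missing")
    return clean, errors


if __name__ == "__main__":
    # Constructed sample submissions: one legitimate, one oversized, one carrying query syntax.
    for form in (
        {"postcode": "sw1a 1aa", "name": "Ann Smith"},
        {"postcode": "A" * 10000, "name": "Bob"},
        {"postcode": "SW1A 1AA'; DROP", "name": "Bob"},
    ):
        print(validate_form(form))
```

The order of the checks is the point: the size ceiling and the control-character test run on the raw bytes before anything else touches them, so the cost of handling hostile input is bounded, and the allow-list pattern means a value that is the right length but carries query or script syntax is still refused.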
The advent of artificial intelligence (AI) potentially means that the above examples soon become outdated. Businesses could start employing machine learning to detect insecurities and vulnerabilities within their systems and fix them. At the same time, more sophisticated hackers could turn these same advances to their own advantage.
Increasing sophistication
While some well-established methods of hacking remain popular, perpetrators are demonstrating an ever-increasing level of sophistication in their attacks. One recent example involved Dutch security firm Fox-IT, which last month revealed it had been the target of a so-called ‘man-in-the-middle attack’.
The attack lasted for more than 10 hours, during which time hackers took control of the firm’s servers and were able to intercept clients’ login credentials and confidential data. They first gained unauthorised access to Fox-IT’s account via a third-party domain registrar, and then changed a domain name system record that designated the IP address corresponding to the company’s client portal.
The attackers were thus able to take over control of fox-it.com and traffic sent to it. They managed to bypass protections provided by HTTPS-based encryption by using their control of the Fox-IT domain to obtain a new transport layer security certificate. The process happened during the first 10 minutes of the attack, when all of the company’s emails were re-routed to the attackers. This allowed them to decrypt all incoming traffic and to cryptographically impersonate the hijacked domain.
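The Fox-IT account above shows why HTTPS alone did not help: once the registrar account was taken over, the attackers could change DNS and obtain a valid certificate, so the detective control has to sit outside the domain, watching what the domain resolves to and which certificates are issued for it. The following is an added example, not code from the article or from Fox-IT: a monitor that compares periodic observations of a client portal’s A records, MX records and served certificate fingerprint against a baseline the organisation maintains itself (for certificates, the fingerprints of the ones it actually requested, which in practice would be fed from Certificate Transparency log monitoring). The domain, IP addresses, fingerprints and timestamps are all constructed placeholders.

```python
from dataclasses import dataclass

# What the organisation knows about its own portal (constructed placeholder values).
@dataclass(frozen=True)
class Baseline:
    domain: str
    a_records: frozenset        # IPs the portal is supposed to resolve to
    mx_records: frozenset       # mail exchangers the domain is supposed to publish
    cert_fingerprints: frozenset  # SHA-256 fingerprints of certificates the org itself requested

# One external observation: a DNS lookup plus the certificate presented on a TLS connection.
@dataclass(frozen=True)
class Observation:
    ts: str
    a_records: frozenset
    mx_records: frozenset
    cert_fingerprint: str


def detect_hijack(baseline: Baseline, observations):
    """Return a list of (timestamp, kind, message) alerts.

    Three conditions mirror the stages of the attack described in the article:
    'dns-a'    the portal resolves to an address the organisation did not publish;
    'dns-mx'   mail for the domain is being directed to an unexpected exchanger;
    'tls-cert' the portal is serving a certificate the organisation never requested.
    """
    alerts = []
    for ob in observations:
        unexpected_a = ob.a_records - baseline.a_records
        if unexpected_a:
            alerts.append((ob.ts, "dns-a",
                           f"{baseline.domain} resolves to unexpected {sorted(unexpected_a)}"))
        unexpected_mx = ob.mx_records - baseline.mx_records
        if unexpected_mx:
            alerts.append((ob.ts, "dns-mx",
                           f"{baseline.domain} publishes unexpected MX {sorted(unexpected_mx)}"))
        if ob.cert_fingerprint not in baseline.cert_fingerprints:
            alerts.append((ob.ts, "tls-cert",
                           f"{baseline.domain} serves unrequested certificate {ob.cert_fingerprint}"))
    return alerts


# Constructed baseline and observation series (RFC 5737 addresses, placeholder fingerprints).
BASELINE = Baseline(
    domain="portal.example.com",
    a_records=frozenset({"203.0.113.10"}),
    mx_records=frozenset({"mail.example.com"}),
    cert_fingerprints=frozenset({"sha256:ORG-ISSUED-0001"}),
)

OBSERVATIONS = [
    # Normal state.
    Observation("2018-01-01T09:00:00Z", frozenset({"203.0.113.10"}),
                frozenset({"mail.example.com"}), "sha256:ORG-ISSUED-0001"),
    # A record repointed at the registrar and a freshly issued certificate being served.
    Observation("2018-01-01T09:10:00Z", frozenset({"198.51.100.77"}),
                frozenset({"mail.example.com"}), "sha256:UNKNOWN-9999"),
    # Mail re-routed as well.
    Observation("2018-01-01T09:15:00Z", frozenset({"198.51.100.77"}),
                frozenset({"mx.attacker.example"}), "sha256:UNKNOWN-9999"),
]


if __name__ == "__main__":
    for ts, kind, msg in detect_hijack(BASELINE, OBSERVATIONS):
        print(ts, kind, msg)
```

A certificate that the CA issued correctly still trips the `tls-cert` check here, because the baseline is the set of certificates the organisation requested, not the set that chains to a trusted root; that distinction is exactly what a domain-hijack bypasses. Running the lookups from a vantage point outside the organisation’s own network matters too, since an attacker controlling the registrar can make the public answer differ from the internal one.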
Recent cases
Carphone Warehouse
This month has already seen high street chain Carphone Warehouse fined £400,000 by the Information Commissioner’s Office (ICO) for security failures that exposed customer and employee data to risk.
One of the company’s computer systems was compromised following a cyber-attack in 2015, giving the perpetrator access to the personal data of more than 3m customers and 1,000 employees. It included: names, addresses, phone numbers, birth dates, marital status and the historical payment card details of 18,000 customers. Even phone numbers, postcodes and car registrations of Carphone Warehouse employees were accessed.
Morrisons: a landmark judgment?
Carphone Warehouse’s offence – and resulting financial slap on the wrist – could be eclipsed by the potential cost to supermarket chain Morrisons of a major data leak. Last month’s landmark court judgment against the company could have implications for many other businesses.
The perpetrator, a Morrisons employee, was a former senior auditor at its Bradford office, and in 2014 posted online the payroll data of nearly 100,000 staff including their names, addresses, bank account details and salaries.
An action brought by 5,518 current and former staff held Morrisons responsible for breaches of privacy, confidence and data protection laws, and sought compensation for upset and distress caused. Their lawyers successfully argued that as the company was awarded £170,000 in damages against its ex-employee his other “victims” should also be compensated.
The Uber saga
At ride sharing group Uber, the revelation of a massive data security breach and subsequent cover-up was enough to finally claim the scalp of its former chief executive, Travis Kalanick, after earlier controversies.
In November, it was reported that in 2016 hackers gained access to the names, email addresses and mobile numbers of 57m Uber customers and drivers. The licence details of 60,000 of Uber’s drivers in the US were also exposed.
Kalanick reportedly knew about the breach, as well as a $100,000 payment made by Uber to the hackers in return for their agreement to delete the data. The firm’s chief security officer, Joe Sullivan, was fired for covering up the incident.
Uber’s actions breached California state law. This requires companies to notify state residents of any breach of unencrypted personal information and to inform the attorney general of any breach affecting more than 500 residents.
The firm alerted the ICO that over half of its UK users, totalling 2.7m, had been affected and the National Cyber Security Centre recommended vigilance against any resulting email phishing attempts or scam emails.
Most vulnerable sectors
The ICO’s most recent report, covering the four years January 2013 to December 2016, found that the UK healthcare sector was particularly vulnerable to data breaches. Over the period the industry suffered 2,447 occurrences, or 43% of all reported incidents. Next came local government, but with 642 reported incidents and an 11% share it was a very distant second.
The number of data breach incidents in the healthcare sector also rose year-on-year, from 184 in the fourth quarter of 2014 to 221 in Q4 2016. In many cases, human error rather than external threat was the cause of the breach. A breakdown of the 221 incidents in Q4 2016 showed the top five causes as follows:
- Theft or loss of paperwork: 24%
- Miscellaneous incidents: 22%
- Data faxed/posted to incorrect recipient: 19%
- Data sent by email to incorrect recipient: 9%
- Failure to redact data: 5%
Source: ICO
While healthcare recorded the highest volume of data breach incidents, the total number of security incidents reported across all sectors increased by 32% between 2014 and 2016. The courts and justice sector experienced the most significant increase over the period, a 290% rise since 2014, which lifted it to within the top five worst affected industries by Q4 2016. Over the same period, data breaches reported by central government rose by 33% and the financial services sector by 44%.
Breaches at financial firms
One particularly alarming trend within the general rise in data protection breaches has been the increased number of incidents involving firms in the financial services sector.
In the year to April 2015, the ICO conducted 585 investigations into reported breaches of the Data Protection Act within the industry, a 183% increase over the previous year.
UK high street banks were subject to most ICO investigations of potential data breaches over the period. Lloyds Banking Group, Royal Bank of Scotland, Barclays and Santander UK, each had more than 50 reports about them investigated.
However the British Bankers’ Association put a positive spin on the figures, commenting: “The increase in reports indicates that banks’ compliance checks are working effectively and breaches are being identified and reported.”
Blue-chip hacking
This month saw the ICO issue fines totalling more than £150,000 against an insurance firm and two senior figures connected with it for a breach of data privacy.
The penalty, reported to be the highest imposed under the Data Protection Act, was unusual in resulting not from hacking activity, but from the unlawful acquisition of personal information.
The loss adjusting firm of Woodgate and Clark had employed private detectives to illegally obtain the private banking records of a businessman it was investigating. The case, investigated by the ICO, is an example of so-called “blue-chip hacking” in which companies such as legal, insurance and financial firms have illicitly acquired the confidential personal details of individuals.
Information commissioner Elizabeth Denham commented: “The illegal trade in personal information is not only a criminal offence but a serious erosion of the privacy rights of UK citizens. As well as these record fines, the organisations and individuals involved also face serious reputational damage as a result of being prosecuted by the ICO.”
The ICO has also fined charities whose fundraising activities contravened data protection law, albeit for relatively small amounts (in total £181,000). The British Heart Foundation and the RSPCA were fined in December 2016 and last April further penalties were meted out to 11 more charities.
The ICO said that several charities contravened the Data Protection Act as they had “screened millions of donors so they could target them for additional funds”. Others had “traced and targeted new or lapsed donors by piecing together personal information obtained from other sources – and some traded personal details with other charities creating a large pool of donor data for sale.”
Biggest data protection breaches
As befits the world’s largest economy, the biggest reported data breaches have involved US organisations, with at least 12 incidents over the past 15 years involving the personal information of 50,000-plus customers being compromised:
1. Yahoo, 2013-2014: Unreported until September 2016, the internet giant announced that a data breach launched by “a state-sponsored actor” had exposed the names, addresses, birth dates and phone numbers of 500m users. By December, the revelation of a second and more extensive earlier breach saw the figure double to 1bn and last October Yahoo admitted all 3bn user accounts had in fact been breached.
2. Adult Friend Finder, 2016: The FriendFinder Network, comprising casual hook-up and adult content websites was breached in October 2016, with hackers collecting 20 years of data from six databases that included names, email addresses and passwords of over 412m accounts.
3. US businesses, 2005-2012: Launched from Russia and the Ukraine, the hackers targeted US financial organisations and companies, including the Nasdaq, retailers JC Penney and 7-11 and airline JetBlue. The prolonged attack had stolen 160m credit and debit card numbers and infiltrated 800,000 bank accounts before it was exposed.
4. eBay, 2014: In May 2014, the e-commerce site revealed that a data breach had revealed names, addresses, date of birth and encrypted passwords of 145m users, who were asked to change their passwords.
5. Equifax, 2017: The credit bureau revealed last September that a breach discovered several weeks earlier had exposed the personal information of 143m customers, including the credit card data of 209,000 consumers. While the attack’s impact was mainly in the US, the data of 694,000 UK customers was compromised.
6. Heartland Payment Systems, 2006-2008: Over a period of more than a year, from late 2006 to early 2008, a breach at payments processor Heartland Payment Systems gave hackers access to more than 130m credit and debit card numbers.
7. TJX 2003: TJX, the parent company for US discount retailers TJ Maxx and Marshalls, admitted in 2007 that hackers had accessed credit and debit card numbers of 94m customers, or just over double its initial estimate of 45.7m, in breaches dating back four years.
8. Anthem 2015: The health insurance group’s records were infiltrated in January 2015 and the names, Social Security numbers and other details on up to 80m customers taken. Litigation arising from the breach was settled last June at a cost of $115m.
9. Sony PSN 2011: In April 2011, Sony warned customers that hackers had stolen the personal information of 77m users of its online gaming service the PlayStation Network, which was temporarily shut down following discovery of the breach.
10. JP Morgan Chase 2014: The US banking giant was the target of a cyberattack in the summer of 2014, which compromised the data of 76m US households and 7m small businesses.
11. Target 2013: The retailer’s system was hacked over the Thanksgiving and pre-Christmas sales period in late 2013. An initial estimate that 40m credit and debit cards were affected was later revised upwards to 70m.
12. The Home Depot 2014: Shortly after the Target attack, the DIY chain revealed in September 2014 that hackers had used malware to access its system and gain access to 56m customer records.
Fines for data protection breaches
Total fines of around $250m were imposed in 2016 by various US authorities on organisations found guilty of data privacy breaches. The regulatory enforcement figure was far higher than in Europe, where fines of just over £2.2m were handed out by the UK’s ICO the same year, slightly exceeded by Italy where the figure was £3.3m.
In 2016, 35 fines were served for contravening data protection laws in the UK, compared to 18 in 2015 for a total of just over £2m, itself an increase on the 2014 total of £1.2m. Under the Data Protection Act the maximum penalty for contravention is £500,000, a figure that will increase significantly with the introduction of the GDPR in May 2018.
Use of stolen data
Organisations whose computer systems fall victim to hackers often receive a ransom demand from the perpetrators. Typically, perpetrators demand payment of the ransom in the digital currency bitcoin to make detection more difficult.
In a recent case, US healthcare operator Hancock Health paid a $55,000 ransom to hackers to regain access to its computer systems. Ransomware was employed to lock more than 1,400 files, which included patients’ medical records. Hancock was given seven days to pay, or face the files being permanently encrypted.
The theft of credit card or debit card details has enabled swift-acting hackers to make fraudulent transactions before the loss is detected. However, a recent report from security specialist ThreatMetrix noted: “Fraudsters are no longer looking to make a quick buck from stolen credit cards. Instead, they are targeting more ambitious attacks that produce long-term profits, leveraging sets of stolen identity data.” Increasingly, this data is used to fraudulently open a new account.
IT and business security reports website Secplicity recently published what it dubbed ‘A Hacker’s Post-Breach Checklist’ detailing the following five steps that a criminal is likely to go through after successfully accessing personal data:
- Inventory the stolen data:
The hacker will look through the stolen data files for authentication credentials, personal information such as names, addresses, phone numbers and email addresses, plus financial information such as credit card details.
- Sell personal information:
The hacker will then package up personal information and sell it, typically in bulk. The more recent it is, the more valuable. A report on news website Quartz suggests that a full set of an individual’s personal information including identification number, address, birthdate, and possibly credit card info costs from $1 to $450 with a median cost of $21.35 (£15.47).
- Look for the good stuff:
The hacker will then inventory authentication credentials further and look for potentially lucrative accounts. Government and military addresses are very valuable, as well as company email addresses and passwords for large corporations.
As individuals often re-use their passwords, hackers can often use credentials for military or corporate accounts to target other companies. For example, file hosting service Dropbox was breached in 2012 using credentials stolen earlier that year in a data breach at LinkedIn. A hacker may plan such a hack themselves, or sell the credentials to others on the dark web for a much higher price.
- Offload the cards:
Credit card numbers and other financial information is packaged and sold in bundles. An individual with the right knowledge could easily buy credit card information in groups of ten or a hundred.
Usually a “broker” buys the card information before selling it to a “carder” who goes through a shell game of purchases to avoid being detected. First the “carders” use a stolen credit card to buy gift cards for stores or for Amazon, then use those cards to buy physical items. The carder may then sell the electronics through legitimate channels such as eBay, or through an underground dark website.
- Sell in bulk:
After several months, the hacker will bundle up authentication credentials and sell them in bulk at a discounted price. By now, most of the credentials are worthless since the company has most likely discovered the breach and taken steps to repair it. For example, a database containing the entire LinkedIn credentials dump is still available.
Source: Secplicity
Current data protection acts
Pending the introduction across the European Union of the General Data Protection Regulation (GDPR), which comes into effect on May 25 2018, any UK organisation processing personal information must comply with eight principles of the Data Protection Act.
Introduced in 1998, the Act outlines that all such information is:
- fairly and lawfully processed
- processed for limited purposes
- adequate, relevant and not excessive
- accurate and up-to-date
- not kept for longer than is necessary
- processed in line with an individual’s rights
- kept secure
- not transferred to other countries without adequate protection.
Impact of the General Data Protection Regulation
Companies across Europe will have to raise their game in ensuring the security of data when the EU’s long-heralded GDPR is enforced this May.
“Compared to the US where privacy laws have been strict for decades and cyber security and privacy regulation is continuously evolving, firms in Europe now also have to prepare for tougher liabilities and notification requirements,” says Emy Donavan, global head of cyber for insurer Allianz Global Corporate & Specialty (AGCS). “Many businesses will quickly realise that privacy issues can create hard costs once the GDPR is fully implemented.”
In total the GDPR contains 99 articles outlining the rights of individuals and the obligations placed on organisations covered by the regulation. People will be allowed easier access to the data that companies hold about them, there is a duty placed on organisations to obtain the consent of those they collect information about, and a new fines regime is proposed for significant contravention of the rules.
This might sound daunting, but the UK’s information commissioner, Elizabeth Denham, describes the GDPR as an “evolution” rather than a “revolution” in data protection legislation, as many of its requirements are already included in the UK’s Data Protection Act.
So what’s new? The GDPR stipulates that the “destruction, loss, alteration, unauthorised disclosure of, or access to” people’s data must be reported to the relevant country’s data protection regulator where it could have a detrimental impact on those who it is about.
‘Detrimental impact’ includes, but isn’t limited to, financial loss, confidentiality breaches and damage to reputation. The regulator must be notified of any breach within 72 hours of it coming to light and the people it potentially impacts must also be informed.
Post-Brexit the UK is implementing a new Data Protection Bill which largely includes all the provisions of the GDPR. Other than a few minor changes, UK law will largely reflect the new EU regulation.
Other new requirements
GDPR requires larger businesses, with 250-plus employees, to document why people’s information is being collected and processed, keep descriptions of the information that is held, how long it’s being held for and also detail what technical security measures are in place.
In addition, any company that conducts large-scale “regular and systematic monitoring” of individuals or processes large volumes of sensitive personal data must employ a data protection officer (DPO). While larger businesses and public authorities may already have such an individual, others will have to hire a new staff member.
The DPO’s duties include reporting to senior members of staff, monitoring compliance with GDPR and providing a point of contact for employees and customers.
A further requirement is that businesses must obtain consent to process data in some situations. When an organisation relies on consent to lawfully use a person’s information they must clearly explain that consent is being given and there needs to be a “positive opt-in” to confirm this.
GDPR penalties
A major cause of the attention being paid to the GDPR is the potential fines that regulators can impose on an organisation for failing to correctly process an individual’s data, failing to respond properly to a security breach or failing to appoint a DPO if it meets the guidelines for when one should be hired.
The financial penalties are significantly heavier than those imposed in the past, with minor offences potentially incurring fines of up to €10m or 2% of the firm’s global turnover (whichever is greater). These figures increase to up to €20m/4% of global turnover for more serious offences.
However, UK information commissioner Elizabeth Denham has played down speculation that the ICO will use the GDPR to sharply increase the financial penalties on organisations that contravene the rules. “We will have the possibility of using larger fines when we are unsuccessful in getting compliance in other ways,” she said recently. “But we’ve always preferred the carrot to the stick”.
Other consequences
Being fined for a data privacy breach by the regulator may often be the least of a company’s worries. It may be eclipsed by a resulting loss of customers, a hit to the share price and/or the departure of the most senior executives.
It’s generally agreed that even the most secure computer systems can be infiltrated by the determined hacker so the focus has shifted from an organisation’s efforts to prevent a breach to developing a well-coordinated response when one occurs.
US retailer Target became the “poster child for major data breaches” after the Thanksgiving/pre-Christmas period in 2013, when it revealed that 70m credit/debit card numbers and records of customers’ personal information had been stolen.
The company’s profits fell by 20-30% in the quarter following the breach, with Target’s perceived lack of customer involvement impacting very negatively. Sales eventually recovered, but not enough to recoup the financial damage caused by the breach.
UK companies learned much from two high-profile data breach incidents in 2015, involving telecoms group TalkTalk and retailer Carphone Warehouse. Although similar in nature, the companies’ respective responses were very different.
Dido Harding, then TalkTalk’s CEO, promptly set out on what aimed to be a damage limitation exercise. Unfortunately this was done without the company “first getting its ducks in a row” as it emerged that around 157,000 customers had been affected by the breach rather than TalkTalk’s entire customer base of 4m.
While Carphone Warehouse suffered the bigger breach, the company handled it more adeptly. TalkTalk’s breach led to a parliamentary enquiry, while Carphone Warehouse was able to limit the media attention received. Damage to its share price was short-lived and the resulting loss of customers was minimal.
Regulation outside Europe
USA:
It might come as a surprise to discover that the US lacks an official national authority specifically charged with data protection, although the Federal Trade Commission comes nearest.
The FTC, as an independent agency of the US government responsible for consumer protection, has jurisdiction over most commercial entities and can issue and enforce privacy regulations in specific areas such as telemarketing.
Add to this a wide range of regulators in sectors such as health care, financial services, communications and insurance, which have the authority to issue and enforce privacy regulations.
The FTC is authorised to prevent unfair and deceptive trade practices and can enforce actions against inadequate data security measures, and inadequately disclosed information collection, use and disclosure practices. State attorneys have similar authority and may also bring enforcement actions, particularly where there has been a high-profile data security breach.
China:
The world’s second-largest economy also has no national data protection authority.
There were moves towards national regulation in December 2012, when the Resolution of the Standing Committee of the National People’s Congress relating to Strengthening the Protection of Information – aka the Digital Data Protection Rule – was issued. This contained high-level national rules relating to the protection of personal data in digital form.
Pending further progress, principles and rules relating to data protection are contained in various laws, regulations and local provisions.
There are also national guidelines on personal data – the Personal Data Protection Guidelines – issued in 2013 by the General Administration of Quality Supervision, Inspection and Quarantine. These aren’t mandatory regulations or rules but rather are non-binding technical guidelines on the collection, use and disclosure of personal data by non-government organisations through information systems.
Japan:
Japan established the Personal Information Protection Commission, a government body charged with the protection of personal information, at the start of 2016. It operates independently, although its chairperson is appointed by the prime minister. Prior to this, privacy protection was managed by the relevant supervisory ministry for various private sector industries.
Japan’s reformed privacy law came into effect at the end of May 2017. Although it differs in several areas from the EU’s GDPR, last July the European Commission and Japan’s government published a joint statement on international transfers of personal data. It stated that the EU and Japan would aim by early 2018 to recognise each other as having adequate levels of personal data protection.
Australia:
In Australia, the Privacy Commissioner – operating under and through the Office of the Australian Information Commissioner (OAIC) – is the national data protection regulator responsible for overseeing compliance with the country’s Privacy Act.