Friday, 19 February 2016

Students hit by University of Greenwich data breach

Students' names, addresses, dates of birth, mobile phone numbers and signatures were all uploaded to the university's website. In some cases, mental health and other medical problems were referenced to explain why students had fallen behind with their work.
In one example, it was disclosed that a student had a brother who was fighting in a Middle Eastern army and references were made to an asylum application. Supervisors' comments about the students' progress were also documented.
In some instances, copies of emails between university staff and individual students were also published.
The University of Greenwich has apologised and said it is in the process of contacting those affected. The university believes all the documents are now offline and has contacted Google to try to ensure cached copies of the documents cannot be retrieved from its search engine.
The documents were posted alongside minutes from the university's Faculty Research Degrees Committee, which oversees the registrations and progress of its research students.
The matter was brought to the BBC's attention by one of the students, who discovered the information could be found via a Google search.
They also flagged the matter to the UK's data watchdog. The Information Commissioner's Office has confirmed that an investigation is under way.
One legal expert warned there could be financial consequences.
"It does look as though there has been a significant breach of the Data Protection Act's obligations to process personal data securely, fairly and lawfully," said Ruth Boardman from the law firm Bird & Bird.
"[The university] may face enforcement action by the Information Commissioner (ICO) and claims by affected individuals.
"Under new rules due to be adopted in Brussels later in March, it would face a penalty of up to 10m euros [$11.2m; £7.8m]."
At present, the largest fine the ICO can impose is £500,000.
Cited and more on this story at BBC News

Friday, 12 February 2016

VTech's new T&Cs: families using at 'own risk'; ICO says not on my turf!

The UK's data watchdog has said that VTech's new terms and conditions would not absolve it of liability in the case of future hack attacks.
It emerged earlier this week that the toy company had changed its terms to say that families using its software did so at their "own risk".
This prompted a backlash in which some security experts suggested parents should boycott its products.
The UK's Toy Retailers Association has since said VTech remains "reputable".
However, at least two major stores have told the BBC that they are in talks with the Hong Kong-based manufacturer to decide how to proceed.

VTech was alerted to the fact it had been hacked in November when it was contacted by the Motherboard news site.

It later confirmed that more than 6.3 million children's accounts and 4.8 million parent accounts had been compromised.
The company later hired the security firm FireEye and subsequently restored its Learning Lodge app management platform at the end of last month.
But it caused further controversy when it changed its European terms and conditions to state parents must assume "full responsibility" for using its software.
"You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties," it added.
"Use of the site and any software or firmware downloaded therefrom is at your own risk."
The firm told the BBC that the move was intended to help protect itself from legal claims.
"The Learning Lodge terms and conditions, like the T&Cs for many online sites and services, simply recognise that fact by limiting the company's liability for the acts of third parties such as hackers," a spokeswoman explained.
"Such limitations are commonplace on the web."
The terms include the caveat that VTech only absolves itself of responsibility in so far as "applicable laws" allow it to do so.
The Information Commissioner's Office has confirmed that this would not be possible in the UK.
"The law is clear that it is organisations handling people's personal data that are responsible for keeping that data secure," said a spokeswoman.
A data protection specialist added that this would be the case for other EU countries too.
"If VTech did suffer another breach, some people might be dissuaded from bringing a claim because of the terms and conditions, or VTech might be trying to give themselves room to argue that they aren't liable," said Paul Glass from the law firm Taylor Wessing.
"But under European and UK law the obligation is on the company in control of the data to take appropriate steps to protect the information from unauthorised disclosure or access.
"Even if VTech did try and argue that people were contractually prohibited from bringing a claim, it is a difficult position for the firm to take."
Cited and more on this story at BBC News 

Thursday, 4 February 2016

Human Error Blamed for More than Half of UK Public Sector Data Breaches

More than half of data breaches in the UK public sector originate from someone who has access to the systems, with loss in many cases being accidental or due to human error, according to the Public Sector Data and Information Security Survey.
Data loss through internal access can be explained, at least in part, by fragmented data ownership. Over 80% of respondents described themselves as 'data owners', able to authorise or deny access to certain data. Data owners are responsible for its accuracy, integrity and timeliness, yet 19% of them did not know how many other data owners there were within their organisation.
One of the respondents commented: "Data owners determine who has what level of access but rarely do so and often delegate to IT."
GovNewsDirect conducted the survey at the end of 2015 in collaboration with access rights management firm 8MAN.
The survey covered 600 individuals from across the public sector, 68% of them from local authorities, healthcare and education; 28% of respondents were at director or C-suite level, and 20% had either 'information' or 'IT' in their job title.
The survey was undertaken to let public sector employees compare their practices with those of other organisations and identify specific areas of concern ahead of the new General Data Protection Regulation (GDPR), which will apply across the 28 EU member countries.
The GDPR is an EU regulation that builds on the right to private life in Article 8 of the European Convention on Human Rights; it replaces the separate national data protection acts across the EU, applying directly in every member state, and could be a challenge to data owners and practitioners.
The regulation seeks to ensure that the personal data of EU citizens is not lost, disclosed or transferred to third parties without a lawful basis, or subjected to illegal use. It provides for substantial fines for serious cases of data breach or mismanagement (up to €20m or 4% of worldwide annual turnover, whichever is higher).
The survey revealed that 65% of the respondents have serious concerns regarding data security within their organisation, with simple loss of data and errors of staff being the biggest concerns (60%), followed by compliance and IT system failures (40%).
External hacking was a concern for more than 35% of the respondents, while denial-of-service attacks were the least-cited concern.
IT operating costs, cloud security, theft of laptops, lack of staff training, and failure of the staff to follow simple procedures were a few more concerns cited by the respondents.
According to the survey, 60% said data security lapses in their organisations were caused by staff errors, while 40% attributed breaches to simple loss of data.
Nearly 75% said they intend to improve data security by tightening procedures.
The average cost per breach in a large organisation also rose, to the range of £1.46m-£3.14m compared with £600,000-£1.15m in 2014.
Cited and the whole story at CBR Online 

Tuesday, 2 February 2016

TalkTalk's Cyber Attack Costs Rise To £60 Million #moneytalks

Figures published this morning put the cost of TalkTalk's breach at £60m.
The attack proved less damaging than first feared: about 4% of the company's 4 million customers were affected, and no customer suffered financial loss even though partial payment details were exposed.
But customers were left fuming by the company's handling of the attack in its early stages and by its seemingly slack security. TalkTalk refused to let people terminate contracts without incurring charges and instead offered them a free upgrade, which almost half a million customers took up.
TalkTalk added fewer customers than expected following the attack because it shut down its online sales operations; the cost of the disruption in the third quarter was about £15m, it said in a trading statement. There were also exceptional costs of £40m-£45m, taking the total bill for the cyberattack to about £60m.
Dido Harding, TalkTalk’s chief executive, said: “It is encouraging to see the business returning to normal after a challenging quarter that was dominated by the cyberattack. Both churn and new connections recovered during December and January and independent external research has revealed that customers believe that we acted in their best interest.”
The company said earnings before interest, tax and other items for the year ending in March would be £255-£265m and that the dividend would increase by 15%. Before the trading update, analysts’ average forecast was for earnings of £264m.
The company’s shares rose 7% to 233p.