This week, we discuss Amazon’s exposure of customer names and addresses, jail sentences for two TalkTalk hackers, and a data breach affecting a City of York rubbish app.
Hello and welcome to the IT Governance podcast for Friday, 23 November. Here are this week’s stories.
Just days before Black Friday, Amazon suffered a data breach in which an undisclosed number of customers’ names and email addresses were accidentally exposed on its website.
According to The Register, the online retail giant emailed affected customers on Tuesday, unapologetically saying:
We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.
Customer Service Department
Amazon customers around the world reported receiving the email, and the more security-conscious among them observed that it looked more like a phishing email than an official communication. However, Amazon’s UK press office acknowledged that it was in fact genuine.
Asked to provide further information, it tersely commented: “We have fixed the issue and informed customers who may have been impacted”.
Under the GDPR (General Data Protection Regulation), a personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (my emphasis).
Data controllers such as Amazon must notify the relevant European supervisory authorities – such as the UK’s ICO (Information Commissioner’s Office) – of data breaches affecting EU residents’ personal data within 72 hours of becoming aware of them, if there is likely to be a risk to individuals’ rights and freedoms. The individuals themselves must be informed if there is likely to be a high risk to their rights and freedoms.
Asked if Amazon had notified it of the breach, the ICO said:
“It is always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. The ICO will however continue to monitor the situation and cooperate with other supervisory authorities where required.”
Two Tamworth men have been jailed for their part in the 2015 cyber attack on TalkTalk that saw the personal information of 156,959 customers compromised.
Matthew Hanley, 23, and Conner Douglas Allsopp, 21, both of Tamworth in Staffordshire, received prison sentences of 12 and 8 months respectively for offences under the Computer Misuse Act 1990.
Detective Constable Rob Burrows, the investigating officer, said: “Hanley hacked into TalkTalk’s database with the sole intention to steal customer personal data and sell it to criminals and fraudsters for his and Allsopp’s financial gain. Allsopp was a willing participant in the crime. If successful this could have put thousands of people at risk of fraud.”
Hanley and Allsopp took advantage of SQL injection vulnerabilities in TalkTalk’s systems that had been identified by another attacker, who then shared them online.
The then-17-year-old – who could not be named because of his age – was fined £85, given a 12-month rehabilitation order, and had his hard drive and iPhone confiscated in December 2016. He told Norwich Youth Court that he was showing off.
In October 2016 the Information Commissioner’s Office fined the company £400,000 for security failings that led to customer data being accessed. The Information Commissioner, Elizabeth Denham, said:
“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.
“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
City of York Council has suffered a data breach affecting the personal data of 5,994 residents – including their names, addresses, telephone numbers, email addresses and encrypted passwords.
According to the BBC, a council app called One Planet York, which provided information about rubbish collection and recycling, “was hacked by someone who found a way to access phone numbers, encrypted passwords and addresses of those using it”.
The council told the app’s users:
“We value your privacy and deeply regret this incident occurred.
“We have conducted a thorough review of the One Planet York app, we have deleted all links with the app and as a result, will no longer support it going forward.
“We have deleted it from our website and asked for it to be removed from the app stores and ask that you now delete it from your device.
“We cannot say for certain what the third party responsible has done with the data.”
A council spokesperson said the incident has been reported to North Yorkshire Police.
Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.