Weekly podcast: banks, Thomas Cook, London cyber court and Facebook

This week, we discuss operational resilience in the banking and financial market infrastructures sectors, a data breach affecting Thomas Cook subsidiaries, London’s proposed new court building and the latest development in the Facebook/Cambridge Analytica scandal

Hello and welcome to the IT Governance podcast for Friday, 13 July. Here are this week’s stories.

The Bank of England, the PRA (Prudential Regulation Authority) and the FCA (Financial Conduct Authority) have asked the UK’s banks and financial services firms to report on their exposure to operational risks, such as cyber attacks, and explain how they would respond to system failures, such as those recently faced by Visa and TSB.

In a joint discussion paper on an approach to improve operational resilience in the banking and financial market infrastructures sectors, the three supervisory authorities emphasised the importance of planning “on the basis that operational disruptions will occur. This,” the paper explained, “is because it is not possible to prevent every risk materialising, and dependencies are often only identified once something has gone wrong”.

Operationally resilient firms should therefore have, among other things, “a comprehensive understanding and mapping of the systems and processes that support [their most important] business services”, “knowledge of how the failure of an individual system or process could impact the provision of the business service”, and “tested plans that would enable [them] to continue or resume business services when disruptions occur”.

The consultation period ends on 5 October.

In a joint statement, the FCA’s chief executive, Andrew Bailey, and the Bank of England’s deputy governor, Jon Cunliffe, said, “Operational disruption can impact financial stability, threaten the viability of individual firms and financial market infrastructures, or cause harm to consumers and other market participants in the financial system.”

The authorities’ initiative is, presumably, driven by the recent implementation of the EU’s Directive on security of network and information systems (NIS Directive), which sets out obligations for operators of essential services – in other words, the critical national infrastructure. In line with Recital 9 of the Directive, the banking and financial market infrastructure sectors are not in the scope of the UK’s NIS Regulations (the law that implements the provisions of the Directive in the UK) because they are regulated by the Bank, the PRA and the FCA. (I hope you’re following. I do know how EU Directives and Regulations can be confusing.)

We’ve been clear for many years that, in today’s hostile environment, no organisation is immune to attack; it is how you react that is key to controlling your risk, costs and exposure. For more information on cyber resilience and incident response management, visit our website.

The travel agent Thomas Cook has exposed passenger information relating to “tens of thousands – or maybe hundreds of thousands – of [trips]” because of a basic security mistake, according to the Norwegian programmer Roy Solberg.

Solberg found that bookings made via Thomas Cook’s subsidiary Ving were assigned incremental reference numbers, meaning it was possible to retrieve passengers’ full names, email addresses, departure dates, airports and flight numbers, and return dates, airports and flight numbers simply by changing the number in a URL by a single digit – a common vulnerability known as an IDOR (insecure direct object reference). It would have been relatively easy for a programmer to write a script to download the data.

Flight information from 2013 through to 2019 relating to bookings made with Thomas Cook via Ving Norway, Ving Sweden, Spies Denmark (I’ve probably pronounced ‘Spies’ wrong) and Apollo Norway was exposed before Thomas Cook eventually addressed the vulnerability 14 days after Solberg first contacted them. Other sites might also have been affected.

According to The Register, a Thomas Cook spokesperson who was “at pains to emphasise [that] this did not affect UK customers” said:

“We take any breach of our customer data extremely seriously. After being alerted to this unauthorised access to our online duty free shopping website in Norway, we closed the loophole and took responsible actions in line with the law.

“Based upon the evidence we have, and the limited volume and nature of the data that was accessed, our assessment is that this was not an incident which is required to be reported to the authorities. For the same reasons we have not contacted the customers affected.

“We regularly test our systems using third party agents and since becoming aware of this incident we have taken further steps across our IT systems to ensure that we don’t have a similar loophole elsewhere.”

London is to have a new court dedicated to cases involving cyber crime, fraud and economic crime. According to a press release from the Ministry of Justice and HM Courts & Tribunals Service, the new 18-court building will – subject to planning permission – be built on the site of Fleetbank House, just off Fleet Street, and will “replace the ageing civil court, Mayor’s and City of London County Court, and City of London Magistrates’ Court”.

The Lord Chancellor, David Gauke, said: “This state-of-the-art court is a further message to the world that Britain both prizes business and stands ready to deal with the changing nature of 21st century crime.”

David McIlwaine of the law firm Pinsent Masons commented on Out-Law.com: “This gives a clear indication of the expected increase in claims that will arise, presumably in response to the heightened prevalence of cyber attacks and the augmented amount of regulation through the General Data Protection Regulation (GDPR) and the Network and Information Security (NIS) Regulations.”

He added that there was likely to be “an increase in class actions from data subjects affected by data breaches, as these are more easily facilitated under [the] GDPR” and that it “will be interesting to see the new court’s involvement in these”.

Finally, I obviously can’t ignore the latest development in the Facebook/Cambridge Analytica scandal: this week, the ICO (Information Commissioner’s Office) issued an interim report on its investigation, and the Information Commissioner stated her intention to fine Facebook £500,000 for two breaches of the Data Protection Act 1998 – the maximum penalty applicable under the law that was in force at the time of the breaches.

It’s been estimated that it would take the social media giant about five and a half minutes to generate enough revenue to pay for the fine.

The ICO’s investigation is set to continue for some time yet, but the next phase of its investigative work is due to conclude by the end of October 2018.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.