Weekly podcast: BT, Bithumb, Islington Council and World Cup phishing

This week, we discuss a £77,000 fine for BT, Bithumb’s loss of £24 million, Islington Council’s PCI DSS fail and some topical phishing campaigns.

Hello and welcome to the IT Governance podcast for Friday, 22 June 2018. Here are this week’s stories.

The Information Commissioner’s Office fined BT £77,000 this week for sending nearly 5 million spam emails to its customers. The unsolicited emails were sent between December 2015 and November 2016, and promoted three charities: BT’s My Donate platform, Giving Tuesday and Stand up to Cancer.

The ICO found that all of the emails were direct marketing, not service messages, and had been sent to recipients without their consent, in contravention of Regulation 22 of the Privacy and Electronic Communications Regulations 2003.

BT accepted that the emails for Giving Tuesday and Stand up to Cancer were sent unlawfully, but disputed the ICO’s assessment that the My Donate emails were direct marketing.

The ICO’s head of enforcement, Steve Eckersley, said: “Organisations have a responsibility to ensure they are acting within the law. Where they do not, the ICO can and will take action. This particular investigation was prompted by a concerned member of the public. We investigated the matter and uncovered the full extent of this activity which shows how important it is for people to report nuisance emails.”

BT commented: “There was no financial benefit to BT and minimal impact on customers – in fact, almost five million emails elicited just one complaint.

“We are pleased that the ICO has acknowledged that this was not a deliberate contravention of regulations.

“In turn, we have accepted the facts set out by the ICO and have apologised.”

Bithumb, the Seoul-based cryptocurrency exchange, stopped trading earlier this week after 35 billion won (£24 million) worth of coins were stolen by hackers.

The values of several virtual currencies, including Bitcoin and Ethereum, fell in response.

In a subsequently deleted tweet, Bithumb explained that “some […] cryptocurrencies valued [at] about $30,000,000 was stolen. Those stolen cryptocurrencies will be covered from Bithumb and all […] assets are being transferred to cold wallet[s].” (Cold wallets are unconnected to the Internet. Hot wallets, on the other hand, are connected to the Internet and are more vulnerable.)

Bithumb added (in tweets that are still live): “All deposit and withdrawal service[s] will be stopped to make sure [of our] security. We will keep [you notified] of the restart of the service. We apologize for your inconvenience and [thank you] for your understanding.”

Shortly afterwards, it tweeted: “We are providing compensation”, before announcing that it was giving away $10 million worth of Ethereum to its users.

Coincidentally, Bithumb upgraded its security system four days before the incident.

Regular listeners to this podcast (hello to both of you) will remember that Bithumb was breached last summer, when, after an employee’s PC was hacked, the personal details of 32,000 customers were stolen and used in a phishing campaign to defraud others of funds.

Islington Council has been criticised for asking local residents to send their full payment card details via email to pay for parking bay suspensions, in contravention of the PCI DSS (Payment Card Industry Data Security Standard) – the security requirements enforced by the payment card industry that mandate that card security codes or CVV numbers are never stored.

Every organisation that handles payment card data must comply with the PCI DSS or risk financial penalties or even the withdrawal of their facility to take card payments.

Compliance requirements for merchants and service providers differ depending on a number of factors, including the size of the organisation and the volume of transactions it undertakes. The criteria that a merchant or service provider has to meet are set by the individual payment brands (Visa, American Express, MasterCard, etc.), each of which has its own compliance programme and criteria for compliance. Small wonder that so few companies pass their interim assessment.

A breach of the PCI DSS is also a breach of the GDPR (General Data Protection Regulation), which requires organisations to implement appropriate technical and organisational measures to protect personal data.

If you need to find out more about the PCI DSS, you can find information on our website at itgovernance.co.uk/pci_dss.

Finally, it should be no surprise that there’s been a marked increase in phishing emails relating to the World Cup this week.

Among many doing the rounds at the moment, IBM’s X-Force reports on an email purporting to be from FIFA and Coca-Cola that claims the recipient has won a $1 million prize that needs to be claimed within 30 days. Needless to say, they haven’t. If you follow the link you end up on a malicious site where you really shouldn’t enter your personal information.

Meanwhile, Check Point said this week that another phishing campaign was attempting to lure victims into downloading a fixtures list and results tracker. Instead, it downloads malware.

Keep ‘em peeled.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.