Weekly podcast: Carphone Warehouse, USB drives, VTech and Patch Tuesday

This week, we discuss a £400,000 ICO fine for Carphone Warehouse, an unfortunate prize from Taiwan’s Criminal Investigations Bureau, a $650,000 FTC settlement for VTech and the highlights of this month’s Patch Tuesday.

Hello and welcome to the IT Governance podcast for Friday, 12 January 2018. Here are this week’s stories.

Carphone Warehouse has been fined £400,000 by the Information Commissioner’s Office for breaching the Data Protection Act. The fine is one of the largest the ICO has issued.

In 2015, Carphone Warehouse suffered a cyber attack that compromised the personal information of three million customers, including their names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 of them, payment card details.

According to the ICO, an investigation revealed “multiple inadequacies in Carphone Warehouse’s approach to data security and determined that the company had failed to take adequate steps to protect the personal information. […] The incident also exposed inadequacies in the organisation’s technical security measures. Important elements of the software in use on the systems affected were out of date and the company failed to carry out routine security testing. There were also inadequate measures in place to identify and purge historic data.”

The Information Commissioner, Elizabeth Denham, said: “A company as large, well-resourced, and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.

“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”

Carphone Warehouse commented: “We accept today’s decision by the ICO and have co-operated fully throughout its investigation into the illegal cyber-attack on a specific system within one of Carphone Warehouse’s UK divisions in 2015.

“As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues. The ICO noted that there was no evidence of any individual data having been used by third parties.”

Obligatory GDPR mention: in May, the 1998 Data Protection Act will be superseded by a new law, which increases data subjects’ rights and gives data controllers and processors significantly greater responsibilities. What’s more, every organisation that processes the personal data of EU residents must comply. Visit our GDPR resource page for more information.

Taiwan’s Criminal Investigations Bureau has apologised after handing out malware-infected USB drives as prizes in a cybersecurity quiz designed to highlight a government crackdown on cybercrime. According to the Taipei Times, 54 of the 250 drives handed out at the data security expo in December were infected with malware that could steal personal data. Although the drives were manufactured in China, state-sponsored espionage was ruled out: an employee of the New Taipei City-based contractor Shawo Hwa Industries apparently infected the drives while testing their storage capacity. Only 20 have been recovered.

The electronic toy manufacturer VTech has agreed a $650,000 settlement with the US Federal Trade Commission (FTC) for violating a US children’s privacy law – the Children’s Online Privacy Protection Act (COPPA) – by “collecting personal information from children without providing direct notice and obtaining their parent’s consent, and failing to take reasonable steps to secure the data it collected”.

The offence came to light when the FTC was investigating the data breach VTech suffered in 2015. According to an FTC news release, “VTech failed to use reasonable and appropriate data security measures to protect [the] personal information it collected”.

Acting FTC Chairman Maureen K. Ohlhausen said: “As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data. Unfortunately, VTech fell short in both of these areas.”

Finally, it was Patch Tuesday this week: apart from a number of fixes for the Spectre and Meltdown bugs affecting Intel, ARM and AMD CPUs – some of which caused problems of their own, especially when it came to compatibility with certain antivirus products –  there were updates for an Office remote code execution vulnerability, a certificate validation flaw and cross-site request forgery vulnerability in .NET, and, somewhat inevitably, a fix for Adobe’s famously bug-riddled Flash Player. Don’t leave yourself vulnerable; test and apply patches as soon as you can.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.