This week we discuss Google Chrome flagging sites that use HTTP as not secure, BA’s GDPR fail, and a massive data breach affecting more than 100 manufacturing companies.
Hello and welcome to the IT Governance podcast for Friday, 27 July. Here are this week’s stories.
Google released version 68 of its Chrome browser this week and, with it, has started marking all websites that use HTTP as ‘not secure’ in a move to nudge site owners towards using HTTPS.
(HTTPS, as you probably know, encrypts traffic between users and the sites they visit with the TLS, or transport layer security, protocol. I’m not going to go into detail here, but early versions of TLS and its predecessor, SSL, or secure sockets layer, have a number of known vulnerabilities and are not secure, so TLS version 1.2 or later should be used. Version 1.3 was approved by the Internet Engineering Task Force in March.)
Google announced its intentions to flag unencrypted websites in February, and numerous authorities have advised site owners to improve their security by using HTTPS for years now – including the UK’s National Cyber Security Centre, which says all websites should use HTTPS, “even if they don’t include private content, sign-in pages, or credit card details”.
However, Cloudflare reckons that 542,605 of the top million sites still haven’t switched to HTTPS for some reason.
If your site still uses HTTP, don’t worry: it’s easy to make the change – and it needn’t cost you a penny. For instance, Let’s Encrypt is a free, automated and open certificate authority, and the security researcher Troy Hunt, who runs haveibeenpwned.com, has set up httpsiseasy.com, which shows how to configure and make the most of HTTPS.
The GDPR, or General Data Protection Regulation, has already had a marked effect on organisations’ attitudes to data security, as reflected in the significant increase in the number of incidents reported to the ICO (Information Commissioner’s Office). In a recent webinar, the ICO said there were 1,792 self-reported incidents in June – the first full month after the law came into effect on 25 May – compared with 398 in March, 367 in April and 657 in May.
Although this increase could well be the result of businesses misunderstanding the Regulation’s data breach notification requirements, it’s surely better to err on the side of caution than to risk breaching the new law. Data security incidents, whether major or minor, can affect all organisations. It’s how they’re handled that counts. This is why it’s so important to have proper incident response plans in place.
Talking of misunderstanding the GDPR, TechCrunch reports that British Airways has been taking a lot of flak after its social media team asked passengers to post their personal information on Twitter in order – ironically – to comply with the GDPR. Many customers replied publicly before BA twigged that it really ought to have asked them to send the information in a direct message.
UCL PhD student Mustafa Al-Bassam drew attention to the error in a Twitter thread in which he also complained that he could only check in online if he disabled his adblocker, which meant his personal information would be shared with third parties without his explicit consent.
According to TechCrunch, BA commented: “We take our responsibility to protect our customers’ details very seriously. We’d never ask customers to send personal information publicly. When a genuine error is made, we will always go back to the customer to clarify this.
“Our social media colleagues look after around 2,000 enquiries a day, and like all customer service teams we are always careful to confirm that we are talking to the right person before making any changes to their booking.”
If you need more information about the GDPR, and how to comply with its data protection requirements, visit itgovernance.co.uk/gdpr.
Security researchers from UpGuard have reported that they recently discovered ten years’ worth of sensitive documents from more than 100 manufacturing companies exposed on a publicly accessible rsync server belonging to the engineering firm Level One Robotics. Among the companies affected were divisions of Volkswagen, Chrysler, Ford, Toyota, General Motors and Tesla.
The 157 gigabytes of data included “assembly line schematics, factory floor plans and layouts, robotic configurations and documentation, ID badge request forms, VPN access request forms, and, ironically, non-disclosure agreements detailing the sensitivity of the exposed information”.
Personal data relating to some Level One Robotics employees, including scans of their driving licences and passports, was also compromised in the breach, as was sensitive business data, including “invoices, contracts, and bank account details”.
Worse still, UpGuard says, “the permissions set on the rsync server at the time of the discovery indicated that the server was publicly writable, meaning that someone could potentially have altered the documents there, for example replacing bank account numbers in direct deposit instructions, or embedding malware”.
Level One promptly addressed the issue when informed by UpGuard.
Supply-chain security is a critical, but often neglected, issue. Nearly eight out of ten respondents to a recent survey by CrowdStrike think that their organisation needs to spend more on it.
With more and more external suppliers granted privileged access to client networks and information, it’s essential to ensure that your organisation is secure at all points. In practical terms, the only way to ensure that third parties are handling data satisfactorily is to only use those companies that have recognised security certifications, such as ISO 27001.
Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.