Weekly podcast: Equifax once more, Bristol Airport, Smeg and Mirai creators

This week, we discuss a record ICO fine for Equifax, cyber attacks on Bristol Airport and Smeg, and the sentencing of the creators of the Mirai botnet

Hello and welcome to the IT Governance podcast for Friday, 21 September. Here are this week’s stories.

The Information Commissioner’s Office has fined the credit ratings agency Equifax £500,000 for failing to protect the personal information of up to 15 million UK citizens.

In total, the personal information of some 147.9 million customers, most of them American, was compromised in the 2017 data breach – including their names, dates of birth, passwords, and driving licence and financial details.

The fine is the maximum penalty allowed under the Data Protection Act 1998 – which was in force at the time of the incident – and the largest fine the ICO has given to date.

Indicating how important it is for data controllers to ensure the security practices of processors acting on their behalf, the ICO noted that: “The UK arm of the company failed to take appropriate steps to ensure its American parent Equifax Inc, which was processing the [personal data of UK customers] on its behalf, was protecting the information”.

Equifax was found to have breached five of the 1998 DPA’s eight data protection principles, including by failing to secure personal data, having poor retention practices which led to personal data being stored longer than necessary, and lacking “a legal basis for international transfers of UK citizens’ data”. Data was also found to be vulnerable to unauthorised access.

The Information Commissioner, Elizabeth Denham, commented: “We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”

She added: “Multinational data companies like Equifax must understand what personal data they hold and take robust steps to protect it. Their boards need to ensure that internal controls and systems work effectively to meet legal requirements and customers’ expectations. Equifax Ltd showed a serious disregard for their customers and the personal information entrusted to them, and that led to today’s fine.”

A ransomware attack forced Bristol Airport to pull the plug on its flight information system last Friday, and resort to writing arrival and departure times on whiteboards – much to the bemusement of passengers.

James Gore, a spokesperson for the airport, told the BBC:

“We believe there was an online attempt to target part of our administrative systems and that required us to take a number of applications offline as a precautionary measure, including the one that provides our data for flight information screens.

“That was done to contain the problem and avoid any further impact on more critical systems.

“The indications are that this was a speculative attempt rather than targeted attack on Bristol Airport.”

Functionality was restored “to digital screens in key locations” on Saturday evening, although the Bristol Post reported this Wednesday that flight display boards were “still experiencing issues” five days after the attack.

No flights were disrupted as a result of the incident, nor were safety or security systems put at risk.

Bristol airport wasn’t the only organisation to shut down its systems after a cyber attack: last Wednesday the domestic appliance manufacturer Smeg announced: “Unfortunately we have been the victim of a targeted cyber attack and as such have taken immediate steps to totally shut our systems down to protect our customers and ourselves”.

It took until this Monday for the company to recover. It tweeted: “A quick note to let everyone know we are back up and running after last weeks [sic] unfortunate cyber attack. Thank you very much for your patience last week. We are working hard to get back to all customer enquiries ASAP.”

Responding to questions from The Register, Smeg said:

“The National Crime Agency is leading the criminal investigation into the cyber incident affecting Smeg. These investigations are complex and take time before full details can be established.

“Smeg and the National Crime Agency are pleased to confirm we have no reason to believe customer’s [sic] personal or financial information has been compromised. All customers, however, should continue to remain vigilant. Any suspicious activity should be reported to Action Fraud via www.actionfraud.police.uk.

“We continue to slowly get the business back online and are dealing with communications as quickly as possible. Our business continuity plan is now in full swing.”

The creators of the Mirai botnet, which wrought havoc in 2016, have avoided prison sentences after providing assistance to the FBI “that substantially contributed to active complex cybercrime investigations as well as the broader defensive effort by law enforcement and the cybersecurity research community” – according to the US Department of Justice.

Last December, 22-year-old Paras Jha, 21-year-old Josiah White and 22-year-old Dalton Norman pleaded guilty to charges under the Computer Fraud & Abuse Act, but after “cooperating extensively with the FBI”, were each sentenced this week to five years’ probation and 2,500 hours of community service, ordered to pay $127,000 in restitution and “voluntarily abandoned significant amounts of cryptocurrency seized during the course of the investigation”.

The defendants must continue to cooperate with law enforcement as part of their sentences.

Special Agent Jeffery Peterson said: “Cyber criminals often develop their technical skills at a young age. This case demonstrates our commitment to hold criminals accountable while encouraging offenders to choose a different path to apply their skills.”

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.