Weekly podcast: EU GDPR, Morrisons lawsuit and a win against ransomware

In this week’s podcast, we discuss the formal approval of the EU GDPR, a lawsuit brought against Morrisons by its own staff, and a tool that recovers encrypted hard drives that have been infected with ransomware

Want the audio only version? Click here.

Hello and welcome to the IT Governance podcast for Friday, 15th April. Here are this week’s stories…

On Thursday, 14 April, the European Parliament voted to approve the General Data Protection Regulation; the GDPR’s long legislative journey is finally over. First proposed in 2012 by the European Commission, the GDPR will unify data protection across the EU, superseding national data protection laws such as the UK’s Data Protection Act 1998 (DPA). Among many new obligations under the GDPR, the most significant for companies that do business in the EU is the increase in penalties for non-compliance. Under the UK DPA, for example, the maximum fine for a data breach is £500,000. Under the GDPR, the maximum fine will be €20 million or 4% of the breached organisation’s annual turnover – whichever is the greater. You’ve now got two years and twenty days to comply with the new law, and that ain’t long. Make no mistake: Brexit or no Brexit, this could require your company to do a lot of work to comply. If you haven’t started preparing already, you really ought to get to work as soon as you can. For more details about the GDPR, have a look at our free data protection information pages on itgovernance.co.uk.

The number of Morrisons staff suing their employer following the 2014 data breach in which 99,998 employees’ personal details were leaked has reached nearly 6,000. The court deadline for joining the group action was 8 April 2016.

Nick McAleenan of JMW Solicitors, which is representing the group, said: “Whenever employers are given personal details of their staff, they have a duty to look after them. That is especially important given that most companies now gather and manage such material digitally and, as a result, it can be accessed and distributed relatively easily if the information is not protected.”

Morrisons internal auditor Andrew Skelton, who developed a grudge against the company after being accused of dealing controlled drugs at work, was jailed for eight years at Bradford Crown Court last July for leaking the information, which included details of staff salaries, bank details and National Insurance numbers.

A spokesman for Morrisons said: “We are contesting this case. We are not accepting liability for the actions of a rogue individual. We can confirm that we are not aware that anybody suffered any financial loss from this breach.”

As I’ve discussed in several recent podcasts, ransomware – a form of malware that encrypts users’ computer files until they pay a bitcoin fee for a decryption key – has been in the news a lot this year as strains including Locky, Maktub, Samas/Samsam/MSIL.B/C and Petya have spread like wildfire via phishing emails and cyber attacks on poorly secured servers.

For once, we have some good news: the Petya ransomware, which has been encrypting hard drives rather than files, having been spread via phishing emails that purport to link to job applicants’ CVs stored on Dropbox, has been cracked by a security researcher.

Twitter user leostone has created a tool that enables victims of Petya to access their files without having to cough up. Computer forensics expert Lawrence Abrams has put together a guide to using the tool to unlock a Petya-encrypted computer in seven seconds.

One small note of caution, however: not all ransomware is as easy to reverse-engineer, and new strains are emerging weekly. The ransomware threat is increasing dramatically at the moment, and businesses need to be proactive to protect themselves.

Well, that’s it for this week. Until next time, remember that you can keep up to date with the latest information security news on our blog. And whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.