Weekly podcast: German data breach, poor passwords, Marriott, NHS Digital and Patch Tuesday

This week, we discuss a high-profile German data breach, the top worst passwords of 2018, the resignation of NHS Digital’s CISO, and Microsoft’s latest patches.


Hello and welcome to the first IT Governance podcast of 2019 – for Friday, 11 January. If it’s not too late to say happy new year, happy new year.

It’s long been a habit of journalists and online commentators to open the year with predictions about the coming months, but I don’t think there’s much value in that from an information security point of view. You don’t need a crystal ball to work out that there’ll be more cyber attacks and more data breaches, and that everyone needs to focus on becoming more resilient to cyber attacks.

So, without further ado, let’s crack on with what’s happened so far in 2019.

A 20-year-old German student has admitted responsibility for one of the country’s biggest data breaches, which saw documents and the personal data of nearly 1,000 high-profile individuals, including politicians, journalists and celebrities, published on Twitter throughout December.

Holger Münch, the head of Germany’s Federal Criminal Police Office, the BKA, said there was no evidence that the man had any accomplices.

The man had apparently told police that he was not politically motivated, but had been driven by annoyance at statements made by the victims of his attacks.

Those affected included the chancellor, Angela Merkel, and the president, Frank-Walter Steinmeier.

Germany’s interior minister, Horst Seehofer, responding to criticism that the authorities had been too slow to act, commented that the victims’ poor password practices were partly to blame. According to the Guardian, he said: “I was shocked at how simple most passwords were: ‘ILoveYou’, ‘1,2,3’. A whole array of really simple things.”

Coincidentally, SplashData has just published its annual list of 100 weak passwords, culled from the previous 12 months’ publicly disclosed data breaches. The top ten worst passwords of 2018 were, counting down from ten to one:

10. iloveyou

9. qwerty

8. sunshine

7. 1234567

6. 111111

5. 12345

4. 12345678

3. 123456789

2. Password (good grief, really?)

And, at number one, yet again: 123456.

Comparing the list with 2017’s top 100, the most interesting new entry is ‘donald’ at number 23 – something of a surprise considering how important email security supposedly is to Republicans.

If you use any of the passwords in the list, now’s the time to start using a password manager to generate and store complex, unique passwords, and turn on two-factor authentication wherever it’s available.

In a corporate context, strong password and access management policies are critical, as is regular information security training – one careless user could cause a data breach, and with the GDPR (General Data Protection Regulation) now firmly in place that’s the last thing anyone wants.

Talking of data breaches, you’ll remember that, last November, Marriott disclosed that it had suffered a breach affecting the personal data of up to 500 million customers of its Starwood hotel chain.

It has now completed its investigation into the incident.

According to a statement published last week: “Marriott now believes that the number of potentially involved guests is lower than the 500 million [it] originally estimated. […] The company has concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database.”

The compromised information includes approximately 20.3 million encrypted and 5.25 million unencrypted passport numbers, and approximately 8.6 million encrypted and as many as 2,000 unencrypted payment card numbers.

The Information Commissioner’s Office is investigating. It would be pretty pointless to speculate on the level of GDPR penalty the hotel chain is likely to receive, but it is worth pointing out that its decision to store certain personal information in unencrypted form is likely to increase its exposure to fines.

Encryption isn’t mandatory under the GDPR, of course, but it is a very good idea, especially if personal data is reasonably likely to be inappropriately accessed and this would cause damage – whether material or non-material – to data subjects. A DPIA (data protection impact assessment) will help you determine whether it’s a necessary measure to take.

As ever, you can find all the information you need about the GDPR on our website.

NHS Digital’s chief information security officer, Robert Coles, has resigned after just three months in the role, which was created in the wake of the WannaCry infection that cost the service £92 million.

According to the National Health Executive, Coles is stepping down for personal reasons. Recruitment for his replacement is starting immediately.

HSJ reports that NHS Digital’s deputy chief executive, Rob Shaw, said: “We have enjoyed working with Robert, and his resignation is accepted with great regret. I would like to personally thank him for the passion he brought to the role and the early progress he has made in developing the system-wide cyber strategy.”

Meanwhile, NHS England this week pledged that all NHS organisations in the health and care system will have achieved “100% compliance with mandated cyber security standards” by summer 2021, in line with last February’s Lessons learned review of the WannaCry Ransomware Cyber Attack – and apparently in contrast to NHS Digital’s opinion last October that ensuring all providers achieved certification to Cyber Essentials Plus “would not be value for money”.

Finally, it was Patch Tuesday this week. Among Microsoft’s 50-odd patches for security flaws are fixes for seven critical vulnerabilities:

  • CVE-2019-0539, CVE-2019-0567 and CVE-2019-0568, remote code execution vulnerabilities that exist in the way the Chakra scripting engine handles objects in memory in Microsoft Edge;
  • CVE-2019-0547, a remote code execution vulnerability that exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client;
  • CVE-2019-0550 and CVE-2019-0551, remote code execution vulnerabilities that exist when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system; and
  • CVE-2019-0565, a remote code execution vulnerability that exists when Microsoft Edge improperly accesses objects in memory.

Test and install as soon as you can.

Oh, and, for the first time in what seems like aeons, Adobe’s updates apparently didn’t include any security patches for Flash Player.

Well, that’ll do for this week. Until next time, you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.