This week we discuss the end of Google+, allegations of Chinese motherboard interference, and a £120,000 fine for Heathrow Airport
Hello and welcome to the IT Governance podcast for Friday, 12 October. Here are this wee- actually, can we have a quick word about that theme tune?
When we started this podcast back in July 2015 I confess I expected it to be a short-lived experiment that would fizzle out by the end of the summer. We therefore chose a theme tune without much thought. (In fact, I think the decision-making process basically went: “here’s an amusingly chirpy bit of free music; that’ll do”.)
I was wrong. Instead of fizzling out, the podcast has expanded to its current form, we pick up more listeners each week and even occasionally enjoy an element of audience interaction. (By the way, please don’t be afraid to say hello, ask a few questions, put me straight about any errors I’ve made, or whatever in the comments section of the blog. Feedback is always welcome.)
Although we’ve sort of grown accustomed to the theme tune, many listeners – newer ones especially – might hear it and think: “What on earth is this ghastly racket? Is that a Hammond organ? What are they thinking?”
So, a question: is it worth changing, or do you simply not care in the slightest? Let me know. If enough of you express an opinion, we might do something about it. Just a thought. Right, back to this week’s stories.
As many as 438 third-party apps were potentially able to access the data of up to 500,000 Google+ account holders without their permission because of a vulnerability in one of its APIs. Google discovered and fixed the flaw in March 2018 as part of an audit it called Project Strobe, but opted not to disclose it at the time.
In a blog post published on Monday, Google explained that it logs its API data for only two weeks, so it couldn’t “confirm which users were impacted”, although it did acknowledge that personal data, including users’ full name, birthdate, gender, profile photo, relationship status, email addresses and occupation, was exposed.
However, it said it had found no evidence that profile data had been misused or that any developer was aware of the bug.
“Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.”
However, the Wall Street Journal refuted this assertion, stating that Google’s decision not to disclose the incident was in fact calculated to avoid reputational damage and regulatory interest. It quoted an internal memo in which legal and policy staff warned Google executives that disclosing the incident would likely result “in [its] coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal” – which was developing at the time.
Google announced in the same blog that it would be shutting down the consumer version of Google+ by next August. Consumers are unlikely to mourn its loss: the company admits that 90% of user sessions are less than 5 seconds.
The enterprise version of Google+ will live on, though. For now.
An astonishing investigative report by Bloomberg Businessweek – which is well worth reading – claims that the Chinese People’s Liberation Army has implanted malicious microchips on server motherboards that are used extensively in the United States – including by Amazon, Apple and the US government.
According to Bloomberg, the supply chain of the Californian tech giant Supermicro, one of the world’s biggest manufacturers of server motherboards, was compromised in 2014 and 2015, and chips scarcely bigger than a grain of rice were implanted, which apparently opened back doors that enabled Chinese spies to access and exfiltrate data.
One prominent company that uses Supermicro servers was Elemental Technologies – a manufacturer of video compression and formatting software that provided services to the CIA and NSA among others, and was subsequently acquired by Amazon Web Services.
Amazon, Apple and Supermicro all categorically deny Bloomberg’s claims, and the UK’s NCSC and the US Department of Homeland Security both say they have no reason to doubt their statements.
However, according to Bloomberg, their denials “are countered by six current and former senior national security officials, who […] detailed the discovery of the chips and the government’s investigation”.
“In all,” Bloomberg states, “17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information.”
I don’t know about you, but I get the distinct impression that something important is being withheld: on the one hand, Bloomberg surely wouldn’t make such extraordinary claims without concrete evidence, but, equally, the companies concerned wouldn’t issue such vehement denials if there were even a glimmer of doubt about their assertions. Whatever the truth, I imagine this isn’t the last we’ve heard of this story – and I suspect someone’s not going to come out of it very well.
The Information Commissioner’s Office has fined Heathrow Airport Limited £120,000 “for failing to ensure that the personal data held on its network was properly secured” when, in October 2017, an airport employee lost a USB memory stick containing more than 1,000 unencrypted files. A member of the public found the memory stick, viewed its contents (it wasn’t password protected either), and then passed it to the Sunday Mirror.
According to the ICO, “Although the amount of personal and sensitive personal data held on the stick comprised a small amount of the total files, of particular concern was a training video which exposed ten individuals’ details including names, dates of birth, passport numbers, and the details of up to 50 [Heathrow] aviation security personnel.”
The ICO identified a number of concerns during its investigation, including the fact that just 2% of Heathrow’s 6,500-strong workforce had received data protection training, and that its security controls were ineffective. The use of removable storage media such as USB memory sticks was widespread, in spite of Heathrow’s own policies.
The ICO’s director of investigations, Steve Eckersley, said: “Data Protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise.
“Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them.”
A Heathrow spokesperson told the BBC: “Following this incident, the company took swift action and strengthened processes and policies.
“We accept the fine that the ICO have deemed appropriate and spoken to all individuals involved.
“We recognise that this should never have happened and would like to reassure everyone that necessary changes have been implemented, including the start of an extensive information security training programme which is being rolled out company-wide.”
The fine was issued under the Data Protection Act 1998, which was in force at the time of the incident, rather than the GDPR, which, as we all know by now, is backed by a regime of considerably stronger penalties.
Data breaches are commonplace. They happen all the time, for all manner of reasons, and affect organisations of all types and sizes. The last thing you need is to be caught unawares. If you want to assess your preparedness and learn about the steps you can take to improve your security, why not take our free breach ready quiz? You’ll get a detailed report, providing a summary of your answers and advice on the next steps to take to better prepare for a data breach.
Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.