This week, we discuss Hilton’s settlement following breaches in 2014 and 2015, an important WordPress update that fixes a SQL injection vulnerability, and a new phone service to help small organisations prepare for the GDPR.
Hello and welcome to the IT Governance podcast for Friday, 3 November 2017. Here are this week’s stories.
Hilton has agreed to pay a settlement of US$700,000 following data breaches at its hotels in 2014 and 2015. The settlement will be split between New York and Vermont, whose attorneys general investigated the incidents. New York will receive $400,000 and Vermont $300,000.
Hilton’s point-of-sale systems were hit by malware that collected customer payment card data in November and December 2014, and from April to July 2015. 363,952 credit card numbers were affected in total.
A press release from the New York Attorney General’s Office reports that as well as failing to notify affected New Yorkers in “the most expedient time possible and without unreasonable delay”, as stipulated in New York General Business Law § 899-aa(2), its “investigation found that Hilton was also not in compliance with certain Payment Card Industry Data Security Standard (“PCI DSS”) requirements”.
New York Attorney General Eric T Schneiderman said: “Lax security practices like those we uncovered at Hilton put New Yorkers’ credit card information and other personal data at serious risk. My office will continue to hold businesses accountable for protecting their customers’ personal information.”
As part of the settlement, “Hilton has agreed to provide notice to affected New York residents and the Attorney General’s office of a breach involving private information in compliance with, and as defined by, GBL § 899-aa” and “has agreed to annually obtain a written assessment of the extent of its compliance with [the] PCI DSS and report to the Attorney General if it is not fully compliant”.
For more information about the PCI DSS, visit itgovernance.co.uk/pci_dss.
WordPress users have been “strongly encouraged” to upgrade to version 4.8.3 as soon as possible to mitigate a serious SQL injection vulnerability that could allow attackers to take over WordPress installations and the servers they run on via remote code execution. WordPress’s Gary Pendergast blogged that “WordPress core is not directly vulnerable to this issue”, but plugins and themes could accidentally cause a vulnerability.
Anthony Ferrara, who discovered the vulnerability, explained that the previous version of WordPress (4.8.2), which was released on 19 September, was intended to patch the flaw, but instead “broke a LOT of sites” and “didn’t actually fix the root issue (but just a narrow subset of the potential exploits)”.
Ferrara reported the issue to WordPress via HackerOne the next day – 20 September – but complains that he had to wait “5 weeks to even get someone to consider the actual vulnerability”. The fix was finally issued this Tuesday – 31 October.
As ever, it’s worth pointing out that now that the vulnerability has been made public, cyber criminals will soon start trying to exploit it. If your WordPress site isn’t set to update automatically, you can download the latest version from the WordPress website, or update via the dashboard on your site. Your site will remain vulnerable to attack until you do.
The Information Commissioner’s Office this week launched a dedicated phone advice service to help small organisations prepare for the EU’s General Data Protection Regulation and the Data Protection Bill that will enact its requirements in the UK next May.
The Information Commissioner, Elizabeth Denham, said:
“All organisations have to get ready for the new data protection rules, but we recognise that the 5.4 million small organisations in the UK face particular challenges.
“Small organisations want to be ready when the new law comes into force in May 2018, but they often struggle to know where to start. They may have less time and money to invest in getting it right and are less likely to have compliance teams, data protection officers or legal experts to advise them what to do.
“Our new phone service and all the other resources already on our website plus even more advice and guidance yet to come will help steer small businesses through the new law.”
The GDPR will mark a significant increase in responsibility for all organisations in the UK that process personal data: it substantially extends the data rights of individuals, and requires data controllers and processors to implement appropriate and proportionate technical and organisational measures to protect personal data.
Moreover, it is backed by a regime of “effective, proportionate and dissuasive” administrative fines for breaches, and grants aggrieved data subjects the right, under certain circumstances, to bring proceedings against organisations for failing to secure their personal data properly. For more information about the new law and what you can do to comply, visit our GDPR resource page.
Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog.
Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.