Weekly Podcast: Home Sec duped, NotPetya, MalwareTech nicked, new data protection bill

This week, we discuss a prankster’s email conversation with Amber Rudd, the ongoing effects of the NotPetya malware pandemic, the arrest of WannaCry sinkholer Marcus Hutchins by the FBI, and the launch of a data protection bill to implement the GDPR in the UK.

Hello and welcome to the IT Governance podcast for Friday, 11 August 2017. Here are this week’s stories.

The home secretary, Amber Rudd, who irked many in the information security industry when she claimed that ‘real people’ had no interest in secure communication, has learned to her cost that email security is actually rather important, having been duped into revealing her personal email address to the same hoaxer – Sinon Reborn – who tricked a number of White House aides last month.

The Guardian reports that the self-styled email prankster and lazy anarchist “posed as a senior Downing Street aide and managed to hold an email conversation with the home secretary on her personal email account. Rudd revealed she was working with her special adviser Mohammed Hussein on a series of announcements to be made in August before realising she was corresponding with a hoaxer”.

Reborn told the Guardian he asked the home secretary: “Don’t you think you should be more aware of cyber security if you are home secretary?” He didn’t get a reply. According to the BBC, the Home Office downplayed the incident, saying “The home secretary does not use her personal email address to discuss government business.”

The NotPetya malware pandemic, which caused such havoc in late June, continues to have repercussions for affected organisations, and their customers and suppliers. The BBC has spoken to exasperated customers of the courier TNT – which is owned by FedEx – which was badly affected by NotPetya when “a significant proportion of its systems were infiltrated and data encrypted […] as a result”. Staff have apparently had to use “manual processes” and it is “’reasonably possible’ that some information will never be fully recovered”. As the BBC notes, it’s been “nearly a month and a half since NotPetya struck, but TNT has still not recovered operations”.

TNT is yet to publicly speculate on the financial impact of the incident, but with the number of companies relying on it to deliver their products, we can expect it to be a substantial sum. One thing is for certain: however big or small your business, the importance of a cyber resilience framework that addresses information security and business continuity throughout your supply chain cannot be overestimated.

Marcus Hutchins, the security researcher from Kryptos Research who sinkholed the domain that stopped the WannaCry ransomware from spreading in May this year, was arrested by the FBI on his way home from the DEF CON conference in Las Vegas last week in connection with the development of the Kronos malware, a Trojan that harvests banking credentials. He was granted a $30,000 bail on Friday, pending certain conditions – including surrendering his passport, wearing a GPS tag and having no Internet access – and was released on Monday. His defence attorney, Adrian Lobo, told reporters that Hutchins had pleaded not guilty and was shocked by the charges. He faces up to 40 years in prison if found guilty.

Finally, the government this week unveiled its proposals for a new data protection bill that will enshrine the EU’s General Data Protection Regulation (GDPR) in UK law. The GDPR – and therefore the new data protection act, which will replace the 1998 act – will affect every organisation that processes personal data.

The Department for Digital, Culture, Media and Sport also launched a consultation document about the EU’s Security of Network and Information Systems (NIS) Directive, which affects operators of essential services and digital service providers.

From March next year, organisations could face fines of up to £17 million or 4% of global turnover – whichever is greater – for breaches. Mike Cherry, the national chairman of the Federation of Small Businesses, warned that small companies are largely ignorant of what the new law will mean for them. He said: “They simply aren’t aware of what they will need to do, which creates a real risk of companies inadvertently facing fines.”

If you need more information about the GDPR – and what you need to do to comply – head over to our GDPR resource page. For more on the NIS Directive, see itgovernance.co.uk/nis-directive.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.