Weekly podcast: Honda and Flybe fined, WoW phishing, Minecraft malware, gift cards attacked

This week, we discuss companies falling foul of existing laws while attempting to comply with the GDPR, problems for Warcraft and Minecraft players, and a bot attack affecting gift cards on nearly 1,000 websites.

Hello and welcome to the IT Governance podcast for Friday, 31 March 2017. Here are this week’s stories.

Compliance is complicated, as Flybe learned to its cost this week when it was fined £73,000 by the Information Commissioner’s Office for contravening the Privacy and Electronic Communications Regulations 2003 (PECR) while apparently trying to comply with the new General Data Protection Regulation (GDPR) – which requires explicit consent from users to process their information.

An investigation found that Flybe used a third party to send 3,662,973 emails – 3,333,940 of which were delivered – to its customer database, asking them to update their details and marketing preferences. Unfortunately for Flybe, however, it was unable to produce evidence that any of these recipients had consented to receiving direct marketing emails.

In other words it contacted customers without their consent while trying to obtain their consent.

Flybe isn’t the only guilty company, however: in a similar breach of the PECR, Honda was fined £13,000 for sending 289,790 emails to its customers, asking them to update their marketing preferences.

Recognising that companies will be reviewing customer consent as they prepare for the enforcement of the GDPR from next May, Steve Eckersley, the ICO’s head of enforcement, commented: “Businesses must understand they can’t break one law to get ready for another.”

If you’re unsure about what you need to do, seek expert advice. I try to avoid mentioning IT Governance products on this podcast as much as I can because it’s supposed to be a news roundup, not an extended advertisement, but it is worth saying that we have a number of products and services designed to help organisations of all sizes comply with the GDPR, from compliance manuals to training courses and consultancy services. Have a look at itgovernance.co.uk/gdpr for more information.

Players of the popular massively multiplayer online role-playing game World of Warcraft are being targeted by a phishing campaign purportedly offering free in-game pets. Malwarebytes has identified “two variations on this so far”, which direct recipients to click a button to claim a “Brightpaw” or a “Mystic Runesaber”, apparently bought as a gift by a friend. However, clicking this button actually takes players to a phishing site that harvests their user credentials. As Christopher Boyd of Malwarebytes notes: “Keen Warcraft players will notice the email is branded with Battle(dot)net, the name of Blizzard’s online gaming service – but this name has just been retired, which may well set off a few alarm bells.”

World of Warcraft players aren’t the only ones to be suffering: ESET’s welivesecurity blog reports that “Minecraft players have been exposed to scams and aggressive ads brought by 87 fake Minecraft mods recently spotted on Google Play.” (For older listeners, Minecraft is a bit like online Lego.) The 87 fake mods, which were installed 990,000 times by Android users before being removed from the Play Store, fall into two categories.

The first has “no real functionality and [displays] aggressive ads”; the second redirects users to websites that “display all kinds of obtrusive content – ranging from ads, through surveys, free coupon offers, jackpot wins, porn, to fake updates and fake virus warnings attempting to scare the user”.

To remove these fake mods, first revoke their admin rights by going to Settings > Security > Device administrators, then uninstall them by going to Settings > Application manager.

Researchers at Distil Networks have discovered “a sophisticated bot attack” affecting gift cards used on nearly 1,000 websites. Dubbed GiftGhostBot, the automated token cracking attack “checks millions of gift card numbers to determine which have balances”; when it finds an account number that has a balance associated with it, it uses the account number to purchase goods – or the account number is sold on the dark web.

One retail site reported “peaks of over 4 million [balance] requests per hour, ten times their normal levels of traffic.” The result? Consumers lose money, retailers lose face, and websites lose service – 4 million requests per hour could easily lead to a slowdown or even overwhelm some servers enough to cause a denial of service.

Consumers are advised to check their gift card balances and not leave them unused. Retailers are recommended to include CAPTCHAs when customers check their gift card balances, to monitor their web traffic, put rate limits on gift card balance checks and apply technological solutions as necessary.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

And don’t forget that IT Governance’s March book of the month is Once more unto the breach – Managing information security in an uncertain world, by Andrea C Simmons. Save 10% if you order by the end of the month. And as we’ll be well in to April before the next podcast, next month’s book of the month is our bestselling GDPR pocket guide – the ideal resource for anyone wanting a clear primer on the principles of data protection and their new obligations under the GDPR. Save 10% if you order in April.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.

One Response

  1. Neil Ford 7th April 2017