Weekly podcast: Metro Bank, Student Loans Company, GDPR breaches and seals

This week, we discuss the compromise of Metro Bank’s two-factor authentication system, nearly one million cyber attacks on the Student Loans Company, nearly 60,000 GDPR breaches and a surprising discovery for some marine biologists.

Hello, and welcome to the IT Governance podcast for Thursday, 7 February 2019 – and thanks to Paula for stepping in last week while I was away. Here are this week’s stories.

Metro Bank has confirmed that some of its customers have fallen foul of targeted attacks on its two-factor authentication system, which texts security codes to customers’ mobile phones to verify transactions.

According to Motherboard, attackers have been exploiting vulnerabilities in the SS7 protocol – which is used by telecom companies to route texts and calls – for some time.

The problem with SS7 is that it doesn’t authenticate who sends requests, so anyone with access to the network will be treated as legitimate and their commands to reroute text messages will be obeyed. And although there are, of course, security measures to prevent unauthorised access, there will always be room for exploitation.

“Those who exploit SS7,” Motherboard explains, “can potentially track phones across the other side of the planet, and intercept text messages and phone calls without hacking the phone itself.”

The NCSC (National Cyber Security Centre) confirmed that it was “aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication (2FA)”, but added that “While text messages are not the most secure type of two-factor authentication, they still offer a huge advantage over not using any 2FA at all.”

Metro Bank did not comment on how many customers had been affected, or when the attacks took place, but a spokesperson said: “Of those customers impacted by this type of fraud, an extremely small number have been Metro Bank customers and none have been left out of pocket as a result. Customers should continue to remain vigilant and report any suspicious activity using the number on the back of their card or on our website.”

The SLC (Student Loans Company) suffered nearly one million cyber attacks in the last financial year, according to data released under the Freedom of Information Act.

ComputerWeekly reports that the Parliament Street think tank found that the SLC “was targeted in 965,639 attempts to infiltrate its systems in the 2017/18 financial year”, compared with just 3 attempts in 2015/16 and 95 in 2016/17.

The SLC also faced 323 attempted malware attacks and 235 malicious calls or emails in 2017/18.

According to itpro.co.uk, of those hundreds of thousands of attacks, only 127 got through the perimeter and were treated as incidents, and just one – a Monero cryptojacking attack via a third-party plugin – was successful. Pretty impressive, I’d say.

Parliament Street’s CEO Patrick Sullivan commented: “The sharp rise in cyber attacks is a trend we are seeing in all areas of the public sector, particularly following the WannaCry attack on the NHS in 2017. It’s more important than ever that organisations such as The SLC [protect] the confidential financial information [they hold].”

Increased organisational resilience to cyber attacks is essential in the face of such risks. As the SLC demonstrates, even if you successfully rebuff 99.9% of attacks, it’s important to ensure you can contain and recover from successful incidents, rare though they may be.

IT Governance’s Cyber Resilience Framework describes four levels of cyber resilience maturity. If you want to assess your organisation against it, you can take a free self-assessment test on our website.

Cyber resilience is particularly important when it comes to compliance with the GDPR (General Data Protection Regulation). According to a new report from the law firm DLA Piper, more than 59,000 data breaches have been reported across Europe since the GDPR came into effect last May.

The DLA Piper GDPR data breach survey found that “the Netherlands, Germany and the United Kingdom came top of the table with the largest number of data breaches notified to supervisory authorities with approximately 15,400, 12,600 and 10,600 breaches notified respectively”.

So far, 91 fines have been imposed under the GDPR, most of which, with the exception of Google’s €50 million fine from France’s CNIL, were relatively low in value.

However, DLA Piper comments: “It is still very early days for GDPR enforcement […] we anticipate that 2019 will see more fines for tens and potentially even hundreds of millions of Euros as regulators deal with the backlog of GDPR data breach notifications.”

You can find all the GDPR resources you need in order to achieve compliance at itgovernance.co.uk/gdpr.

And finally, you might have read this week that marine biologists from the National Institute of Water and Atmospheric Research in New Zealand have made a curious discovery in some leopard seal excrement.

Wait, what? Well, volunteers collect samples of the seals’ faecal matter and send it the NIWA for analysis. As the institute explains in a blog post, this “can tell them what these Antarctic predators eat, a little bit about their health and how long they may have been in New Zealand waters”.

In November 2017, a vet from Invercargill did exactly that, and the scientists put it in the freezer for later analysis. Three weeks ago, it was defrosted and found to contain… a USB stick. Having left it to dry for a couple of weeks, the scientists plugged it in to a computer and were amazed to discover that it still worked – and contained photos. If it belongs to you, you can have it back in return for another sample.

It’s obviously alarming that the poor creature should, like so many marine animals, have consumed plastic, but it seems to me that some information security advice might also be pertinent here: no matter how curious you might be, do resist the urge to plug unknown portable storage devices into your computer – even if (and I can’t stress this enough) they’ve been eaten and excreted by a leopard seal, frozen for over a year, defrosted, washed and left to dry. They might contain malware.

No, really. In 2016, Elie Bursztein, the head of Google’s anti-abuse research team, and researchers from the University of Illinois left 297 USB flash drives on the university campus to test the anecdotal belief that users will plug them into their devices without thinking. They found that 98% of the drives were picked up during the observation period, and files were opened on 45% of them. The first drive was connected in less than six minutes. In cyber crime terms, that sort of success rate is pretty unbeatable – so it’s important to remember that not all cyber attacks come from phishing emails or malicious websites.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.