Weekly podcast: MyHeritage, PageUp, Rochester Grammar School and, yes, the GDPR

This week, we discuss the compromise of 92 million MyHeritage users’ credentials, “unauthorised activity” at PageUp, a missing memory stick at Rochester Grammar School, and the first couple of weeks of the GDPR.

Hello and welcome to the IT Governance podcast for Friday, 8 June 2018. Here are this week’s stories.

The genealogy and DNA testing site MyHeritage announced on Monday that more than 92 million users’ credentials were compromised last October.

In a pretty impressive turnaround, the announcement came only hours after MyHeritage’s chief information security officer, Omer Deutsch, found out about the incident when he was contacted by a security researcher who told him that he’d discovered a server containing “the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including Oct 26, 2017”.

No other data related to MyHeritage was found, and there was no evidence that the data in the file had been misused.

MyHeritage reassured its users that the intrusion was limited to their email addresses, and there was no reason to believe that any other systems were compromised. Sensitive data such as family trees and DNA data are stored on segregated systems that are protected by additional layers of security, it said.

Users will have to change their passwords and have been urged to implement two-factor authentication once it is available. “This,” MyHeritage said, “will allow users interested in taking advantage of it, to authenticate themselves using a mobile device in addition to a password, which will further harden their MyHeritage accounts against illegitimate access.”

In an update published on 6 June, MyHeritage announced that it had “completed the GDPR reporting process to the authorities” and was “getting ready to announce the breach to the users, individually, via email, a process that will take some time due to the large number of affected users”.

It’s not yet known how the data breach occurred.

PageUp, the software firm that manages millions of job applications all over the world, has announced that it has discovered “unauthorised activity” on its system. Karen Cariss, PageUp’s CEO, said:

“We take cyber security very seriously and have been working together with international law enforcement, government authorities and independent security experts to fully investigate the matter.

“There is no evidence that there is still an active threat, and the jobs website can continue to be used. All client user and candidate passwords in our database are hashed using bcrypt and salted, however, out of an abundance of caution, we suggest users change their password.”

According to an FAQ page on PageUp’s website:

“As a result of ongoing investigations and potential law enforcement involvement, we are limited in what technical details we can disclose since we do not want to impact these efforts. That said, we can share that the source of the incident was a malware infection. The malware has been eradicated from our systems and we have confirmed that our anti-malware signatures can now detect the malware. We see no further signs of malicious or unauthorised activity and are confident in this assessment.”

According to the BBC, PageUp has 2 million active users in 190 countries, and counts Aldi, Clydesdale Bank and Lindt among its customers. Some of them, “including [the] Australian supermarket Coles, suspended their job websites as a result of the breach.”

The Information Commissioner’s Office has been notified, as required by the GDPR.

The BBC reports that a memory stick containing data relating to more than 1,000 pupils at Rochester Grammar School in Kent was lost, exposing “names, years, school house, date of birth, email address and special educational needs of the pupils as well as target and attainment grades, and whether they speak English”. It was returned to the school by a member of the public.

A spokesperson for the Thinking Schools Academy Trust, which runs the school, told the BBC that “it places ‘the highest premium possible on data security’ and it is ‘exceptionally disappointing’ that strict policies and procedures were not followed”.

The school has notified the Information Commissioner’s Office, as required by the GDPR, and apologised to students and their families.

These breach notifications are among the first of many that the ICO will be receiving, thanks to the GDPR.

The GDPR’s first couple of weeks have been pretty interesting. The European Commission was found to be non-compliant (although it protests it’s not actually subject to the Regulation), numerous US websites opted to block European traffic rather than comply and the US Commerce Secretary, Wilbur Ross, said in the Financial Times that the new law would likely create barriers to trade.

The first legal challenges were launched by, surprise, surprise, Max Schrems, and the new chair of the European Data Protection Board, Andrea Jelinek – a name I’m sure we’re going to hear a great deal more often in future – said the board was ready to fight legal battles with big technology groups. “If the complainants come, we will be ready,” she told the FT.

We’re all waiting to see what these first cases bring. These early days of enforcement will set the tone for the rest of the GDPR’s lifespan.

Well, that’ll do for this week. Until next time, you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.