Weekly podcast: Plusnet, TV Licensing, BEC scams and data breach causes

This week, we discuss a data breach at Plusnet, poor security at tvlicensing.co.uk, why most BEC scams succeed, and what causes most data breaches.

Hello and welcome to the IT Governance podcast for Friday, 7 September. Many thanks to Jay and Lewis for holding the fort while I was away. Here are this week’s stories.

In one of the biggest projects it’s undertaken in 21 years, the broadband provider Plusnet migrated to a new customer billing system at the weekend, and – as befalls so many companies during large-scale system upgrades – suffered a data breach in the process.

According to The Register, “some customer accounts showed other people’s names and addresses during a planned upgrade to its billing systems” – but not, it stressed, payment information. And this was only one of the issues facing users: former and existing customers reported receiving incorrect payment notifications, and customers were unable to access their accounts at all because of an extended maintenance period.

A Plusnet spokesperson said: “We’d like to reassure all our customers that we immediately prevented access to the My Account section of the website and we quickly fixed the problem. We take the protection of our customers’ data extremely seriously, and have informed the relevant authorities.”

In July, I mentioned that the newest version of Google Chrome was marking websites that used HTTP as ‘not secure’. One such site belonged to TV Licensing, the public body that administers the TV licence fee here in the UK.

Mark Cook blogged about his concerns on Wednesday after the agency’s social media team reassured him on Twitter that its site was actually secure, despite not using HTTPS to transmit viewers’ personal information – including their names, email and home addresses, and bank details.

The security researcher Troy Hunt, whom Cook copied into his Twitter exchange, was prompted to comment: “I don’t get British humour.”

Funnily enough, the TV Licensing site went offline shortly afterwards, with the agency promising on Twitter to restore the service as soon as it can. As of the time of this recording – Thursday afternoon – the site is still down.

The error page is on HTTPS, though.

A new Barracuda study of 3,000 BEC (business email compromise) attacks – a type of social engineering in which criminals impersonate senior staff members and attempt to persuade others to transfer money to the wrong recipient or disclose sensitive corporate information – has found that the majority of them succeed because of their simplicity.

According to Barracuda, BEC scams “are responsible for billions of dollars in fraud losses”, and mainly target “employees with access to company finances or payroll data and other personally identifiable information”.

However, technical security measures are largely ineffective at stopping them: some 60% of BEC emails are in plaintext and don’t contain malicious links – which means they get past security filters, especially as they’re often sent from legitimate, albeit compromised, accounts.

Training your staff to recognise phishing emails, such as BEC scams, is essential. You can find out more about staff awareness courses on our website.

Talking of the importance of staff awareness training, since the GDPR came into effect in May, the number of data breach notifications to the ICO (Information Commissioner’s Office) has inevitably increased dramatically. One of the many good things about this is that it provides much more useful data about the most common types of breaches that occur, which we can all learn from to improve our security.

Recent analysis by Kroll of data released under the Freedom of Information Act found that human error was to blame for 88% of UK data breaches reported to the ICO in 2017/18.

As reported by numerous outlets, there were:

  • 447 reports of people sending information to the wrong recipient via email
  • 441 reports of people sending information to the wrong recipient in the post or via fax
  • 438 reports of loss or theft of paperwork
  • 256 reports of failing to redact data
  • 164 reports of data being left in an insecure location
  • 147 reports of people failing to use bcc in emails, and
  • 133 reports of unencrypted devices being lost or stolen.

Cyber incidents accounted for relatively few reports in comparison. In 2017/18, there were:

  • 102 reports of unauthorised access
  • 53 reports of malware
  • 51 reports of phishing
  • 33 reports of ransomware
  • 20 reports of brute-force attacks, and
  • 2 denial-of-service attacks.

This supports what we’ve said for years: effective information security should cover people and processes as well as technology, and staff awareness training is essential to maintain a culture of security.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.