Weekly podcast: Ransomware, TalkTalk and Privacy Shield

In this week’s podcast, we look at a ransomware attack on Lincolnshire County Council, the cost of last year’s TalkTalk cyber attack and the new EU-US Privacy Shield.

Hello and welcome to the IT Governance podcast. Here are this week’s stories…

A ransomware attack on Lincolnshire County Council last week – apparently caused when an employee opened a malicious email – forced the council to shut down its systems and rely on pens and paper. The ransomware – malware that encrypts all the data on an affected device until a ransom is paid (usually a bitcoin; in this case the princely sum of £350, which the council wisely refused to pay) – has now been removed after IT staff worked over the weekend.

Julie Hetherington-Smith, the council’s chief information officer, said: “We’ve done a lot of checking and we, and the police, are confident that the data is safe. Nothing has been lost”.

Detective Sergeant Carole Walton of Lincolnshire Police commented: “From individuals, to small businesses, to large organisations, we all need to continually refresh our understanding of the current threats in order to protect ourselves. It is estimated that 80% of cyber-attacks could be prevented. We need to arm people with knowledge and encourage vigilance in the fight against this unseen villain.”

The cyber attack that hit TalkTalk last October continues to have repercussions for the telecoms giant. According to its interim results for the six months to 30 September 2015, released on 11 November, TalkTalk estimated the one-off financial impact of the cyber attack to be £30-35 million. Now, it says in its Q3 trading update that the attack could cost it more than £60 million, with £40-45 million in “exceptional costs” – largely the result of unconditional free upgrades for customers – and £15 million in reduced trading revenue. Customer churn was heavy, too, with up to 101,000 customers leaving following the cyber attack. (For comparison, Ponemon Institute’s 2015 Cost of Cyber Crime Study for the UK put the cost of the average cyber attack at £4.1 million.)

The European Union and the United States have reached a last-minute agreement on international data transfers following last October’s ruling by the European Court of Justice that Safe Harbor, the 15-year-old pact between the EU and the US, was invalid. Shortly after the expiration of the 31 January deadline set by the Article 29 Working Party – the body responsible for data protection in the EU – the European Commission announced that the EU-US Safe Harbor agreement will be superseded by something called the ‘EU-US Privacy Shield’.

Details are vague so far, but a press release from the Commission states that the new agreement will include “Strong obligations on companies handling Europeans’ personal data and robust enforcement”, “Clear safeguards and transparency obligations on U.S government access”, and “Effective protection of EU citizens’ rights with several redress possibilities”. Steps in the right direction, certainly, but, knowing EU bureaucracy, I can confidently predict that it’ll be a while before the new framework is put in place.

And that’s it for this week. Until next time, remember that you can keep up to date with the latest information security news on our blog. And whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.