Weekly podcast: Russia warning, RBKC fined and TaskRabbit breached

This week, we discuss an alert from the NCSC, US DHS and FBI, a £120,000 fine for the Royal Borough of Kensington and Chelsea, and a data breach at IKEA’s TaskRabbit marketplace.

Hello and welcome to the IT Governance podcast for Friday, 20 April 2018. Here are this week’s stories.

The UK’s National Cyber Security Centre (NCSC) has issued a joint Technical Alert with the US Department of Homeland Security (DHS) and the FBI about malicious cyber activity carried out by the Russian government after multiple sources reported that “Russian state-sponsored actors are using compromised routers to conduct spoofing ‘man-in-the-middle’ attacks to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations”.

According to the NCSC, the targets are “primarily government and private-sector organisations, critical infrastructure providers, and the internet service providers (ISPs) supporting [them].”

Ciaran Martin, the NCSC’s CEO, said: “Russia is our most capable hostile adversary in cyberspace so tackling them is a major priority for the National Cyber Security Centre and our U.S. allies. This is the first time that in attributing a cyber attack to Russia the U.S. and the UK have, at the same time, issued joint advice to industry about how to manage the risks from the attack. It marks an important step in our fight back against state-sponsored aggression in cyberspace.”

Network device manufacturers, ISPs, and their owners or operators should refer to the mitigation advice provided in the advisory. Smaller organisations are advised that “simple, quick and low-cost steps” will protect them “from the vast majority of threats”, and should look to the government’s Cyber Essentials scheme for help.

The Royal Borough of Kensington and Chelsea has been fined £120,000 by the Information Commissioner’s Office (ICO) for breaching the Data Protection Act by unlawfully identifying 943 people who owned vacant properties in the borough.

Following the Grenfell Tower tragedy, in which 71 people died when 151 homes were destroyed by fire in June 2017, there were calls for empty properties in the borough to be requisitioned to provide housing for those displaced by the fire.

The council received three Freedom of Information requests from journalists asking for the addresses of empty properties in Kensington and Chelsea, as recorded in a 2015 report. A council employee produced a pivot table that included a list of empty properties and their owners, which it didn’t intend to disclose. They then copied and pasted the information into a new spreadsheet without deleting the underlying personal data and sent it to the applicants by email. Double-clicking on any cell revealed the identities of the properties’ owners.

Three high-profile owners were subsequently named in the press, and the whole spreadsheet was published on a blog for approximately an hour.

The Information Commissioner found that the council “failed to take appropriate organisational measures against the unauthorised processing of personal data in contravention of the seventh data protection principle” of the DPA by failing to provide any or adequate training on the functionality of Excel spreadsheets or guidance on checking spreadsheets before they are disclosed under the Freedom of Information Act.

The £120,000 penalty will be reduced by 20% to £96,000 if it is paid by 10 May.

TaskRabbit – IKEA’s odd jobs marketplace, which helps people find freelancers to perform household tasks – announced on Monday that it was “investigating a cybersecurity incident”.

The TaskRabbit website and apps were taken offline, the site hosting a single page with a set of FAQs and a security update that suggested personal information had been compromised. It advised users: “As an immediate precaution, if you used the same password on other sites or apps as you did for TaskRabbit, we recommend you change those now”.

More information became available on Wednesday. According to a message from TaskRabbit’s CEO Stacy Brown-Philpot, “preliminary evidence shows that an unauthorized user gained access to our systems. As a result, certain personally identifiable information may have been compromised”.

TaskRabbit is believed to have more than one million users, but it’s not known how many have been affected by the incident or what information was compromised. Those who were affected will be notified. In the meantime, users are advised to monitor their accounts for suspicious activity.

The TaskRabbit site and apps are now back online again.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.