Weekly podcast: swiftQueue, Neymar and FTSE 350 cyber governance

This week, we discuss an data breach at an NHS contractor, the hacking of FC Barcelona’s Twitter account, and a new government report on cyber security awareness.

Hello and welcome to the IT Governance podcast for Friday, 25 August 2017. Here are this week’s stories.

According to an exclusive report in The Sun, a member of the Anonymous hacking collective claims to have stolen 1.2 million patients’ data from swiftQueue, a private contractor whose Cloud-based appointment booking system is used by eight NHS trusts to manage patient appointments with GPs, hospitals and clinics.

An Anonymous source told The Sun they’d accessed swiftQueue’s database, containing 11 million records, including passwords, by exploiting unpatched vulnerabilities in the company’s software that should have been addressed “several years ago”, but swiftQueue says an initial investigation suggests that 32,501 “lines of administrative data” – including “patients’ personal details, such as names, dates of birth, phone numbers and email addresses” – were actually compromised, not 11 million.

The source told The Sun: “The public has the right to know how big companies like SwiftQueue handle sensitive data. They can’t even protect patient details.”

The Metropolitan Police is investigating, and the NHS and swiftQueue are notifying affected patients.

The government recently granted the NHS £21 million to improve its cyber resilience following the WannaCry ransomware attack, and is working with health care organisations to assess whether assurance frameworks, such as the government’s Cyber Essentials scheme and ISO 27001, meet their cyber security needs, and through the Information Governance Toolkit to implement them.

If you’re an NHS supplier and need more information about the Cyber Essentials scheme, ISO 27001 and the IG Toolkit, visit our website.

We don’t normally cover football news – for good reason – but FC Barcelona fans were surprised to read on the club’s Twitter account that it had signed Angel Di Maria from Paris Saint-Germain on Tuesday, shortly after Barça announced plans to sue Neymar for €8.5 million for an alleged breach of contract following his move to PSG earlier this month.

On Wednesday morning, the Catalan club confirmed that its account had been attacked, tweeting: “Our accounts have been hacked tonight. We’re working to solve the problem as soon as possible. Thanks for your patience.”

A Saudi Arabian group calling itself OurMine – which has apparently also “hacked the Facebook account of CNN, and Twitter accounts of Netflix, Marvel and Facebook CEO Mark Zuckerberg among many others” – claimed responsibility, according to Goal.com.

Finally, the government released its FTSE 350 Cyber Governance Health Check 2017 report this week – its latest annual assessment of the cyber security awareness and preparedness of the UK’s largest 350 firms.

According to the report, a whopping 68% of company directors haven’t received any training to deal with cyber incidents – a surprising figure given that 54% of boards consider cyber risk a top priority and 57% of boards claim to have a clear understanding of the potential impacts resulting from a loss of or disruption to key information or data assets.

Other findings include the fact that only 31% of boards receive comprehensive and informative management information on cyber risk, and just 6% of boards say their business is completely prepared to meet the requirements of the General Data Protection Regulation (GDPR).

True, the law doesn’t come into effect until next May, and 71% of respondents said they were “somewhat prepared” to meet the GDPR’s requirements, showing themselves to be at least on the way to compliance, but this level of cyber maturity among FTSE 350 firms shows that board-level awareness of cyber security risks still has a long way to go.

When asked which GDPR requirements were causing businesses the greatest concern in terms of meeting compliance, the largest proportion of respondents expressed concern about data subjects’ right to have their personal data deleted and the Regulation’s consent requirements, which are much tougher than those of the Data Protection Act 1998. (A very quick word of advice from me: if you’re concerned about data subjects consenting – and withdrawing their consent – remember that consent is only one of six lawful bases for processing personal data under the GDPR. Have a look at Article 6 of the Regulation and the ICO’s guidance on lawful processing – one of the others might be more suitable.)

As the digital minister, Matt Hancock, commented: cyber maturity “needs to improve at a faster rate to ensure we can stay ahead of future cyber security challenges. […] Furthermore, as we approach the deadline to introduce […] the General Data Protection Regulation, businesses should continue to prepare themselves for the responsibilities that come with these new requirements.”

For more on the GDPR – and how to meet its requirements – head over to our GDPR resource page.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.