Weekly podcast: Telemarketing, NHS botnet, charity DPA breaches and goodbye LeakedSource!

This week, we discuss a Florida telemarketing company leaking hundreds of thousands of sensitive files, Google apparently mistaking the NHS network for a botnet, 11 charities breaching the Data Protection Act, and the demise of LeakedSource.

Hello and welcome to the IT Governance podcast for Friday, 3 February 2017. Here are this week’s stories.

First, data storage. VICI Marketing LLC – a Florida-based telemarketing company – has leaked hundreds of thousands of sensitive files online, including more than 17,500 audio recordings in which “customers give their names, addresses, phone number, credit card numbers, CV numbers and more,” according to researchers at MacKeeper Security Research Center. Each call provides more than enough information for criminals to “commit a wide range of crimes”, and some don’t even warn customers that the call is being recorded or stored, in direct contravention of 11 state laws. In 2009, the company paid $350,000 to settle a complaint by the Florida Attorney General’s Office that it had obtained stolen customer information. Under the terms of the settlement, VICI is “permanently prohibited from acquiring or using data without due diligence, using data of unlawful or questionable origin, accessing and using data for consumer telemarketing without background due diligence, and unlawful telemarketing.” If the terms of the injunction are violated, VICI could face a $1 million civil penalty.

Next, botnets. The Register reports that “Google is blocking access to the entire NHS network”, having mistaken it for a botnet. (Botnets, as you know, are large networks of compromised Internet-connected devices that are engineered by cyber criminals to work together, usually to send spam or carry out DDoS attacks.)

An email from an NHS trust’s IT department stated:

“Google is intermittently blocking access due to the amount of traffic from NHS Trusts Nationally (This is not being blocked by the IT Department).

“This is causing Google to think it is suffering from a cyber-attack.

“We are advising staff to use an alternative search engine i.e. Bing to bypass this problem.

“If you have ‘Chrome’ on your desktop the page will display correctly but if you ‘should’ get a CAPTCHA pop up, please follow the instructions to continue.”

It is, I suppose, plausible that a large volume of traffic could make Google think it was under attack and defend itself by blocking the offending source, but Google denies this. According to the Telegraph, a Google spokesperson said: “There are many reasons why users might see a CAPTCHA window when they do a Google search. Our systems are simply checking that searches are being carried out by humans and not by robots in order to keep web users safe. Once a user has filled out the CAPTCHA, they can continue to use Google as normal.”

Data protection now: the Information Commissioner’s Office has informed 11 charities that it will fine them for breaching the Data Protection Act. The charities – which haven’t been named – were investigated “as part of a wider operation sparked by reports in the media about repeated and significant pressure on supporters to contribute.” The charities have 28 days to respond to the ICO’s findings before a decision is made about enforcement action.

Last December, the ICO fined the RSPCA and the British Heart Foundation after they were found to have “secretly screened millions of their donors so they could target them for more money”. The new Notices of Intent are unconnected to that investigation.

The ICO can issue data controllers with fines of up to £500,000 for breaches of the DPA. Under the General Data Protection Regulation, however, fines for non-compliance are up to €20 million or 4% of annual global turnover – whichever is greater. The GDPR applies to all organisations that process EU residents’ personal data, will be adopted in the UK irrespective of Brexit, and will be enforced from 25 May 2018. See itgovernance.co.uk/gdpr for more information.

And finally… LeakedSource, the service that allowed users to look up account details that had been collected from data breaches, has disappeared – apparently as the result of a police raid. All of its social media accounts have gone too. According to a forum post cited by several news sources, “Leakedsource is down forever and won’t be coming back. Owner raided early this morning. Wasn’t arrested, but all SSD’s got taken, and Leakedsource servers got subpoena’d and placed under federal investigation.” The service has long been controversial, especially after it added data from last year’s mega breaches to its database. However, a Wired article last December quoted a LeakedSource spokesperson as protesting LeakedSource’s probity, saying: “Over two billion of ‘our’ records are literally a Google search away. Go ahead and Google ‘download myspace database’ and it’ll be in the top five results, for example. All we do is combine it in one easy to use location.”

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

And don’t forget that IT Governance’s February book of the month is The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour. Drawing on the experience of industry experts and academic research, this book considers information security both from end users’ and from security professionals’ perspectives, providing valuable insight into security issues relating to human behaviour, and explaining how a security culture that puts risk into context promotes compliance. Save 10% if you order by the end of the month.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.