This week, we discuss a £200,000 fine for the IICSA, a move to suspend the EU-US Privacy Shield, how much a data breach might cost your organisation, and the sentencing of two National Lottery hackers.
Hello and welcome to the IT Governance podcast for Friday, 20 July. Here are this week’s stories.
The ICO (Information Commissioner’s Office) has fined the IICSA (Independent Inquiry into Child Sexual Abuse) £200,000 for sending a bulk email that identified possible victims of historic sexual abuse – in breach of the Data Protection Act 1998.
On 27 February 2017, an IICSA staff member sent a bulk email to 90 inquiry participants to inform them about a public hearing, rightly entering the participants’ email addresses in the ‘bcc’ field.
They then noticed an error in the email and sent another email to correct it. However, this time they mistakenly put the email addresses in the ‘to’ field, meaning each recipient could see the others’ email addresses.
One recipient then responded, hitting ‘reply all’ instead of ‘reply’, and adding two more email addresses to the ‘to’ field. The IICSA reacted by sending three further emails, asking the recipients to delete the original email and not circulate it any further. One of these emails generated another 39 emails sent to all recipients.
In total, 52 inquiry participants’ full names were revealed, identifying them as possible victims of child sexual abuse.
The IICSA and the ICO received 22 complaints about the breach. One complainant told the ICO he was “very distressed” by what had happened.
The ICO found that the IICSA “failed to provide staff with any (or any adequate) guidance or training on the importance of double checking that the participant’s [sic] email addresses were entered into the ‘bcc’ field”.
The ICO’s director of investigations, Steve Eckersley, said:
“This incident placed vulnerable people at risk, which is concerning. IICSA should and could have done more to ensure this did not happen.
“People’s email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant.”
The IICSA has apologised to the affected individuals and amended its processes for handling personal data.
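The IICSA breach came down to one field: participant addresses belonged in 'bcc' and were typed into 'to'. As an added example (not code from IT Governance or the IICSA), here is how a bulk-notice sender can build messages so that participant addresses only ever go into 'bcc', and how an outgoing-mail check can block a message whose visible headers expose more than one external address. The log-free check uses only the standard library; the addresses, the inquiry domain and the one-visible-external-recipient threshold are constructed assumptions.

```python
"""Guard against the 'to' instead of 'bcc' slip in bulk notices.

Two controls: build_bulk_notice() composes a message that can only carry
participants in Bcc, and exposure_check() audits any message before it
leaves, so a hand-built reply or correction is caught as well.
Added example; addresses and domain below are constructed."""
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption: a single visible external address is ordinary one-to-one
# correspondence; two or more means participants are being shown to each other.
MAX_VISIBLE_EXTERNAL = 1


def build_bulk_notice(sender, participants, subject, body):
    """Compose a notice whose participants appear only in Bcc.
    'To' carries the sender's own address so mail clients have a display
    value, and no participant address is visible to any other recipient."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(participants)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_faulty_notice(sender, participants, subject, body):
    """The mistake described in the story: participants placed in 'To'.
    Kept only so the audit check below has something to reject."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(participants)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Every address each recipient will be able to see (To and Cc headers)."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def exposure_check(msg, own_domain):
    """Return visible addresses that are outside own_domain.
    An empty list means nothing external is disclosed."""
    suffix = "@" + own_domain.lower()
    return [a for a in visible_recipients(msg) if not a.endswith(suffix)]


def safe_to_send(msg, own_domain):
    """Gate for the outbound mail path: True only when the number of
    visible external addresses is within MAX_VISIBLE_EXTERNAL."""
    return len(exposure_check(msg, own_domain)) <= MAX_VISIBLE_EXTERNAL


if __name__ == "__main__":
    # Constructed participants and inquiry domain.
    people = ["alice@example.org", "bob@example.net", "carol@example.com"]
    good = build_bulk_notice("notices@inquiry.example", people, "Hearing", "Details follow.")
    bad = build_faulty_notice("notices@inquiry.example", people, "Correction", "Details follow.")
    print("bulk notice safe:", safe_to_send(good, "inquiry.example"))
    print("faulty notice exposes:", exposure_check(bad, "inquiry.example"))
```

Putting exposure_check() in the sending path rather than relying on staff remembering to double-check is the control the ICO found missing: the correction email and every 'reply all' that followed would have been held for review before leaving.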
The European Parliament has called on the EU Commission to suspend the EU-US Privacy Shield – the framework for transfers of personal data from the EU to the US that was introduced in 2016 after the collapse of the Safe Harbor agreement.
The chair and rapporteur of the European Parliament’s Civil Liberties Committee, Claude Moraes, said:
“the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. Progress has been made to improve on the Safe Harbor agreement but this is insufficient to ensure the legal certainty required for the transfer of personal data.
“In the wake of data breaches like the Facebook and Cambridge Analytica scandal, it is more important than ever to protect our fundamental right to data protection and to ensure consumer trust. The law is clear and, as set out in the GDPR, if the agreement is not adequate, and if the US authorities fail to comply with its terms, then it must be suspended until they do.”
The Parliament’s resolution has been backed by the Council of Bars and Law Societies of Europe, whose membership includes the bars and law societies of 45 countries from the European Union, the European Economic Area and wider Europe. It says the Privacy Shield should be suspended and only reimplemented “on the condition that the necessary guarantees and safeguards, which are currently lacking, have been implemented”.
IBM and Ponemon Institute have released the 2018 edition of their annual Cost of a Data Breach Study. According to this year’s report, which is based on “interviews with more than 2,200 IT, data protection, and compliance professionals from 477 companies that have experienced a data breach over the past 12 months”, the average total cost of a data breach is US$3.66 million – a year-on-year increase of 6.4%.
As ever, the faster breaches can be identified and contained, the lower the cost to the breached organisation: the study found that it took a mean of 197 days to identify data breaches and 69 days to contain them. Companies that contained a breach in less than 30 days saved more than $1 million compared with those that took longer.
Strong incident response management significantly reduced costs too: companies with incident response teams saw their costs reduced by as much as $14 per compromised record.
Finally, two men have been sentenced at Birmingham Crown Court to a total of 12 months’ imprisonment for subjecting the National Lottery’s website to a brute-force attack in which they used an online application to make thousands of login attempts.
Daniel Thompson, 27, from Newcastle and 21-year-old Idris Kayode Akinwunmi of Birmingham were jailed for eight months and four months respectively.
According to the Birmingham Mail, Camelot “identified thousands of unique IP addresses attempting to access National Lottery customer accounts” between 16 and 28 November 2016. Investigators from the National Crime Agency “established that the IP addresses were linked to Thompson and Akinwunmi who used the online application to force into Camelot’s web domain.”
In an interview, Thompson said he did it because he likes “to see how things work”. Akinwunmi told officers: “I was just being silly and naïve really… It was just a naïve act to make a little bit of cash.”
So, I bet you’re wondering exactly how much cash he managed to get his hands on… £13.
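The detail that matters for defenders in this story is that Camelot spotted the attack by the number of unique IP addresses hitting customer accounts, not by any single address misbehaving. As an added example (not Camelot's or IT Governance's code), the script below runs two detection rules over a constructed authentication log: a classic per-IP failure threshold, which a campaign spread thinly across many addresses never trips, and a sliding-window rule that counts distinct failing IPs and total failures together, which does. The log format, IP ranges, user names and thresholds are all assumptions.

```python
"""Spot a login campaign spread across many source IPs.

Per-IP lockout rules miss an attack where each address makes only a few
attempts; counting distinct failing IPs inside a time window catches it.
Added example; the log lines are constructed, not real Camelot data."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO time> LOGIN <FAIL|OK> user=<name> ip=<addr>"
LINE_RE = re.compile(r"^(\S+) LOGIN (FAIL|OK) user=(\S+) ip=(\S+)$")


def build_sample_log():
    """Twelve addresses (documentation range 203.0.113.0/24), two failed
    attempts each, plus one genuine login and one unrelated line."""
    base = datetime(2016, 11, 16, 10, 0, 0)
    lines = ["2016-11-16T09:59:00 CRON started"]  # non-login noise, ignored
    for i in range(1, 13):
        t = base + timedelta(seconds=20 * i)
        for delta in (0, 5):
            stamp = (t + timedelta(seconds=delta)).isoformat()
            lines.append(f"{stamp} LOGIN FAIL user=player{i} ip=203.0.113.{i}")
    lines.append(f"{(base + timedelta(seconds=90)).isoformat()} LOGIN OK user=regular ip=192.0.2.10")
    return lines


def parse(lines):
    """Return (timestamp, result, user, ip) tuples; skip non-login lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, ip = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, ip))
    return events


def per_ip_failures(events, window, threshold):
    """Classic rule: flag an IP with at least `threshold` failures in `window`."""
    by_ip = defaultdict(list)
    for ts, result, _, ip in events:
        if result == "FAIL":
            by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def distributed_campaign(events, window, min_ips, min_failures):
    """Campaign rule: inside a sliding `window`, fire when failures come
    from at least `min_ips` distinct addresses and total `min_failures`.
    Returns (window_start, distinct_ips, failures) for each position that fires."""
    fails = sorted((ts, ip) for ts, result, _, ip in events if result == "FAIL")
    ip_count = Counter()
    alerts = []
    start = 0
    for end, (ts, ip) in enumerate(fails):
        ip_count[ip] += 1
        while ts - fails[start][0] > window:  # slide the window forward
            old_ip = fails[start][1]
            ip_count[old_ip] -= 1
            if ip_count[old_ip] == 0:
                del ip_count[old_ip]
            start += 1
        total = end - start + 1
        if len(ip_count) >= min_ips and total >= min_failures:
            alerts.append((fails[start][0], len(ip_count), total))
    return alerts


if __name__ == "__main__":
    evs = parse(build_sample_log())
    ten_min = timedelta(minutes=10)
    print("per-IP rule flags:", per_ip_failures(evs, ten_min, 5))
    print("campaign rule alerts:", distributed_campaign(evs, ten_min, 10, 20))
```

With the constructed log, the per-IP rule (five failures per address) flags nothing, because no address fails more than twice; the campaign rule fires once ten distinct addresses have produced twenty failures, which is the shape of the attack Camelot reported.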
Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.