Weekly podcast: UK rail cyber attacks, hotel malware, Datadog breach and your questions answered

This week, we discuss a series of major cyber attacks on the UK rail network, a malware attack at Omni Hotels & Resorts affecting 50,000 cards and a data breach at SaaS platform Datadog, and answer a listener question about the new EU-US Privacy Shield


Hello and welcome to the IT Governance podcast for Friday, 15th July. Here are this week’s stories.

The UK rail network suffered at least four major cyber attacks in the last year according to Darktrace – the company that defends most of it. Dave Palmer, the chief technology officer of Darktrace, told the Telegraph: “In an era of imperfect defences and increasingly complex networks, determined threats can always get in. Today, all businesses can be affected, regardless of size or sector.”

It’s not known who was behind the attacks, but Sky News notes that the security breaches appear to have been “exploratory rather than disruptive”. Security researcher Sergey Gordeychik from Kaspersky Lab commented: “Hackers can get access not only to simple things like online information boards or in-train entertainment, but also to computer systems which manage trains by itself, which manage signals, manage points, and in this case, if they have enough knowledge, then they can create real disaster related to train safety.”

A spokesman for Network Rail – which isn’t a Darktrace customer – said: “Britain has the safest major railway in Europe… safety is our top priority, which is why we work closely with government, the security services, our partners and suppliers in the rail industry and security specialists to combat cyber threats.”

Dallas, Texas-based Omni Hotels & Resorts has been hit by a malware attack on its point-of-sales systems, affecting more than 50,000 credit and debit cards at 49 locations. Detected on May 30, 2016, the malware is believed to have been in operation between December 23, 2015 and June 14, 2016. Card numbers, cardholder names, security codes and expiration dates were all exposed. Customers were not notified of the data breach until the issue was resolved.

Omni Hotels & Resorts said in a statement: “Upon learning of the intrusion, we promptly engaged leading IT investigation and security firms approved by the major credit card companies to determine the facts and contain the intrusion. The issue has been resolved, and we have taken steps to further strengthen our systems. We have contacted law enforcement and are cooperating with its investigation.”

Software-as-a-Service platform Datadog – whose customers include big players like Facebook, Spotify and Netflix – has suffered a data breach affecting multiple production infrastructure servers. It’s handled the incident pretty well, though. Even though it stores passwords using bcrypt with a unique salt – making it very difficult indeed for criminals to access them – it has invalidated all stored passwords as a precaution and advised admins to immediately revoke or rotate any credentials used in their accounts. In a security notice about the incident, Chief Security Officer Andrew Becherer lists the two emails sent to users, and includes a link that customers can use to reset their passwords direct. Known vulnerabilities have been mitigated and forensics experts are investigating. Organisations that run Datadog agents on their servers have not been affected by the incident.

Now, a couple of weeks ago, Madeupname III (no relation) asked about the EU’s new data agreement with the US and how it would affect US companies. The Safe Harbor arrangement’s replacement – the EU-US Privacy Shield – was formally adopted by the European Commission earlier this week. The Privacy Shield imposes stronger obligations on US companies that process Europeans’ personal data than Safe Harbor did, including tighter conditions for onward transfers. US companies that process European data need to register to be on the Privacy Shield list and self-certify that they meet the requirements each year. The US Department of Commerce will monitor and actively verify that companies’ privacy policies are in line with the Privacy Shield’s principles, and companies will have to display their privacy policy on their website. If there is a complaint, companies will have to reply to individuals within 45 days, and must cooperate and comply with European data protection authorities if handling human resources data. You can find more information on the European Commission fact sheet ‘EU-US Privacy Shield: Frequently Asked Questions’.

Well, that’s it for this week. Don’t forget to comment below, telling us a bit about yourself and what you’d like more information on. And until next time, remember that you can keep up to date with the latest information security news on our blog. And whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.