This week’s Thursday thoughts is out on Thursday!
News in the month that the UK chip and pin limit went up to £100: the UK is now the “Bank Scam Capital of the world”! It is no longer just a “prince” wanting your help moving his money; bank fraud today is sophisticated, takes place over a number of days, and involves fake websites, fake phone numbers and a number of real-sounding officials.
The latest phone scam this week came from “a Customer Welfare team” wanting to put us on their non-existent priority services register. Don’t fall for it, and warn your vulnerable family members, particularly those who are likely to look for the “help” being offered.
There is some new guidance from the ICO on identifiability too. I often say it is not just the obvious forms of identification that you have to worry about. Sometimes a person can be identified because they are the only one with access to that information!
One to watch will be whether Facebook will change its name or not and whether this will help it move into the metaverse more easily.
Two massive fines this week: a proposed one for Facebook of €28 to €36 million, and one for Sky Italia of €3,296,326. There were also fines for a local municipality whose failures resulted in a successful cyber attack, and for a university over its use of the remote monitoring software “Respondus” during this summer’s exams.
Vlogs and Blogs of the Week
Data Protection Diaries - How to do supplier assurance (and why it’s so important!)
Databasix UK Ltd - Data Rockstars Coffee PODcast on hybrid working
Clare Paterson - How to manage data protection risks when buying software
Britain has apparently become the bank scam capital of the world
Not an accolade most of us would like to see, and certainly a warning to take extreme care with electronic banking and online shopping. In the first half of this year a record £754 million was stolen from UK bank accounts (up 30% from 2020). The UK’s super-fast payments infrastructure, relatively light policing of fraud-related crime, and the fact that it is the home of the world’s most widely used language make it an ideal place for scams to be tested. Frauds are no longer linked to a “prince” who wants your help accessing their money. More recently they involve sophisticated, multi-phased and extremely convincing scenarios. For example, a fake price comparison or shopping site generates email “offers”; an unsuspecting user makes a purchase, is then contacted by their bank’s “fraud department”, and then by an “individual from the FCA”. All of these interactions are fake, and in one case a simple purchase of a discounted electric toothbrush ended with £200,000 being removed from the individual’s accounts over the course of a few weeks.
Latest Phone Scam
This week I’ve had a new scam on the phone. After a raft of fake Hermes messages, this week’s offer is from a “Customer welfare team”, asking could you cope if you had a power cut, and do you want help if the lights go off. Of course there is a link to a URL that will take you to their “priority services register”. Here’s my advice on what to do if you get one:
1. Safely copy the phone number that sent it.
2. Forward the whole message to 7726.
3. When you receive a text asking for the phone number, paste it in and send it back.
4. Block the caller.
5. Delete the message.
The whole process takes about 2 minutes and you are helping the NCSC take down these scams which are targeting the most vulnerable in our community.
So… will Facebook change its name?
There are reports this month that Facebook may be about to “rebrand” which could include changing its name. Any announcement is likely to be made by Mark Zuckerberg at the company's Connect conference on Oct. 28. It is thought the move would be similar to Alphabet (Google’s parent company) and would place Facebook, Instagram, WhatsApp and Oculus, under an umbrella company with a new name. Reports predict that this is a way in which the company can move into “the metaverse” (connecting people online through augmented and virtual reality).
ICO guidance on Identifiability
The term “identifiability” is about whether someone is “identified or identifiable” from the information you have. It isn’t just the obvious things like a name, photo or NI number; it can also be something that distinguishes them from everyone else in the data (for example being the only person of a certain gender or hair colour in an office). The ICO has added a chapter on identifiability to its Anonymisation guidance: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/ico-call-for-views-anonymisation-pseudonymisation-and-privacy-enhancing-technologies-guidance/
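The point that a rare combination of attributes can single a person out even when no name is present can be checked mechanically before data is shared. As an added example (not from the ICO guidance or this post), the Python below uses a constructed five-person office list and reports, for each combination of quasi-identifiers, which records are unique, together with the dataset’s k-anonymity.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records for a small office (not real people). The
# "name" column is kept only so the output can say who is singled out.
STAFF = [
    {"name": "A", "gender": "F", "hair": "brown", "dept": "Finance"},
    {"name": "B", "gender": "M", "hair": "brown", "dept": "Finance"},
    {"name": "C", "gender": "F", "hair": "brown", "dept": "IT"},
    {"name": "D", "gender": "M", "hair": "red",   "dept": "IT"},
    {"name": "E", "gender": "M", "hair": "brown", "dept": "IT"},
]

# Quasi-identifiers: not names, but attributes an observer could match to a person.
QUASI_IDS = ("gender", "hair", "dept")


def singled_out(records, keys):
    """Names of records whose values for `keys` match no other record (k = 1)."""
    def key(r):
        return tuple(r[k] for k in keys)
    counts = Counter(key(r) for r in records)
    return [r["name"] for r in records if counts[key(r)] == 1]


def identifying_subsets(records, quasi_ids):
    """Map each subset of quasi-identifiers that singles someone out to those names.

    Smallest subsets come first, so the first entries are the cheapest ways
    to identify a person from the released fields alone.
    """
    result = {}
    for size in range(1, len(quasi_ids) + 1):
        for subset in combinations(quasi_ids, size):
            hit = singled_out(records, subset)
            if hit:
                result[subset] = hit
    return result


def k_anonymity(records, keys):
    """Smallest group size over all value combinations of `keys` (the dataset's k)."""
    counts = Counter(tuple(r[k] for k in keys) for r in records)
    return min(counts.values())


if __name__ == "__main__":
    for subset, names in identifying_subsets(STAFF, QUASI_IDS).items():
        print(f"{' + '.join(subset)} singles out: {', '.join(names)}")
    print("k over all quasi-identifiers:", k_anonymity(STAFF, QUASI_IDS))
    print("k for gender alone:", k_anonymity(STAFF, ("gender",)))
```

Hair colour alone singles out the one red-haired person, while gender alone does not, which is exactly the “only person of a certain hair colour in an office” case above.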
Changes to UK GDPR
You can comment on the proposed changes to UK GDPR “Data: A new direction” until 11.45pm on 19th November. https://www.gov.uk/government/consultations/data-a-new-direction
Some advice for those who find a phone
Ever wondered how to get a lost phone back to its owner, or how to get the owner of a phone home safely? It could be as simple as getting Siri to “call Mum/Dad”.
Fines
This week there was one massive draft “decision” by the Irish DPA indicating that it proposes to fine Facebook between €28 and €36 million for including details on data processing in its terms of service rather than obtaining consent. Many critics believe that Facebook have used this loophole to avoid complying with the GDPR requirements on consent.
Norway
The Norwegian DPA fined Østre Toten municipality €412,000 following a cyberattack in January 2021 in which data, including backups, were deleted, encrypted and published on the dark web. Approximately 30,000 documents were involved, containing personal information such as ethnic, political, religious, union, sexual and health information and banking data. The fine follows an investigation that highlighted deficiencies in the municipality’s security systems for personal data and the related internal controls (specifically the lack of two-factor authentication and appropriate backup systems).
Italy
The Italian Garante issued two fines this week:
Bocconi University - €200,000 for the use of remote monitoring software “Respondus” to monitor students in exams during the pandemic. The DPA found that students had not been properly informed of how their personal data would be processed, how long the information would be retained, nor that their personal data would be transferred to the United States. Any information that was provided was fragmented and disorganised; there was also an insufficient legal basis, and the processing agreement between the University and Respondus was based on the Privacy Shield even though this had been declared invalid by the Schrems II ruling.
Sky Italia - €3,296,326 for illegal telemarketing calls that were made without adequately informing the users where their details had been obtained from. Sky had also failed to remove any individuals who had objected to being contacted for advertising purposes before making the calls. The DPA considered the violations involved ‘systemic’ conduct by the company despite its knowledge of, and engagement with the authority on, other data protection matters.
Vlogs and Blogs of the Week
Richard Merrygold (Data Protection Diaries) - How to do supplier assurance (and why it’s so important!)
Back after a bit of a break, Richard discusses why, if you are thinking of outsourcing DBS checks, IT, finance or auditing, you need to understand what controls the organisations you engage to do the work have in place, and should check whether they are the same as or complementary to yours. Of course you’ll have a contract in place for what they will be doing, but being compliant with UK GDPR requires you to know more about your suppliers and whether what you think they’re doing is actually what they are doing! Richard shares some top tips on what you should put in a supplier assurance questionnaire and what else you should look at, for example their policies and procedures and their security measures. You may find that some suppliers are a far bigger risk than others, and you may need to go deeper and conduct an audit. You can access this episode of the Data Protection Diaries here: https://www.youtube.com/watch?v=1UNq4TPHiZM.
Databasix UK Ltd - Data Rockstars Coffee PODcast on hybrid working
The rapid move to remote working during COVID led to a number of individuals using their own devices. The move back to the office brings the challenge of hybrid working for organisations. This week’s podcast from the Databasix team discusses the big risks to an organisation’s data with the move to hybrid working, from a technical standpoint. The team and Andre Vaux, Managing Director of claireLOGIC, discuss why getting the right solution in place is important and what to do when you identify other risks. They cover the use of individuals’ own devices, shadow IT, poor practices and “workarounds”, how you can identify which devices connect to your network, and how you can control their security, even mandating password protection on an individual’s own device. Ideas both strategic (backing up Office 365) and practical are discussed, and advice is provided on how a business can manage the risk, particularly through mobile device and mobile application management. You can access the podcast here: https://open.spotify.com/episode/5KsQCPtrs6LHoYk3iRQv4Y
Clare Paterson - How to manage data protection risks when buying software
This is a great blog providing some terrific advice on why it is important to check what is actually in a software contract rather than what the salesperson has told you. Recently Clare revealed that, while reviewing a contract, she found the terms were so bad for the purchaser in the indemnity and warranty sections that she was shocked. The contract in effect said that the supplier took no responsibility for the software being reliable or available, for doing its expected job, or for losing data. Clare’s blog has a checklist to help with those buying decisions, and if all else fails follow her “golden rule of data protection - Take nothing for granted”. You will find the blog here: https://cpdataprotection.com/manage-data-protection-risks-when-buying-software/