• PPP Management

Thursday Thoughts - 22nd April 2021

This week’s Thursday Thoughts comes at the end of a week of interesting webinars. On Monday the Altrincham and Sale Chamber Of Commerce Patron & local MP Sir Graham Brady joined us on Zoom for questions on vaccines, lockdown, recovery and furlough payments. Tuesday started bright and early with an awesome laughter Yoga session by Sara Kay and then today was Kirsty James’ Club 90 where we networked and listened to the inspirational Alex Stainforth.

In this week’s blog a warning about “free” templates on the internet, an update on the effects of the ransomware attack on schools in Gloucestershire and a warning that using someone’s name can be a breach of GDPR. Details of the investigation into Facebook’s processes, a case in the high court against TikTok and a warning about CCTV and Video Doorbells and of course the latest “tech” news and updates that I think you should be aware of. So much choice of blogs this week but I finally settled on these two.


Blogs and Videos of the Week

  • Kirsty James - 12 networking mistakes

  • The DPO Centre - Is ISO 27001 a silver bullet for GDPR compliance?

Watch Out When Downloading A Free Template

There are reports this week that the internet is being flooded with “free” templates from cybercriminals that install a Remote Access Trojan (RAT). You should be exceptionally careful if you are searching for free forms such as invoices, templates, questionnaires, and receipts. As when you try to download the document templates you could be redirected to a malicious website that hosts malware. Once the trojan is on the victim's computer and activated it can be used to upload more malware (ransomware, a credential stealer, a banking trojan) or just be used as a stepping stone into your network.


Update On The Ransomware Attack In South Gloucestershire

So many organisations seem to be aware that cyber criminals are out there but decline to put suitable mechanisms in place to combat their activities. It is not just your organisation that could be affected. The ransomware attack in South Gloucestershire is a timely and easily understandable illustration of the resulting chaos that follows a ransomware attack:

• 24 Schools were affected (that’s approximately 24000 students affected)

• 16 servers had to be rebuilt

• More than 1,000 devices had to be rebuilt

• Server folders containing years of topic lesson and intervention plans were lost

• Online registers, payment assessments, coursework, children’s reports, teacher appraisals were inaccessible for a month

• “Live lessons” had to be cancelled

• Teachers started the term without laptops, whiteboards and other key resources

• Parents’ evenings had to be postponed (because the MIS system that has their tracking and reports on it couldn’t be accessed)

• The video lessons prepared for the last 12 months of remote learning were lost

• Teachers were unable to use the technology they’ve spent the last year fully integrating into their teaching.


The only plus was that resources that were kept in the Cloud were unaffected. According to recent statements from the council “no ransom has been paid and from the information received from the police and CSET they believe that no personal data has been impacted”. Given that the functionality returned to schools included access to management information I am not sure that I’d agree with that assessment.


Using Someone’s Name In Advertising Without Their Knowledge Breaches GDPR

This week I saw that an "Agency" was offering the current Information Commissioner as a speaker for events. But on further investigation while you get Ms Denham’s profile details (which are freely available in the public domain) you also see in the small print a note that "each speaker on the website may not have necessarily worked with [us] in the past but are known to perform such engagements within the industry." It makes you question if she is indeed a “speaker for hire”. If she is not just because the data is in the public domain, doesn't mean it's OK to exploit it. The company should be careful because use of someone’s data in this way would in no way class as fair processing. In fact using her data without transparency or a lawful basis and not informing her that you were doing so would be a clear breach of UK GDPR. That any organisation would do this to the person charged with ensuring the rules are complied with beggars belief!


Inquiry Into Facebook Data Breach

The Irish data protection authority has launched an inquiry into the 2019 Facebook data breach which affected approx. 533 million users. As a result of the answers from Facebook to questions about the breach, the DPC has stated that "one or more of the provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook users' personal data."


Tik Tok Taken To The High Court For Misusing Children's Data

A claim being brought in the high court on behalf of ALL children (in the UK and EU) who have used TikTok since GDPR came in to force. The former children’s commissioner for England (Anne Longfield) alleges that it illegally collects the personal information of its child users. Ofcom revealed last year that 42% of UK eight to 12-year-olds used TikTok (the minimum age for social media platforms is 13). Longfield says “We’re not trying to say that it’s not fun. Families like it. It’s been something that’s been really important over lockdown”. Her point is that the price that individuals have to pay (allowing their personal information to be collected en masse, and passed on to others without their knowledge) shouldn’t be there. The concern is the excessive nature of the data collection and the types of information they’re collecting which is inappropriate. Do we really need this sort of video app to provide exact location or face recognition and then not be clear about who the data will be shared with.


“Ring” Style Doorbells Count as CCTV

Many people use CCTV as a deterrent in the fight against crime and are also installing video doorbells such as the “ring” one but may not have considered that this too could be classed as CCTV. With increased concern about individual’s rights around excessive monitoring many are unclear on just where they stand. It’s not a breach of the law for people to have CCTV but they need to respect the data protection rights of those whose images they capture and abide by the law.

In essence the need to comply with Data Protection Law will depend on what the camera can see. If it captures images of people outside the boundary of a private domestic property (such as the road, neighbours’ homes or gardens or shared spaces) then it needs to comply with the law. This means CCTV signs need to be put up and you need to register it with the ICO. Otherwise make sure cameras only cover the user’s private property and don’t capture images beyond your boundaries.


News


Rules similar to GDPR proposed for AI

The EU is discussing proposals to introducing new rules to restrict the use of AI. There is potential for any fines for violations to be the same as those for GDPR (a maximum of 4% of global revenue). This is to prevent AI being used for mass surveillance, ranking social behaviour or manipulating human behaviour. Something to watch particularly if you plan to use AI in your business.


NHS Covid app update

There is potential that the NHS Covid app update may be banned from the Apple and Google App stores because it violates privacy rules to decentralise date. This is because it planned to add functionality that asked users who tested positive for permission to upload their venue history to a centralised database, thus contravening Apple and Google's rules of use.


FIN7 threat actor Sentenced to 10 years in prison

A Ukrainian national who was part of a team that compromised tens of millions of debit and credit cards in the US the UK, Australia, and France has been sentenced to 10 years in prison in the US. The FIN7 organization had more than 70 people (hackers, malware developers and malicious email writers) and the defendant was a manager of their activities. The organisation targeted banks, as well as the restaurant, gaming, and hospitality industries with spear-phishing emails which contained decoy documents that enabled them to steal customer payment card data, which was then used or sold on.


EU/UK Adequacy Decision A Step Closer

The much waited for adequacy decision moved a step closer last week with news that the European Data Protection Board (EDPB) has adopted two opinions on the draft UK adequacy decisions (published back in Feb 21). In essence this is them recommending the decision is accepted – the next hurdle will be getting agreement from the leaders of the member states. As the EDPB has said the UK regime is in "strong alignment" with the EU one but the UK exception for immigration data; onward transfers; and the powers of national security services remain areas of concern.


Updates


SonicWall

Sonic Wall has designed, tested and published patches to correct three critical security vulnerabilities in its hosted and on-premises email security (ES). If you have had a message from them don’t delay with updating your software.


One-click vulnerabilities discovered on popular software Apps

If you use apps like Telegram, Nextcloud, VLC, LibreOffice, OpenOffice, Bitcoin/Dogecoin Wallets, Wireshark, and Mumble you should download the latest patch. There is “nasty code” that can pass onto the user’s desktop when a URL in the affected app points to a specially-crafted link containing a piece of attack code.


Blogs and Videos of the Week


Kirsty James - 12 networking mistakes

Kirsty latest blog is a timely reminder of the common networking mistakes and gives some ideas of alternative ways to approach it. As we all look to embrace our new normal and the hybrid situation over the next few months there are some super nuggets in there for us to think about. Key take away - not all networking events and groups are the same and not everyone is looking for the same thing as you from it. But most importantly it is about the quality of your interactions with others and mutual respect (whether this is in business or in your personal life. You can read her blog here: https://www.colonynetworking.co.uk/business-news/%e2%9d%8c-dont-be-fooled-by-these-12-networking-mistakes/


The DPO Centre - Is ISO 27001 a silver bullet for GDPR compliance?

This really helpful blog from the DPO Centre is a great start for those who want to understand the differences between the GDPR and ISO 27001. Security is just one (important though it may be) element of GDPR so in essence the message is “GDPR is about more than just security, whereas ISO 27001 starts and ends with just that”. Other matters such as international transfers, consent and having a lawful bases for processing are equally important. But the most significant distinction between the two is that ISO 27001 is voluntary but compliance with GDPR is compulsory and can attract significant penalties for non-compliance. You can read the blog here: https://www.dpocentre.com/blog/


2 views0 comments

Recent Posts

See All