PPP Management

Thursday Thoughts - 28 October 2021



This week is scam central. Did you think it was just you? In the same month that the UK contactless limit went up to £100 comes news that the UK is the “bank scam capital of the world”. It is no longer just a “prince” wanting your help to move his money: bank fraud is now sophisticated, takes place over a number of days and involves fake websites, fake phone numbers and a cast of real-sounding officials.

The latest scam this week came by text from “a Customer Welfare team” wanting to put us on their non-existent priority services register. Don’t fall for it, and warn your vulnerable family members, particularly those who are likely to look for the “help” being offered.

There is some new guidance from the ICO on identifiability too. I often say that it is not just the obvious identifiers you have to worry about: sometimes a person can be identified simply because they are the only one a piece of information could be about, or the only one who had access to it.

One to watch will be whether Facebook will change its name or not and whether this will help it move into the metaverse more easily.

Two big fines this week: a proposed one for Facebook of €28 to €36 million, and one for Sky Italia of €3,296,326. There were also fines for a Norwegian municipality whose security failings led to a successful cyber attack, and for a university for its use of the remote monitoring software “Respondus” during this summer’s exams.


Vlogs and Blogs of the Week


Data Protection Diaries - How to do supplier assurance (and why it’s so important!)


Databasix UK Ltd - Data Rockstars Coffee PODcast on hybrid working


Clare Paterson - How to manage data protection risks when buying software


Scam calls - it’s not just you, there are more of them


Scam calls and texts are affecting tens of millions of people in the UK (45 million, to be precise). A survey by Ofcom in the summer showed that the over-75s are the age group most likely to receive suspicious calls on their landline (around 60% of them had), while the 16-34 age group is targeted most by text message. The survey also found that 80% of those targeted did not know how to report a suspicious call or text, so here are the details:

Suspicious text messages - forward the message to 7726

Scam call - report it to Action Fraud.

Suspicious email - forward it to the Suspicious Email Reporting Service (SERS) report@phishing.gov.uk.

You will also find advice and guidance on the NCSC website if you think you have become a victim of a scam (for example because you have responded to a scam message or given access to your computer). You will find it here: https://www.ncsc.gov.uk/guidance/suspicious-email-actions


US survey highlights impact of ransomware attacks


Nearly two-thirds (64%) of organisations said they had been victims of ransomware attacks in the past 12 months, according to a new report which also found 4 in 5 victims (83%) felt they had no choice but to pay the ransom.


The survey, carried out by cyber security company ThycoticCentrify, features insights from 300 US-based IT decision makers.


It found that half of respondents said they had experienced loss of revenue and reputational damage following a ransomware attack, with 42% indicating they had lost customers.


Ransomware is a growing problem globally and the most immediate threat that UK businesses face.


The NCSC has published guidance to help organisations mitigate the threat from malware and ransomware attacks, offering steps to help prevent infection and actions to take if already infected.


As a first step, we recommend organisations make offline backups of their most important data, so that encrypted or deleted files can be restored without paying the attacker. The backups must be genuinely offline or otherwise isolated: if the attacker can reach them from the compromised network, they will be encrypted or deleted along with everything else.

Latest Phone Scam

This week I’ve had a new scam on the phone. After a raft of fake Hermes messages, this week’s offer is from a “Customer welfare team”, asking whether you could cope if you had a power cut and whether you want help if the lights go off. Of course there is a link to a URL that will take you to their “priority services register”. Here’s my advice on what to do if you get one:

Safely copy the phone number the message came from (without tapping the link)

Forward the whole message to 7726

When you receive a reply text asking for the sender’s phone number, paste that number in and send it back

Block the caller

Delete the message


The whole process takes about two minutes, and you are helping to get these scams, which target the most vulnerable in our community, taken down.


So…. will Facebook change its name?


There are reports this month that Facebook may be about to “rebrand”, which could include changing its name. Any announcement is likely to be made by Mark Zuckerberg at the company’s Connect conference on 28 October. It is thought the move would be similar to Alphabet (Google’s parent company) and would place Facebook, Instagram, WhatsApp and Oculus under an umbrella company with a new name. Reports predict that this is a way for the company to move into “the metaverse” (connecting people online through augmented and virtual reality).


ICO guidance on Identifiability


“Identifiability” is about whether someone is “identified or identifiable” from the information you hold. It isn’t just the obvious things like a name, photo or NI number; it can also be any detail that distinguishes them from everyone else in the set (for example, the only person of a certain gender or hair colour in an office). The ICO has added a chapter on identifiability to its draft anonymisation guidance: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/ico-call-for-views-anonymisation-pseudonymisation-and-privacy-enhancing-technologies-guidance/
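The “only person with that hair colour in the office” point is easy to check mechanically. The example below is added here to illustrate it and is not from the ICO guidance or from the original post: it takes a constructed, hypothetical staff register with the names already removed and measures how many people share each combination of the remaining attributes (the quasi-identifiers). Any combination shared by only one record singles that person out, so the dataset is not anonymous, however “pseudonymised” it looks. The attribute names, record IDs and values are all assumptions made for the example.

```python
from collections import Counter
from itertools import combinations

# Constructed sample data for the example (not real people, not from the post):
# a staff register with names and contact details already stripped out.
RECORDS = [
    {"id": "S01", "dept": "Finance", "gender": "F", "hair": "brown", "role": "analyst"},
    {"id": "S02", "dept": "Finance", "gender": "F", "hair": "brown", "role": "analyst"},
    {"id": "S03", "dept": "Finance", "gender": "M", "hair": "brown", "role": "analyst"},
    {"id": "S04", "dept": "Finance", "gender": "F", "hair": "red", "role": "manager"},
    {"id": "S05", "dept": "IT", "gender": "M", "hair": "black", "role": "engineer"},
    {"id": "S06", "dept": "IT", "gender": "M", "hair": "black", "role": "engineer"},
]

# Attributes that are not identifiers on their own but can be combined to
# pick someone out (the "quasi-identifiers").
QUASI_IDENTIFIERS = ("dept", "gender", "hair", "role")


def equivalence_classes(records, attrs):
    """Count how many records share each combination of the given attributes."""
    return Counter(tuple(r[a] for a in attrs) for r in records)


def k_anonymity(records, attrs):
    """Size of the smallest equivalence class.

    k == 1 means at least one person is the only one with their combination
    of attributes and is therefore identifiable from the data.
    """
    classes = equivalence_classes(records, attrs)
    return min(classes.values()) if classes else 0


def singled_out(records, attrs):
    """IDs of the records that are unique on the given attributes."""
    classes = equivalence_classes(records, attrs)
    return sorted(r["id"] for r in records if classes[tuple(r[a] for a in attrs)] == 1)


def smallest_singling_subset(records, rec_id, attrs):
    """Smallest subset of attrs that singles out the record with id rec_id.

    Tries every subset in increasing size and returns the first one on which
    the record is unique, or None if the record is never unique (it always has
    at least one 'twin' in the data).
    """
    for size in range(1, len(attrs) + 1):
        for subset in combinations(attrs, size):
            if rec_id in singled_out(records, subset):
                return subset
    return None


if __name__ == "__main__":
    print("k-anonymity over all quasi-identifiers:", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    for rec in RECORDS:
        subset = smallest_singling_subset(RECORDS, rec["id"], QUASI_IDENTIFIERS)
        status = f"identifiable via {subset}" if subset else "has a twin, not singled out"
        print(rec["id"], status)
```

Running it shows that S04 is identifiable from hair colour alone (the only redhead), S03 from department plus gender (the only man in Finance), while S05 and S06 are indistinguishable from each other and so are not singled out. The practical use is to run this kind of check over the columns you intend to release before deciding the data is anonymous, and to generalise or suppress the attributes that bring k down to 1.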


Changes to UK GDPR


You can comment on the proposed changes to UK GDPR “Data: A new direction” until 11.45pm on 19th November. https://www.gov.uk/government/consultations/data-a-new-direction


Some advice for those who find a phone


Ever wondered how to get a found phone back to its owner, or get the owner of a phone home safely? It could be as simple as asking Siri to “call Mum” or “call Dad” from the lock screen (which only works where the owner has left Siri enabled on the lock screen).


Fines


This week there was one massive draft “decision” by the Irish DPA, which proposes to fine Facebook between €28 and €36 million for relying on the data-processing terms in its terms of service rather than obtaining consent. Many critics believe Facebook has used this loophole to avoid complying with the GDPR requirements on consent.


Norway


The Norwegian DPA fined Østre Toten municipality €412,000 following a cyber attack in January 2021 in which data, including the backups, was deleted, encrypted and published on the dark web. Approximately 30,000 documents were involved, containing personal information such as ethnic, political, religious, union, sexual and health information and banking data. The fine follows an investigation that highlighted deficiencies in the municipality’s security systems for personal data and the related internal controls, specifically the lack of two-factor authentication and of appropriate backup systems. Backups that an attacker can reach from the compromised network are no backups at all; they need to be offline or otherwise isolated.


Italy


The Italian Garante issued two fines this week:

  • Bocconi University - €200,000 for the use of the remote monitoring software “Respondus” to monitor students in exams during the pandemic. The DPA found that students had not been properly informed of how their personal data would be processed, how long the information would be retained, or that their personal data would be transferred to the United States. What information was provided was fragmented and disorganised, there was an insufficient legal basis, and the processing agreement between the University and Respondus relied on the Privacy Shield even though this had been declared invalid by the Schrems II ruling.


  • Sky Italia - €3,296,326 for unlawful telemarketing calls made without adequately informing the users where their details had been obtained from. Sky had also failed to remove individuals who had objected to being contacted for advertising purposes before making the calls. The DPA considered the violations to be ‘systemic’ conduct by the company, despite its knowledge of and engagement with the authority on other data protection matters.


Vlogs and Blogs of the Week


Richard Merrygold (Data Protection Diaries) - How to do supplier assurance (and why it’s so important!)


Back after a bit of a break, Richard discusses why, if you are thinking of outsourcing DBS checks, IT, finance or auditing, you need to understand what controls the organisations you engage have in place, and check whether they are the same as or complementary to yours. Of course you’ll have a contract in place for what they will be doing, but being compliant with UK GDPR requires you to know more about your suppliers and whether what you think they’re doing is actually what they are doing! Richard shares some top tips on what you should put in a supplier assurance questionnaire and what else you should look at, for example their policies and procedures and their security measures. You may find that some suppliers are a far bigger risk than others, and for those you may need to go deeper and conduct an audit. You can access this episode of the Data Protection Diaries here: https://www.youtube.com/watch?v=1UNq4TPHiZM.


Databasix UK Ltd - Data Rockstars Coffee PODcast on hybrid working


The rapid move to remote working during COVID led to a number of individuals using their own devices, and the move back to the office brings the challenge of hybrid working for organisations. This week’s podcast from the Databasix team discusses the big risks to an organisation’s data from the move to hybrid working from a technical standpoint. The team and Andre Vaux, Managing Director of claireLOGIC, discuss why getting the right solution in place is important and what to do when you identify other risks. They cover the use of individuals’ own devices, shadow IT, poor practices and “workarounds”, how you can identify which devices connect to your network, and how you can control their security, even mandating password protection on an individual’s own device. Ideas both strategic (backing up Office 365) and practical are discussed, and advice is provided on how a business can manage the risk, particularly through mobile device and mobile application management. You can access the podcast here: https://open.spotify.com/episode/5KsQCPtrs6LHoYk3iRQv4Y


Clare Paterson - How to manage data protection risks when buying software


This is a great blog providing some terrific advice on why it is important to check what is actually in a software contract rather than what the salesperson has told you. Recently Clare revealed that, while reviewing a contract, she found the terms in the indemnity and warranty sections were so bad for the purchaser that she was shocked. The contract in effect said that the supplier took no responsibility for the software being reliable or available, for doing its expected job, or for losing data. Clare’s blog has a checklist to help with those buying decisions and, if all else fails, follow her “golden rule of data protection - take nothing for granted”. You will find the blog here: https://cpdataprotection.com/manage-data-protection-risks-when-buying-software/

