Thursday Thoughts - 7th April 2022
This week’s Thursday thoughts. Building on last time’s blog on the most commonly used passwords, I’ve got some tips for choosing your 3 random words. Mailchimp users, and those who receive Mailchimp newsletters, will want to know that the company suffered a data breach which has seen a spate of “phishing opt-in” emails generated from customers’ accounts using genuine templates (all because a member of Mailchimp’s staff clicked a link).
The 2022 Cyber Security Breaches Survey results have been released. They show that phishing attempts, such as the one Mailchimp suffered, are by far the most common form of attack (83%); however, the number of ransomware attacks has doubled in the last 12 months. I’ve included my top takeaways from the survey results in this week’s blog, and because 39% of businesses report that they have identified a cyber attack in the last 12 months I’ve included a link to the NCSC guidance on how to protect yourself from the impact of a data breach and the ICO cyber guidance for small businesses and charities.
Last week I saw 2 examples of companies using shredding bags on the same day - one good and one bad - and I thought I’d share the details. There was also an interesting article about Airbnb using algorithms to ban users from the site which caught my eye. Of course I also include the latest warnings about software vulnerabilities and data protection fines. Sadly no blogs of the week this week - not that there haven’t been any, but because I haven’t had time to read them yet due to family commitments.
Passwords - Choosing those 3 random words
We are encouraged to use THREE RANDOM WORDS, but I am often asked for examples of words to choose … so here are some ideas! It could be the colours of 3 files on your shelf, the equipment on your desk or the trees in the garden, with numbers instead of letters (like 3=E or 0=O). But whatever you do, don’t use “Blink182”, “qwerty” or “123456”, as they are super common and at the top of any hacker’s list. With a little thought you will come up with something that means something to you, is easy to remember and difficult to hack.
MailChimp’s data breach could impact us all
Last Sunday MailChimp revealed that it had suffered a data breach in which customer accounts were compromised, and that these accounts were now being used to launch phishing attacks on people on their clients’ mailing lists. The breach (a result of a targeted social engineering attack on MailChimp employees) led to staff credentials being used to access and export mailing lists from 319 MailChimp client accounts. One of the biggest companies to be compromised was cryptocurrency wallet company Trezor. The result of this was that one of their “opt-in” newsletters was altered and sent out to their mailing list claiming that Trezor had experienced a security incident and providing a link for users to click on to reset their password. The link took users to a fake site which transferred their currency out of their wallet. News of other companies being affected is likely to follow.
If you use MailChimp in your business then, as a priority, enable two-factor authentication to secure your account.
If you receive a MailChimp email that you are not expecting, even if it is from a company you know and trust, DO NOT click on the link until you have checked that it is genuine.
Headlines from the 2022 Cyber security breaches Survey
The results of the UK 2022 Cyber Security Breaches Survey have been released and these are the highlights:
39% of businesses report they suffered a cyber-attack (the same as 2021)
Phishing was the most common attack (83% of attacks)
The average cost of a cyber-attack to the business was £4,200
50% of businesses have an insurance policy that covers cyber attacks
19% of businesses have a formal incident response plan
Ransomware attacks in the UK double
Since 2020 the number of ransomware attacks reported in the UK has more than doubled. The number of incidents reported to the ICO increased to 654 in 2021, with education, finance and insurance the most commonly targeted sectors. The NCSC guidance on ransomware attacks and how to mitigate them is a useful place to start. Any organisation that is worried about ransomware attacks and considering cyber insurance should look at the NCSC guidance on cyber insurance.
How to protect yourself from the impact of data breach
Many of us hear about the risk of data breaches in our business lives. What if you are the victim of such a breach? What does a data breach look like from the data subject’s point of view? How would it affect YOU or your family, and are there things you should look out for afterwards? It is extremely important to set up 2 Factor Authentication on all your accounts. Link to guidance on the NCSC website: https://www.ncsc.gov.uk/guidance/data-breaches
Cyber guidance for small businesses and charities
If you think that cyberattacks only happen to large corporations then you should think again. Small businesses, groups and charities are equally vulnerable and should take steps to protect their IT systems, too. The ICO has 2 blogs giving guidance for small businesses: “Data protection when it’s just you: top three tips for sole traders” and “11 practical ways to keep your IT systems safe and secure”. The top tips centre around knowing what data you have, telling people you have it and keeping it safe. Things you should be thinking about:
Back up data
Be vigilant if you work remotely
Be wary of suspicious emails
Don’t keep data for longer than you need it
Don’t leave paperwork or laptops unattended
Keep on top of who has access to what
Lock your screen
Make sure the Wi-Fi is secure
Use anti-virus protection
Use malware protection
Use strong passwords (3 random words)
When you no longer need it dispose of old IT equipment and records securely. For those wanting more information on asset management there is a helpful guide on the NCSC website: https://www.ncsc.gov.uk/guidance/asset-management
A word on the use of shredding bags
Last week I saw 2 examples of companies using shredding bags on the same day - one good and one bad. Looking at the bad first. While out for my morning walk through the local village at about 0730 on a Tuesday morning, I walked past a pile of shredding bags on the pavement outside the office of a professional services company. The bags were piled up against the building and none that I could see were sealed. The one that was most visible clearly had receipts and other such paperwork in it and could easily have been knocked over or the paperwork inside removed. The second company took a somewhat different approach. The bag awaiting collection was stapled shut and stored inside the building until the shredding company arrived. What this told me was that the second company understood the potential impact of losing the data in the bags and had taken reasonable steps to keep it safe. What it told me about the first was that if they take so little care of physical copies of data then they are a potential data breach waiting to happen!
Can algorithms test your trustworthiness?
Many are becoming increasingly concerned at the use of algorithms to make decisions about “real people”. The latest example of this comes from reports in Australia alleging that Airbnb is using an algorithm to assess the trustworthiness of users. The algorithm assesses data that is in the public domain (i.e. the social media profiles of the individual and their friends, their job, education level and any other online data it can find) to decide whether someone is “trustworthy”. Personality and behavioural traits are combined with details of any civil litigation or other behaviour, and the data is combined to give a “score” on which the decision is made. This decision can result in users being blocked or even banned from the platform. People who have been banned from the platform report that their account is suspended with no explanation. You can read more here: https://www.choice.com.au/consumers-and-data/data-collection-and-use/how-your-data-is-used/articles/airbnb-banning-users
Java Spring Framework vulnerabilities
There are 2 new “remote code execution vulnerabilities” affecting the Java Spring Framework. The affected software is Spring Framework 5.3.0 to 5.3.17, 5.2.0 to 5.2.19 and older, and Spring Cloud Function versions 3.1.6, 3.2.2 and older. The NCSC recommends that affected users follow best practice advice and in this case install the latest versions as soon as practicable. More information can be found at: https://tanzu.vmware.com/security/cve-2022-22965 and https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
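As an added example (not code from NCSC, VMware or the Spring project), here is a small Python check that parses dependency versions and flags any Spring Framework or Spring Cloud Function artifact inside the affected ranges listed above. The Maven-style dependency lines are constructed sample data, and treating “and older” as every version at or below the stated bound is an assumption.

```python
import re

# Affected ranges as the post states them (inclusive bounds). "and older" is modelled as
# "anything at or below the upper bound": older, unsupported lines are affected too.
AFFECTED = {
    "spring-framework": [((5, 3, 0), (5, 3, 17)), ((0, 0, 0), (5, 2, 19))],
    "spring-cloud-function": [((3, 2, 0), (3, 2, 2)), ((0, 0, 0), (3, 1, 6))],
}
# group:artifact:type:version:scope, the 5-field form printed by `mvn dependency:list`
DEP_RE = re.compile(r"([\w.-]+):([\w.-]+):[\w-]+:([\w.-]+):\w+")

def parse_version(text):
    """Turn '5.3.17' or '5.2.19.RELEASE' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(product, version):
    """True if the version lies inside one of the affected ranges for the product."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED[product])

def product_for(group, artifact):
    """Map Maven coordinates to one of the two products, or None if unrelated."""
    if group == "org.springframework":
        return "spring-framework"
    if group == "org.springframework.cloud" and artifact.startswith("spring-cloud-function"):
        return "spring-cloud-function"
    return None

def scan_dependency_list(lines):
    """Return (group:artifact, version) for every listed dependency in an affected range."""
    hits = []
    for line in lines:
        m = DEP_RE.search(line)
        if not m:
            continue
        group, artifact, version = m.groups()
        product = product_for(group, artifact)
        if product and is_affected(product, version):
            hits.append((f"{group}:{artifact}", version))
    return hits

# Constructed sample in the style of `mvn dependency:list` output (not from a real build).
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    org.springframework:spring-webmvc:jar:5.3.17:compile
[INFO]    org.springframework:spring-core:jar:5.2.20.RELEASE:compile
[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:3.1.6:compile
[INFO]    org.springframework.cloud:spring-cloud-starter-config:jar:3.1.1:compile
""".splitlines()
```

Running `scan_dependency_list(SAMPLE_DEPENDENCY_LIST)` reports the two artifacts that need upgrading (spring-webmvc 5.3.17 and spring-cloud-function-context 3.1.6); the fixed 5.2.20 core and the unrelated starter are left alone.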
Data Protection Fines
We are only 7 days into the month and already Data Protection Authorities across Europe have issued 7 fines.
The Belgian DPA issued 3 fines in relation to the use of thermal imaging cameras to filter out people with body temperatures above 38 degrees. Those filtered out were then asked to answer questions about possible coronavirus symptoms.
Ambuce Rescue Team were fined €20,000 for providing the questionnaires, as there was no valid legal basis for processing this health data.
Brussels Airport Charleroi were fined €100,000 and Brussels Airport Zaventem were fined €200,000 for processing health data without a valid legal reason, deficiencies in the associated data protection impact assessment and failing to inform the data subjects about the processing.
The Danish DPA fined Danske Bank €1.3 million after it was informed that the bank had a problem with the deletion of personal data. The bank had failed to document the rules for deletion and storage of personal data in more than 400 systems and was therefore unable to prove that such rules existed.
The Irish DPA fined the Bank of Ireland €463,000 after the bank reported 22 data breaches as a result of inadequate technical and organizational measures. The bank also failed to inform the data subjects and the DPA about the data breach in a timely manner.
The Romanian DPA fined a property owners' association €500 for failing to provide information requested by the DPA during an investigation.
The Dutch DPA fined the Dutch Foreign Ministry €565,000 because of significant security deficiencies in the National Visa Information System (NVIS) and for failing to inform individuals who applied for visas that their personal information would be shared with other parties. The affected data included fingerprints, name, address, place of residence, country of birth, purpose of travel and nationality. Even though the Foreign Ministry had been aware of the flaws in the system for some time they did not adjust the security measures in time. The Ministry was found to have acted with gross negligence.