More than 300 Spar convenience stores have been affected by a significant cyber-attack on the company’s IT systems. Many of these stores have been forced to close until the true extent of the damage can be assessed. Any stores that have managed to stay open are operating on a cash-only basis, due to the damage the attack caused to Spar’s till systems.

What caused Spar’s cyber attack?

The exact details of how Spar’s systems were compromised are yet to be disclosed. However, it has already been confirmed that the company fell victim to a ransomware attack. This usually indicates that there has been a successful phishing attack, or that someone on the network has downloaded a malicious file.

How does a Ransomware attack work?

Ransomware is a form of malware, and the key to its objective lies in the prefix ‘ransom’. Ransomware infects an organisation’s IT infrastructure in much the same way as most malware, e.g., through targeted phishing attacks or malicious downloads, and its purpose is to hold the owner to ransom. Users – and indeed entire organisations – are locked out of their systems and told to pay a ransom (usually in hard-to-trace cryptocurrency) in return for unlocking the device.

Once the ransomware has gained access to an organisation’s system, it works to either encrypt the entire system or target individual files, depending on the type of ransomware and the cybercriminal’s intent. Once the files are encrypted, the owner is locked out of their system until they either pay the fee or recover the data by other means. The standard advice is not to pay the ransom, since there is no guarantee the attacker will return access to your system.
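The ‘many files rewritten quickly with unreadable content’ behaviour described above is what file-activity monitoring looks for. The following is an added example (not code from the original article) of a simple heuristic detector: it replays constructed file-write events and flags a process that rewrites many distinct files inside a short window with high-entropy (random-looking) content. The process names, paths, thresholds and events are all constructed for illustration.

```python
"""Added example, not from the original article: a heuristic detector for the
'mass file encryption' behaviour of crypto ransomware. It replays constructed
file write events and flags a process that rewrites many distinct files within
a short window with random-looking (high-entropy) content. Process names,
paths, thresholds and events are all constructed for illustration."""
import hashlib
import math
from collections import Counter, defaultdict
from dataclasses import dataclass

# Thresholds are assumptions for this example, not taken from any product.
WINDOW_SECONDS = 10          # sliding window over a process's write events
MIN_FILES_IN_WINDOW = 20     # distinct files rewritten inside the window
ENTROPY_THRESHOLD = 7.0      # bits/byte; plain documents sit around 4-5, ciphertext near 8
HIGH_ENTROPY_FRACTION = 0.8  # share of writes in the window that must look encrypted


@dataclass
class FileEvent:
    ts: float        # seconds since some epoch
    process: str     # image name of the writing process
    path: str        # file that was written
    content: bytes   # bytes written (a prefix is enough in practice)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte distribution in `data` (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def detect_mass_encryption(events):
    """Return one alert per process whose writes match the ransomware pattern.

    Already-compressed formats (zip, jpeg, docx) also have high entropy, which
    is why entropy is combined with the rate of distinct files touched rather
    than used on its own."""
    alerts = []
    by_process = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_process[ev.process].append(ev)

    for process, evs in by_process.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start so it spans at most WINDOW_SECONDS
            while evs[end].ts - evs[start].ts > WINDOW_SECONDS:
                start += 1
            window = evs[start:end + 1]
            distinct = {e.path for e in window}
            if len(distinct) < MIN_FILES_IN_WINDOW:
                continue
            high = sum(1 for e in window if shannon_entropy(e.content) >= ENTROPY_THRESHOLD)
            if high / len(window) >= HIGH_ENTROPY_FRACTION:
                alerts.append({
                    "process": process,
                    "files": len(distinct),
                    "window_start": evs[start].ts,
                    "window_end": evs[end].ts,
                })
                break  # one alert per process is enough for this example
    return alerts


def sample_events():
    """Constructed telemetry: a word processor saving a few text files, then a
    hypothetical 'encryptor.exe' rewriting 25 files with random-looking bytes."""
    events = []
    text = b"Quarterly report: sales up 3% on the previous period. " * 40
    for i, ts in enumerate((0.0, 5.0, 30.0)):
        events.append(FileEvent(ts, "winword.exe", f"share/docs/report{i}.docx", text))
    for i in range(25):
        # deterministic stand-in for ciphertext: 4096 bytes of SHA-256 output
        blob = b"".join(hashlib.sha256(f"{i}:{j}".encode()).digest() for j in range(128))
        events.append(FileEvent(100.0 + i * 0.2, "encryptor.exe",
                                f"share/docs/report{i}.docx.locked", blob))
    return events


if __name__ == "__main__":
    for alert in detect_mass_encryption(sample_events()):
        print(alert)
```

Run as-is and the word processor’s three saves are ignored while the constructed encryptor trips the alert on its twentieth file. In a real deployment the events would come from an EDR or file-server audit log, and the thresholds would be tuned against the organisation’s normal backup and compression jobs, which are the usual sources of false positives.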


What types of Ransomware are there?

The type of threat posed by ransomware depends entirely on the type of ransomware used to infect an IT system. The two main categories of ransomware, covered below, are:

  1. Crypto ransomware
  2. Locker ransomware

Within these categories sit the specific ransomware strains used, for example Bad Rabbit and the aptly named WannaCry.

Crypto Ransomware – what is it?

It is a type of malicious programme that encrypts files on a device, such as a phone or laptop, with the goal of extorting money from the owner.

There are 2 ways in which crypto ransomware is usually delivered:

  1. Files and links sent via email, instant messaging services or other digital communication channels.
  2. Downloaded onto a device using fake alerts and threats while utilising exploit kits and trojan downloaders.

Email, instant messaging, and digital communications

Emails and messages containing links to, or attachments of, what appear to be documents are sent to the target recipients. However, these are not documents but executable programmes that, once run, activate the crypto ransomware.

These malicious files can look like Word, Excel, ZIP folders, or any other popular email attachment. The email itself does not trigger the infection but opening/downloading the attachments or links does.
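A mail gateway or analyst can check for exactly the disguise described above: a file whose name says ‘document’ but whose content says ‘executable’. The following is an added example, not code from the original article, of such a triage check: it compares an attachment’s declared extension with its leading bytes, flags double extensions such as `invoice.pdf.exe`, and lists executable members inside ZIP-based attachments. The filenames, contents and the small signature table are constructed for illustration.

```python
"""Added example, not from the original article: a triage check for
'document that is really an executable' email attachments. It compares a
file's declared extension with its leading bytes, flags double extensions,
and lists executable members inside ZIP-based attachments. Filenames,
contents and the signature table are constructed for illustration."""
import io
import zipfile

# Leading-byte signatures for the few formats this example recognises.
SIGNATURES = [
    (b"MZ", "pe-executable"),          # Windows EXE/DLL/SCR
    (b"\x7fELF", "elf-executable"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),            # also docx/xlsx/pptx/jar
    (b"\xd0\xcf\x11\xe0", "ole"),      # legacy doc/xls/ppt
]
EXPECTED_EXTENSIONS = {
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "ole": {"doc", "xls", "ppt", "msg"},
}
EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr", "com", "pif", "msi", "bat", "cmd",
                         "js", "jse", "vbs", "vbe", "wsf", "hta", "ps1"}
DOCUMENT_LIKE = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}


def sniff(data: bytes) -> str:
    """Identify the content type from the first bytes, ignoring the filename."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> list:
    """Return a list of finding strings; an empty list means nothing suspicious."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    # e.g. invoice.pdf.exe: the visible 'pdf' hides the real 'exe'
    if len(parts) > 2 and parts[-2] in DOCUMENT_LIKE:
        findings.append("double-extension")
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append("executable-extension")

    kind = sniff(data)
    if kind.endswith("-executable") and ext not in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable-content-disguised-as-{ext or 'no-extension'}")
    elif kind in EXPECTED_EXTENSIONS and ext not in EXPECTED_EXTENSIONS[kind]:
        findings.append(f"content-type-mismatch:{kind}-named-.{ext}")

    if kind == "zip":
        # docx/xlsx are ZIPs too, so look inside for executable members
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    member_ext = name.lower().rsplit(".", 1)[-1]
                    if member_ext in EXECUTABLE_EXTENSIONS:
                        findings.append(f"archive-contains-executable:{name}")
        except zipfile.BadZipFile:
            findings.append("unreadable-archive")
    return findings


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP (constructed test data standing in for a real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # constructed DOS/PE header stub, not a real program
    samples = {
        "Invoice.docx": fake_pe,
        "photo.jpg.exe": fake_pe,
        "report.docx": make_zip({"word/document.xml": b"<w:document/>"}),
        "scan.zip": make_zip({"scan.pdf.exe": fake_pe}),
        "brochure.pdf": b"%PDF-1.7\n",
    }
    for name, data in samples.items():
        print(name, "->", triage_attachment(name, data) or "clean")
```

The check is deliberately based on content rather than on the name the sender chose, because the filename is entirely under the attacker’s control. It is a first filter, not a verdict: a genuine document can still carry a malicious macro, so a clean result here only means the attachment is at least the type it claims to be.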


Exploit Kits and Trojan Downloaders

Exploit kits can be thought of as digital toolboxes that cyber criminals plant on websites. They automatically probe each website visitor for a vulnerability in their security defences. If a vulnerability is found, the exploit kit automatically downloads and runs the crypto ransomware on the device.

Locker ransomware – what is it?

Locker ransomware is less dangerous, but only if you know how to deal with it. It strikes when an individual visits a compromised website, and it usually only affects a single device.

A pop-up screen then appears, pretending to be from a well-known brand such as Apple, Microsoft, Norton etc., telling the user their system has a virus. It tells the user not to shut the device down and provides a telephone number to call for support. If the user tries to close the pop-up, it returns immediately, locking the user out of the device.

If a user falls for the pop-up and calls the service number, a cyber criminal posing as a service technician establishes a remote connection to the device and asks for payment to fix the issue. They may also load other software onto the device, as well as try to sell anti-virus software to the user.

In some circumstances users that are not tech savvy may not realise they are being defrauded.

The solution is simple…

The solution is as simple as shutting down the device as soon as you get hit by locker ransomware. Do not make the phone call, and do not pay any fees. Simply shut the device down and reboot it.

How to detect ransomware

The first step to protecting your IT systems is to ensure adequate preventative methods are put in place.

Prevention is made up of two components: a watchful eye and market-leading security software.

How to build a watchful eye

While most businesses understand the need to be alert to the dangers of cyberattacks, some do not invest in the most basic of defences – knowledge. There is no better preventative measure than ensuring all staff across an organisation understand the types of cyber threats they may be exposed to, how to recognise each of these threats, and what their role is to combat them.


Businesses should have an annually refreshed, mandatory cyber security training programme to ensure employees understand the basics of how to spot and combat cybercrime. This is not only helpful to an organisation’s cyber safety, but it can be applied at home by employees too.

There needs to be a culture of compliance created within the working environment to help develop a watchful eye in every employee within the organisation.

We offer a comprehensive range of Cyber Security and Information Security courses to help your business defend itself against cyber criminals.

Common Ransomware methods once a system infection has started

Once a system has been infected by a download or link click there are some tell-tale signs that individuals should look out for.

  1. Illegal content claims:
    Cybercriminals pose as law enforcement or a regulatory body. They will claim to have found illegal content on the infected computer and will ask for a penalty fee to be paid.
  2. Unlicensed applications:
    Much like the above, the cybercriminal will ask for a fee to be paid due to an unlicensed programme.

Unfortunately, most of the time, once a system is infected, a cybercriminal will be less subtle about ransoming an IT system than in the above examples. Much like in Spar’s case, business systems are shut down by the attacker with no warning. It is critical to use a comprehensive security software package, as well as training staff to be a business’s first line of defence against cyber-attacks.

The General Data Protection Regulation (GDPR) has been around long enough for us all to understand its basic data protection principles. While the regulation itself may not be new to businesses anymore, there are still new businesses, processes and situations appearing every day across the world. These new businesses, processes and situations must still comply with GDPR.

This blog looks at the 7 key principles of GDPR, what they are and what businesses are expected to do to comply with them, and how to ensure GDPR compliance in 2022.

What are the 7 Key Principles of GDPR?

There are 7 principles of the General Data Protection Regulation which all businesses should be aware of. By creating a culture of compliance around these principles, organisations can rest assured they are well on their way to GDPR compliance.


Setting the scene

To practically demonstrate how the 7 key principles of GDPR can affect business practices, we will follow a newly created company, NeltaDet, as they begin their journey to be GDPR compliant. NeltaDet is building a mailing list to receive a monthly compliance newsletter. They aim to capture website visitors’ details through their online newsletter sign up form or an opt-in tick box on their product enquiry form.

Lawful, fair and transparent

The first GDPR principle consists of 3 components:

1. Lawful – this refers to the gathering of people’s data. There must be a lawful basis for you to process personal data. There are 6 bases deemed lawful; these are:

  1. Consent
  2. Contract
  3. Legal Obligation
  4. Vital Interests
  5. Public task
  6. Legitimate interest

More information on these can be found here.

2. Fair – this refers to the scope of personal data processing. This should be limited to what is expected by the person whose personal data is being processed.

3. Transparent – when dealing with an individual’s personal data, GDPR guidelines require you to communicate clearly and simply about how that person’s personal data is intended to be used.

For NeltaDet, using a voluntary form and tick box for website visitors to sign up with would be classed as lawful consent. Transparency is achieved by informing the visitor about the compliance newsletter and how their data will be handled, pointing them towards NeltaDet’s privacy policy. When processing the data, NeltaDet would have to be careful to ensure they only used the data fairly; for example, it would be a breach of GDPR to use this data to send Health and Safety training emails.


Purpose Limitation

Purpose limitation ensures that businesses only process data for its original purpose. Personal data should not be used for purposes it wasn’t originally intended for – if it is used for another purpose, then the individual and the business responsible could be fined or have criminal charges pursued.

NeltaDet’s newsletter signup process automatically stores the IP address of the individual on sign up. At the time, this was so NeltaDet could keep a record of how and when it gained consent to send the newsletter to this individual. However, someone in the marketing team now wants to repurpose this personal data and use it to send out geographically targeted email campaigns based on subscribers’ IP addresses. This breaches GDPR and could result in a fine and/or criminal charges against individuals and the business. Information should only be used for the purposes originally stated when collecting the data.

Data Minimisation

When collecting customer information, it can be tempting to collect as much data as possible to maximise the information you hold on your customer database. However, the GDPR principle of data minimisation requires businesses to collect only the information they need. Long gone are the days of long sign up forms and endless questions. GDPR ensures that the collection of personal data is minimised to what is needed, not what is wanted.

For NeltaDet’s compliance newsletter sign up form they should only be asking for two pieces of information – the individual’s name and email address. This is the only information required to send their newsletter and no other information should be requested.


Accuracy

Any businesses data should – at the very minimum – be accurate regardless of GDPR. However, under GDPR guidelines, personal data should be maintained and kept up to date. The data controller and/or data processor should take reasonable measures to ensure personal data remains up to date.

The ICO states that where a business uses its own sources to compile personal data, it should ensure that the information is accurate. However, sometimes you may not be able to check the accuracy of information that comes from a third party. In this case, you should:

  • accurately record the information provided;
  • accurately record the source of the information;
  • take reasonable steps in the circumstances to ensure the accuracy of the information;
  • and carefully consider any challenges to the accuracy of the information.

Regarding NeltaDet’s situation, they should ensure that their data controller/processor regularly cleans their data and ensures it is accurate. It would also be good practice to give all subscribers a preferences portal where they can manually edit their own personal data and unsubscribe if they want to, helping to ease the workload for NeltaDet and improve the quality of their data.

Storage limitations

Under GDPR, businesses should not store data for longer than they need it. They should also be able to justify why any data is stored. It is good practice to develop a data retention policy that stipulates how long personal data will stay on file – this helps to satisfy GDPR documentation requirements.

Much like the principle of data accuracy, businesses should review the personal data they hold regularly. Any data that is no longer needed should be erased regularly so that storage limitation guidelines are met and business data is kept clean.

Individuals also have the ‘right to erasure’ which allows them to request their data gets deleted. However, there are scenarios where businesses can still store personal data even if an individual has submitted an erasure request. To better understand the right to erasure, check out our Right to Erasure online training course.

For NeltaDet’s compliance newsletter, storage limitations are straightforward. The individual provided consent to use their data to receive newsletters, and NeltaDet has implemented a preferences management portal to help subscribers keep their data accurate. When an individual unsubscribes from the compliance mailing list, their data must be deleted from the system if they are not subscribed to anything else and are not a customer. This is because the only purpose for holding their data was to provide them with the compliance newsletter. Once they unsubscribe, NeltaDet no longer has a reason to store this data.

However, if the individual unsubscribing from the compliance newsletter is an existing customer with active subscriptions to NeltaDet’s other newsletters, then NeltaDet can continue holding their data on the system, without sending the compliance newsletter to them.

Integrity and confidentiality

GDPR’s integrity and confidentiality principle derives from two sides of the CIA triad. This principle ensures any business dealing with personal data has appropriate security measures in place to protect it from both internal and external threats.

Integrity – refers to protecting personal data from manipulation, ensuring information stays correct.

Confidentiality – refers to protecting personal data from unauthorised access, ensuring cyber criminals and other unauthorised people cannot access a business’ stored data and keeping it confidential.

NeltaDet needs to ensure it has proper systems in place to ensure its data is secure. Deploying a password-protected system like a CRM is a great place to start, but this is just a basic level to protect the personal data a company holds. Discover our range of data protection courses here.

Accountability

This is the final principle of GDPR, and it is concerned with taking accountability for GDPR compliance in a business. Accountability should involve more than just tick-box exercises. It requires organisations to take responsibility for their actions, and how they comply with the other GDPR principles. Organisations must demonstrate that they have appropriate measures and records in place to highlight their accountability.

Looking at NeltaDet’s compliance newsletter, NeltaDet must record the lawful basis (the consent given by the individual), as well as documenting how it initially proposed to handle this data. It must then ensure it complies with the rest of the GDPR principles, documenting its compliance procedures and any potential risks or breaches of GDPR.

How to ensure GDPR compliance in 2022

Training. High quality, comprehensive training for all staff is the only way to ensure GDPR compliance in 2022. GDPR is a vast landscape that affects every person and every department within an organisation. High quality, thorough and regular training is essential to ensure GDPR compliance. Non-compliance can be significantly financially and reputationally damaging. Employees can also face potential personal liability in a court of law. Every individual in a business should understand their role to play in assuring GDPR compliance.

eLearning has evolved, and 2022 is looking to be the real post-Covid test businesses will face. Production is due to rise and employees are reluctant to return to the workplace full-time, bringing a new set of challenges. Traditional in-house training and compliance procedures no longer work, and a switch to digital training has already begun. Organisations must ensure they switch to online GDPR training or face potential compliance issues in the future. An organisation’s GDPR compliance is only as good as its weakest link.

We provide a comprehensive collection of online data protection courses which your business can use on our Astute eLearning platform (optional). Our courses are CPD accredited and have been developed alongside GDPR and Data Protection experts to ensure their content is accurate and engaging. By using our Astute platform you can easily identify and close any skills or knowledge gaps, learn on the go with a tablet or smartphone with our cloud-based support, easily report on GDPR training to assist GDPR compliance, and much more.


GDPR Compliance – what’s going wrong?

Three years on from the biggest shake-up to modern day data regulation, you would be forgiven for thinking businesses ‘get it’ when it comes to GDPR. Unfortunately, over 2020-2021 Google (twice…), Amazon, H&M, British Airways and Marriott, among others, have all faced fines that add up to an eye-watering £100+ million.

Some of these fines come from data breaches and insecure cyber security practices, while in the case of BBVA’s five million euro fine, it was due to a lack of clarity in their privacy policy and their improper use of customer data preferences.

Three years from the launch of GDPR, American Express (Amex) has been fined for spamming its customers with over 4 million emails by the UK data protection regulator, ICO.

Listen to customer preferences.

It seems that Amex forgot one of life’s basic principles – ‘there is more to listening than not talking’. They gave their customers an accessible preference sheet and allowed them to choose what communications they would receive. However, they decided to keep talking to their customers, sending over 4 million marketing emails to customers who had chosen not to receive marketing communications. Amex argued that these emails were about ‘servicing’ and were not marketing emails. The ICO disagreed after receiving complaints from numerous customers, and fined Amex £90,000.

While this is a contender for the most expensive email marketing campaign ever, it is also a perfect representation of why business-wide understanding of GDPR is so important to an organisation’s overarching operations and reputation.

GDPR lessons:

There are many lessons to be learnt from Amex’s mishandling of customer data. The first being that it is vital to allow your customers to manage their data preferences. It creates a positive experience for the customer and removes the human error factor in data preference handling.

Secondly, have strictly defined preference parameters for all communication. Amex had the foundations in place for good data handling procedures: customer-led preference management, and well-categorised preferences that everyone in the business could understand.

Thirdly, educate your workforce. Amex’s downfall sits somewhere in between their workforce not understanding the difference between servicing communications and marketing communications, and decisions being made to use personal data in a way that it wasn’t supposed to be.

Achieve GDPR best practice with our Online Data Protection Courses

The single best way to guard against breaches of data protection is to educate your workforce. If all employees understand the basics of GDPR, and how they can help their organisation stay compliant, the risk of fines by governing bodies and the subsequent reputational damage is minimised.

We provide expert GDPR e-learning courses to help businesses stay ahead of the GDPR curve. Click here to discover how we can help with your GDPR and other data protection needs.