Cybercrime is a widespread phenomenon across the world. It can affect firms and organisations of any size, in any industry or sector. Through carefully coordinated attacks, cybercriminals target vulnerabilities in technology or trick poorly trained staff into making mistakes; both approaches put businesses at risk.

This holds for the legal sector too. The National Cyber Security Centre’s Legal Threat Report found that 60% of law firms in the UK reported experiencing an attack in 2017, up from 42% in 2013. Cybersecurity concerns amongst legal sector firms are therefore significant and steadily rising.

Cyberattacks on Legal Firms

Recent research by Crowe UK into the cybersecurity risks impacting the top 200 UK law firms indicates that most of the firms surveyed have ‘significant unaddressed cyber risks’.

Legal firms tend to be an easy target due to the money and sensitive client data they hold. According to the Risk Outlook 2018/19 report by Solicitors Regulation Authority (SRA), the amount of money law firms are losing to cybercrime is on the rise – with £9.4 million of client money lost in 2016, increasing to £10.7 million in 2017.

With financial loss and reputational damage at risk, it is more important than ever for legal firms to consider and prepare for the threat of cyberattacks.

Key Areas of Concern

Based on the reported cybercrimes and scams, some of the key areas of concern that have been identified are:

Email fraud

The Risk Outlook report identifies email modification fraud as the most common type of cybercrime against legal sector firms. 91% of the firms surveyed by Crowe UK have had their web domain ‘spoofed’, that is, used as the apparent sender of fraudulent emails designed to obtain confidential information such as passwords and personal details. Spoofed mail exposes employees and clients to phishing, malware and ransomware. A firm can reduce the risk by publishing SPF, DKIM and DMARC records for its domain, so that receiving mail servers can reject messages that claim to come from the firm but were not sent by it.
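One check a firm can run against its own domain is whether its SPF and DMARC records actually instruct receiving servers to reject spoofed mail, or merely to tag or ignore it. The following Python example is added here and is not part of the original article or any Crowe or SRA material; it evaluates constructed DNS TXT records for three hypothetical domains (example-law.co.uk, weak-law.co.uk, strict-law.co.uk) in place of a live lookup, which in production would come from a resolver such as dnspython.

```python
# Added example: grade a domain's SPF and DMARC posture from its TXT records.
# The records below are constructed for illustration; the domain names are
# hypothetical and stand in for a real DNS query.
FAKE_DNS_TXT = {
    "example-law.co.uk": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.example-law.co.uk": ["v=DMARC1; p=none; rua=mailto:dmarc@example-law.co.uk"],
    "weak-law.co.uk": ["v=spf1 +all"],
    # weak-law.co.uk publishes no _dmarc record at all
    "strict-law.co.uk": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.strict-law.co.uk": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict-law.co.uk"],
}


def lookup_txt(name, records=FAKE_DNS_TXT):
    """Stand-in for a DNS TXT query; returns a list of record strings."""
    return records.get(name, [])


def check_spf(domain, records=FAKE_DNS_TXT):
    """Return human-readable findings about the domain's SPF record."""
    findings = []
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any server may send as this domain"]
    if len(spf) > 1:
        findings.append("multiple SPF records: receivers treat this as a permanent error")
    mechanisms = spf[0].split()[1:]
    # A bare 'all' is equivalent to '+all' (pass for every host).
    if "+all" in mechanisms or "all" in mechanisms:
        findings.append("SPF ends in +all: authorises every host on the internet")
    elif "~all" in mechanisms:
        findings.append("SPF ends in ~all (softfail): spoofed mail is tagged, not rejected")
    elif "-all" not in mechanisms:
        findings.append("SPF has no 'all' mechanism: unlisted hosts are treated as neutral")
    return findings


def check_dmarc(domain, records=FAKE_DNS_TXT):
    """Return findings about the _dmarc.<domain> policy record."""
    findings = []
    recs = [r for r in lookup_txt("_dmarc." + domain, records)
            if r.upper().startswith("V=DMARC1")]
    if not recs:
        return ["no DMARC record: receivers have no policy for mail failing SPF/DKIM"]
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC has a missing or invalid policy: {policy!r}")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports will never reach you")
    return findings


def assess(domain, records=FAKE_DNS_TXT):
    """Combined SPF + DMARC findings; an empty list means nothing to fix."""
    return check_spf(domain, records) + check_dmarc(domain, records)


if __name__ == "__main__":
    for d in ("example-law.co.uk", "weak-law.co.uk", "strict-law.co.uk"):
        print(d, assess(d) or ["ok"])
```

A domain that passes both checks still needs DKIM signing on its outbound mail for DMARC alignment, and the move from p=none to p=reject should be staged using the rua reports so legitimate senders (practice-management systems, newsletter tools) are not blocked.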

Vulnerable technology

The Crowe UK report states that 80.5% of the firms surveyed were running at least one service with a well-known vulnerability. Cybercriminals target these vulnerabilities, which can result in data theft, loss of control of the firm’s website, and ransomware that encrypts files and demands payment in exchange for restoring access.

Data breaches

With many firms reporting a cyberattack in the last two years, firms are also concerned about how to respond to an attack and ensure compliance with regulations. This is particularly true of data breaches and the General Data Protection Regulation (GDPR), which came into force on 25 May 2018. A data breach could cost a legal firm substantial fines for failure to comply with the GDPR, both for how it protected the data before the attack and for how it handled the breach afterwards.

Mitigating the Risks

Prevention is key to ensuring that firms are mitigating the risks and protecting their organisation and employees from the threat of cyberattacks. The two main areas to focus on are:

Securing Systems

Investing in technology and securing your firm’s IT systems helps you avoid heavy financial loss from the fallout of a cyberattack. Keeping your systems patched and up to date is one of the most effective defences against cyberattacks. Put robust and reliable security measures in place, and develop information security policies that address both known and newly discovered vulnerabilities.

Raising Awareness

Human error is becoming a common factor in cyberattacks on firms and organisations. Whether by opening unsafe email attachments, clicking on suspicious links or downloading unsafe files, employees often end up enabling access to systems, and it is usually a lack of awareness that leads to these errors of judgement. Educate your workforce on the cybersecurity threats they face and the warning signs to look out for. By driving a culture of awareness and training employees on the risks and how to respond, firms can protect both their employees and their business from cyber threats.

Cyber Security Awareness Training

At DeltaNet International, we are firm believers in leveraging the power of awareness training to reduce the impact of cyberattacks. Find out how we can support your firm with a wide range of eLearning solutions dedicated to raising awareness on cybersecurity and information security risks. Visit our website for more information.

The ‘world’s favourite airline’ and the largest hotel chain both reported huge data breaches in recent times, affecting millions of records. After investigations by the Information Commissioner’s Office (ICO), British Airways and Marriott International are both facing record fines for data breaches under the General Data Protection Regulation (GDPR).

Marriott

In November 2018, the Marriott International group of hotels reported a massive breach to the ICO. It relates to a cyber incident involving the unauthorised access of the Starwood hotels group systems in 2014. Marriott subsequently acquired the Starwood Group, however, the breach wasn’t discovered or reported until 2018.

As a result, the personal data of approximately 339 million guests globally was compromised. Around 30 million of those records related to residents of 31 countries in the European Economic Area (EEA), and around seven million to UK residents.

After an extensive investigation, on 9 July 2019 the ICO issued a notice of its intention to fine Marriott in excess of £99M under the GDPR. Marriott International has co-operated with the ICO investigation and has improved its security arrangements since the breach was reported. The ICO’s contention, however, is that Marriott failed to perform due diligence when it acquired the Starwood Group and should have made sufficient checks to ensure Starwood’s IT systems were secure.

In a statement, Marriott have revealed that they intend to appeal the fine and defend their position.

British Airways

The ‘world’s favourite airline’, on the other hand, is facing a record fine of £183M for breaches of data protection law. The proposed fine relates to a cyber incident beginning in June 2018, in which traffic from customers browsing the British Airways website and booking tickets online was diverted to a fraudulent site. The ICO’s investigation found that the personal data of approximately 500,000 customers was harvested by the attackers, including names, addresses, logins, payment card details and travel booking details.

In a statement, British Airways apologised to customers, expressed disappointment and revealed the intention to appeal.

Fines Issued in 2018

The ICO are simply reaffirming their commitment to the GDPR by disclosing the details of its fines and investigations to the public. Since the GDPR came into effect on 25 May 2018, a number of high-profile data breaches have come to light. The ICO issued some of the biggest fines last year including fines for the Crown Prosecution Service (CPS), Equifax UK, Uber, Facebook and Bounty.

With the ICO adopting a tough stance and walking the talk, businesses must bear in mind the very expensive consequences as a result of data breaches.

Is Your Business Prepared?

What we have learnt from these recent breaches is that the GDPR goes beyond ‘consent’ and data privacy issues. Both the breaches at British Airways and Marriott were a result of IT or web systems failures and hackers gaining unauthorised access.

A quick recap of what a data breach under the GDPR could cost your business: the ICO can fine a company up to €20 million or 4% of its global annual turnover, whichever is higher. The proposed British Airways fine comes to about 1.5% of its global turnover for the year, while Marriott’s is about 3% of the company’s global revenue.

Mitigate the risks of a hefty fine and ensure that your business is prepared to combat the lapses in cyber security. Investing in cyber security and information security is key to keeping the hackers out. Keeping your systems secure and up to date is the first step and one of the most effective weapons against cyber-attacks.

Awareness training for your workforce matters just as much. Are your staff able to spot the signs of an attempted cyber-attack and understand the implications? By training employees on the various aspects of cyber security and the GDPR, and on the risks they face, businesses can keep the hackers out and prevent costly breaches under the GDPR.

How Can We Help

Our FREE download on Handling a Data Breach offers practical tips for reducing the risk of a breach, including a checklist for managing and reporting data breaches should your data be compromised.

We can also support your business with a wide range of eLearning solutions dedicated to cyber security and GDPR. Our eLearning can be delivered as off-the-shelf packages, or we can customise the content to suit your organisation. To find out more, check out our great value Compliance package.

Could your organisation handle a data breach?

Whilst it’s imperative for organisations to do all they can to prevent a data breach and protect the rights of individuals, many are unprepared to manage a personal data breach should the worst happen. This can cause further damage to finances and reputation and even lead to further breaches.

To help get the conversation started, download our FREE eGuide, Handling a Data Breach.

As well practical tips for reducing the risk of a breach, this handy booklet also includes a checklist for managing and reporting data breaches should your data be compromised.


According to the Hiscox Cyber Readiness Report 2019, 55% of UK firms reported a cyber-attack in the past year, up from 40% in the previous year’s report.

With more than half of UK firms reporting a cyber-attack, and most businesses admitting that they were unprepared for breaches, it’s important to ask the question: are you doing enough to prevent a cyber-attack?

The Marriott hotel group recently reported a huge data breach, which they claim has been ongoing since 2014.

The company identified the breach after an internal security tool alerted them to an unauthorised access attempt. After investigating the breach, they discovered that an unknown agent had copied and encrypted information in one of their databases of guest information.

The Starwood group of hotels, which includes St Regis, Sheraton and Westin, was bought by Marriott International in 2015, making it the world’s largest hotel chain.

Their vast customer base seems to have been an attraction for hackers, who are believed to have accessed and copied 500 million records. 327 million of those records include names, phone numbers, email addresses, passport numbers and dates of birth.

This makes the Marriott breach the second largest in history, though it lags far behind the Yahoo breach which affected 3 billion users.

How did hackers breach Marriott security?

The New York Times reports that a US government investigation into the breach indicates that Chinese state hackers were responsible, though no details have been released regarding the tactics used.

Are you affected by the Marriott Starwood data breach?

If you have stayed at any of the Starwood group hotels, you are advised to change your passwords and understand that your data (name, payment details, address, phone numbers etc.) could be passed on to cybercriminals.

This kind of customer data is frequently used to facilitate fraud. For example, a fraudster might use the information they have to pretend to represent your bank, or your mobile phone provider, so that you hand over access codes, payment information – or simply validate the information they already have.

How can companies prevent customer data breaches?

When even the largest companies in the world – and the most tech savvy – seem incapable of protecting customer data, what can smaller companies and SMEs do to fight back against the constant threats from hackers?

Keep up. As quickly as companies deploy new security standards, hackers are working on a way to crack them. Just as companies ditch insecure technologies, hackers are engineering a back-door to the new solutions. And just as companies teach their employees about popular social engineering techniques, hackers are already moving on to new tactics.

It’s very difficult for large organisations, with their policies, teams and ways of doing business, to outfox cyber criminals who work alone (or in small groups), share information freely and are under no obligation to follow any rule or law.

In spite of this, it’s important that companies try to stay up to date with changing threats.

Prioritise security. One theory about the Marriott hack is that senior executives did not prioritise data security during the acquisition of the Starwood group, leading to weaknesses in the databases or connections between systems, which may have been exploited by hackers.

Data security should be a C-level issue. Security should be driven from the very top, and prioritised in all activities.

Test. When was the last time you tested your network and systems to ensure they can’t be accessed by third parties? Penetration testing might help you identify weaknesses in your security and prioritise fixes.

Raise awareness. As we’ve discussed on this blog before, digital security is a company-wide issue, and every employee is a gatekeeper to your customer data, networks, systems and intellectual property. Employees often provide the gateway for hackers, either deliberately or accidentally, so it makes sense to invest in employee training.

Is your company vulnerable to data breaches?

VinciWorks provides a suite of eLearning solutions, including courses on data protection, cyber security and GDPR. You can either choose our solutions as off-the-shelf courses, or you can adapt them to suit your organisation’s needs with our Adapt authoring tool (or we can manage this for you).

Every week we get news of another massive data breach. While some commentators are suggesting that this is the new normal, and that data leaks and hacks are an inevitable part of our connected world, it’s worth looking at the largest data breaches to see what they have in common – and what they can teach us about data security for 2019.

1: Aadhaar (1.1 billion)

Who?

India’s national personal identity card system contains information on Indian residents, including biometric data, names and information on connected services, such as bank accounts.

How?

A state-owned utility company called Indane was tapping into the Aadhaar database through an unsecured API. Because the endpoint required no authentication, anyone who found it could query records, exposing more than a billion of them.

2: Marriott Starwood (500 million)

Who?

Marriott is the world’s largest hotel chain. Their Starwood brand operates a rewards scheme, and this database was accessed by hackers. While the breach was reported in 2018, it is believed to be a long-running data leak, stretching back to 2014.

How?

While details of the hack have not been released, the US government has laid the blame at the door of Chinese state hackers.

3: Exactis (340 million)

Who?

Exactis is a marketing and data aggregation firm. They hold comprehensive data on most US citizens, including information about preferences, interests and family connections.

How?

Exactis was storing more than 2 terabytes of personal data on a publicly accessible server. The exposed data was detected by a security researcher, who notified the FBI and Exactis, who have since protected the database. The researcher found the open database by using a scanning tool to find unshielded ElasticSearch instances.

4: MyFitnessPal (150 million)

Who?

MyFitnessPal is a fitness and diet-tracking app owned by Under Armour, the athletic clothing company.

How?

Details are lacking. The company has only said that an unauthorised person accessed data. The stolen passwords were stored as bcrypt hashes rather than in plain text. Hashing is not encryption: a hash cannot be reversed to recover the password, and bcrypt is deliberately slow and salted, so guessing passwords from the stolen hashes is expensive. It does not make weak or reused passwords safe, though; affected users should still change them.
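The distinction between a fast digest and a slow, salted password hash is easy to state and easier to see. The following Python example is added here and is not code from MyFitnessPal, Under Armour or any library the page mentions; bcrypt is not in Python’s standard library, so PBKDF2 from hashlib stands in for it, and the user accounts, attacker wordlist and iteration count are constructed for illustration. It shows that salting forces an attacker to redo the wordlist for every user, that the same password no longer yields the same stored value, and that a weak password on a wordlist is still recovered, just at a higher cost per guess.

```python
# Added example: why "hashed with bcrypt" helps, and what it does not do.
import hashlib
import hmac
import os

# Constructed sample accounts; alice and carol share a weak password.
USERS = {"alice": "password123", "bob": "letmein", "carol": "password123"}
# Constructed attacker wordlist; cracking cost scales with its size.
WORDLIST = ["123456", "password", "letmein", "password123"]
# Work factor for the slow hash (bcrypt exposes the same idea as a 'cost').
ITERATIONS = 20_000


def fast_hash(password):
    """Unsalted SHA-1: a one-way digest, but cheap and identical for equal inputs."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_hash(password, salt=None):
    """Salted, iterated PBKDF2-SHA256 as a stand-in for bcrypt.
    Output is 'salthex$digesthex' so the salt is stored with the hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_slow(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    candidate = slow_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def crack_fast(stored):
    """Attacker cost for unsalted hashes: hash the wordlist ONCE, look everyone up."""
    table = {fast_hash(w): w for w in WORDLIST}
    work = len(WORDLIST)
    recovered = {user: table[h] for user, h in stored.items() if h in table}
    return recovered, work


def crack_slow(stored):
    """Attacker cost for salted hashes: the wordlist must be re-hashed per user,
    and every guess costs ITERATIONS rounds instead of one."""
    recovered, work = {}, 0
    for user, h in stored.items():
        for word in WORDLIST:
            work += 1
            if verify_slow(word, h):
                recovered[user] = word
                break
    return recovered, work


def demo():
    """Hash the sample accounts both ways and attack both stores."""
    fast_db = {u: fast_hash(p) for u, p in USERS.items()}
    slow_db = {u: slow_hash(p) for u, p in USERS.items()}
    fast_found, fast_work = crack_fast(fast_db)
    slow_found, slow_work = crack_slow(slow_db)
    return {
        "fast_recovered": fast_found,
        "fast_work": fast_work,
        "slow_recovered": slow_found,
        "slow_work": slow_work,
        "same_password_same_fast_hash": fast_db["alice"] == fast_db["carol"],
        "same_password_same_slow_hash": slow_db["alice"] == slow_db["carol"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both attacks recover every password in this run because all three are on the wordlist; the slow store only multiplies the attacker’s cost (11 guesses at 20,000 rounds each versus 4 cheap ones). That multiplier is what bcrypt buys, and it is why the advice to change a weak password stands even when the breached site hashed properly.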

5: Quora (100 million)

Who?

Quora is a hugely popular question-and-answer site, with millions of active users.

How?

The company has not released details yet, and have only stated that an unauthorised person accessed user records. Quora also stated that they are engaging a forensic technologist to help them trace the cause of the breach and prevent future hacks.

6: MyHeritage (92 million)

Who?

MyHeritage is an online genealogy and DNA testing service.

How?

They don’t know. One of the firm’s security team found a trove of MyHeritage data on an external server. The database includes 92 million records, including names, email addresses and hashed passwords. MyHeritage has engaged an external security consultant to identify the source of the breach.

7: Cambridge Analytica (87 million)

Who?

A Facebook game called ThisIsYourDigitalLife passed user data to several third parties, including Cambridge Analytica, a data analytics company that worked with the Trump presidential campaign to target ads to swing voters.

How?

Because of Facebook permission settings at the time, the game allowed the developer to harvest information on their users, and their users’ friends and contacts. This meant that only 270,000 people installed the app, but the developer was able to pass data on millions of people to Cambridge Analytica.

8: Google+ (52 million)

Who?

Google+ is a social network. In October, Google disclosed a bug, fixed in March and not announced at the time, that had given some Google+ app developers access to user data. In December, Google announced a second data exposure affecting 52.5 million users.

How?

Both incidents were caused by bugs in Google+ APIs that made user profile information available to app developers beyond what users had shared. Google is now planning to close the social network.

9: Chegg (40 million)

Who?

Chegg is an online store offering textbooks, tutors and online study support.

How?

An unauthorised third party was able to access a company database that included customer data for Chegg and some of their other brands.

10: Facebook (29 million)

Who?

The world’s largest social network was hacked, exposing sensitive user data including contact information, searches and usage history.

How?

Hackers exploited vulnerabilities in Facebook’s ‘View As’ feature to obtain access tokens, which then gave them full access to users’ accounts.

How can you avoid a data breach?

There are a few patterns in the top 10 data breaches of 2018:

Weak software. Many of these breaches were caused by vulnerabilities or weaknesses in the systems used.

Glitches. Hackers have a keen eye for glitches in software that have unintended consequences. These are ruthlessly exploited to access data that is usually hidden.

Mystery losses. A worrying trend from the top 10 is the number of ‘unknowns’. At the time of reporting, a number of companies have been unable to confirm how the hack was perpetrated.

The main lesson to learn from these examples is that hackers are creative and flexible, and that data leaks from organisations in many different ways.

Internal agents, external criminals, weak software, outdated software connections and APIs, weak passwords, clumsy security practices, social engineering – these are all common components of data breaches.

This suggests that organisations have a lot of work to do to protect every corner of their castle. Hackers look for weak spots in many different areas, and so organisations must address every aspect of their security: software, hardware, people, processes and culture.

Last year was a bad time for data security, but a great time for digital criminals. In the midst of the thousands of hacks, leaks, exploits and phishing attempts, a group of Russian military hackers unleashed a virulent worm that would cause untold disruption and cost companies around the world billions in lost revenues and repair costs.

While nobody has claimed responsibility for the NotPetya virus, it has been traced back to a group of Russian military hackers who were trying to wreak havoc in Ukraine, and to send a warning to companies that dare to do business with Russia’s enemy.

The virus originated in Ukraine, after Russian hackers gained access to the servers of Linkos Group, the company that produces a popular Ukrainian accounting program called MeDoc. The hacking group, known as Sandworm, compromised the MeDoc update server and used it to push a malicious update to the thousands of PCs around the world with MeDoc installed.

NotPetya spread rapidly. It relied on two tools working in partnership to sidestep defences, infect computers and spread to the next host. EternalBlue, an exploit for a flaw in Windows file sharing (SMB) that was developed by the US National Security Agency and leaked earlier in the year, was combined with Mimikatz, a tool written by a French researcher to demonstrate that Windows was leaving users’ passwords in memory. EternalBlue got the worm onto unpatched machines; the credentials it harvested with Mimikatz let it log in to patched ones as well, so the virus could leapfrog from machine to machine in a matter of hours.

Maersk goes dark

On 27 June, computer screens at Maersk headquarters began to go black. Some displayed messages asking for a ransom to be paid in bitcoin; others simply stated that the machine was being repaired, and should not be turned off. Whatever the message, the machine was frozen and unusable.

Maersk, a global shipping company, was completely stricken by the virus: so many computers were infected, so rapidly, that the company was unable to take new orders or manage their vast shipping fleet. Even the IT security team was unable to work. Servers, computers, routers and desk phones were all brought down by the virus.

Around the world, 17 of Maersk’s 76 freight terminals were disrupted by the virus. Without computers, nobody could do anything. Freight could not be received, loaded or dispatched. The contents of containers were unknown and new bookings could not be taken. Ports in Los Angeles, Rotterdam and Mumbai were reduced to parking garages. It was a catastrophic failure of shipping IT, and the costs are estimated to be astronomical.

Billions in lost earnings

Ultimately, NotPetya would cause an estimated $10 billion in damage, crippling multinational companies including TNT Express, Mondelez, Reckitt Benckiser, Rosneft and Merck.

At Maersk, recovering from the attack involved a frantic effort to restore core machines and then gradually wipe and restore individual machines. In just 10 days the company managed to rebuild its network of 4,000 servers and 45,000 PCs – though a complete recovery took many months.

While NotPetya was a fiendishly clever virus, it relied on Maersk (and other victims) having unpatched machines and flat networks where one stolen set of administrator credentials worked everywhere; both were avoidable. Maersk has since changed its approach to digital security and is investing widely in security systems and processes. Employees report that requests for spending on digital security are being approved without delay, a contrast to their prior reticence to invest in digital protection.

Why do so many companies have to learn digital security lessons the hard way?

Find out more about Cyber Security eLearning.

Currys PC World is the latest in a long line of corporations to suffer a large-scale data breach, but the positive news to take from the story is the swiftness and clarity of their response. One of our colleagues, as a Currys PC World customer, received an email explaining the loss of data, what was involved, and what he should do to protect himself from fraud.

The message was comprehensive and apologetic – and suggests that British businesses are finally learning how to respond to these kinds of cyber crimes.

The recent news from Currys PC World came in two waves; at first, they believed that 1.2 million customers were affected, although no payment card information was involved. Several weeks later the electronics giant had to report that the scale of the problem was far larger. After an internal investigation they put the number of customers affected at 10 million.

Currys PC World reports that none of their customers has been directly defrauded in the immediate aftermath of the data breach. But we know from previous hacks that customer data is rarely used in isolation; instead, this kind of information is used as bait in phishing attacks. With customer data in their hands, fraudsters can dupe people into handing over more information which then gives them access to bank accounts, payment cards and online stores.

So, the true impact of this kind of data breach is unlikely to be immediately obvious – and people who are defrauded six or nine months from now may never know that their loss originated with lax security at Currys PC World.

Alex Neill of Which? commented on the incident: “Dixons Carphone customers will be alarmed to hear about this massive data breach and will be asking why it has taken so long for the company to uncover the extent of its security failure. It is now critical that the company moves quickly to ensure those affected get clear information about what has happened and what steps they should take to protect themselves.”

The letter from Currys PC World is commendably clear and direct: “Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017. This unauthorised access to data may include personal information such as name, address, phone number, date of birth and email address.”

Currys PC World also laid out clear guidance for their customers on how to minimise the risk of fraud:

  • If you receive an unsolicited email, letter, text or phone call asking for personal information, never reveal any full passwords, login details or account numbers until you are certain of the identity of the person making the request. Please do not click on any links you do not recognise.
  • If you think you have been a victim of fraud you should report it to Action Fraud, the UK’s national fraud and internet crime reporting centre, on 0300 123 2040*.
  • We also recommend that people are vigilant against any suspicious activity on their bank accounts and contact their financial provider if they have concerns.

Although the value of Currys PC World shares fell after news of the initial data breach was revealed, markets reacted less extremely to the second wave of news, with shares actually rising slightly. This may reflect a degree of breach fatigue – or a belief that the high street’s last electronics retailer has already paid the price for its security failure.

Are data breaches an inevitable part of a society that lives and trades online? Or will businesses eventually find systems and processes to outfox the data bandits?

Worried about data breaches? Find out more about Data Protection eLearning from VinciWorks.

Data breaches are nothing new.

What has changed recently is the regulations surrounding personal data.

Under the General Data Protection Regulation (GDPR), companies must notify the Information Commissioner’s Office within 72 hours of becoming aware of a breach.

In the case of Ticketmaster’s recent breach, questions remain about whether they reported the loss of data affecting 40,000 customers quickly enough.

Ticketmaster lost the customer data through a third-party customer-support chat tool from Inbenta that was embedded in its web pages. The tool’s JavaScript was modified by attackers so that it sent customer data, including payment details, to a third party, who then used the information to make fraudulent payments.

Ticketmaster claims that up to 40,000 UK customers may have had their data stolen. Customers in the US were not affected in the incident. Ticketmaster is offering customers a 12-month identity monitoring service to help prevent further frauds from occurring.

One of the problems with a data breach of this kind is the avalanche of follow-up crimes that typically occur – not always relying on the actual data lost. This is because criminals use the confusion and concern caused by a major data loss incident to dupe customers into changing passwords – on dummy websites that they control. Ticketmaster is urging customers to only visit genuine Ticketmaster websites on recognised addresses.

Brooks Wallace, a cyber-security specialist at Trusted Knight, commented: “After an incident like this, criminals from around the world will jump at the chance to try and catch a few unsuspecting people out. If you receive any emails purporting to be from Ticketmaster asking for any personal information, discard them. If you need to contact Ticketmaster, type the website address into your browser and log-in that way.”

Questions about the timing of Ticketmaster’s notification surfaced after Monzo, the online bank, reported that they had uncovered evidence that Ticketmaster may have been breached in early April – something they passed on to authorities and to Ticketmaster. Monzo’s discovery followed customer reports of fraudulent transactions. The security team at Monzo analysed the accounts of approximately 50 customers who had all been the victim of fraud and found a pattern: 70% of the affected customers had recently bought tickets from Ticketmaster. Only 0.8% of their entire customer base had used Ticketmaster.
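The Monzo finding above is an instance of common-point-of-purchase analysis: compare how often fraud victims transacted with each merchant against how often the whole customer base did, and look for the merchant that is wildly over-represented. The following Python example is added here and is not Monzo’s code; it runs that comparison over a constructed ledger of 200 hypothetical accounts and a constructed list of fraud reports in which, as in the Ticketmaster case, a merchant used by only a small share of customers appears in most of the fraud reports.

```python
# Added example: common-point-of-purchase analysis over constructed card data.
from collections import Counter, defaultdict


def build_sample_transactions():
    """Constructed ledger: 200 accounts, each as (account_id, merchant).
    Everyone shops at Grocer, even-numbered accounts at Coffee Co, and
    only accounts 1-10 bought from Ticketmaster."""
    txns = []
    for n in range(1, 201):
        acct = f"acct{n}"
        txns.append((acct, "Grocer"))
        if n % 2 == 0:
            txns.append((acct, "Coffee Co"))
        if n <= 10:
            txns.append((acct, "Ticketmaster"))
    return txns


SAMPLE_TRANSACTIONS = build_sample_transactions()
# Constructed fraud reports: seven Ticketmaster buyers plus three unrelated accounts.
SAMPLE_FRAUD_ACCOUNTS = {f"acct{n}" for n in (1, 2, 3, 4, 5, 6, 7, 50, 120, 170)}


def merchants_by_account(transactions):
    """Map each account to the set of merchants it has paid."""
    seen = defaultdict(set)
    for account, merchant in transactions:
        seen[account].add(merchant)
    return seen


def common_point_of_purchase(transactions, fraud_accounts):
    """Rank merchants by lift: (share of fraud victims who used the merchant)
    divided by (share of all accounts that used it). Returns tuples of
    (merchant, victim_rate, base_rate, lift), highest lift first."""
    by_account = merchants_by_account(transactions)
    all_accounts = set(by_account)
    victims = fraud_accounts & all_accounts
    if not victims:
        return []
    merchant_all = Counter(m for ms in by_account.values() for m in ms)
    merchant_victims = Counter(m for a in victims for m in by_account[a])
    results = []
    for merchant, n_all in merchant_all.items():
        base_rate = n_all / len(all_accounts)
        victim_rate = merchant_victims[merchant] / len(victims)
        lift = victim_rate / base_rate
        results.append((merchant, round(victim_rate, 3), round(base_rate, 3), round(lift, 2)))
    results.sort(key=lambda r: r[3], reverse=True)
    return results


def suspected_breach_sources(transactions, fraud_accounts, min_lift=3.0, min_victim_rate=0.5):
    """Merchants that are both strongly over-represented among victims and
    used by most of them; the second threshold stops a merchant with one
    victim and one customer overall (lift enormous) from being flagged."""
    return [r[0] for r in common_point_of_purchase(transactions, fraud_accounts)
            if r[3] >= min_lift and r[1] >= min_victim_rate]


if __name__ == "__main__":
    for row in common_point_of_purchase(SAMPLE_TRANSACTIONS, SAMPLE_FRAUD_ACCOUNTS):
        print("%-14s victims=%.2f base=%.3f lift=%.1f" % row)
    print("suspected:", suspected_breach_sources(SAMPLE_TRANSACTIONS, SAMPLE_FRAUD_ACCOUNTS))
```

On the constructed data the merchant used by 5% of accounts shows up in 70% of fraud reports (lift 14), while the grocer everyone uses has a lift of 1. Real ledgers need a minimum victim count as well as a lift threshold, and a strong signal is grounds to notify the merchant and the regulator, not proof of where the breach occurred.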

The question that the ICO may want answered is why it took months for Ticketmaster to confirm that a breach had taken place? Was the breach carefully concealed by hackers? Or did Ticketmaster hope to limit the scope of scandal?

Read more about Information Security eLearning from VinciWorks.