You've been hacked. What are you liable for?

'It won't happen to me...' but best be prepared

Hacking is big news and we’re all susceptible. In the UK, hackers could face jail time under the Computer Misuse Act, but the question on many businesses’ minds will be where the liability lies if they are hacked.

The list of successful mega breaches continues to grow; extra-marital affairs site Ashley Madison hit the headlines last summer when data was exposed about its 37 million users, although it appeared many of those were fake accounts. Earlier this year, Yahoo! revealed the numbers behind its 2014 data breach – 500 million user account credentials were stolen.

In 2016, the SWIFT financial payments system was hacked, and this came after another group using the same approach stole $81m from the Bangladesh central bank. Even the US central bank, the Federal Reserve, detected more than 50 cyber breaches between 2011 and 2015, according to cybersecurity reports obtained through a freedom of information request.

Regulator fine

Telecoms company TalkTalk has the dubious honour of having received the largest fine ever imposed by the Information Commissioner’s Office – £400,000 – for a cyber attack which allowed access to customer data “with ease”. The ICO’s investigation revealed that TalkTalk could have prevented the attack by taking basic steps to protect customer information.

The TalkTalk fine is far lighter than the £3m fine issued by the then-FSA to HSBC in 2009 for not having adequate systems and controls to protect customers’ confidential information.

But even that fine seems small compared to the new fines on the way under GDPR. In general, failing to take appropriate measures could lead to a fine of up to the higher of €10m or 2 per cent of an undertaking’s total worldwide annual turnover. If coupled with other data breaches, these figures could be doubled to €20m and 4 per cent.

One of the difficulties facing organisations is that data protection legislation is vague when it comes to specifying the standards of protection required. The Data Protection Directive and the UK Data Protection Act both require the data controller to “implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access”.

This concept is carried over to the new EU General Data Protection Regulation, which will be enforced throughout the EU – yes, including the UK – from May 2018. In fact, it also requires the controller to build in data protection by design and by default.

What does this actually mean though? What measures are appropriate? Well, the ICO has not yet stipulated a particular minimum threshold for protection, but it generally penalises organisations that suffer the loss of unencrypted laptops and mobile devices. The GDPR itself suggests pseudonymisation and data minimisation as part of a data controller's approach to protection.

While the vagueness in the legislation might mean businesses aren’t clear on what they have to do, it also means the law doesn’t have to be constantly updated to specify the latest industry standards on data security. Besides, every CISO I’ve spoken to has a clear understanding of what measures are appropriate, and it’s just whether they can persuade the CFO to allocate the budget for it.

Espionage

In March 2016, a Chinese businessman pleaded guilty to conspiracy to hack the computer networks of US defence contractors holding information about the Stealth Bomber, which he was said to have passed to the Chinese government.

If you operate in the defence industry, you are likely to have made various promises to the government under the Official Secrets Act or the US and other national equivalents. You will probably have a fairly good idea of what is expected of you, so we need not go into detail here, save to reiterate that breaches could amount to jail time.


Biting the hand that feeds IT © 1998–2022