Tag: breach

HIV records from NHS trust accidentally sold on the web

The Information Commissioner’s Office has come down hard on the Brighton and Sussex University Hospitals NHS Trust.

The watchdog has slapped the trust with a Civil Monetary Penalty (CMP) of £325,000 following a serious breach of the Data Protection Act (DPA).

And security experts have said they are not surprised at the fine, which is the highest the ICO has issued since it was granted the power to issue CMPs in April 2010.

It follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff, which was found on hard drives sold on an internet auction site in October and November 2010.

The ICO said some of the information was also related to HIV and Genito Urinary Medicine (GUM) patients as well as details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details such as National Insurance numbers, home addresses, ward and hospital IDs, as well as information referring to criminal convictions and suspected offences.

According to the ICO, the breach occurred when an individual was given the task of destroying around 1,000 hard drives held in a key-code-controlled room at Brighton General Hospital in September and October 2010.

However, in December 2010 a data recovery company bought four hard drives on an internet auction site from a seller who had purchased them from that individual.

At the time the ICO accepted the trust’s assurance that these were the only four rogue disks. In April 2011, however, it was contacted by staff at a university who advised that one of their students had bought hard drives via an internet auction site. An examination of the drives established that they contained data belonging to the Trust.

The ICO said the trust had been unable to explain how the individual removed at least 252 of the approximately 1,000 hard drives they were supposed to destroy from the hospital during their five days on site.

It said the individual was not believed to have known the key code needed to access the room where the drives were stored, and was usually supervised by staff working for HIS. However, the Trust acknowledged that the individual would have left the building for breaks, and that the hospital was publicly accessible.

Security and communications expert Chris McIntosh, CEO of ViaSat UK, told TechEye that the fine wasn’t a surprise.

“While previously focused against local government, the ICO’s penalty powers have come more and more to bear on the NHS in recent months,” McIntosh said. “This isn’t too surprising: as one of the largest handlers of personal data in the UK, and given the sensitivity of much of that data, the NHS has had many more opportunities for such a catastrophic breach to occur.”

“At the same time,” McIntosh said, “a recent FOI request showed that the NHS was the most reported organisation in terms of lost data and hardware at 40 out of 108 cases nationwide in 2011 / 2012 and, more damningly, insecure disposal of data, responsible for more than twice as many cases as the entire private sector.” 

“With these statistics, a penalty of this magnitude was inevitable,” McIntosh continued. “Organisations need to learn from this and all of the ICO’s penalties: data must be encrypted and correctly destroyed, hardware must be kept under lock and key and contractors must be thoroughly vetted to ensure that standards are met.”
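McIntosh’s point that data must be “correctly destroyed” is exactly where the Brighton case went wrong: drives left the site before anyone had confirmed they were wiped. As an added illustration, not part of the original article or the ICO’s findings, the Python script below audits a raw drive image before it is released. It reads blocks at evenly spaced offsets and classifies each as zeroed (a single repeated byte), random (a random-data overwrite or full-disk ciphertext) or structured (anything else, which means residual data), and only clears the image when no structured block is found. The image files and the patient-record text are constructed for the demonstration.

```python
"""Pre-release wipe audit for a raw drive image (added example, not from the article).

Samples evenly spaced blocks and classifies each one. A drive is only cleared
for release when no sampled block looks like structured, i.e. residual, data.
"""
import math
import os
import random
import tempfile
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

BLOCK = 4096  # sample size in bytes; one filesystem cluster on most layouts


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, approaching 8.0 for random bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_block(data: bytes) -> str:
    """'zeroed' (one repeated byte), 'random' (random overwrite or ciphertext),
    or 'structured' (anything else: plausible leftover data)."""
    if len(set(data)) == 1:
        return "zeroed"
    if shannon_entropy(data) > 7.9:
        return "random"
    return "structured"


@dataclass
class WipeReport:
    sampled: int
    zeroed: int
    random: int
    structured: int
    first_structured_offset: Optional[int]

    @property
    def release_ok(self) -> bool:
        # A single structured block means the wipe cannot be trusted.
        return self.sampled > 0 and self.structured == 0


def audit_image(path: str, samples: int = 256) -> WipeReport:
    """Read `samples` block-aligned blocks spread across the image and tally them."""
    size = os.path.getsize(path)
    if size < BLOCK:
        raise ValueError("image smaller than one sample block")
    step = max(BLOCK, (size // samples) // BLOCK * BLOCK)
    tally = {"zeroed": 0, "random": 0, "structured": 0}
    first_bad = None
    sampled = 0
    with open(path, "rb") as fh:
        for offset in range(0, size - BLOCK + 1, step):
            fh.seek(offset)
            label = classify_block(fh.read(BLOCK))
            tally[label] += 1
            sampled += 1
            if label == "structured" and first_bad is None:
                first_bad = offset
    return WipeReport(sampled, tally["zeroed"], tally["random"], tally["structured"], first_bad)


def build_sample_images(directory: str, size: int = 1 << 20) -> Dict[str, str]:
    """Constructed test images (not real drives): a zero wipe, a random wipe,
    and a 'wiped' image with one cluster of patient text left behind."""
    rng = random.Random(2010)
    zero = bytes(size)
    rnd = rng.randbytes(size)
    leftover = bytearray(size)
    record = b"PATIENT RECORD  NHS No 000 000 0000  Ward 7  Dx: follow-up required\n"
    leftover[100 * BLOCK:101 * BLOCK] = (record * (BLOCK // len(record) + 1))[:BLOCK]
    paths = {}
    for name, data in (("zero.img", zero), ("random.img", rnd), ("leftover.img", bytes(leftover))):
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths[name] = path
    return paths


def run_demo() -> Dict[str, WipeReport]:
    """Build the constructed images in a temporary directory and audit each one."""
    with tempfile.TemporaryDirectory() as directory:
        return {name: audit_image(path) for name, path in build_sample_images(directory).items()}


if __name__ == "__main__":
    for name, report in run_demo().items():
        print(f"{name:13s} {report} -> release {'OK' if report.release_ok else 'BLOCKED'}")
```

A sampled audit can only show that a wipe failed, never prove that it succeeded: unsampled blocks, remapped sectors on SSDs and drives that cannot be read at all are exactly the cases where physical destruction, which is what the contractor in this case was hired to do, remains the backstop. An image that reports entirely “random” blocks is acceptable only if it was in fact overwritten with random data or encrypted with a key that has since been destroyed; the audit cannot tell ciphertext whose key still exists from ciphertext whose key is gone.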

Last month the ICO fined a London community healthcare trust £90,000 after finding it in serious breach of the Data Protection Act.

NHS Trust faxed patient data to the wrong number for three months

A London Community Healthcare trust has been slapped with a fine of £90,000 after the Information Commissioner’s Office found it in serious breach of the Data Protection Act.

The watchdog, which had its website hacked last week amid accusations that it didn’t do enough to protect citizens’ privacy, first became aware of the NHS trust’s wrongdoing back in March 2011.

This was after patient lists from the Pembridge Palliative Care Unit, intended for St John’s Hospice, were faxed to the wrong recipient.

The patient lists were said to contain sensitive personal data relating to 59 individuals, including medical diagnoses and information about their domestic situations and resuscitation instructions.

The recipient informed the Trust in June that they had been receiving the patient lists, around 45 faxes over a three-month period, and said that they had shredded them to protect the patients’ privacy.

The ICO conducted an investigation that found the trust had failed to have sufficient checks in place to ensure sensitive information sent by fax was delivered to the correct recipient. It also barked at the trust for failing to provide robust data protection guidance and training to the members of staff who had accidentally sent the faxes.

Stephen Eckersley, the ICO’s Head of Enforcement, said that the fact that this information was sent to the wrong recipient for three months without anyone noticing made the case “all the more worrying”.   

Top websites leaking our data to third party players

While cookie laws are hitting the UK and US, scientists have found that naughty websites are directly leaking our private information to third party trackers.  

Of the 120 “popular websites” studied by scientists at the Worcester Polytechnic Institute in the US, three-quarters were found to leak some form of user information to third parties, including email addresses, home addresses and the IP addresses of users’ PCs.

Computer scientists at the institute said that despite lawmakers trying to curb cookies and companies capturing our information, the “problem of privacy has worsened significantly.”

The researchers said the findings were “increasingly worrisome” and insisted that it was time the government looked at how “first-party sites” protected the privacy of their users.

This is because third-party sites had a strong economic incentive to continue to collect and aggregate user information, meaning they wouldn’t give up doing this without a fight.

The scientists found that just over half of sites leaked private information, while this number rose to 75 percent if site user IDs were included.

Hypochondriacs surfing health sites and travel bods were also more at risk, with the study finding that search strings sent to healthcare websites and travel itineraries on flight reservation sites were the data leaked most often.

This contradicted earlier assumptions that the bulk of information was leaked from popular social networking sites.

The boffins came to their new conclusions by focusing on sites that encourage users to register, since users often share personal and personally identifiable information, including their names, physical address, and email address, during the registration process.

They found that information is leaked through a number of routes to third-party sites that track users’ browsing behaviour for advertisers. In some cases, information was passed deliberately to the third-party sites. In others it was included, either deliberately or inadvertently, as part of routine information exchanges with these sites. Depending on the site, the leakage occurred as users were creating, viewing, editing, or logging into their accounts, or while navigating the websites.

And there was some advice for those of us concerned with our data, including blocking the setting of cookies and using an advertising blocking feature.  
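The leakage routes described above are mechanical enough to test for. The following is an added example, not part of the WPI study or of the article: a Python script that takes a constructed log of the requests a browser made while a user was logged in to a hypothetical first-party site (health-example.test) and flags every request to a third-party host that carries one of the user’s values, whether in the clear, URL-encoded, or as an MD5, SHA-1 or SHA-256 hash of the value, which is how trackers commonly “pseudonymise” an email address. It also models the two routes the study distinguishes: a value the site deliberately places in a tracker URL, and one carried inadvertently in the Referer header because the first-party page URL contains it. All hostnames, identifiers and requests are made up for the demonstration.

```python
"""Detect first-party user values leaking to third-party hosts (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus, urlsplit

FIRST_PARTY = "health-example.test"   # hypothetical first-party site


@dataclass
class Request:
    url: str
    referer: str = ""
    body: str = ""


@dataclass(frozen=True)
class Finding:
    host: str        # third-party host that received the value
    identifier: str  # which user value leaked
    channel: str     # 'url', 'referer' or 'body'
    form: str        # 'plain' or the hash algorithm used to disguise it


def is_third_party(host: str, first_party: str) -> bool:
    return not (host == first_party or host.endswith("." + first_party))


def identifier_forms(value: str) -> Dict[str, str]:
    """The value as typed plus the hashed forms trackers use to 'pseudonymise' it."""
    canonical = value.strip().lower()
    raw = canonical.encode()
    return {
        "plain": canonical,
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


def scan_text(text: str, identifiers: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (identifier, form) pairs present in a URL, header or body after decoding."""
    haystack = unquote_plus(text).lower()
    return [(name, form) for name, forms in identifiers.items()
            for form, needle in forms.items() if needle and needle in haystack]


def detect_leaks(requests: List[Request], pii: Dict[str, str], first_party: str) -> List[Finding]:
    identifiers = {name: identifier_forms(value) for name, value in pii.items()}
    findings = []
    for req in requests:
        host = urlsplit(req.url).hostname or ""
        if not is_third_party(host, first_party):
            continue   # the first party already knows its own user
        for channel, text in (("url", req.url), ("referer", req.referer), ("body", req.body)):
            for name, form in scan_text(text, identifiers):
                findings.append(Finding(host, name, channel, form))
    return findings


def apply_referrer_policy(req: Request, policy: str) -> Request:
    """Model what a browser puts in Referer. Simplified: the legacy default sends the
    full URL; 'strict-origin-when-cross-origin' trims cross-origin requests to the
    origin. Real browsers also consider HTTPS-to-HTTP downgrades."""
    if not req.referer or policy == "no-referrer-when-downgrade":
        return req
    if policy == "strict-origin-when-cross-origin":
        src, dst = urlsplit(req.referer), urlsplit(req.url)
        if (src.scheme, src.netloc) == (dst.scheme, dst.netloc):
            return req
        return Request(req.url, f"{src.scheme}://{src.netloc}/", req.body)
    raise ValueError(f"unknown policy {policy}")


# Constructed session: values the user typed into the first-party site, and the
# requests the page then caused the browser to make.
USER_VALUES = {"email": "alice@example.test", "user_id": "u-48213",
               "search_query": "hiv test results"}
ACCOUNT_PAGE = "https://health-example.test/account?uid=u-48213"
SESSION = [
    Request(ACCOUNT_PAGE),                                            # the first party itself
    Request("https://stats.tracker-a.test/collect?ev=pageview",       # inadvertent: via Referer
            referer=ACCOUNT_PAGE),
    Request("https://pixel.ads-b.test/sync?em="                       # deliberate: hashed email
            + hashlib.sha256(b"alice@example.test").hexdigest()),
    Request("https://api.search-c.test/suggest?q=hiv+test+results",   # search string to a 3rd party
            referer="https://health-example.test/search"),
    Request("https://static.health-example.test/app.js",              # same site: not a leak
            referer=ACCOUNT_PAGE),
]


def run_demo() -> Tuple[List[Finding], List[Finding]]:
    """Leaks under the legacy referrer policy versus the stricter one."""
    legacy = detect_leaks(SESSION, USER_VALUES, FIRST_PARTY)
    strict = detect_leaks([apply_referrer_policy(r, "strict-origin-when-cross-origin")
                           for r in SESSION], USER_VALUES, FIRST_PARTY)
    return legacy, strict


if __name__ == "__main__":
    for label, findings in zip(("legacy referrer policy", "strict referrer policy"), run_demo()):
        print(label)
        for f in findings:
            print(f"  {f.host:24s} {f.identifier:13s} via {f.channel:8s} as {f.form}")
```

Running it shows why the advice to block cookies only goes so far. Under the legacy full-URL Referer the analytics host receives the user id with no cookie involved at all; a stricter referrer policy removes that leak but does nothing about the hashed email the site itself put into the ad pixel URL, or the health search string handed to a third-party suggestion service. In a real deployment the first-party boundary should come from the public suffix list rather than a hard-coded name.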

Spammers capitalise on Ireland's unemployment rate

One of Ireland’s largest job websites, RecruitIreland.com, has been hacked and user details seized.

At 1.50pm yesterday afternoon the website managers of the recruitment site were alerted to the breach. They shut down the website and database ten minutes later and reported the incident to the Gardaí and the Data Protection Commissioner. It is also being investigated internally by RecruitIreland and externally by a security expert.

It was revealed that certain user details were compromised in the attack, including first and last names along with email addresses. It is not believed any other information was obtained, such as CVs, usernames or passwords.

However, the data that was obtained can easily be used for spam and there have already been reports of such. The spam messages use the full name of the individual and present a fake job opportunity. RecruitIreland has urged users to take extra care and not respond to such messages if they manage to escape the anti-spam filter. It is believed that acquiring data for spam was the sole purpose of the attack.

More and more people are using these kinds of websites in Ireland as the unemployment rate remains considerably high at 13.4 percent, according to recent figures for January by the Central Statistics Office. This is a sharp increase from the rate of 4.4 percent five years ago in the heart of Ireland’s Celtic Tiger economic boom.

This attack is the latest in a string of website hacks and data breaches in Ireland. The website of one of the main political parties, Fine Gael, was hacked by Anonymous, while a Northern Ireland political party website was hacked by an Irish language activist. Laptops have also been stolen from the Irish tax office, and the Irish government is being investigated for sending unsolicited emails.

With an election at the end of February, it doesn’t look like these problems will go away any time soon.

Nasdaq hack must serve as wake-up call

The Nasdaq Stock Market has confirmed that its network was hacked into over the weekend.

Although the FBI has not revealed details on who was behind the attacks, a security expert, speaking to TechEye, suggests the culprits could be those “looking at causing more damage for Wall Street.”

The hacking, according to the WSJ, was targeted specifically at a service that lets leaders of companies, including board members, securely share confidential documents. However, head honchos added that there was no evidence that any of its customer information or trading was compromised.

“Through our normal security monitoring systems we detected suspicious files on the US servers unrelated to our trading systems and determined that our web-facing application Directors Desk was potentially affected,” Vince Palmiere, vice president of Nasdaq said in a statement.

Our source tells us that if the files had been obtained then the data could easily be used for financial gain or a lot worse.

“We’re not sure who could have hacked into these servers, but personally I believe that it was a malicious attack looking at causing more damage for Wall Street. The industry has just recovered from the “flash crash” last May, which sent U.S. indexes plunging.”

He added that the index had also faced several attacks over the past year, some of which had driven share prices down.

“It’s also not yet clear what data these hackers actually got their hands on so if they weren’t hacking for disruption they could have been able to gain data for fraud, terrorism or financial gain,” he added.  

“One thing is for sure however, hackers, whether they are employed by other countries or are doing it for personal financial gain, are getting smarter and smarter. Unless we find a way to build stronger defences we could be in real trouble in the future.”

The WSJ said investigators had been unable to follow the trail back to any specific individual or country, and were unsure of whether they had plugged all of the network’s potential security gaps.

“Cyber attacks against corporations and government occur constantly,” Nasdaq added in its statement. “Nasdaq remains vigilant against such attacks. We have been working in cooperation with the government’s ongoing investigations and have received their technical advice.”

Nasdaq was hoping to keep quiet about the hack until at least 14 February. But it was forced to go public with the news after the WSJ ran with the story.

Marcus Ranum, CSO of Tenable Network Security, comments to TechEye: “Cyber crime and cyber espionage are real problems, and, as we see, attackers are motivated to go to great lengths if they think they can make a lot of money.

“I think it’s safe to say that this attack is almost certainly financially motivated.

“Secure information sharing over open networks is, and always will be, a hard problem. Anyone who claims to have solved it with a web based application (or anything else for that matter) doesn’t understand security.

“As far as the hackers’ methods are concerned, it’s hard to read between the lines but the fact that a ‘web based service’ for sharing information was penetrated means that most likely there was some typical web-based flaw, such as an SQL injection, server vulnerability, or scripting vulnerability. Additionally, if the service exists as a place where important information is going to reside, then it’s a pretty obvious target.

“To protect themselves effectively, organisations firstly need to make sure that web applications are developed under a secure software development process, and are maintained carefully.

“Secondly, there is always the problem of endpoint trust and transitive trust – if the endpoint that is accessing a ‘secure’ site is insecure then the data is still exposed at the endpoint. If an attacker is able to steal a user’s credentials on their endpoint they can masquerade as the user and, for all intents and purposes, the site has no way of telling the authorised user from the attacker.

“That’s why a sharing site is particularly problematic; if one user has a trojan horse on their system then any data that user can access or post is now a target for the attacker. For example, consider if someone gets a trojan horse on one company officer’s machine via, say, a spear-phishing attack and then uses that officer’s account to upload a PDF file containing malware, to the sharing site. Now, everyone on the sharing site who sees that file is going to assume it came from that executive and if they open it, they get taken over, too, etc.

“We don’t know if the hackers in this case used a transitive trust attack or if they just exploited a basic website security flaw. But either way, none of this should come as a surprise to anyone.”
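Ranum’s transitive-trust scenario, a trojaned officer’s account uploading a malicious PDF that colleagues open because of who posted it, is worth making concrete. The following is an added example and is not Nasdaq’s, Directors Desk’s or Tenable’s code: a Python upload gate for a document-sharing site that records the uploader for the audit trail but bases its decision purely on the file’s content. It checks the declared type against the PDF magic bytes, then looks for the PDF name objects that make a document do something on open or carry a payload (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile, /RichMedia, /XFA), after resolving PDF’s #xx name escapes so that /J#61vaScript is not missed. The sample files and the uploader account are constructed.

```python
"""Content-based upload gate for a document-sharing site (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

PDF_MAGIC = b"%PDF-"
# Name objects that trigger behaviour on open or carry a payload; the list
# mirrors what static PDF triage tools look for.
ACTIVE_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
                b"/EmbeddedFile", b"/RichMedia", b"/XFA")
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data: bytes) -> bytes:
    """Resolve PDF name escapes so '/J#61vaScript' reads as '/JavaScript'."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


@dataclass
class Verdict:
    uploader: str             # recorded for the audit log, never used to decide
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def inspect_upload(uploader: str, declared_type: str, data: bytes) -> Verdict:
    """Accept only a PDF with no active content, whoever uploaded it."""
    reasons: List[str] = []
    if declared_type != "application/pdf":
        reasons.append(f"unsupported declared type {declared_type}")
    if not data.startswith(PDF_MAGIC):
        reasons.append("content does not start with %PDF- (magic mismatch)")
    if not reasons:
        body = normalise_names(data)
        for name in ACTIVE_NAMES:
            # Require a token boundary so '/JS' does not fire on a name like '/JSmith'.
            if re.search(re.escape(name) + rb"(?![A-Za-z0-9])", body):
                reasons.append(f"active content: {name.decode()}")
        if b"/ObjStm" in body:
            # Names inside compressed object streams are invisible to a byte scan.
            reasons.append("compressed object streams present; static scan incomplete")
    return Verdict(uploader, accepted=not reasons, reasons=reasons)


# Constructed samples (not real board documents).
CLEAN_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
JS_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (app.alert('board pack')) >> endobj\n%%EOF\n"
)
OBFUSCATED_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /J#53 (app.alert('board pack')) >> endobj\n%%EOF\n"
)
RENAMED_EXE = b"MZ\x90\x00" + b"\x00" * 60   # a Windows binary uploaded as board-pack.pdf


def run_demo() -> Dict[str, Verdict]:
    """Every file arrives from the same trusted-looking officer account."""
    officer = "cfo@example.test"   # constructed account name
    return {
        "clean": inspect_upload(officer, "application/pdf", CLEAN_PDF),
        "javascript": inspect_upload(officer, "application/pdf", JS_PDF),
        "obfuscated": inspect_upload(officer, "application/pdf", OBFUSCATED_PDF),
        "renamed_exe": inspect_upload(officer, "application/pdf", RENAMED_EXE),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:12s} {'ACCEPT' if verdict.accepted else 'HOLD  '} {verdict.reasons}")
```

A byte scan of this kind is triage, not a verdict. Names inside compressed object streams (/ObjStm, typically /FlateDecode) cannot be seen without decompressing them, which is why the gate reports their presence and holds the file for a full parse or sandbox detonation rather than passing it. Equally, a held file is a reason for quarantine and review rather than outright rejection, since legitimate fillable forms use /AA and /XFA too.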

Employees haven't a clue about USB data loss

Nearly two thirds of employees wrongly appraise the value of company data, believing that losing a USB device with sensitive material on it is less costly than breaking a laptop.

The unsettling trend was exposed by data security firm BlockMaster, which said it was “shocking but not surprising” that staff did not recognise the costs involved in company data breaches.

58 percent of workers believed that a broken laptop was a bigger financial worry than lost data, but the number was slightly lower, at 52 percent, for younger employees.

Being snowed in overnight was seen as a bigger cause of concern for workers, with 30 percent picking that over the 29 percent who picked losing a device with corporate data on it. 42 percent were more concerned about losing Christmas presents.

“Simply put, data is much more valuable than hardware,” said Anders Kjellander, Chief Security Officer of BlockMaster. “A broken laptop can be replaced but exposed data can never be retrieved, something that Wikileaks has made absolutely apparent – there is no retrieval of data once the breach has occurred. But hardware on the other hand can be replaced and repaired at a known and often very low cost.”

Kjellander pointed out that the ICO could fine organisations up to half a million pounds for data breaches, which makes the cost of repairing or replacing a broken computer tiny in comparison.

Obama administration working on online privacy changes

The Obama administration is to begin efforts to enhance online privacy, according to the Wall Street Journal.

A report being prepared by the US Department of Commerce will set out how the government can better police privacy breaches on the internet, possibly through new laws and a new office responsible for the effort.

The news comes only a day after regulator the Federal Communications Commission began an investigation into Google’s Street View snooping, which has been the subject of multiple probes around the world, with little to no consequences.

The privacy concerns are not limited to Google; Facebook has been embroiled in privacy scares for many months now. While such breaches carry no real repercussions today, new laws could bring harsher penalties for companies that don’t clean up their act in future.

Another impact of the push, which is in strong contrast with many other countries’ policies on internet self-regulation, is the potential creation of a new post within the government, dealing entirely with privacy affairs. 

The US is “committed to promoting policies that will preserve consumer privacy online while ensuring the Web remains a platform for innovation, jobs, and economic growth,” said a spokesperson for the Department of Commerce. “These are complementary goals, because consumer trust in the Internet is essential for businesses to succeed online.”

The strategy is expected to be fully revealed within the next few weeks.

Google must be brought to book

Google needs to be held accountable for what is one of the worst and most pervasive invasions of privacy from a technology firm in the world – and yet it manages to consistently evade any kind of repercussions for its actions.

Today the Information Commissioner’s Office (ICO) in the UK announced the final outcome of its investigation into the Street View snooping fiasco, stating that Google’s behaviour constitutes a “significant breach” of the Data Protection Act, despite saying in July that there was no significant personal data captured and that no detrimental effect had been caused.

But what is the real effect of this U-turn by the ICO? Google’s UK branch will be audited and the company will be forced to sign a document promising not to breach privacy again, with the threat of legal action if it fails to comply. And that’s it. A quick browse around the Google offices and a signature on a piece of paper – hardly what one would expect for such a monumental privacy breach.

The ICO U-turn appears to have been made in the face of other international investigations, where it was proven that the data Google collected included emails, URLs, and even passwords. The ICO said that in light of this, and Google’s own admission that personal data had been collected, “formal action” was deemed necessary.

The problem is that in the case of stealing passwords anyone else would be prosecuted. Many people responsible for the infamous ZeuS keylogging trojan have been arrested or jailed already, while Google can collect people’s passwords and walk away scot-free. Obviously it’s not quite the same situation and Google has not used this information to illegally profit, but it still begs the question as to why there appears to be one rule for the big companies and another for everyone else.

The ICO rejected calls for a monetary penalty, despite it being an appropriate action to take, but it did not rule out this option if Google does not fully comply with its demands. We know, however, that Google will do all it can to escape any further negative reputation from this debacle, so the ICO’s statement really amounts to an empty threat.

The ICO also wants Google to delete all of the data it illegally acquired in the UK as soon as it is legally cleared to do so. It will hardly have to order Google to do that, as Google has been clamouring to get rid of the evidence for some time now and has already done so in countries it was permitted to delete the data, such as in Ireland.

“It is my view that the collection of this information was not fair or lawful and constitutes a significant breach of the first principle of the Data Protection Act,” said Christopher Graham, the Information Commissioner. “The most appropriate and proportionate regulatory action in these circumstances is to get written legal assurance from Google that this will not happen again – and to follow this up with an ICO audit.”

According to the ICO, Google has agreed in principle to the following: 

“To continue and update orientation programs designed to provide Google employees with training on Google’s privacy principles and the requirements of UK data protection law.

“To institute a policy that requires Google employees to be trained on Google’s code of conduct, which includes sections on privacy and the protection of user data and the legal requirements applying to the protection of personal data in the UK. 

“To enhance the core training for engineers and other important groups with a particular focus on the responsible collection, use and handling of data. 

“To institute a security awareness program for Google employees, which will include clear guidance on both security and privacy.”

Is signing a document really enough though? Does this not send out a message to other potential breachers of privacy that they might just get away with it, and that, if they are indeed caught, there are no consequences for these actions? Money talks.

While Google may have not intended any of this, good intentions are meaningless in the face of inexcusable actions that go unchecked. Google needs more than a tame slap on the wrist, which may come from one of the many other investigations into Street View going on around the world.

An outcome like the class action lawsuit relating to Buzz may be much more appropriate.

Security software firm Omniquad reported for data breach

Security software firm Omniquad has been criticised and reported for a serious data breach that saw the publication of customer details online.

The company, which makes anti-malware and firewall software and is the “NetworkWorld ClearChoice Award winner” for its AntiSpy software, said a glitch in its helpdesk software resulted in its customers’ details being published on the net.

Omniquad was keen to point out that the vulnerability was in third-party software which it uses to manage helpdesk calls. The flaw exposed customer log-in details online, but Omniquad said that the information was taken down and the system put offline as soon as the situation was discovered.

“This is not a case of negligence on our part. We have acted quickly to fix the situation and notify any customers who may have been put at risk,” said Daniel Sobstel, managing director of Omniquad. “The software has been in place for a few years and this is the first time we have had any kind of problem like this with it.”

While Omniquad may not have been negligent, a security company facing a problem like this doesn’t instil much faith. If one piece of software has a vulnerability like this, then what potential problems are hidden within the other software? Security software should make customers feel safer, not risk having their details put online. Security vendors are always on about being on the safe side and best practice.

Sobstel tried to reassure customers that the majority of them would be unaffected. He said that it would take days to exploit the published data, meaning it was only really a problem for a small number of people. That will be little comfort to those affected.

Privacy International was strongly condemnatory of the affair. It reported the company to the Information Commissioner over the incident, while a spokesperson said: “Security and privacy should be at the core of everything they do and that includes carrying out security audits of all third-party software and services they offer.”

Employees consistently breach security policies, report finds

Employees consistently breach security policies and are less likely to take a job with strict security policies, according to a report by Cisco released today.

The report reveals that more than half of the over 500 IT security professionals polled in the survey were aware of their employees using unsupported applications, primarily social networking, but collaborative, peer-to-peer and cloud services also featured highly on the list. Nineteen percent saw social networking as the biggest security risk.

Forty-one percent said that their employees were using unsupported network devices, such as smartphones, while a third of that number said there was a breach or loss of information due to these unsupported devices.

Despite this, 53 percent have planned to allow personal devices to be used within the company network, while seven percent already allow them.

The report also found that nearly three quarters discovered that overly strict security policies had a negative impact on hiring and retaining employees under the age of 30.

TechEye spoke to Maurizio Taffone, Borderless Network Technical Product Marketing Lead at Cisco Europe, about the findings.

He told us that traditionally security policies tended to be too strict, depending on the company, but that Cisco found that the majority of IT employers, particularly in India and China, found that hiring and retaining employees was negatively affected by such a limited approach.

He said that the intellectual property and business processes of a company need to be protected, but Cisco advises its customers to take a balanced and flexible approach to security. He gave an example of one business using a Second Life environment to train its employees on security.

Taffone said there is a definite negative impact from overly restrictive security policies and that security decision makers need to refine their company’s policies to adapt to changes within the work environment. He said that too lenient security policies are also a problem and that companies need to measure up the need and potential benefit against the acceptable risk. He mentioned that Cisco’s Validated Secure Borderless Network Systems is one way of doing this, which offers a secure foundation and simplified solution for routing, switching, security, and mobility.

He said that social networking, the biggest factor revealed in the report, is neither good nor bad and that Cisco has a strong social networking presence, which allows for an extremely powerful way to communicate with customers, partners, and employees, ultimately adding to productivity. He compared it to some companies using a large internal forum for discussion and advertising internal news and positions. 

He qualified these remarks by saying that it does provide additional challenges to security, such as in the example of details of a new product launch getting into the wrong hands due to an employee checking their smartphone in a public place. He said that common sense is needed here so that employees do not work on confidential material in an unsafe environment.

Enforcing security over multiple devices is adding complexity to the situation. Taffone told us that a multi-vendor approach is needed, such as Cisco’s VPN client Anyconnect or the recently announced Cisco Developer Network. Other systems that could be put in place include an ASA firewall and Ironport filtering solutions. 

He said that in order to develop intelligence within a network, so that it knows which devices to trust and what policy provisions to provide, a system such as Trustsec needs to be in place. Static systems need to be replaced by dynamic ones that can adapt to the situation and allow for easy remote access while maintaining a high level of security.

He said that when it comes to the fine balance between security and access in a workplace there is a vehicle of threat, but there is also a vehicle of defence.