Archive for the Uncategorised Category

From the Information Commissioners Office

Privacy watchdog calls on CEOs to take responsibility for data protection safeguards

The number of data breaches reported to the Information Commissioner’s Office (ICO) has soared to 277 since HMRC lost 25 million child benefit records nearly a year ago. New figures, released today by the ICO, include 80 reported breaches by the private sector, 75 within the NHS and other health bodies, 28 reported by central government, 26 by local authorities and 47 by the rest of the public sector. The ICO is investigating 30 of the most serious cases.

In a speech today Richard Thomas, the Information Commissioner, will highlight the risks associated with large databases, the need for tougher sanctions to deter data breaches and he will call on chief executives to take responsibility for the personal information their organisations hold. Arguing that information can be a toxic liability, he will challenge CEOs to ensure that the amount of data held is minimised and that robust governance arrangements are in place. Richard Thomas will argue that accountability rests at the top. CEOs must make sure that their organisations have the right policies and procedures in place, that privacy by design features are incorporated in the technology their organisations use and that staff are properly trained to counter the risks.

The Information Commissioner will say: ‘It is alarming that despite high profile data losses, the threat of enforcement action, a plethora of reports on data handling and clear ICO guidance, the flow of data breaches and sloppy information handling continues. We have already seen examples where data loss or abuse has led to fake credit card transactions, witnesses at risk of physical harm or intimidation, offenders at risk from vigilantes, fake applications for tax credits, falsified Land Registry records and mortgage fraud. Addresses of service personnel, police and prison officers and battered women have also been exposed. Sometimes lives may be at risk.

Richard Thomas continues: ‘The number of breaches brought to our attention is serious and worrying. I recognise that some breaches are being discovered because of improved checks and audits as a welcome result of taking data security more seriously. More laptops have now been encrypted and thousands of staff have been trained. But the number of breaches notified to us must still be well short of the total. How many PCs and laptops are junked with live data? How many staff do not tell their managers when they have lost a memory stick, laptop or disc? Many losses are probably simply undetected.

Richard Thomas continues: ‘Personal information is now the lifeblood of government and business. Used properly and intelligently, personal information can lead to better customer service, improved efficiency, more effective law enforcement and protection of the vulnerable and a better quality of life for everyone. But this means respecting and protecting people’s privacy and personal information - data protection - has never been more important. As government, public, private and third sectors harness new technology to collect vast amounts of personal information, the risks of information being abused increase. It is time for the penny to drop. The more databases that are set up and the more information exchanged from one place to another, the greater the risk of things going wrong. The more you centralise data collection, the greater the risk of multiple records going missing or wrong decisions about real people being made. The more you lose the trust and confidence of customers and the public, the more your prosperity and standing will suffer. Put simply, holding huge collections of personal data brings significant risks.’

The ICO has long argued that its powers, sanctions and resources - fixed in another era - are now wholly inadequate and that a stronger approach is required to help prevent unacceptable information handling. Earlier this year Parliament decided that the ICO should have the power to impose substantial penalties for deliberate or reckless breaches. The ICO is working with the government to ensure this measure is implemented as soon as possible. The threat and reality of substantial penalties will concentrate minds and act as a real deterrent. The data protection notification fee for the largest organisations needs to be increased to give the ICO the resources it needs to do its job properly. The ICO is also looking forward to new powers to undertake inspections and audits of data controllers.

Richard Thomas is sceptical about placing a statutory duty on organisations to notify people directly whenever a breach occurs; it is doubtful that an appropriate law could satisfactorily distinguish in advance between situations where notification is needed and those where it is not. Each breach carries different levels of risk and, consequently, requires a different response.

Following serious data breaches in the past year, the Information Commissioner’s Office has taken enforcement action against Orange Personal Communications Services Ltd, HMRC, the Ministry of Defence, the Department of Health, Virgin Media Ltd, Skipton Financial Services, the Foreign and Commonwealth Office, Carphone Warehouse and Talk Talk.

More news from the BBC - HMRC staff breach data security

More than 600 staff at HM Revenue and Customs (HMRC) have been disciplined for accessing personal or sensitive data, it has been revealed.

In a Commons written reply, Treasury Financial Secretary Jane Kennedy said that in many cases the penalty for staff was dismissal.

There were 238 people disciplined in 2005, 180 in 2006, and 192 in 2007.

The secretary was responding to a question from shadow home affairs spokesman James Brokenshire.

Ms Kennedy said the figures showed “the strength of HMRC’s disciplinary procedures”.

The numbers represented less than 1% of HMRC staff, she added.

Ms Kennedy said HMRC has a “strict policy forbidding staff to access customer records unless they have a legitimate business need.

“Breaches of this policy are taken seriously and any breach will result in the commencement of disciplinary proceedings.

“Each case is treated on its merits but in many cases the disciplinary penalty for breach is dismissal.”

HMRC was formed in April 2005, when the Inland Revenue and HM Customs and Excise departments merged.

Gerry adds: There’s a good chance that some of these breaches were made easier by the plethora of non-production databases which had not been masked!

From the BBC - Customer Data Needs Protection

Companies and public bodies are not doing enough to protect customers’ data, the UK’s privacy watchdog and a major survey of security have said.

The Information Commissioner said that the 94 security breaches reported to him last year was an “alarming” number. The survey of more than 1,000 firms suggested that almost 90% of them let staff leave offices with potentially confidential data stored on USB sticks. Firms and public bodies were urged to make data protection a priority.

Information Commissioner Richard Thomas said of the 94 data breaches, two thirds were committed by government or other public sector bodies. Data had been recovered in only three of the 94 cases, he said.

Stolen computers

The material included personal details of UK citizens, including health records.

“The evidence shows that more must be done to eradicate inexcusable security breaches,” he said. Mr Thomas’ findings and the separate Information Security Breaches Survey will be detailed at the InfoSec show in London, the world’s largest event of its kind.

The survey was carried out by PricewaterhouseCoopers on behalf of the Department for Business Enterprise and Regulatory Reform. According to the survey, almost 80% of firms that had reported a stolen computer had not encrypted data on the hard drive.

Chris Potter, from PricewaterhouseCoopers, which compiled the survey, told BBC News that overall attitudes to security had improved in the last 12 months.

System failures

“Companies have focused on the areas which have caused them most damage in the past, such as viruses and system failures. These tend to have caused the greatest cost in terms of business interruption.”

But he said the “biggest concern is around the protection of customer data, which companies clearly want to be good at. Sometimes that’s not translating into real action.”

He said particular threats were around the lack of encryption of data on laptops, the use of USB memory sticks and newer technologies like Voice over Internet Protocol.

“In all these areas the controls are not as strong as they are over traditional threats,” he said.

Mr Potter’s comments were echoed by those of the Information Commissioner.

Mr Thomas said: “The government, banks and other organisations need to regain the public’s trust by being far more careful with people’s personal information.

“Once again I urge business and public sector leaders to make data protection a priority in their organisation.”

Of the total reported to the commissioner, 62 security breaches were in the public sector, 28 were in the private sector and four in the charity or third sector.

Of those reported by public sector bodies, almost a third happened in central government and associated agencies, and a fifth in the NHS.

According to the PricewaterhouseCoopers report, fewer companies today are encrypting data on laptops than two years ago, despite a recent spate of high-profile instances of laptop losses with unencrypted information.

Mr Potter said: “We have seen in successive surveys that companies tend to be very good with preventing yesterday’s problems. Companies need to stay on their toes to make sure they are addressing tomorrow’s problems.”

Risen dramatically

The report found that the number of attempts to hack into company networks had risen dramatically over the last two years. “What is a really big concern is the proportion of large businesses that say hackers have got into their networks,” said Mr Potter. Two years ago 1% of large businesses reported a hacker penetration compared to 13% in the current report. The survey also said that figure was likely to be under-reported because many large firms did not admit to successful hacks on their networks.

Security breaches cost UK business several billion pounds a year, said the report.

Many Retailers Taking Big Chances with Test Data

Some retailers have tried to mitigate the damage by using older customer data, on the belief that such data would have outdated information that might be less valuable if intercepted. But Mark Rasch, the former head of the U.S. Justice Department’s high-tech crimes unit and currently a security consultant in Washington, questions that premise.

“The fallacy is that there is something called ‘old data,’” Rasch said, adding that most credit card information—including name, address and often the credit card number itself—does not change with any frequency. “What’s personal about me tends to remain personal even with the passage of time,” he said.

The credit card’s expiration date will periodically change, but Rasch said there’s such a small number of possible month/year combinations in the typical 2-year period that a thief could simply try them all until the right combination was discovered.

Rasch also has concerns about whether the use of such information for network testing violated “the implicit agreement between the merchant and the customer” that “you get my data for certain purposes, primarily to sell me the product and to validate payment.”

As for why test data hasn’t been created to safely test systems, Rasch said it’s a matter of money. To make it work, the test data would have to have a lot of numbers, with segments created to replicate various banks and other processors. It would do a retailer little good, for example, to test a Visa connection using a MasterCard number or even a card number from one major bank when testing a different bank’s card. “The question really is, ‘Who’s going to pay for it?’,” Rasch said.

Money is also behind the lack of security on the networks transmitting the test data, said the PCI Security Vendor Alliance’s Taylor. “These people are operating on a limited budget. What you secure first is the production environment and anything that is outwardly facing,” he said.

As for protecting the data itself, that’s a combination of laziness coupled with cheapness, Taylor said. There is a way to properly sanitize test data, he said, but it’s a lot of work.

He cited one insurance company that was testing with non-sanitized test data. “They didn’t have any way of generating test data on an enterprise basis. No tools, no procedures, not even a policy. They had no system-level prevention at all,” Taylor said. “They were using production data without masking, without encryption, without scrambling.”

Why? “Hey, it’s hard. Unless someone makes them do it, they’re not going to do it,” Taylor said. “You need policies. It’s so much easier to just copy production records.”

Is there a way out? Taylor said such numbers could be created by a group of card issuers coordinated by some overarching entity, such as Visa or some other industry group. Why has it not yet happened? Said Taylor: “I just assume it’s not their priority.”

Gerry adds: This is a great reason to have a look at tools like Data Masker. Making the process easy and repeatable as data is refreshed is what it’s all about!
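Rasch’s point that usable test data needs realistic card numbers with the right issuer segments, Taylor’s point that nobody sanitises production copies unless it is made easy, and the “easy and repeatable as data is refreshed” requirement above all come down to the same job. The example below is added here to show how that job looks in code; it is not the page’s own code and not part of Data Masker or any other product. It masks a constructed customer extract (the card numbers are the published sandbox test numbers, not real accounts, and the masking key is a placeholder) by replacing each PAN with a Luhn-valid fake that keeps the issuer prefix, pseudonymising the name, coarsening the postcode and resetting the expiry. The mapping is keyed and deterministic, so the same real value masks to the same fake value across tables and across refreshes, and a verification step refuses a copy that still contains a real PAN or name.

```python
import hashlib
import hmac
import random

# Constructed sample rows standing in for a production extract. The card numbers
# are the Luhn-valid test numbers published for sandbox use, not real accounts.
PRODUCTION_ROWS = [
    {"customer": "A. Example", "postcode": "SW1A 1AA", "pan": "4539578763621486", "expiry": "03/09"},
    {"customer": "B. Sample", "postcode": "M1 1AE", "pan": "5500005555555559", "expiry": "11/08"},
]

# Hypothetical masking key. In practice it stays with the masking job inside the
# production boundary and never ships with the masked copy.
MASKING_KEY = b"constructed-demo-key-not-for-real-use"


def luhn_check_digit(partial: str) -> str:
    """Return the check digit that makes partial + digit pass the Luhn test."""
    total = 0
    # The check digit will sit at the far right, so the rightmost digit of
    # `partial` is the first one that gets doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def _rng_for(key: bytes, value: str) -> random.Random:
    """Keyed, deterministic generator: the same real value always masks to the
    same fake value, so joins across tables survive and each refresh masks
    identically, while nobody without the key can reproduce the mapping."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return random.Random(int.from_bytes(digest, "big"))


def synthetic_pan(real_pan: str, key: bytes, keep_bin: int = 6) -> str:
    """Replace a PAN with a Luhn-valid fake of the same length that keeps the
    issuer prefix (BIN), so scheme/bank routing can still be exercised in test."""
    rng = _rng_for(key, real_pan)
    prefix = real_pan[:keep_bin]
    body_len = len(real_pan) - keep_bin - 1
    while True:
        body = "".join(str(rng.randrange(10)) for _ in range(body_len))
        candidate = prefix + body
        candidate += luhn_check_digit(candidate)
        if candidate != real_pan:  # never hand the real number back by accident
            return candidate


def mask_row(row: dict, key: bytes) -> dict:
    """Mask one customer row: pseudonymous name, coarsened postcode, fake PAN,
    fake expiry. Field formats are preserved so downstream code still parses."""
    rng = _rng_for(key, row["customer"])
    masked = dict(row)
    masked["customer"] = "Customer %06d" % rng.randrange(1_000_000)
    # Keep the outward code (area/district) for geography-dependent logic and
    # drop the inward code that pins down the street.
    masked["postcode"] = row["postcode"].split()[0] + " 0AA"
    masked["pan"] = synthetic_pan(row["pan"], key)
    masked["expiry"] = "%02d/%02d" % (rng.randrange(1, 13), rng.randrange(10, 15))
    return masked


def mask_rows(rows: list, key: bytes) -> list:
    return [mask_row(r, key) for r in rows]


def verify_masking(original: list, masked: list, key: bytes) -> list:
    """Gate a masking run before the copy leaves the production boundary.
    Returns the list of problems found; an empty list means the copy is clean."""
    problems = []
    real_pans = {r["pan"] for r in original}
    real_names = {r["customer"] for r in original}
    for o, m in zip(original, masked):
        if m["pan"] in real_pans:
            problems.append("real PAN leaked: " + m["pan"])
        if not luhn_valid(m["pan"]):
            problems.append("masked PAN fails Luhn: " + m["pan"])
        if m["pan"][:6] != o["pan"][:6]:
            problems.append("BIN not preserved for " + m["pan"])
        if m["customer"] in real_names:
            problems.append("real customer name leaked: " + m["customer"])
        if m != mask_row(o, key):
            problems.append("masking is not repeatable for " + o["customer"])
    return problems


if __name__ == "__main__":
    masked_copy = mask_rows(PRODUCTION_ROWS, MASKING_KEY)
    for row in masked_copy:
        print(row)
    print("problems:", verify_masking(PRODUCTION_ROWS, masked_copy, MASKING_KEY))
```

The keyed HMAC seed is what makes the run repeatable: a customer who appears in the orders table and the payments table masks to the same pseudonym and the same fake PAN in both, so referential integrity in the test copy holds without keeping a lookup table of real-to-fake values anywhere. Keeping the six-digit issuer prefix is the compromise Rasch describes: the fake numbers still route like Visa or MasterCard numbers from the right bank, but the account portion is regenerated and the verification step will not release a copy in which a real PAN survived.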
