Where is this coming from?

As I said last week, the Data Protection Commission had issued a report for 2020. I’ve had a chance to read through it now in a bit more detail. I really love looking at the case studies that they include there because these are real life events that have occurred.

One of them struck me as something that could occur anywhere.

What? A data breach of bank details??? That’s serious!

It was Case Study 15: Bank details sent by WhatsApp. What had occurred was that a customer of a financial institution had gotten in contact with them wanting to get a copy of their BIC and IBAN details. The member of staff that was dealing with the enquiry knew this person. So, because of that, they took a picture of the details on their personal phone and sent them by WhatsApp to the customer.

WhatsApp is encrypted, so it must be safe. Right?

But it turns out the details that they took the photo of were for somebody else. So, when the customer reported this incident to the bank, they realised this was a data breach. That customer had seen somebody else’s personal details.

How does a business prevent this type of issue?

This is simply a staff training issue. Staff need to be aware that they should always follow proper protocols when dealing with people’s personal details. To make sure that they provide the correct details to the correct person.

As I say it could happen to anybody. So use that example with your staff today.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

Contact us for more information at info@L2CyberSecurity.com.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

© L2 Cyber Security Solutions

The post #WeekendWisdom 068 A Data Breach of Bank Details appeared first on L2 Cyber Security Solutions Ltd..

Yesterday the Data Protection Commission (DPC) in Ireland released their annual report for 2020 and I’ll just give a quick summary of its findings here.

What is the number 1 complaint that the DPC get?

The number one source of complaints for the third year in a row under the GDPR remains access requests. So, businesses out there are still having trouble giving people access to their data that they’re entitled to.

I always focus in the training to make sure that people get their access rights done properly. They have proper procedures in place to handle these requests from individuals.

Any figures for Data Breaches?

Over in regard to data breaches. The number of those reported to the Data Protection Commission has increased again by about 8% overall.

But the number one source of data breaches was unauthorised disclosures of personal data, which was up 12.5% over last year, to nearly 6,000 breaches, which is really, really significant.

Data Breaches caused by hacking were up about 40% and Ransomware incidents also doubled over last year. So, things are going the wrong way.

Is there any good news in the Data Protection Commission Report 2020?

Just to finish on a happy note. I was delighted to see that data breaches in regard to phishing have halved over last year. So that must mean people are getting really good training out there on how to spot dodgy emails.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

Contact us for more information at info@L2CyberSecurity.com.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

© L2 Cyber Security Solutions

The post #WeekendWisdom 067 Data Protection Commission Report 2020 appeared first on L2 Cyber Security Solutions Ltd..

Where did this ransomware case study come from?

Earlier this week the data protection commission issued a report on the first two years of the GDPR and their regulatory activity within it.

It is quite an interesting report for privacy professionals and I read through it with a great deal of interest. And I came across a case study about a ransomware incident that a sports and leisure company had suffered. It was interesting in that data protection commission had gone back to the company after being told about the breach and they asked for quite a detailed list of items from that company. You can see this list here.

What did the Data Protection Commission want to know?

So you can see that they wanted to know:

• The chronology of the events that led up to the incident.
• They wanted a description of the hardware and software that the company used.
• What was the source and the attack vector of that ransomware
• What was the variant
• Was there some audit logs
• What was the demand notice for the ransomware
• Very important of course, whether there were backups available to recover from and
• finally what types of measures that company have put in place to try and prevent this from occurring in the first place

That seems like a lot for a ransomware incident.

That’s quite a detailed list of items and if you couldn’t answer those questions right now in your business, then you need some help. You need to have things like:

• A data breach handling procedure
• Need to have a asset registers for your hardware and software
• Your security setup and
• Your backups

All of these things you need to have those put in place in case this ever happens to you. So feel free to reach out if you need any assistance or advice on that.

So that’s it for this week. Let’s be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training.

We can also provide assistance on implementing mitigation measures to help protect your business from #Ransomware.

Contact us for more information at info@L2CyberSecurity.com.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

© L2 Cyber Security Solutions

The post #WeekendWisdom 034 Ransomware Case Study appeared first on L2 Cyber Security Solutions Ltd..

Surely this isn’t the first annual report?

The office of the Data Protection Commissioner has been around for many many years and have issued many many annual reports. When the GDPR came along on 25th May, the office was renamed to be the Data Protection Commission. This report (which you can read here) is their first report covering the period 25th May – 31st December 2018.

Due to the fact that there are investigations still going on from before 25th May 2018, under the previous legislation, the report shows two sets of figures. This post will concentrate on the GDPR figures.

What are the highlights?

There were nearly 2,000 complaints made. The top 10 of these accounted for 94% of all complaints. They are:

Issues around access rights was also the number 1 complaint (39%) under the previous legislation, so this is the most important area that a business or organisation should get right. I’m a little surprised by the complaints under Right of Rectification. That is such a simple one to get correct, why were there 30 complaints? ?‍♂️

Data breaches are on the rise.

There were nearly 3,700 data breaches reported. 85% of them were in the category of unauthorised disclosure which wasn’t really surprising.

It’s interesting to note that there were 226 incidents (6%) which related to paper records. I actually think that figure should be a little bit higher, as I suspect people don’t consider losing or poorly disposing of paper records to be a proper data breach.

What about the Facebook problems reported last year?

They are in there too. There are 15 Statutory Inquiries into multinational technology companies. 10 of these inquiries relate to Facebook (7), or Facebook owned companies (WhatsApp 2 and Instagram 1). Of those 10 complaints 4 related to Legal Basis for processing and 3 relate to the data breach reported in September 2018.

The other companies that had inquiries ongoing are Apple with 2, Twitter 2 and LinkedIn 1.

Was there anything else interesting in the report?

Well yes there was. It’s to do with how the DPC acted when dealing with some of the complaints they came across. There were a few case studies provided (pages 24-26). The DPC handled these without the need to impose sanctions, by making the data controller aware of their failings and providing ways to rectify the situation.

What was also interesting was where complaints had come in about data controllers, who had been investigated previously by the Office of the Data Protection Commissioner. In these cases, the DPC prosecuted them in court and had financial penalties applied (pages 64-67). These cases were taken under previous legislation, so the sanctions were small enough. But this shows that if you, as a controller, come to the DPC’s attention multiple times, they will take a dim view of your behaviour.

Conclusion:

There was a lot more to this first annual report than what I covered above, but for most businesses, these are the items that matter.

If you would like to avail of a free 1 hour consultation to find out what you need to do to prepare your business for the GDPR, then please send an e-mail to info@l2cybersecurity.com and somebody will get back to you.

#GDPR #SimpleGDPR

#SecuritySimplified

The post First Annual Report from the DPC appeared first on L2 Cyber Security Solutions Ltd..

A dash cam and data protection.

Basically it states that if you use a dash cam and record a public area, you become a data controller. A data controller is required to have policies and procedures in place for how the data is processed, stored, shared, etc.

• You need to be transparent about the recording. So you need to have signage that indicates recording is taking place.
• You need to specify under what legal basis is the recording being made.
• You must also state how long you will retain the data.
• If someone is aware of the existence of your dash cam, then they are entitled to ask for a copy of footage of them from you. You have 30 days to respond to the request. You must also redact (blur/black out) any other identifiable individuals who may be also in that recording.
• The individuals have more rights available to them. You can find out what they are here.
• There is a need to ensure the data is properly secured and limit who has access to it.
• You should not share any footage online in a social media platform.
• Gardaí may request a copy of the footage, but you can only give it to them when they provide you with a written request under Section 41 of the Data Protection Act 2018.

But my insurer is giving me a discount.

Some insurance companies are incentivising people to install a dash cam. This makes things even more tricky. If any of the following are a requirement of an insurance policy:

• You are required to install and use the camera;
• You are required to provide footage to your insurer at their request or to upload it to their website;
• Your insurer monitors your use of the camera; and/or
• Your insurer instructs you as to which model of camera or application you must use.

then you are entering into a joint data controller relationship. This requires that a legal arrangement be put in place that sets out each parties respective responsibilities. So I would think twice about doing this.

If you want to get in touch and discuss this, then please either ring 087-436-2675 or drop an e-mail to info@L2CyberSecurity.com.

My story.

Earlier this year, I lost the two wing mirrors on my car in two separate incidents, within weeks of each other. The first one I lost my passenger side mirror, as I swerved to avoid an oncoming car that drifted in front of me. I lost my mirror and also destroyed the mirror of a new parked car. The drifting car did not stop. I had to pay for a new wing mirror for the parked car of €210.

The second incident, I lost my drivers side mirror to an idiot coming around a corner at speed on my side of the road. He tried to get back to his side of the road as I swerved towards the bushes, but no good. He didn’t stop either, but he lost his drivers mirror too. I’ve a ten year old car, so even getting second hand mirrors, the two cost me €250.

I was given a dash cam, so the next time that happened, I’d have something to show to the Gardaí. Of course nothing has happened to me since I got it. Anyway, because of the above, I have removed the dash cam and here it is about to be put away.

#SecuritySimplified #GDPR

The post Dash cam – Machina Non Grata. appeared first on L2 Cyber Security Solutions Ltd..

As you should know by now, the General Data Protection Regulation (GDPR) requires a business to notify the regulatory authority for data protection within 72 hours of becoming aware of the breach, where there is a risk to the rights and freedoms of the affected individuals. They also must notify the affected individuals if there is a high risk to their rights and freedoms and must do so without undue delay.

Facebook notified both on Friday. They put out a public notice about the breach and the DPC were notified, as confirmed by them earlier this week. Here are some tweets from the Data Protection Commission:

The DPC talked very publicly about the Facebook breach, didn’t they?

And this is what I want to address in this post. This Facebook breach was addressed very publicly by the DPC. I would believe that this is because Facebook is such a huge source of personal data. Also the fact that this story has attracted massive worldwide attention. If they didn’t come out with those tweets, they would have been accused of all sorts of bad practice.

I don’t expect them to be publicly tweeting about a data breach in a small business, which accidentally sent a spreadsheet containing customer personal data to an incorrect e-mail recipient. It’s very important you realise this. I don’t want any business owner, who becomes aware of a data breach which needs to be reported, to decide not to notify the DPC in case they should start tweeting about it.

If you become aware of a notifiable breach, please report it. Unless you are a massive source of personal data, I don’t expect the DPC to tweet about it. It will be dealt with reasonably discreetly.

Want to find out more about data breaches?

I did a short (<2 minute) video on 6 examples of a data breach. If you head over to my YouTube channel you can see an entire video series with more discussion about the different examples of data breaches.

In the meantime, lets be careful out there.

#GDPR #SecuritySimplified

The post Facebook Breach – The DPC was very public about it. appeared first on L2 Cyber Security Solutions Ltd..