Where is this coming from?

As I said last week, the Data Protection Commission had issued a report for 2020. I’ve had a chance to read through it now in a bit more detail. I really love looking at the case studies that they include there because these are real life events that have occurred.

One of them struck me as something that could occur anywhere.

What? A data breach of bank details??? That’s serious!

It was Case Study 15: Bank details sent by WhatsApp. What had occurred was that a customer of a financial institution had gotten in contact with them wanting to get a copy of their BIC and IBAN details. The member of staff that was dealing with the enquiry knew this person. So, because of that, they took a picture of the details on their personal phone and sent them by WhatsApp to the customer.

WhatsApp is encrypted, so it must be safe. Right?

But it turns out the details that they took the photo of were for somebody else. So, when the customer reported this incident to the bank, they realised this was a data breach. That customer had seen somebody else’s personal details.

How does a business prevent this type of issue?

This is simply a staff training issue. Staff need to be aware that they should always follow proper protocols when dealing with people’s personal details. To make sure that they provide the correct details to the correct person.

As I say it could happen to anybody. So use that example with your staff today.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

Contact us for more information at info@L2CyberSecurity.com.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

© L2 Cyber Security Solutions

The post #WeekendWisdom 068 A Data Breach of Bank Details appeared first on L2 Cyber Security Solutions Ltd..

Yesterday the Data Protection Commission (DPC) in Ireland released their annual report for 2020 and I’ll just give a quick summary of its findings here.

What is the number 1 complaint that the DPC get?

The number one source of complaints for the third year in a row under the GDPR remains access requests. So, businesses out there are still having trouble giving people access to their data that they’re entitled to.

I always focus in the training to make sure that people get their access rights done properly. They have proper procedures in place to handle these requests from individuals.

Any figures for Data Breaches?

Over in regard to data breaches. The number of those reported to the Data Protection Commission has increased again by about 8% overall.

But the number one source of data breaches was unauthorised disclosures of personal data, which was up 12.5% over last year, to nearly 6,000 breaches, which is really, really significant.

Data Breaches caused by hacking were up about 40% and Ransomware incidents also doubled over last year. So, things are going the wrong way.

Is there any good news in the Data Protection Commission Report 2020?

Just to finish on a happy note. I was delighted to see that data breaches in regard to phishing have halved over last year. So that must mean people are getting really good training out there on how to spot dodgy emails.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

Contact us for more information at info@L2CyberSecurity.com.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

© L2 Cyber Security Solutions

The post #WeekendWisdom 067 Data Protection Commission Report 2020 appeared first on L2 Cyber Security Solutions Ltd..

Surely this isn’t the first annual report?

The office of the Data Protection Commissioner has been around for many many years and have issued many many annual reports. When the GDPR came along on 25th May, the office was renamed to be the Data Protection Commission. This report (which you can read here) is their first report covering the period 25th May – 31st December 2018.

Due to the fact that there are investigations still going on from before 25th May 2018, under the previous legislation, the report shows two sets of figures. This post will concentrate on the GDPR figures.

What are the highlights?

There were nearly 2,000 complaints made. The top 10 of these accounted for 94% of all complaints. They are:

Issues around access rights was also the number 1 complaint (39%) under the previous legislation, so this is the most important area that a business or organisation should get right. I’m a little surprised by the complaints under Right of Rectification. That is such a simple one to get correct, why were there 30 complaints? ?‍♂️

Data breaches are on the rise.

There were nearly 3,700 data breaches reported. 85% of them were in the category of unauthorised disclosure which wasn’t really surprising.

It’s interesting to note that there were 226 incidents (6%) which related to paper records. I actually think that figure should be a little bit higher, as I suspect people don’t consider losing or poorly disposing of paper records to be a proper data breach.

What about the Facebook problems reported last year?

They are in there too. There are 15 Statutory Inquiries into multinational technology companies. 10 of these inquiries relate to Facebook (7), or Facebook owned companies (WhatsApp 2 and Instagram 1). Of those 10 complaints 4 related to Legal Basis for processing and 3 relate to the data breach reported in September 2018.

The other companies that had inquiries ongoing are Apple with 2, Twitter 2 and LinkedIn 1.

Was there anything else interesting in the report?

Well yes there was. It’s to do with how the DPC acted when dealing with some of the complaints they came across. There were a few case studies provided (pages 24-26). The DPC handled these without the need to impose sanctions, by making the data controller aware of their failings and providing ways to rectify the situation.

What was also interesting was where complaints had come in about data controllers, who had been investigated previously by the Office of the Data Protection Commissioner. In these cases, the DPC prosecuted them in court and had financial penalties applied (pages 64-67). These cases were taken under previous legislation, so the sanctions were small enough. But this shows that if you, as a controller, come to the DPC’s attention multiple times, they will take a dim view of your behaviour.

Conclusion:

There was a lot more to this first annual report than what I covered above, but for most businesses, these are the items that matter.

If you would like to avail of a free 1 hour consultation to find out what you need to do to prepare your business for the GDPR, then please send an e-mail to info@l2cybersecurity.com and somebody will get back to you.

#GDPR #SimpleGDPR

#SecuritySimplified

The post First Annual Report from the DPC appeared first on L2 Cyber Security Solutions Ltd..

A dash cam and data protection.

Basically it states that if you use a dash cam and record a public area, you become a data controller. A data controller is required to have policies and procedures in place for how the data is processed, stored, shared, etc.

• You need to be transparent about the recording. So you need to have signage that indicates recording is taking place.
• You need to specify under what legal basis is the recording being made.
• You must also state how long you will retain the data.
• If someone is aware of the existence of your dash cam, then they are entitled to ask for a copy of footage of them from you. You have 30 days to respond to the request. You must also redact (blur/black out) any other identifiable individuals who may be also in that recording.
• The individuals have more rights available to them. You can find out what they are here.
• There is a need to ensure the data is properly secured and limit who has access to it.
• You should not share any footage online in a social media platform.
• Gardaí may request a copy of the footage, but you can only give it to them when they provide you with a written request under Section 41 of the Data Protection Act 2018.

But my insurer is giving me a discount.

Some insurance companies are incentivising people to install a dash cam. This makes things even more tricky. If any of the following are a requirement of an insurance policy:

• You are required to install and use the camera;
• You are required to provide footage to your insurer at their request or to upload it to their website;
• Your insurer monitors your use of the camera; and/or
• Your insurer instructs you as to which model of camera or application you must use.

then you are entering into a joint data controller relationship. This requires that a legal arrangement be put in place that sets out each parties respective responsibilities. So I would think twice about doing this.

If you want to get in touch and discuss this, then please either ring 087-436-2675 or drop an e-mail to info@L2CyberSecurity.com.

My story.

Earlier this year, I lost the two wing mirrors on my car in two separate incidents, within weeks of each other. The first one I lost my passenger side mirror, as I swerved to avoid an oncoming car that drifted in front of me. I lost my mirror and also destroyed the mirror of a new parked car. The drifting car did not stop. I had to pay for a new wing mirror for the parked car of €210.

The second incident, I lost my drivers side mirror to an idiot coming around a corner at speed on my side of the road. He tried to get back to his side of the road as I swerved towards the bushes, but no good. He didn’t stop either, but he lost his drivers mirror too. I’ve a ten year old car, so even getting second hand mirrors, the two cost me €250.

I was given a dash cam, so the next time that happened, I’d have something to show to the Gardaí. Of course nothing has happened to me since I got it. Anyway, because of the above, I have removed the dash cam and here it is about to be put away.

#SecuritySimplified #GDPR

The post Dash cam – Machina Non Grata. appeared first on L2 Cyber Security Solutions Ltd..

While the University is unclear on the contents of the portable device, it may have held a file containing names of approximately 5% of the student body, their student number and exam results.

It’s the uncertainty that is most worrying to me. Also their claim that they have strict policies in place relating to portable devices is a bit disingenuous. I’ve been through the policies and also looked at their data protection section and found some conflicting direction with regard to data handling and USB memory sticks.

The Data Handling Policy states the following about “NUI Galway Highly Restricted” data:

Storage of this data outside of the source system, for example on a laptop or memory stick; must be approved by the data owner. Where data is held outside the source system it must be encrypted.

That seems quite sensible, as approval would mean that somebody would know exactly what data is on there and it would then be encrypted. However their Encryption policy, has something else to say on USB memory sticks:

Portable storage capability such as DVD’s, CD’s and USB flash drives should not be utilised for classified data storage or transfer, even in an encrypted format.

So the handling policy says it’s fine, but the encryption policy says no. It’s obvious that the data handling policy wasn’t followed with this data breach.

I thought it interesting that they have plenty on their site for how to use USB memory sticks and the protections they have in place.

ISS have disabled Autorun on the all computers in the PC Suites as a precautionary measure to prevent the spread of viruses.  When autorun is disabled, a USB memory stick or software on a CD or DVD will no longer automatically start when inserted.

So that’s great … lots of protection there … or maybe not. What if the USB device impersonated a keyboard? It could inject keystrokes that open up a command line, execute a command to download dodgy software and execute it. I’m not making this up. The USB stick could also fry the electronics on your computer. Again this is something that happens.

These USB memory sticks are such a problem from a data breach perspective that I always recommend companies and organisations to either block them completely or put in place a solution that automatically encrypts all data on them.

I did dedicate an entire commandment to USB memory sticks. So you can get my deeply held views in there.

The NUI Galway data breach was an embarrassment for the University. I don’t think the exam results could be classified as sensitive personal data (special category). But I’m sure students wouldn’t like these been released publicly. As long as the powers that be learn a lesson from this sorry situation and implement more rigorous technical solutions, then it will hopefully prevent future, larger and more sanction-worthy breaches.

Lets be careful out there.

#SecuritySimplified #GDPR #SimpleGDPR

The post NUI Galway Data Breach – Lessons learned? appeared first on L2 Cyber Security Solutions Ltd..

“But where are the €20m or 4% of turnover fines for violating the GDPR?” you shout. As the underlying data breach incident occurred some years ago and surfaced before the #GDPR went into effect in May 2018, then they couldn’t be prosecuted under the Data Protection Act 2018, which implements the GDPR.

But this is still a significant judgement. The ICO has gone for the maximum possible penalty against Facebook, showing that what they were up to was completely unacceptable and rightly so. They found that Facebook had breached two of the principles of data protection:

1. Facebook had unfairly processed personal data.
2. And they didn’t put in place appropriate measures to prevent unauthorised or unlawful processing of personal data.

So while Facebook are only fined £500,000 this time, this is a clear indication that data protection authorities won’t be afraid of going after the maximum fines available to them for failures in respect to protecting peoples personal data.

Also don’t forget that the Irish Data Protection Commissioner is investigating Facebook for a GDPR era incident. That incident started with 50m people affected with another 40m possibly impacted. It dropped down to only ~30m affected … but that’s still ~30,000,000 people. Of those, 14m had the following personal data accessed:

Username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.

That is a massive amount of personal data to have been harvested, and could definitely be used against the victims. That particular investigation will be a big one and will probably run into some time in 2019.

In the meantime, lets be careful out there.

#SecuritySimplified

The post Facebook are only fined £500,000 appeared first on L2 Cyber Security Solutions Ltd..

The first GDPR fine has been issued

The first GDPR fine in Europe has just been issued in Austria. Their data protection authority (DSB) has fined the owner of a business €4,800 for having a CCTV camera that was monitoring too large an area of the public footpath outside the premises. Large scale monitoring of public places is not permitted for private individuals or businesses under GDPR. There was also inadequate signage for the camera. Anybody who comes to my training gets told that sign makers will be making fortunes out of the GDPR.

What was also notable in that report, is that there are 36 post-GDPR fine proceedings pending with the DSB. So to reiterate – The GDPR hasn’t gone away you know.

And the GDPR hasn’t gone away in Ireland either

We know that the Data Protection Commission (DPC) have a number of investigations underway. Most publicly is the Facebook data breach. That has only just happened, so don’t expect to hear much on that until sometime next year probably. But there are a number of other investigations with prosecutions pending with the DPC right now. Once these come to light, I think we shall see an increase in interest from businesses wanting to get compliant.

Quick update on a previous story

A quick update on a previous data breach story. This is the USB stick that got mislaid from Heathrow Airport in October 2017. The UK’s Information Commissioners Office (ICO) has just hit Heathrow Airport with a £120,000 fine for that breach. Now the amount of personal data on that stick was limited enough. However the ICO decided to hit harshly due to poor corporate standards and staff training which led to the breach. This fine was brought under the old legislation, pre-GDPR. The maximum fine available under that law was £500,000. As the GDPR puts much more responsibility on companies to protect personal data, if they were to have the same thing happen now, they would get a much larger fine.

If there’s one take away from all of this – the GDPR hasn’t gone away. ? If you want to find out the type of training that I deliver, I’ve got my normal GDPR Awareness training and my ***ALL NEW*** GDPR Practical training is now available. Get in touch on info@L2CyberSecurity.com or call 087-436-2675 to discuss further.

The post GDPR hasn’t gone away. appeared first on L2 Cyber Security Solutions Ltd..

As you should know by now, the General Data Protection Regulation (GDPR) requires a business to notify the regulatory authority for data protection within 72 hours of becoming aware of the breach, where there is a risk to the rights and freedoms of the affected individuals. They also must notify the affected individuals if there is a high risk to their rights and freedoms and must do so without undue delay.

Facebook notified both on Friday. They put out a public notice about the breach and the DPC were notified, as confirmed by them earlier this week. Here are some tweets from the Data Protection Commission:

The DPC talked very publicly about the Facebook breach, didn’t they?

And this is what I want to address in this post. This Facebook breach was addressed very publicly by the DPC. I would believe that this is because Facebook is such a huge source of personal data. Also the fact that this story has attracted massive worldwide attention. If they didn’t come out with those tweets, they would have been accused of all sorts of bad practice.

I don’t expect them to be publicly tweeting about a data breach in a small business, which accidentally sent a spreadsheet containing customer personal data to an incorrect e-mail recipient. It’s very important you realise this. I don’t want any business owner, who becomes aware of a data breach which needs to be reported, to decide not to notify the DPC in case they should start tweeting about it.

If you become aware of a notifiable breach, please report it. Unless you are a massive source of personal data, I don’t expect the DPC to tweet about it. It will be dealt with reasonably discreetly.

Want to find out more about data breaches?

I did a short (<2 minute) video on 6 examples of a data breach. If you head over to my YouTube channel you can see an entire video series with more discussion about the different examples of data breaches.

In the meantime, lets be careful out there.

#GDPR #SecuritySimplified

The post Facebook Breach – The DPC was very public about it. appeared first on L2 Cyber Security Solutions Ltd..

This has actually been going on, quietly in the background, for some 9 years at this stage and is certainly the first I have heard about it … and it concerns me greatly.

The CSO state that the reason for gathering the data is such that it “may significantly enhance our statistics on tourism and international travel”. How does knowing when a visitor to our country makes a phone call enhance tourism statistics? I don’t know. 

Gathering such call details would require them to also capture some unique identifier for that handset, as otherwise they would have no way of identifying whether a call was a single call made by one tourist or whether it was one of twenty calls made by that same tourist. Guess what? Every mobile phone has a unique identifier. The International Mobile Equipment Identity (IMEI) and this ties back to a person, and so is personal data.

Also noted in the article was

… the Court of Justice of the European Union held that traffic and location data was liable to allow ‘very precise conclusions’ to be drawn about the private lives of individuals.

in other words knowing where somebody is at all times is effectively spying on somebody … state sponsored surveillance even.

The CSO had even gone as far as having a Statutory Instrument drafted by the Attorney General’s office (another state agency), which would have enabled the government to sign off on it, thereby compelling the mobile operators to hand over the personal data on visiting tourists, without their knowledge or permission. Fortunately the DPC raised concerns

The “extraordinary” project would, in effect, “track the movements of visitors to this country and will in turn, affect tourists’ privacy rights, in that their entire holiday will have been recorded and analysed, albeit anonymously”.

The CSO still appear to be continuing with this “project” as stated at the end of the article, but Helen Dixon, the current Commissioner with the DPC, has stated her office would expect to be consulted before any Statutory Instrument is signed off.

In this, the era of the General Data Protection Regulation (GDPR), I would expect that state agencies have to follow the same rules that apply to all other businesses in the EU. I cannot for the life of me think of a single legal justification for the CSO to gather such granular data on private citizens (no matter what country the come from).

This could be the thin end of the wedge … what’s next … if they can do it to tourists, will Irish residents be next?

<googles “tinfoil hat creation”> 

The post State agency wants to track tourists. appeared first on L2 Cyber Security Solutions Ltd..