
Hackers Exploit Security Flaws to Access Millions of UK Voters' Details

The UK's data privacy watchdog has found that the personal details of millions of UK voters were left exposed to hackers due to poor security practices at the Electoral Commission. The breach occurred because passwords were not changed regularly and software updates were not applied.

The cyber-attack began in August 2021 when hackers gained access to the Electoral Registers, containing details of millions of voters, including those not publicly available. The Information Commissioner's Office (ICO) has formally reprimanded the Electoral Commission for this security lapse. The Electoral Commission expressed regret over the insufficient protections and stated that they have since improved their security systems and processes.

No Evidence of Data Misuse

Although the investigation did not find any evidence of personal data misuse or direct harm caused by the attack, the ICO revealed that hackers had access to the Electoral Commission's systems for over a year. The breach was discovered only after an employee reported spam emails being sent from the commission's email server, and the hackers were eventually removed in 2022.

Accusations and Denials

The UK government has accused China of being behind the attack on the Electoral Commission. However, the Chinese embassy has dismissed these claims as "malicious slander."

Basic Security Failures

The ICO's investigation found that the Electoral Commission had failed to implement adequate security measures to protect the personal information it held. Hackers exploited known security weaknesses in the commission's software, which had not been updated despite patches being available for months. Additionally, the commission had no policy to ensure employees used secure passwords: 178 active email accounts were still using default or easily guessable passwords set by the IT service desk.

Preventable Breach

ICO deputy commissioner Stephen Bonner emphasised that the data breach could likely have been prevented if the Electoral Commission had taken basic security steps. By not promptly installing the latest security updates, the commission's systems were left vulnerable to hackers.

This incident serves as a striking reminder of the importance of regular software updates and strong password policies to protect sensitive data from cyber-attacks.


PSNI Faces £750,000 Fine for Major Data Breach


The Police Service of Northern Ireland (PSNI) is set to receive a £750,000 fine from the UK Information Commissioner’s Office (ICO) due to a severe data breach that compromised the personal information of over 9,000 officers and staff. This incident, described as "industrial scale" by former Chief Constable Simon Byrne, included the accidental online release of surnames, initials, ranks, and roles of all PSNI personnel in response to a Freedom of Information request. 

This breach, which occurred last August, has been deemed highly sensitive, particularly for individuals in intelligence or covert operations. It has led to significant repercussions, including Chief Constable Byrne's resignation. Many affected individuals reported profound impacts on their lives, with some forced to relocate or sever family connections due to safety concerns. The ICO's investigation highlighted serious inadequacies in the PSNI's internal procedures and approval processes for information disclosure. 

John Edwards, the UK Information Commissioner, emphasized that the breach created a "perfect storm of risk and harm" due to the sensitive context of Northern Ireland. He noted that many affected individuals had to "completely alter their daily routines because of the tangible fear of threat to life." Edwards criticized the PSNI for not having simple and practical data security measures in place, which could have prevented this "potentially life-threatening incident." He stressed the need for all organizations to review and improve their data protection protocols to avoid similar breaches. 

The ICO's provisional fine of £750,000 reflects a public sector approach, intended to prevent the diversion of public funds from essential services while still addressing serious violations. Without this approach, the fine would have been £5.6 million. In response to the breach, the PSNI and the Northern Ireland Policing Board commissioned an independent review led by Pete O’Doherty of the City of London Police. The review made 37 recommendations for enhancing information security within the PSNI, underscoring the need for a comprehensive overhaul of data protection practices. 

Deputy Chief Constable Chris Todd acknowledged the fine and the findings, expressing regret over the financial implications given the PSNI's existing budget constraints. He confirmed that the PSNI would implement the recommended changes and engage with the ICO regarding the final fine amount. The Police Federation for Northern Ireland (PFNI), representing rank-and-file officers, criticized the severe data security failings highlighted by the ICO. 

PFNI chair Liam Kelly called for stringent measures to ensure such an error never recurs, emphasizing the need for robust data defenses and rigorous protocols. This incident serves as a stark reminder of the critical importance of data security, particularly within sensitive sectors like law enforcement. The PSNI's experience underscores the potentially severe consequences of inadequate data protection measures and the urgent need for organizations to prioritize cybersecurity to safeguard personal information.

ICO Publishes New Guidelines for Employee Surveillance at Work


The ICO issued its guidelines alongside research on employee monitoring that it commissioned. Before conducting any workplace tracking, companies should examine their legal obligations under the Data Protection Act as well as their employees' rights. 

According to its findings, 19% of respondents feel they have been tracked by their employers, with 70% believing it would be "intrusive" if their employers monitored them. Some employees told the ICO that working for a company that monitored them would put them off, with less than one in five stating they would feel confident taking a new job if they knew they would be monitored. 

The ICO claims that the guidance provides "clear direction" on how employee monitoring can be carried out ethically and legally. It is directed at both private and public sector organisations, outlines an organisation's legal obligations and offers best practice guidance.

The ICO's research shows how concerned employees are about their privacy at home when it comes to employee monitoring, said Emily Keaney, deputy commissioner for regulatory policy at the ICO.

“As the data protection regulator, we want to remind organisations that business interests must never be prioritised over the privacy of their workers,” she explained. “Transparency and fairness are key to building trust and it is crucial that organisations get this right from the start to create a positive environment where workers feel comfortable and respected.” 

Workers' privacy at risk

While data protection law does not forbid monitoring, the ICO urges businesses across all sectors to remember their "legal obligations" to their employees' rights, stressing in its guidance that any monitoring must be "proportionate". "If we think that people's privacy is in danger, we will act," Keaney warned.

The ICO defines monitoring in its guidelines as keeping track of calls, texts, and keystrokes as well as taking screenshots, webcam recordings, and audio recordings. Additionally, it states that using specific software to track activities and using biometric data to measure attendance and timekeeping are both examples of employee monitoring. 

It advises organisations to take a number of steps before introducing worker monitoring if they wish to do so. Employees must be informed of the "nature, extent, and reasons" of any monitoring, and employers must have a "lawful basis" (such as consent) for processing employee data. 

The regulator also makes reference to the requirement for data protection impact assessments for any monitoring activity, which is not always supported by the Data Protection and Digital Information Act, the UK's GDPR replacement bill that is now being debated in the House of Commons. 

More than 1,000 UK citizens were surveyed by the ICO regarding their views and experiences with employee monitoring. 78% of respondents thought that recording audio and video was the most intrusive action an employer could take, while 83% thought that monitoring personal devices was the most intrusive action. 

According to Antonio Fletcher, head of employment at the legal firm Whitehead Monckton, employees' privacy concerns are growing, especially in light of the widespread usage of webcams and other video. In addition, he mentioned that if employees are working remotely, audio recordings might be used for surveillance and might record private conversations with children and adults.

The UK Government Warns Against Using Excel Spreadsheets Due to Multiple Data Breaches


The UK government has issued a warning to people to stop using spreadsheet software such as Microsoft Excel due to multiple data breaches. The Information Commissioner’s Office (ICO) has identified spreadsheets as a major cause for concern in the safety of personal information.

Causes of Data Breaches

The warning comes in the wake of a surge in data breaches caused by Freedom of Information (FOI) requests, with incidents including the leaking of personal information pertaining to witnesses, suspects, and victims in several crimes. The ICO has advised public bodies to stop using spreadsheets when responding to requests made under the Freedom of Information Act 2000 (FoI). 

Personal information is exempt from release and should be redacted before the request is actioned. However, there have been numerous cases where employees have not received enough training to fully redact spreadsheets before release. Breaches such as these show that data is not just at risk from hackers but also from general incompetence and highlight the importance of cyber literacy within organizations.

Recommendations from ICO

The ICO has issued several recommendations to organizations, including immediately stopping uploading original source spreadsheets to online platforms used to respond to FOI requests, continually providing training to staff who are involved with disclosing information, and avoiding using spreadsheets with hundreds or thousands of rows and instead investing in data management systems which support data integrity. 
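One concrete check behind the first recommendation: an "original source" spreadsheet often carries hidden sheets, rows or columns that survive a visual redaction and travel with the file. As an added example (not the ICO's or any public body's own tooling), this Python script opens the .xlsx package directly with the standard library and flags hidden content before release; the sample workbook and every cell value in it are constructed here for the demonstration.

```python
"""Pre-release check for an .xlsx package: flags hidden sheets, rows and columns
that a manual redaction can leave behind. Added example; sample data is invented."""
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by workbook.xml, the relationships part and worksheets.
M = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
P = "http://schemas.openxmlformats.org/package/2006/relationships"
NS = {"m": M}

def find_hidden_content(xlsx_bytes: bytes) -> list:
    """Return one finding per hidden sheet, hidden column range and hidden row.
    Hidden content is still inside the file; an empty list means nothing hidden
    was found, not that the file is safe (comments, pivot caches are not checked)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        rels = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))
        # Relationship id -> worksheet part (relative to xl/ unless absolute).
        targets = {rel.get("Id"): rel.get("Target") for rel in rels}
        for sheet in workbook.find("m:sheets", NS):
            name = sheet.get("name")
            state = sheet.get("state", "visible")  # visible | hidden | veryHidden
            if state != "visible":
                findings.append(f"sheet {name!r} is {state}")
            target = targets[sheet.get(f"{{{R}}}id")]
            part = target.lstrip("/") if target.startswith("/") else "xl/" + target
            ws = ET.fromstring(zf.read(part))
            for col in ws.iterfind("m:cols/m:col", NS):
                if col.get("hidden") in ("1", "true"):
                    findings.append(f"sheet {name!r}: hidden columns {col.get('min')}-{col.get('max')}")
            for row in ws.iterfind("m:sheetData/m:row", NS):
                if row.get("hidden") in ("1", "true"):
                    findings.append(f"sheet {name!r}: hidden row {row.get('r')}")
    return findings

def build_sample_xlsx() -> bytes:
    """Construct a minimal package (enough for the checker, not a complete Excel
    file): a visible 'Summary' sheet with a hidden column and row, plus a hidden 'Source' sheet."""
    def cell(ref, text):
        return f'<c r="{ref}" t="inlineStr"><is><t>{text}</t></is></c>'
    workbook = (f'<workbook xmlns="{M}" xmlns:r="{R}"><sheets>'
                '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
                '<sheet name="Source" sheetId="2" state="hidden" r:id="rId2"/>'
                '</sheets></workbook>')
    rels = (f'<Relationships xmlns="{P}">'
            f'<Relationship Id="rId1" Type="{R}/worksheet" Target="worksheets/sheet1.xml"/>'
            f'<Relationship Id="rId2" Type="{R}/worksheet" Target="worksheets/sheet2.xml"/>'
            '</Relationships>')
    sheet1 = (f'<worksheet xmlns="{M}"><cols><col min="3" max="3" width="0" hidden="1"/></cols>'
              f'<sheetData><row r="1">{cell("A1", "Rank")}{cell("C1", "Surname")}</row>'
              f'<row r="2" hidden="1">{cell("A2", "Sergeant")}{cell("C2", "Example")}</row>'
              '</sheetData></worksheet>')
    sheet2 = (f'<worksheet xmlns="{M}"><sheetData><row r="1">'
              f'{cell("A1", "Unredacted source extract")}</row></sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/_rels/workbook.xml.rels", rels)
        zf.writestr("xl/worksheets/sheet1.xml", sheet1)
        zf.writestr("xl/worksheets/sheet2.xml", sheet2)
    return buf.getvalue()
```

Running `find_hidden_content(build_sample_xlsx())` reports the hidden column, the hidden row and the hidden sheet; a clean export of only the intended visible cells into a fresh file is the safer way to respond than trying to "tidy" the source workbook.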

What next?

The recent personal data breaches are a reminder that data protection is, first and foremost, about people. Robust measures must be in place to protect personal information. The advice we have issued sets out the bare minimum that public authorities should be doing to protect personal data when responding to information access requests, and to reassure the people they serve, and their staff, that their information is in safe hands.

Neurotech: ICO Raises Alarms Over the Future of Brain-monitoring Technology


A recent study by the data watchdog describes how organisations may in future use brain-monitoring technology on employees or prospective employees.

However, the Information Commissioner's Office warns that if "neurotech" is not created and applied correctly, there is a serious risk of discrimination.

The growing popularity of "neurotech" in the UK private sector has prompted the ICO to issue stern warnings about the threat of bias in the collection of neurological data.

It is believed that the use of technology to monitor neurodata will be seen on a large scale within the next decade. The first steps of this "technological advancement" can already be seen, with Elon Musk's Neuralink developing implants that connect computers to human brains.

Current Trends in Neurotechnology

The ICO published a report recently, highlighting concerns that, in the absence of adequate regulation, the surge in interest in neurotechnology and the collection of neurodata may be abused.

Apparently, there has been a rise in interest in the UK private sector, with around 34 companies focusing on the industry, according to the watchdog.

Currently, the medical industry, which is subject to tight restrictions, is the principal area for applying neurotechnology. With the use of more sophisticated invasive and non-invasive equipment, such as brain implants and wristband-based neural interfaces, scientists have been attempting to help patients overcome neurological problems.

The technology may predict, diagnose, and treat complicated physical and mental health problems, altering a patient’s response to illnesses like dementia and Parkinson’s disease. Recently, in May, a 40-year-old patient named Gert-Jan Oskam who was paralysed in a cycling accident was able to walk again, all thanks to electronic implants in his brain.

Companies in the private sector are also beginning to use the technology. The ability to "read and write" long-term memories directly from the brain is being developed by startups like Kernel, and Elon Musk's brain implant company Neuralink recently received regulatory approval to begin its first human clinical trials, which raised a few eyebrows due to claims of animal cruelty against the company during earlier research phases.

Beyond the medical sector, fields such as recruitment have also begun to consider using neurodata. This has further raised the ICO's concerns, since the subjects of such monitoring may have no control over their data, which risks discrimination in a professional setting.

Companies are at Risk From Remote Workers Losing Their Laptops


Data thieves can steal a laptop from a coffee shop table, a lost property bin, an unlocked locker, your desk at work, or even your luggage on a crowded commuter train, and it's far away when you first realize it's gone. They are difficult to identify and trace, and because most individuals carry computers, it is simple to steal without anybody knowing. Many data theft events are simply crimes of opportunity rather than deliberate attacks, and stolen laptops make an excellent target.

Organizations have been fined a total of £26 million after employees misplaced company-owned laptops and phones, according to data compiled by Cisco Systems.

The Information Commissioner's Office has received over 3,000 reports of missing devices containing user data during the past two years. Businesses whose employees lose laptops or phones holding customer information are far more likely to be penalized than companies that have been the target of ransomware attackers.

The majority of organizations are putting cyber defenses in place, yet many do not consider their own staff a threat to company data. But a major part of cyber security preparation is looking inside the organization for potential insider threats. It can be challenging to tell whether a staff member has legitimately used company systems or is attempting to attack the company.
According to data protection legislation, the loss of a device containing or having access to the personal data of customers or suppliers must be reported to the ICO. As per Lindy Cameron, the CEO of the National Cyber Security Centre, ransomware is one of the most severe cybersecurity risks in the UK.

Martin Lee, technical lead for cybersecurity at Cisco, warned that office workers who are unable to resume their usual commute may see an increase in lost or stolen devices that carry important company data. Businesses in the UK have been investing heavily to ensure that their corporate networks are impenetrable because of the increased awareness of cyber threats brought on by rising data breaches. 

ICO Struck by 2650% Rise in Email Attacks in 2021


The UK's Information Commissioner's Office (ICO) reported a whopping 2650% spike in email attacks in 2021, according to official figures obtained by the Parliament Street think tank following a Freedom of Information request.

Email attacks on the UK's privacy and data protection regulator increased from 150,317 in January to 4,135,075 in December, according to the findings. For each month last year, the data refers to the volume of phishing emails discovered, malware detected and prevented, and spam detected and blocked by the ICO. 

The majority of the attacks were spam emails, which increased by 2775% from January to December. During this time, the number of phishing emails climbed by 20%, while malware increased by 423%.

In December, the statistics revealed a significant increase in email attacks, with 4,125,992 spam messages, 7886 phishing emails, and 1197 malware cases. This increase is likely to be linked to the Omicron variant's rapid spread in the UK at the end of the year, with threat actors able to use issues like testing and immunizations as bait. This is in addition to the Christmas scams that proliferate in the build-up to the holidays. 

Edward Blake, area vice president EMEA of Absolute Software, commented: “Cyber-attacks are targeting organizations across the globe at an alarming rate, once again reminding businesses of the need to re-evaluate and revamp their security protection if it is not up to scratch. Cybersecurity is not just about protecting endpoints via anti-malware or email cybersecurity solutions. While these are important, there are now a variety of access points for cyber-criminals to capitalize on that IT leaders need to be aware of. These include vulnerable unpatched applications and network vulnerabilities, stolen or illegally purchased log-in credentials or even by hacking unprotected smart devices.” 

Barracuda Networks' manager, Steven Peake, expressed similar concerns, saying: “The pandemic continues to be a catalyst for opportunistic cyber-criminals to try and prey on unsuspecting, vulnerable people. Our recent research showed a 521% surge in COVID-19 test-related phishing attacks, so it is hardly surprising to see major organizations, such as the ICO, hit by such a high volume of threats as they represent lucrative targets. Phishing emails, malware, and spam, in particular, account for a large proportion of the threats these organizations face, so they need to implement measures to protect themselves. These cyber-attackers aren’t going anywhere anytime soon.” 

As part of its plans to reform the country's data sector, the UK government announced plans to revamp the ICO's structure last year.

AnyVan: 4.1 Million Users Compromised in Data Breach


Headquartered in Hammersmith, London (UK), AnyVan is a European online platform through which customers access consignment, transport and removal services from its network of transport partners. It focuses on European moves only. It is also one of Europe's front runners in moving services, as it can compare a customer's delivery route with that of a transport provider and match them to reduce costs and eliminate CO2 emissions by optimizing storage space and haulage. However, AnyVan recently notified its users of an unauthorized intrusion in which hackers stole customers' personal details.

The company informed its customers by sending them a notice about the data breach it had suffered. AnyVan disclosed that it discovered the incident on 31 December 2020 and also explained why users were being informed so late.

Regarding the incident, AnyVan stated: “This leaking of data came to our attention on the 31st December, but we understand the incident itself occurred at the end of September. As soon as the incident came to our attention, our specialist IT team investigated it and have since taken the following remedial action: all passwords have been changed.”

According to the notice and statements given by the company, customers' names, email addresses and a cryptographic hash of their passwords were accessed and probably posted on the dark web by the actors. Seemingly, no other sensitive information was compromised. The company added that its investigation of the incident continues. However, all this came only after the actors had had ample time to exploit users' data. An estimated 4.1 million users are affected by this data breach. AnyVan never even reached out to the ICO (Information Commissioner's Office), an important step given that its users' confidential data was compromised.

As a precautionary measure, the company advised its customers to update the password and other personal details of the accounts they use on AnyVan. It warned them not to unwittingly share any other information or personal details with anyone. The company also apologized for the breach of its users' personal information and said it was very sorry for the inconvenience caused.