Hackers accessed systems at the National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile.

The post SolarWinds hackers breach US nuclear weapons agency appeared first on GDPR Register | Compliance tool for privacy experts.

Analysis reveals that out of the 4,179 businesses, 45% lost data to hackers in the past 12 months. IT and telecommunication companies saw breaches most often, with 53% of companies losing data. IT and telecommunication businesses often have customers’ financial information, in addition to other sensitive data, such as private conversations, social security numbers, and addresses.

Next up is the retail and wholesale industry, in which 52% of businesses experienced a data breach in the last year. Such cybersecurity incidents in retail businesses can damage the brand’s reputation, which leads to losing numerous customers, especially those who are privacy-conscious.

Third on the list is financial services, where exactly half of the respondents stated that their business lost sensitive data to fraudsters. Breaches in the financial industry are a huge concern since an unnoticed leak allows cybercriminals to drain the victims’ bank accounts.

Companies in the government sector are not an exception to the rule, as 46% of them had a data leak in the last 12 months. Attacks aimed at the government are more often than not supported by foreign authorities, whose aim is to obtain political and military information.

Finally, manufacturing and industrial companies experienced data breaches least often, but still a significant amount, at 43%. The danger is mostly to the businesses themselves, as competitors hire hackers to steal inside data which would destroy the competitive advantage the victim company had.

Most common threats overall

Shockingly, as many as 78% of surveyed businesses reported some kind of a cyber threat in their systems last year. On average, a cyber incident caused $312,117 in damages.

Besides data breaches, viruses and malware are the most common threats detected. Over 43% of companies experienced viruses and malware in their internal network in the last 12 months.

There is a wide variety of viruses and malware created by hackers. Nonetheless, the overwhelming majority of them are created to make money illegally.

Also, 39% of companies reported that bring-your-own-devices (BYOD) had been infected by malware as well. Some companies provide all the needed equipment for work, while others require employees to bring their own computers and mobile devices. Company-owned equipment usually has at-least some security measures in place as soon as the employee gets the device. However, that is not the case with BYOD equipment. There is no guarantee that employees update their computer software, which leaves vulnerabilities that hackers can abuse.

The fourth most common cyber threat in businesses globally is crypto-malware and ransomware. Crypto-malware is a type of ransomware that encrypts a user’s files and demands a ransom. Fraudsters can also steal the data, delete it from the company’s database, and request a ransom (usually in Bitcoin) to get back the data. Unfortunately, companies often choose to pay the ransom to avoid damaging their public reputation, hence further encouraging such attacks.

DDoS attacks are one of the most known types of cyberattacks, which affected 34% of companies globally in the last 12 months. DDoS is short for Distributed Denial of Service, and it is an attack used to crash a service or a website, making it temporarily inaccessible to its users. Although individuals suffering from DDoS attacks, typically, cybercriminals target services instead. They often attack services hosted on high-profile web servers, like banks or credit card payment gateways. Revenge, blackmail, and activism are the most common reasons behind the performed attacks.

Source: atlasvpn

Photo by Kevin Ku on Unsplash

The post Survey result: 45% of businesses faced a data breach in last 12 months appeared first on GDPR Register | Compliance tool for privacy experts.

Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.

The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number.

The precise number of people affected is unclear as there may have been multiple records for an individual guest. Seven million guest records related to people in the UK.

The ICO’s investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR).

Information Commissioner, Elizabeth Denham, said:

”Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.

“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

The ICO’s investigation traced the cyber-attack back to 2014, but the penalty only relates to the breach from 25 May 2018, when new rules under the GDPR came into effect.

Because the breach happened before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.

In July 2019, the ICO issued Marriott with a notice of intent to fine. As part of the regulatory process, the ICO considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on their business before setting a final penalty.

Details of the cyber attack

In 2014, an unknown attacker installed a piece of code known as a `web shell’ onto a device in the Starwood system giving them the ability to access and edit the contents of this device remotely.

This access was exploited in order to install malware, enabling the attacker to have remote access to the system as a privileged user. As a result, the attacker would have had unrestricted access to the relevant device, and other devices on the network to which that account would have had access.

Further tools were installed by the attacker to gather login credentials for additional users within the Starwood network. With these credentials, the database storing reservation data for Starwood customers was accessed and exported by the attacker.

The ICO acknowledges that Marriott acted promptly to contact customers and the ICO. It also acted quickly to mitigate the risk of damage suffered by customers, and has since instigated a number of measures to improve the security of its systems.

Source: ICO

Photo by ActionVance on Unsplash

The post ICO fines Marriott International Inc £18.4million for failing to keep customers’ personal data secure appeared first on GDPR Register | Compliance tool for privacy experts.

An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.

ICO investigators found BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time.

Addressing these security issues would have prevented the 2018 cyber-attack being carried out in this way, investigators concluded.

Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.

“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

Because the BA breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.

In June 2019 the ICO issued BA with a notice of intent to fine. As part of the regulatory process the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty.

Details of the cyber attack

The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.

Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.

Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.

Failure to prevent the attack

There were numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access the BA network. These include:

• limiting access to applications, data and tools to only that which are required to fulfil a user’s role
• undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems;
• protecting employee and third party accounts with multi-factor authentication.

Additional mitigating measures BA could have used are listed in the penalty notice.

None of these measures would have entailed excessive cost or technical barriers, with some available through the Microsoft Operating System used by BA.

Since the attack, BA has made considerable improvements to its IT security.

Lack of awareness of the attack

ICO investigators found that BA did not detect the attack on 22 June 2018 themselves but were alerted by a third party more than two months afterwards on 5 September. Once they became aware BA acted promptly and notified the ICO.

It is not clear whether or when BA would have identified the attack themselves. This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant.

Original article: ICO

The post ICO fines British Airways £20m for data breach affecting more than 400,000 customers appeared first on GDPR Register | Compliance tool for privacy experts.

When Morgan Stanley decommissioned two data centers related to the bank’s wealth management business in 2016, the company did not properly oversee the third-party company responsible for ensuring that all personal data was removed, according to the OCC, which is part of the U.S. Treasury Department.

“In connection with the decommissioning, the bank, among other things, failed to effectively assess or address the risks associated with the decommissioning of its hardware, failed to adequately assess the risk of using third-party vendors, including subcontractors, and failed to maintain an appropriate inventory of customer data stored on the devices,” according to an OCC report.

OCC also says Morgan Stanley neglected to exercise proper oversight while retiring certain network devices, such as computer servers, at a local branch in 2019.

A spokesperson for Morgan Stanley says that the company does not believe that any customer data has ever been accessed or misused, and the bank continues to monitor the situation.

“Moreover, we have instituted enhanced security procedures, including continuous fraud monitoring, and will continue to strengthen the controls that we have in place to protect our clients’ information,” the spokesperson says.

Lawsuit Filed as Well

The OCC fine come about a month after attorneys representing Morgan Stanley customers filed a lawsuit against the bank, claiming it failed to properly safeguard personally identifiable information when the company discarded equipment (see: Morgan Stanley Hit With $5 Million Data Breach Suit ).

Morgan Stanley confirmed these incidents in data breach notification letters sent to the California attorney general and other states’ attorneys general in July. The letter notes the data exposed may have included account names and numbers (at Morgan Stanley and any linked bank accounts), Social Security number, passport number, contact information, date of birth, asset value and holdings data. It says it offered victims two years of prepaid credit monitoring services.

The lawsuit involves complaints from about 100 Morgan Stanley customers who claim they were affected by the company’s practices.

Protecting Data

One reason why the OCC likely fined Morgan Stanely is that the bank failed to properly assess the data it was protecting, says Mark Rasch, an attorney with the law firm of Kohrman, Jackson & Krantz, who is not involved in the case.

“The entities that are the custodians of the data don’t understand the value of the data they are protecting. If this were a bank vault, they would understand,” Rasch tells Information Security Media Group.

Morgan Stanley may not have had a complete checklist in place to help ensure it properly disposed of decommissioned computers, Rasch says.

Richard Santalesa, a technology and data privacy attorney at SmartEdgeLaw Group, a boutique law firm with offices in New York and Connecticut, notes that the size of the fine likely reflects that these similar incidents happened only three years apart and that the OCC wanted to make a point about how large financial institutions need to oversee personally identifiable information, even when it’s left to third parties to handle.

“I’m sure this latest action has made the desks of every CISO and chief privacy officer in the financial ecosphere,” Santalesa says. “I know that if I were sitting in that C-seat, I’d immediately add a ‘data destruction/deletion review’ agenda item to my next department meeting.”

Other Recent OCC Action

The fine that the OCC levied against Morgan Stanley is the second the agency has brought against a major financial intuition following a cyber incident.

In August, the OCC fined Capital One $80 million, citing numerous security shortfalls before the 2019 data breach that exposed the financial and personal information of over 100 million individuals in the U.S. and Canada (see: Capital One Fined $80 Million Over 2019 Breach ).

Original article: BANKINFOSECURITY

The post Morgan Stanley Fined $60 Million for Data Protection Mishaps appeared first on GDPR Register | Compliance tool for privacy experts.

The data protection expert, who exposed the breach, build a site called Have I Been Pwned, where internet users can check, whether if users account that has been compromised in a data breach.  In the same site, users can check, whether the password has previously appeared in a data breach and should never be used. 

LEARNING TIP: Firstly, it is important to change all the passwords from your email accounts and start using two-phase authentication. Secondly, it is crucial to make your passwords as secure as possible. Many use similar passwords to several different accounts with only minor variations.

Modern computers are able to break simple and short passwords within minutes, even if using capital letters, numbers and special characters. The safest passwords should contain at least 15 characters and could even form a sentence, sentence is also easier to remember compared to random letters and characters. Never store passwords at your own computer, as malware is able to collect them.

Consider using password management programs, where you can save your passwords or the program can create random passwords for you. Most commonly used programs: Dashlane, F-Secure Key, Keychain, Keepass, Password Safe, Lastpass and 1password.

Read more on cyber attacks and see the tips on how to avoid being attacked in the first place.

The post World’s Biggest Data Breach – Over 770 Million User Accounts and Passwords Leaked appeared first on GDPR Register | Compliance tool for privacy experts.

A few days later after announcing the incident, the possible mastermind of the attack was found. A 19-year-old guy is claimed to cause a huge data breach that affected hundreds of politicians and celebrities. While the German government takes this attack very seriously as the infringement of the of personal data protection, cybersecurity experts warn all the officials in higher power positions to be aware of the risks.

LEARNING TIP on prevention from being hacked:
1.  Keeping accounts secure with complex passwords that consist of a combination of numbers, upper- and lower-case letters, and special characters that is difficult to guess (ITPRO suggests that “The best passwords are the ones you can’t remember“).
2. Using a password manager that stores and auto-fills credentials for different sites, allowing to create a complex and unique password for each site and keeping the device much more secure.
3. NOT sharing the paswords. With the exception of some school services, never provide a site administrator with the password for them to access the account.
4. Changing passwords often, at least once per 6 months.
5. Setting a two-factor authentication which requires to enter a code sent, as an example, in a text message. This makes it more difficult for a hacker to access target’s information, even if they are able to crack the password.
6. Avoiding the use of the correct answer for security questions. Hackers can find out target mother’s maiden name or what street target grew up on easily. It is better to enter random answers, or to make them like passwords and not based on the questions at all.
7. Reading the privacy policies carefully. Any company that collects any personal data must have a privacy policy that details how they use that information and the extent to which they share it with others.
8. Logging out of accounts after the session is done.
9. Making sure that pasword is being entered to an official website. Phishing scams – instances in which a malicious page pretends to be a login page for a social media or bank account – are one of the easiest ways to hack someone. One way to spot phishing scams is to look at the site’s URL: if it closely resembles (but doesn’t exactly match) a reputable site’s URL, it’s a fake site.

The same as any person, any company, regardless of the size, can be attacked. Attackers are aware that receiving GDPR fine could be fatal to the smaller businesses. Read more on how to prevent cyber attacks in the companies. 

The post German Politicians in the Target of Cyber Attacks appeared first on GDPR Register | Compliance tool for privacy experts.