The UK’s Information Commissioner’s Office (ICO) said on Wednesday that it’s fined Cathay Pacific Airways £500,000 (USD $647,015, €576,992) for failing to secure passengers’ personal details, leading to malware being installed on its server that harvested millions of people’s names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information.
Cathay said at the time that the intruders also accessed 403 expired credit card numbers, as well as 27 credit card numbers that didn’t have a CVV attached.
This wasn’t a one-time security fail, the ICO said. All that data was at risk for over four years.
Cathay, which is based in Hong Kong, first realized in March 2018 that its database had been hit by a brute-force attack. As we’ve explained previously, you can think of such an attack like this:
→ Brute force is the way you open those cheap bicycle locks with wheels numbered 0 to 9 if you forget the code. You turn the dials to 0-0-0 and then click round systematically, counting up digit by digit, until the lock pops open.
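The analogy carried through in code, as an added example that is not from the Naked Security article or the ICO notice: a three-dial lock with digits 0 to 9 is walked from 0-0-0 upwards until it opens, then the same walk is run against a lock that stops answering after a few wrong tries. The lock classes, the secret codes and the attempt limit are all constructed for illustration; a password or database login endpoint differs only in being slower per guess.

```python
# Added example, not from the Naked Security article or the ICO notice.
# It carries the bicycle-lock analogy through in code: a three-dial lock
# with digits 0-9 is walked from 0-0-0 upwards until it opens, then the
# same walk is run against a lock that locks out after a few wrong tries.
# The lock classes, the secret codes and the attempt limit are constructed
# for illustration; a real login endpoint differs only in being slower.
import hmac
import itertools


class DialLock:
    """Accepts unlimited attempts and answers only open/closed."""

    def __init__(self, code: str):
        self._code = code
        self.attempts = 0

    def try_code(self, guess: str) -> bool:
        self.attempts += 1
        # compare_digest keeps the check constant-time so the attacker
        # gets no timing hint about how many dials are already right.
        return hmac.compare_digest(guess, self._code)


class LockingDialLock(DialLock):
    """Same lock, but it stops answering after max_failures wrong guesses."""

    def __init__(self, code: str, max_failures: int = 5):
        super().__init__(code)
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def try_code(self, guess: str) -> bool:
        if self.locked:
            raise PermissionError(f"locked out after {self.failures} failures")
        ok = super().try_code(guess)
        if not ok:
            self.failures += 1
            self.locked = self.failures >= self.max_failures
        return ok


def brute_force(lock: DialLock, dials: int = 3, digits: str = "0123456789"):
    """Try every code in counting order (000, 001, 002, ...).

    Returns the code that opened the lock, or None if the lock stopped
    answering before the search reached it.
    """
    for combo in itertools.product(digits, repeat=dials):
        guess = "".join(combo)
        try:
            if lock.try_code(guess):
                return guess
        except PermissionError:
            return None
    return None


def key_space(dials: int = 3, digits: str = "0123456789") -> int:
    """Upper bound on attempts: every setting of each dial combined."""
    return len(digits) ** dials


if __name__ == "__main__":
    plain = DialLock("742")
    print("unlimited lock opened with", brute_force(plain),
          "after", plain.attempts, "of at most", key_space(), "attempts")
    guarded = LockingDialLock("742", max_failures=5)
    print("lockout lock result:", brute_force(guarded),
          "after", guarded.attempts, "attempts")
```

The unguarded lock falls to the 743rd guess; the guarded one stops the walk at the fifth. A failure counter on its own is a blunt tool, since an attacker who can trigger lockouts can deny service to the real user, so on a network-facing system it is normally paired with per-source rate limiting and alerting on the burst of failures, which is exactly the signal a four-year compromise should have produced long before 2018.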
Once it found that its database had been rifled through in 2018, Cathay Pacific hired a cybersecurity firm and subsequently reported the incident to the ICO.
Investigations found that the airline lacked appropriate security for customers’ data from October 2014 to May 2018. Cathay did not disclose the breach until October 2018, when it said its systems had been compromised at least seven months earlier. As the New York Times reported, Cathay first discovered suspicious activity on its network in March 2018 and learned in May that passenger data had been exposed.
Why didn’t the company announce the breach earlier? It didn’t say.
The incident led to the exposure of a huge trove of personal data belonging to 111,578 people from the UK and about 9.4 million more worldwide.
The ICO says that attackers entered Cathay Pacific’s systems through an internet-facing server and, enabled by what the office called a “catalogue of errors,” installed data-harvesting malware. The security failings turned up by the ICO’s investigation included some basic ones: back-up files that weren’t password-protected, unpatched internet-facing servers, operating systems that were no longer supported by their vendor, and inadequate anti-virus protection.
Steve Eckersley, ICO Director of Investigations:
People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here.
This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected.
The fine would have hurt a lot more if the breach had been discovered after the General Data Protection Regulation (GDPR) took effect on 25 May 2018; because the contravention predated it, the ICO could only apply the £500,000 maximum under the earlier Data Protection Act.
In July 2019, the ICO flexed its new GDPR muscles for real, imposing record fines on Marriott and British Airways (BA) for their data breaches. It said it was looking to fine BA a record £183.39 million (US $229.34 million at the time) for a breach discovered in September 2018. By diverting user traffic to a bogus site, attackers managed to steal personal data from about 500,000 customers, including their names, addresses, logins, payment card and travel booking details.
Marriott’s breach was similar to Cathay Pacific’s, given that attackers got into the company’s Starwood guest reservation database and stayed there for years: the unauthorized access started in 2014, and the breach was discovered and reported to the ICO in November 2018.
Though it escaped the weight of the GDPR hammer, the ICO says that Cathay Pacific’s breach was “a serious contravention” of Principle 7 of the Data Protection Act 1998, which states that “appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data.”
For full details on the fine, check out the ICO’s Monetary Penalty Notice.
The post Cathay Pacific fined over crooks slurping its database for over 4 years – Naked Security appeared first on National Cyber Security.
View full post on National Cyber Security
Source: National Cyber Security – Produced By Gregory Evans
An American health services provider has agreed to pay a fine of $2.175m after failing to properly notify the Department of Health and Human Services of a data breach. In April 2017, a complaint regarding Sentara Hospitals was received by the Department of Health and Human Services (HHS). The complainant said […]
View full post on AmIHackerProof.com
Companies in the UK are being fined by the government for not properly securing their data. Is this a model the U.S. and other countries should adopt?
News broke recently that companies in the UK with poor or inadequate cyber security measures could face fines of up to £17m under the UK’s implementation of the EU Network and Information Systems (NIS) Directive. Specifically, if a company fails to protect itself effectively from a cyber attack, it could be subject to a large fine from the government as a “last resort,” according to Digital Minister Matt Hancock. The UK also placed industry-specific regulations on essential services: industries such as water, health, energy and transportation are expected to have stronger safeguards against cyber attacks.
Cyber Security Inspections to Take Place
To keep companies compliant with these regulations, UK regulators will now inspect the cyber security measures companies have in place. Operators of essential services (water, healthcare, electricity, transportation, finance) will face more scrutiny than other companies. If a regulator finds that a company lacks adequate safeguards, the company will have to produce a plan for improving them. Fines are reserved for companies that continue to fail to implement the required safeguards.
Cyber Attacks Becoming More Dangerous
The essential services people use every day are being targeted by cyber attacks at an increasing rate. This can create extremely dangerous situations, such as the WannaCry outbreak of May 2017 that hit National Health Service (NHS) facilities and left several hospitals unable to admit patients. That attack spread through a Windows SMB vulnerability for which Microsoft had published a patch (MS17-010) two months earlier, so it could have been prevented by routine patching of supported systems. It also means that services people depend on every day, from electricity to water to industrial safety systems, could all be at risk.
This makes it clear why the UK government has chosen to regulate cyber security, particularly among companies that provide services it deems essential to the public. It also raises the question of whether the United States should follow suit. U.S. companies have suffered their fair share of cyber attacks, which have disrupted the lives of Americans who depend on the services affected or whose sensitive information was accessed by the attackers.
What Safeguards are Currently in Place?
While it is obviously in a company’s best interest to have cyber security precautions in place rather than cleaning up the mess of an attack afterwards, that doesn’t mean everyone invests as much as they should in cyber security. In the U.S. there are a few federal regulations in place to establish a bare minimum for cyber security in certain essential industries.
HIPAA (1996): HIPAA introduced provisions for the privacy and security of medical information. Its Security Rule requires covered entities (providers, insurers, clearinghouses) and their business associates to implement administrative, physical and technical safeguards for electronic protected health information.
Gramm-Leach-Bliley Act (1999): The Gramm-Leach-Bliley Act requires financial institutions in the U.S. to tell customers how their data is shared and what protections are in place to secure it, and to maintain a written information security program. Noncompliance means hefty fines for financial institutions and could lead customers to take their business elsewhere.
FISMA (2002): The Federal Information Security Management Act was enacted as Title III of the E-Government Act of 2002 (a near-identical version also appeared in the Homeland Security Act of that year). It requires every federal agency to develop, document and implement an agency-wide information security program, with the standards set by NIST.
Critics say that these three regulations are good for establishing a minimum level of security but do not go far enough. Compliance with them has not been enough to safeguard against the advanced cyber attacks of recent years, and there have been clear breaches in the medical, financial and government sectors. While some state governments have put additional regulations in place, the general consensus remains that individual companies are responsible for strengthening their own cyber security as they see fit.
Cyber Security Investments Should be Increased
At the end of the day, U.S. companies will need to make the decisions that are best for their businesses and customers about what level of cyber security protection is necessary. Marcus Turner, Chief Architect at Enola Labs Software, often discusses cyber security measures with his clients, stating:
“Ultimately, high levels of cyber security are a necessary and worthwhile investment for businesses that care about protecting their customers and safeguarding their businesses. I often tell businesses that they can pay an upfront cost now to protect their data, or wait until a cyber security attack and pay an even bigger price later to clean up the mess. Waiting may very well cost you your business.”
This year we are expecting a much higher investment in cyber security, so it will be interesting to see if this is enough to hinder government intervention or if additional U.S. government regulation of cyber security becomes necessary.
The post Should Companies be Fined for Poor Cyber Security? appeared first on National Cyber Security Ventures.
View full post on National Cyber Security Ventures
When the Trump Hotels chain suffered its second data breach last year, the group was slow to issue a public warning. The State of New York was not happy about this lackluster approach and fined Trump Hotels
The post Trump Hotels Fined Over Credit Card Data Breach, Victims Left In The Cold appeared first on National Cyber Security.
The Bangko Sentral ng Pilipinas (BSP), Philippines’ central bank, has issued a PHP 1 billion ($21 million) fine to Rizal Commercial Banking Corp (RCBC) for cybersecurity failings. RCBC was used by cyber criminals to channel $81 million stolen from Bangladesh’s central bank earlier this year. According to BSP, the fine was “the largest amount it […]
The post Rizal Commercial Banking Corp fined $21m over cybersecurity failings appeared first on National Cyber Security.
The driver in a video depicting a donut and burnout on Coastal Highway that went viral and became symbolic of some of the complaints associated with the spring Cruisin’ event pleaded guilty last week to negligent driving and a handful of other violations and was fined a total of $640.
Last May 16, a blue Chevrolet Corvette was caught on video pulling out onto Coastal Highway and doing a donut in the middle of the street before screeching down Coastal Highway at a high rate of speed with a plume of white smoke trailing behind in the midst of heavy traffic and numerous pedestrians and spectators lining the roadway.
View full post on Parent Security Online