Category: IT Security

The Information Commissioner’s Office (ICO) has issued Glasgow City Council with a penalty of £150,000 following the loss of two unencrypted laptops, one of which contained the personal information of over 20,000 people.

The serious breach of the Data Protection Act comes after the council was previously issued with an enforcement notice three years ago, following a similar breach where an unencrypted memory stick containing personal data was lost.

In the latest incident, two unencrypted laptops were stolen from the council’s offices on 28 May last year. The laptops were stolen from premises which were being refurbished and where complaints of theft and a lack of security had been made. One laptop had been locked away in its storage drawer and the key placed in the drawer where the second laptop was kept, but the second drawer was subsequently left unlocked overnight, allowing the thief access to both laptops.

One of the laptops stolen contained the council’s creditor payment history file, listing the personal information of over 20,000 people, including 6,069 individuals’ bank account details.

The ICO’s investigation found that, despite the ICO’s previous warning and in breach of its own policy, the council had issued a number of its staff with unencrypted laptops after encountering problems with the encryption software. While most of these devices were later encrypted, the ICO also discovered that a further 74 unencrypted laptops remain unaccounted for, with at least six of these known to have been stolen.

The ICO has also served the council with an enforcement notice requiring it to carry out a full audit of its IT assets used to process personal data and arrange for all of its managers to receive asset management training. The council must also carry out a full check of all of its devices each year so that the asset register can be kept up to date.

Ken Macdonald, the ICO’s Assistant Commissioner for Scotland, said:

How an organisation can fail to notice that 74 unencrypted laptops have gone missing beggars belief. The fact that these laptops have never been recovered, and no record was made of the information stored on them, means that we will probably never know the true extent of this breach, or how many people’s details have been compromised.

Consider IT offer encryption services to all clients, so get in touch today if you’d like to discuss the various options available. Alternatively, click here to visit our encryption services page.

As if Apple weren’t embarrassed enough…

Some smart person has found a bug in iOS 6.1 which effectively renders the lock screen entirely useless. By doing a bit of this and a bit of that, applying for iPhone repair in San Diego maybe, whilst the phone is in a locked state, any person that knows the simple process can make use of the bug in iOS to unlock the iPhone 5 in a matter of seconds.

As IT Consultants, we’re not going to give you the process for doing it. We want to make users of the iPhone 5 aware of this serious security flaw so that you can be extra vigilant with your iPhone until Apple get around to releasing a fix for this mess.

By sliding to unlock, doing a few other things, then pushing the sleep/wake button, the phone will unlock as if you’ve entered the pin code (and no, you don’t enter the pin code!).

Apple are currently working on 6.1.3 which is in Beta just now, this should hopefully fix this gaping hole in their security.

(Edit: that’s Unlock as in unlock the phone using the 4 digit pin code, as opposed to unlocking it from the specific network operator).

The Information Commissioner’s Office has urged organisations to review their policies on how personal data is handled, after the Nursing and Midwifery Council was issued a £150,000 civil monetary penalty for breaching the Data Protection Act.

The council arranged for the DVDs, which contained confidential video files relating to alleged offences by a nurse as well information about two vulnerable children, to be couriered to a hearing in October 2011. Upon arrival it was found that the package didn’t contain the DVDs.

The council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. An ICO investigation found the information was not encrypted. The DVDs are yet to be found.

David Smith, Deputy Commissioner and Director of Data Protection, said:

“It would be nice to think that data breaches of this type are rare, but we’re seeing incidents of personal data being mishandled again and again.
While many organisations are aware of the need to keep sensitive paper records secure, they forget that personal data comes in many forms, including audio and video images, all of which must be adequately protected.”

Further details about today’s case can be found on the ICO’s civil monetary penalty notice page.

There is currently a massive increase in complaints from Skype users in relation to viruses. The newest and the one that seems to be infecting a lot of users at the moment is one that sends a message  to the users with the text:

lol is this your new profile pic?

The users are asked to then click a link and are taken to a downloadable .ZIP file which will infect your computer.

Skype advise that all users update their Skype application and make sure they have up to date anti virus running at all times. More importantly, we advise users to be cautious. When you see links from friends, always be careful and check that they are genuine.

Emails that claim to be “Urgent” are highly likely to contain malware as attachments a new report reveals. FireEye released a report (view it here) that details a list of top words used in phishing emails (those are emails that pertain to be from various legitimate sources with the intent of infecting the machine or conning the user to give out important information).

The attackers mainly use zip files to hide their malware, ultimately aimed at gaining access to valuable corporate and intellectual data. It appears very few corporate establishments block these kinds of executables, which FireEye’s research confirms.

The report also shows a decrease in the use of ZIP files from last year (2011), a decrease in the use of standalone EXE executables, but an increase in PDF files. Adobe Reader, FoxIT Reader and other widely available PDF readers come with the ability to enable a Safe Reading Mode, which in theory, should prevent malicious code within PDF files from executing. In Adobe, Edit -> Preferences -> JavaScript  -> uncheck Enable Acrobat JavaScript checkbox to do this today.

 

Now, .ZIP files represent the vast majority, 76.91%, of advanced malicious files. The complexity of
these attachments, which can contain many distinct files and file types, coupled with a lack of
user awareness of the danger of these file extensions, has made them a highly effective means for
distributing malware and effectively exploiting systems.
PDFs also pose a significant threat. These file types are ubiquitous and familiar to just about every
computer user. Further, many users are unaware of the fact that malware can be distributed through
PDF files, and malware embedded in these file types is proving to be difficult for conventional defenses
to detect. For all these reasons, PDFs provide cybercriminals with a very effective means of attack.

http://www.fireeye.com/resources/pdfs/fireeye-top-spear-phishing-words.pdf

Hackers have managed to install malware on to brand new factory built and sealed PCs. This brings a whole new meaning to the old term “All Your PCs are belong to us!”

Microsoft is warning that cybercriminal gangs have managed to get the Nitol bug and other dangerous malware software installed to one in five laptops and PCs checked by their investigators. To avoid any confusion, it should be noted that reputable vendors such as Dell, HP etc. are not affected by this.

The malware installed could give the criminals control of the computers, allowing them to watch every tap of the keyboard to steal personal information including your name, address, details of any holidays and credit card information – whether it’s going down an encrypted channel or not.

“We found malware capable of remotely turning on an infected computer’s microphone and video camera, potentially giving a criminal eyes and ears into a vicitm’s home or place of business,” reported Microsoft investigator Richard Dormingues Boscovich.

The Nitol bug has the potential for the most damage as it tries to link the PC to a botnet which criminals can use for hacking attacks, deliberately crashing servers or performing illegal activities under the IP Address of an unknowing user.

Microsoft discovered the bugs in laptop and desktop PCs purchased in cities around China. Four of the computers were infected with malware despite being new and factory sealed.

Investigations led them to a domain name which is alleged to have been involved in cybercrime since 2008. Microsoft have been granted permission to take over the domain name and close down the botnet.

“Cybercriminals have made it clear that anyone with a computer could become an unwitting mule for malware,” said Mr Boscovich.

So if you’re planning a trip to China then be safe and purchase your computer back home before travelling, and even then give it a good anti virus scan!

Article by Iain

A Hertfordshire police website has been hacked, leading to the publication of what appear to be login details and passwords for dozens of officers and part of the police force’s website has been taken down as a “precaution” while investigations continue. Hertfordshire Police said information stored on an externally hosted database had been published on the internet.

The information which includes phone numbers and IP addresses, relates to a number of officers in Safer Neighbourhood Teams.

The Police force said in a statement:

“Hertfordshire Constabulary is currently investigating following the publication on the internet of information stored on a database linked to the public Safer Neighbourhoods pages of the external Constabulary website.

“As a precaution these pages have been temporarily disabled whilst the circumstances as to how this information was obtained is investigated.

“There is absolutely no suggestion that any personal data relating to officers or members of the public has been, or could have been compromised.

“Nevertheless matters of IT security are extremely important to the Constabulary and an investigation is already under way.”

A laptop containing the personal information and bank account details of thousands of people and businesses has been stolen from Glasgow City Council.

The local authority is now contacting 37,835 affected customers, including suppliers and people receiving winter fuel payments and care grants.

Strathclyde Police and the Information Commissioner have been informed about the theft, which took place last month.

The laptop was password-protected but not encrypted.

It was one of two laptops stolen during a break-in at the council offices in Cochrane Street some time between Monday 28 and Tuesday 29 May.

The local authority said the full extent of the data loss did not become apparent until last Wednesday.

The information on the laptop relates to 17,692 companies and 20,143 individuals.

It includes names and addresses and, in the case of 16,451 customers, bank account details.

A full internal audit is being carried out.

A council spokesman said: “We are in the process of writing to the people affected by this theft to alert them to the data loss and offer them advice about what steps they might need to take.

“We’ve also provided them with a phone number they can use to contact us if they have any questions.

“We are sorry that this has happened and apologise for the inconvenience it has caused. Anyone with any information on the theft should contact Strathclyde Police.”

He added: “Customers should remember that no one from the council would ever call at their home or telephone them to ask for personal information, such as banking details.

“A bank will never ask for a customer’s PIN or for a whole security number or password.”

A Scottish charity – based in Glasgow – breached the Data Protection Act after two unencrypted memory sticks and papers containing the personal details of up to 101 individuals were stolen from an employee’s home.

The information included peoples’ names, addresses and dates of birth, as well as a limited amount of data relating to the individuals’ health. The charity – Enable Scotland (Leading the Way) – promptly reported the incident to the ICO in November 2011 and informed those individuals affected.

The ICO’s investigation found that the information should have been deleted from the memory sticks once it had been uploaded onto the charity’s server. The charity had no specific guidance for home workers on keeping personal data secure, and portable media devices used to store sensitive personal information were not routinely encrypted.

Ken Macdonald, Assistant Commissioner for Scotland said:

“Organisations that use memory sticks to store personal information must make sure the devices are properly protected. Encrypting the data means that the information will remain safe even if the device is later lost or stolen. It is also important that employers provide home workers with guidance on how to keep any personal data taken outside of the office secure, as this is potentially when the information is most vulnerable.

“We are pleased that Enable Scotland has taken action to keep people’s information safe, however this incident should act as a warning to all charities that they must ensure that personal information is handled correctly.”

Peter Scott, Chief Executive of Enable Scotland, has now signed an undertaking, committing the charity to improving its compliance with the Data Protection Act. This includes making sure laptops used to store sensitive personal data are encrypted. Hard copy files will only be removed from the office when absolutely necessary and will contain the minimum amount of personal data required. Guidance will also be provided to home workers, to ensure that any personal data taken outside of the office is kept secure.