Category Archives: Data policy

Equifax Breach Drives Home the Importance of Prompt Patching as GDPR Approaches

by Bharat Mistry

No organisation is breach-proof: we all know that the odds are stacked too high in the attackers’ favour. However, by following industry best practices we can make it as difficult as possible for hackers, and discourage all but the most determined and well resourced. That’s why it will dismay many in the industry to learn that Equifax knew about the vulnerability that it claims led to a massive breach at the firm this year, all the way back in March. However, it was apparently only fully patched months later once the damage had been done.

Given the scale of the breach, and the fact the firm could have been hit with fines of over $60m under the forthcoming GDPR regime, this should serve as yet another cautionary tale to IT leaders. Best practice security, including effective patch management, is called “best practice” for a reason.

CLOUDSEC 2017: Game of Thrones Hack Tells Us IP Theft is Still a Major Risk

by Ross Dyer

It’s difficult to even discuss data breaches today without referencing the European General Data Protection Regulation (GDPR). With less than a year to go, it is a major area of focus for UK IT leaders keen to avoid mandatory breach notifications and potentially astronomical fines. Yet breaches aren’t all about the customer data governed by the GDPR, as HBO found out this week. Hackers have reportedly made off with 1.5TB of data from the US TV network, uploading a script from an upcoming Game of Thrones episode and two full episodes.

It’s a good example of why IP theft-related risk should be just as big a driver of improving cybersecurity as attacks targeting customer data. Fortunately, attendees at this year’s much anticipated CLOUDSEC event will have some great learning opportunities designed to help them bolster defences against just such attacks.

Brexit or No Brexit, CISOs Must Plan Now for New European Data Laws

by Bharat Mistry

The enforcement date for the long-awaited European General Data Protection Regulation (GDPR) was announced this week: 25 May 2018. Now there are many reasons why UK CISOs might want to look the other way when they hear that news. Two years, after all, seems like a very long time away. It’s also very tempting to delay any compliance efforts until after the EU referendum, which could very well go the way of Brexit. The received logic is that this would let IT departments up and down the country off the hook for GDPR compliance.

But that’s a dangerous game to play. It’s likely that even in the event of a ‘Leave’ vote, the UK would be forced to align its data protection laws with the EU. So the message is still very much: “Brexit or no Brexit, IT leaders must start planning now for the GDPR.”

Qatar Bank Breach Lifts the Veil on Targeted Attack Strategies

by Simon Edwards

News emerged this week of an alleged data breach at the Qatar National Bank. On the face of it, it’s yet another large multi-national with inadequate security getting hacked and exposing the details of its customers. But on closer inspection the details revealed in the data dump tell us more – that the hacker was using the breached bank data to build up profiles on specific individuals in order to launch follow-on attacks.

It’s another fascinating insight into the shadowy world of cybercrime which should remind us all, businesses and individuals, that personal information is a valuable online commodity that should be protected at all times.