For years data protection watchdog the Information Commissioner’s Office (ICO) was regarded as a toothless tiger.
It sounded big and scary and delivered stern warnings about the importance of data protection, but it could do very little about any data breaches, except perhaps wag its finger.
Then in 2010 everything changed. It was given fining powers to the tune of £500,000 and since then it has levied over £4m against organisations. But some may now consider it something of a heartless hound.
The latest to fall foul of the ICO’s desire for justice is the British Pregnancy Advisory Service (BPAS). The charity provides help and guidance for women with an unplanned pregnancy, from abortions to counselling and more besides.
For some its work is contentious and in March 2012 an anti-abortion hacker used his computing skills to wreak havoc on its website, defacing it and stealing details about those who had contacted the charity for help.
The hacker – James Jeffrey – got almost three years in prison as a result of the incident.
As the hack affected personal details of members of the public, the ICO got involved and its investigation found several technical lapses at the BPAS that made the incident worse than it should have been.
The long and short of it is that the BPAS now faces a fine of £200,000 for an incident which, as its CEO Ann Furedi understandably points out, was caused by a hacker who is now almost seeing his actions rewarded.
“We accept that no hacker should have been able to steal our data, but we are horrified by the scale of the fine, which does not reflect the fact that BPAS was a victim of a serious crime by someone opposed to what we do,” she said.
“It is appalling that a hacker who acted on the basis of his opposition to abortion should see his actions rewarded in this way."
Furedi also said the fine was “out of proportion” when compared with others the ICO has handed out, especially where those organisations’ breaches were not caused by criminal behaviour:
- Glasgow City Council fined £150,000 after losing 74 unencrypted laptops, including one containing more than 6,000 people's bank records.
- Aberdeen City Council fined £100,000 after a member of staff inadvertently posted data relating to the care of vulnerable children online.
- Islington Council fined £70,000 after details of over 2,000 residents were released online due to a basic misuse of Excel by a staff member.
Even if the BPAS pays its fine early – by the end of March – it still faces paying £160,000, more than any of those listed above.
None of this is to say the ICO has acted unreasonably, though: it has to enforce the law, and when it encounters instances of poor data protection – as in this case – it must take a stand so that others sit up and take notice. If other firms and charities up their game after seeing a fine levied, the public are better protected.
Conversely, if it does not issue a fine it will be seen as weak and unwilling to take a stand, while any organisation that is fined can claim to have been harmed. A council delivers vital frontline services, it could be argued, and a fine will hamper its efforts to do so.
Clearly, this is a controversial case, driven by the scale of the fine. The fact this money will end up in government coffers – having been given to charity – is also questionable, as noted by Stewart Room, partner at law firm Field Fisher Waterhouse.
“The users of the BPAS charity services have high expectations of privacy and any security weakness that could expose them is bound to trouble the regulator,” he said.
“But the financial penalty regime here is moving money from the collection jar direct to The Treasury. Perhaps the cash could be better spent on improving security and data protection at the charity?"
The BPAS is now appealing the fine in what could prove a fascinating case to see if the ICO's desire to fine can be tamed.
By V3's Dan Worth
As I and numerous big-name figures in the public and private sector have noted, the damage the PRISM spying scandal could inflict on the global economy and on key industries, such as the cloud, is potentially catastrophic. By being caught snooping not only on foreign firms but also on a number of political figures in countries that are supposedly allied with the US, the NSA seriously damaged international trust.
This was showcased to great effect in 2013 when Deutsche Telekom said it was considering re-routing all user information through German data centres and servers, in a bid to protect its customers from NSA snooping.
For this reason, I was overjoyed last week when President Barack Obama promised to explain what new measures and safeguards he planned to put in place to ensure a scandal like PRISM does not recur.
However, come the big day when he took the stage and began outlining the new measures, my feelings towards his proposed reforms were at best mixed.
On the one hand Obama got a lot right. The US president said he would work to change the way PRISM requests could be handed to companies and increase the amount of information that the businesses involved can disclose to the public.
Specifically Obama pledged to put in place a series of fresh measures created by the attorney general, on how requests using the US Foreign Intelligence Surveillance Act (FISA) and National Security Letters can be made.
FISA orders and National Security Letters were used by the NSA to force numerous companies, including Google, Yahoo, Apple and Microsoft, to hand over vast amounts of customer data. The nature of the requests means the companies are not allowed to disclose what information was handed over without risk of prosecution. The secrecy of the requests is one of the key reasons many people and businesses are still concerned about the safety and sovereignty of their data.
Even better, Obama also promised to make sure the public interest would be represented in the approval process for data-gathering campaigns. He pledged to create a new independent, non-governmental panel of advocates to appear before the secret courts that approve or deny operations such as PRISM. Candidates for the new panel of advocates will be approved by Congress.
All this sounds great, right? Well on one level it was...until Obama went on the offensive against PRISM critics, boldly saying the US would not apologise to groups or countries affected by PRISM.
"Many countries, including those that feigned surprise following the Snowden revelations, are trying to penetrate our networks. Our agencies will continue to gather intelligence on foreign governments' intentions. We will not apologise for doing it better," he said.
Worse still, in a move all too familiar to those that lived through the Bush era, Obama resorted to constantly mentioning 9/11 as a justification for operations such as PRISM. For me, this is serious cause for concern.
After all, Obama failed to disclose key details, such as what information companies will be able to reveal to their customers about data handed to the NSA, or how soon after receiving a FISA request they will be allowed to do so. Additionally, by vetting candidates for the new independent, non-governmental panel of advocates through Congress – a body whose members serve US interests – it is unlikely that European businesses' concerns will be a high priority.
As a consequence, while the new reforms have the potential to help ensure scandals such as PRISM do not recur, they also have the potential to be completely ineffectual; the outcome will be determined by how the US government chooses to implement them. For now at least, I can't see Obama's reforms winning back the trust of any concerned European businesses or governments.
By V3's Alastair Stevenson
Building the UK's cyber security skill base and economy has been an ongoing goal of the UK government and its Cyber Security Strategy.
As such, many were no doubt pleased when Russian advanced persistent threat-buster and protector of all things nuclear, Kaspersky Lab, opened a new 200-person office in London, promising that it will play a pivotal role in its crusade to "save the world from hackers".
Company founder and cyber-doomsday prophet Eugene Kaspersky was on hand at the London launch – attended by V3 and all the other security movers and shakers – and went so far as to list the office as one of the firm's new command centres.
"Our mission is [to] save the world - it's really simple and easy to remember," he said. "This office space will be responsible not just for Great Britain's operations, but also for Europe and a little bit of global. We're recognising London as a great place, as an international city, where it's easier to find the right people for our business that can help us to protect our customers and to save the world."
However, despite his bold statement, speaking to V3, Kaspersky said it wouldn't be superhero white hats that would lead the fight in the London office, but some of the UK's "best and brightest" pencil pushers and salesmen.
"This office will mainly be responsible for the sales and marketing team. Here it will be for Britain and Europe. This is a great city as it's global and it's easier to find people that can work internationally than it is in places like Moscow, Germany and France. This is one of the main reasons we moved the command centre of our European operation to London," Kaspersky said.
Confused? So were we. How can salesmen save the world? However, the UK is going through a pretty big cyber skills drought at the moment, and pretty much every company and government agency is reporting difficulty finding cyber-savvy recruits. Even the newly launched National Crime Agency recently had to recruit unskilled people for its cyber team on specialist "training" scheme contracts late last year.
As a consequence, it is probably a good thing that Kaspersky is going to stick with its tried-and-tested Russian security gurus when it comes to actually taking on the malware-makers, as Mr Kaspersky explained.
"Most of our research and development is still based in Russia because the Russian engineers are the best. We're happy with Russian engineers and we know many British companies are happy with Russian engineers as well. It's the same in Silicon Valley and Israel. Everybody wants the best and that's them," he said.
Luckily, for any aspirational British white hat, Kaspersky did confirm he's on the hunt for a new member to his elite Global Research and Analysis Team (Great), so all is not lost for wannabe UK cyber experts.
"We have our security experts team and that's very international, we have people from everywhere in there. So we are looking for UK security experts as well, but only the best of the best," he told V3.
However, to any budding cyber expert looking to get into the team, be warned, you'll have some pretty big shoes to fill. For those who don't remember Great is an award-winning team responsible for finding and dissecting numerous bits of top-end malware, including the notorious Flame, Red October and Icefog campaigns.
Those experts will be needed, though, especially if 2013 is anything to go by. Last year saw an influx of advanced threats, and if current forecasts are accurate things are only going to get worse in 2014.
With this in mind – while we're still a little disappointed the London office won't be doing research and development – we can't help but wish the London marketers and any Brit lucky enough to get onto Kaspersky's elite team the best of luck.
By V3's Alastair Stevenson
The New Year is barely a few days old but already the headlines are dominated by security stories of hacks and data thefts from major companies in the form of Skype and Snapchat.
For Skype, this saw its Twitter account and blogs targeted, while Snapchat had data on 4.6 million users released online in a warning to the firm about the need to take security seriously.
For firms of all shapes and sizes, the fact that security incidents are in the headlines so early in the year should serve as a warning. 2013 was full of similar incidents and is proof that no firm can rest on its laurels.
Indeed, while the PRISM spying scandal dominated the majority of the security agenda, it is important not to overlook stories such as the hacking of the Lakeland website as proof that firms of all types face threats from cyber criminals.
The incidents prove that security is not a static area, but one where criminals and ethical hackers are in a constant arms race to find and exploit, or find and fix, vulnerabilities before the other side does.
Firms cannot assume that a single product will cover everything, or that a staff seminar on the things to be aware of, such as phishing emails, delivered in January will still be relevant by next December, or even by February for that matter.
Perhaps there is a silver lining for the industry from the incidents at Skype and Snapchat, though.
IT chiefs and those with security in their remit can use these incidents at the start of 2014 to make sure that everyone in charge at the company, especially those holding the purse strings, takes security seriously and provides adequate resources to protect the firm from risks that are present and growing all the time.
Otherwise, it could well be your firm in the headlines for all the wrong reasons.
MUNICH: Afraid of the dark? Perhaps you should be afraid of the lights. That's the twisted future envisioned by light bulb-wielding Fujitsu chief technology officer Joseph Reger.
Patrolling the floors of the Fujitsu Forum in Germany, Dr Reger explained to onlookers how one of the most innocuous objects in your house could become part of a global attack.
The Internet of Things, perhaps one of the most talked-about technologies that nobody in the real world actually uses, is expected to take hold within the next decade, and with it will inevitably come cyber threats, as with any new technology. Reger chose intelligent light bulbs as an example:
"I'm not concerned about someone hacking into your home and turning off your lights," he said. We at V3 are very concerned about that, for the record. "What I'm talking about is that someone hacking into your home and looking at the usage pattern of your light bulbs and determining whether you're on vacation. And when it might be a good time to break in."
Such concerns have been voiced before with Philips' Hue lightbulb singled out as a cause for concern by security researchers. Reger went further, though, to envision a world of slave lightbulbs run by some sort of domestic super villain.
"If this light bulb is a little bit more intelligent, if they're intelligent enough, you can inject malicious code into the bulb itself if it's not protected properly. What's the problem with that? All of a sudden I have an army of attackers I've just programmed and I can launch a denial of service attack on anybody using billions of soldiers."
We've heard this described before in the form of toaster armies mining the currency Bitcoin - and perhaps the metaphors are getting out of hand - we're sure Reger knows this, and we have to say we enjoyed his demonstration.
The real point here is that we haven't moved on from the novelty, the funny notion of light bulbs stealing your lunch money and laughing at you. In the world of business and industry, machine-to-machine communication is already commonplace, and that is serious: a recent UK government report highlighted the need to ramp up security among connected machines.
So, who to believe? It is very difficult to know exactly how much of a threat these things are, especially because the number of people with intelligent light bulbs in their home is so low that crooks probably couldn't even DDoS your mum's laptop with them.
Until there's more of this stuff out there, we can't know for sure what possibilities - positive or negative - IoT can offer.
By V3's Michael Passingham, whose army of fridges is coming along nicely
HELSINKI: The humble toaster could become a security threat in the future due to the virtual currency Bitcoin.
For the uninitiated, Bitcoin is a cryptography-based digital currency that allows users to send and receive money with a degree of anonymity without using traditional commerce networks, in effect cutting out middlemen such as banks. Many governments are also wary of it because its value is set by the market rather than by any central bank. Its uptake has rocketed over the past few years.
While hanging out in Helsinki with F-Secure, the firm's chief research officer Mikko Hypponen, never one to mince his words, said that the increasing value of Bitcoins is enticing criminal gangs to rework traditional malware targeting businesses to turn infected machines into Bitcoin mines.
Bitcoin mining refers to the way new Bitcoins are actually earned. Normally a user runs software on their own computer that validates pending transactions and races to solve a computationally expensive hashing puzzle (a proof of work); the first to solve it is rewarded with Bitcoins for their trouble. This is legal. Turning hordes of other people's machines into your own army to do that hashing for you is not, and the crooks love it, as Hypponen explained.
"Bitcoins have been skyrocketing in value. At the moment the value per Bitcoin is currently $134. As this started happening and people started realising there's actual money in Bitcoin, people started mining them pretty seriously," he said.
"A big deal about crypto currency [such as Bitcoin] is the mining part. You can actually use other computers to mine and because of this, botnet-based mining is becoming a real problem. About a year ago we spotted a botnet not spreading malware or phishing, it was just mining bitcoins."
Hypponen went on to explain that Bitcoins' financial allure has already made established cyber criminals rethink their strategies and adapt some of the biggest, most dangerous botnets in the world to mine Bitcoins.
"ZeroAccess used to monetise itself with click fraud. They got on the machine and made it click on adverts to earn money. They changed their tactic in spring and went fully into Bitcoin mining. Some of our estimates suggest it is earning $58,000 a day. That's real money and something they will want to move to the real world," he said.
This is where the toaster idea comes in. Hypponen added that many of the gangs are so enthralled by Bitcoin's potential they've started experimenting with the idea of turning non-traditional devices into mines.
"[When mining Bitcoins] the user is irrelevant, it's the GPU, the computer and the network connection they need. This is especially interesting when you look at automation. I have a Pebble watch, it has a GPU, it could mine Bitcoins, so does my fridge and my toaster – these are going to be used to mine Bitcoins," he said.
"We accepted toasters would eventually have computers, but didn't think it would be a problem – who would want to write malware for a toaster right? Well now they have a reason."
This may be a far-fetched example of how far the threat could go, but as recent hacks of IP-based lightbulbs have shown, the home of the future could be open to all kinds of attacks, even burnt toast.
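The mining process described above, as an added example that is not code from the article, from F-Secure or from the Bitcoin project: a toy proof-of-work in Python that keeps Bitcoin's double SHA-256 but hashes a constructed placeholder header at a tiny difficulty so it finishes in well under a second. It shows the two properties that make stolen compute worth harvesting: a solution costs one hash to verify but roughly 2^difficulty hashes to find, and the nonce search splits across any number of machines with no coordination beyond "report back when you hit the target", which is why a botnet of GPUs, or eventually toasters, is attractive to the people running it.

```python
"""Toy Bitcoin-style proof-of-work (added illustration, not the article's code).

The header below is a constructed placeholder, not a real block header, and the
difficulty is tiny.  Real Bitcoin hashes an 80-byte header with double SHA-256
against a 256-bit target that takes quintillions of hashes to beat.
"""
import hashlib
from typing import Optional, Tuple


def double_sha256(data: bytes) -> bytes:
    """Bitcoin's block hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_for(difficulty_bits: int) -> int:
    """A hash 'wins' when, read as a 256-bit big-endian integer, it is below this
    value, i.e. when it starts with at least difficulty_bits zero bits."""
    return 1 << (256 - difficulty_bits)


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs one hash; finding one costs about
    2 ** difficulty_bits hashes.  That asymmetry is what turns stolen CPU/GPU
    time directly into reward for whoever controls the machines."""
    digest = double_sha256(header + nonce.to_bytes(8, "little"))
    return int.from_bytes(digest, "big") < target_for(difficulty_bits)


def mine(header: bytes, difficulty_bits: int, start: int = 0, stride: int = 1,
         max_tries: int = 1 << 24) -> Optional[Tuple[int, int]]:
    """Try nonces start, start+stride, start+2*stride, ... until one hashes below
    the target.  Returns (nonce, hashes_tried), or None if max_tries runs out.

    The (start, stride) split is how a mining pool, or a botnet operator, farms
    the search out: each worker scans a disjoint residue class of the nonce space
    and only has to phone home when it finds a winner."""
    target = target_for(difficulty_bits)
    nonce, tries = start, 0
    while tries < max_tries:
        tries += 1
        digest = double_sha256(header + nonce.to_bytes(8, "little"))
        if int.from_bytes(digest, "big") < target:
            return nonce, tries
        nonce += stride
    return None


def mine_with_bots(header: bytes, difficulty_bits: int, bots: int) -> Optional[dict]:
    """Simulate `bots` infected machines of equal speed, each scanning its own slice.
    In a real botnet they run in parallel and the first to finish reports in; here
    they run one after another and we return whichever needed the fewest hashes,
    which is the one that would have reported first."""
    best = None
    for bot in range(bots):
        result = mine(header, difficulty_bits, start=bot, stride=bots)
        if result is None:
            continue
        nonce, tries = result
        if best is None or tries < best["hashes"]:
            best = {"bot": bot, "nonce": nonce, "hashes": tries}
    return best


if __name__ == "__main__":
    # Constructed placeholder header; the field names are just for readability.
    header = b"constructed-block-header:prev=00..00,merkle=ab..cd"
    solo = mine(header, 14)
    print("solo miner (nonce, hashes):", solo)
    swarm = mine_with_bots(header, 14, bots=8)
    print("8-bot swarm, first to report:", swarm)
    print("verified with one hash:", verify(header, swarm["nonce"], 14))
```

Raising `difficulty_bits` by one doubles the expected work for the miner and changes nothing for the verifier; doubling `bots` halves the expected wall-clock time for the operator, who pays nothing for the extra hashes. That is the economics Hypponen describes, in miniature.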
By V3's Alastair Stevenson
Yahoo chief executive and generally smart person Marissa Mayer has made a rare slip-up, publicly admitting she doesn't have a passcode on her smartphone due to being too busy.
Mayer made the revelation during an interview at the TechCrunch Disrupt conference, gleefully admitting her security no-no when asked for her thoughts on the new Apple iPhone 5S fingerprint scanner.
"It's funny because you mocked me once at TechCrunch, maybe it was at LeWeb, because Mike was making fun of me because I don't have a passcode on my phone," she said.
"And Mike was like ‘Are you crazy?', and I was like 'Look, I just can't do this passcode thing, like 15 times a day,' and then when I saw the fingerprint thing I thought now I don't have to. I was excited about that and think building some of these smart sensors into the phone is really exciting."
Following the admission the security community is up in arms, with many bemoaning the ex-Google vice president's apparent ignorance about even the most basic smartphone security. Independent security expert Graham Cluley went so far as to call the Yahoo chief a "twerp".
"Colour me unimpressed. There's really not any excuse for not having even the weakest four-digit passcode on your iPhone (longer, more complex passwords are better and surprisingly easy to remember), and yet lots of people have none in place," he wrote.
"What's alarming is that Mayer is the CEO of a major internet company, who have a responsibility for protecting the privacy of hundreds of millions of net users. What kind of example is she setting by not having any form of login security on her smartphone? What a twerp."
However, the accusation may be slightly over the top. As Tim Cook noted during the iPhone launch event on Tuesday, many iPhone users follow Mayer's example in not bothering to turn on the passcode, hence Apple adding the fingerprint scanner.
F-Secure's security advisor Sean Sullivan also took a more lenient approach to Mayer's admission. "It seems to me that the 'blame the user' tech crowd is a bit too eager to pile on the abuse for her habits. Perhaps they just don’t want to admit their advice is a failure, which doesn’t really meet everybody’s real-world needs," he said.
"Context matters. Regular people are careless with their phones, so regular people should really consider using a password. Internet company CEOs who live in the penthouse of the Four Seasons aren’t regular folks, so the same advice just doesn’t apply."
We think that if polled, most chief executives around the world would give the exact same – albeit slightly less gleeful – answer. As such, while it is fair to bemoan Mayer's security mishap, we should avoid resorting to finger pointing and instead take it as a sign that we need to do more to educate people about the importance of robust cyber security, as the UK government is doing with its ongoing Cyber Strategy.
You can watch the whole interview with Mayer in the YouTube video below.
By V3's Alastair Stevenson
11 May 2013
Apple's iPhone has proven a hit with the general public, but the company's strong security protections are making the device less than popular with law enforcement agencies.
It seems that the encryption on the handset is proving so hard for authorities to crack that they have to petition Apple to unlock the handset for them, overriding the security controls and decrypting the data needed for a criminal prosecution.
Unfortunately, so many police agencies are asking for iPhone decryption that Apple has found itself with a backlog of requests. According to Cnet, law enforcement officials are being told that they must wait as long as two months to gain access to iPhones connected to criminal investigations.
This is not the first time Apple's security protections have caught the eye of law enforcement agencies. Earlier this year the US Drug Enforcement Administration issued a warning to agents that messages sent over Apple's Messages app – which encrypts iMessages end to end rather than sending them as plain SMS – were all but impossible to eavesdrop on in the course of investigations.
The issue revives an ongoing battle between the need for law enforcement agencies to access data and the right of users to have their data protected from intrusion. Apple is not alone in being caught in the crossfire. BlackBerry has also found itself in the crosshairs of government authorities over strong security protections that can prevent government eavesdropping.