Data breaches: Hackers, humans, and holes

The news may be filled with nothing but the dreaded ‘c’ word at the moment and because of this, you may have fallen into the false belief that cybercriminals have gathered up their ill-gotten gains and taken a holiday. As I’m writing this, I’m picturing the grim reaper laid out on a sun lounger, sipping a mojito whilst leisurely surfing the dark web on his iPad – a weird but somewhat amusing image to be conjuring up on a Monday morning. I may have been stuck inside for a little too long…

Albeit amusing, we know it’s far from the truth and the reality is the opposite of laughable.

Cyberthreats are no joke.

Note to my brain: stop picturing the grim reaper in a bikini.

Just as the baddies of the cyber world will never take a holiday, we can’t let ourselves either – even if you haven’t got dressed in a week and all you’ve eaten is a jar of Nutella.

The eagle-eyed among us will be fully aware that the past few months have been far from lacking in their share of data breaches. However, you may be surprised to hear that there have been varying reasons behind these and we have to be alert to more than just the work of sneaky hackers. Let’s dig deeper…

Virgin Media data breach affecting 900,000 people

Back in March, telecommunications provider, Virgin Media, admitted a database containing the personal details of almost one million people was left unsecured and accessible to prying eyes online for a ten-month period. This would have been bad enough in itself, but it was also confirmed that the information was accessed “on at least one occasion” by an unknown user and “the extent of the access or if any information was actually used” was also an unknown.

You know that sinking feeling you get when you realise you’ve left your house or car unlocked? Well, imagine how much worse the situation would be if you knew someone had managed to take advantage of that unfortunate human error, and you can start to understand the gravity of this situation.

The database in question was supposedly for marketing purposes and therefore contained personal details including phone numbers, home and email addresses; data which would also be classified as PII – personally identifiable information.

One positive I suppose we can draw from this is that the data supposedly did not include passwords or financial details. Nonetheless, PII can be used for what’s known as ‘phishing expeditions’ – when someone uses the personal information at their disposal to pose as a reputable establishment, who would have a legitimate reason for contact, in an attempt to extract financial information from a victim.

The interesting part of this unfortunate breach is that the root cause was not due to a hack or a criminal attack, but rather the database had been “incorrectly configured” by a member of staff not following the correct process. A vital hole that could have gone unnoticed for significantly longer if it had not been spotted by a researcher from a third-party cybersecurity company who raised the alarm.

However, there’s another point to this case that piques my interest even further…

Lutz Schüler, chief executive of Virgin Media said, “We recently became aware that one of our marketing databases was incorrectly configured which allowed unauthorised access. We immediately solved the issue by shutting down access.”

“Protecting our customers’ data is a top priority and we sincerely apologise,” he said.

“We immediately solved the issue by shutting down access” – but what about whoever accessed the data during the time it was available… should we just keep our fingers crossed that they’re ‘one of the good guys’ and pray nothing will come of it?

Yes, the highlighted phrase may have simply been a misplaced choice of words, and some may say I’m over-analysing here but, to me, this is not a case of ‘problem solved’. Businesses should not be so flippant in believing that a data breach with no monetary loss or significant visible harm can be considered ‘solved’ once the data source has been secured.

Yes, Virgin Media followed the correct process by informing the Information Commissioner’s Office (ICO) as required and an investigation has been launched, it also said all those affected would be emailed to warn them about the risks of phishing, nuisance calls and identity theft. I just hope they’re also taking action to ensure this doesn’t happen again.

What can we learn from the Virgin Media data breach?

I’m not in any way suggesting that the person at fault should be punished; quite the opposite, in fact. Yes, it shouldn’t have happened in the first place, but it is crucial that any business that finds itself in this position looks back to identify the issues, skill deficits and broken processes that led to the error being made. Investing in the necessary training to ensure mistakes are learnt from, and not just brushed under the carpet, will make the business more resilient in the long term and should stop the issue repeating itself in the future.

EasyJet cybersecurity incident sees data of 9 million hacked

Following on from the Virgin Media incident, airline giant EasyJet went public in May to announce it had fallen victim to a “highly sophisticated cyber-attack” involving the data of approximately 9 million customers. Ouch.

The company confirmed in a statement that information including email addresses and travel details had been stolen and that 2,208 customers’ credit and debit card details had been “accessed”.

Although the full story came out in May, the firm first became aware of the attack in January and was only able to notify a small group of customers in April whose credit card details were impacted.

What can we learn from the EasyJet cybersecurity incident?

Unfortunately, this isn’t a new scenario for the airline industry – we previously wrote about British Airways’ record fine due to a data breach reported in September 2018 which, at the very least, should have been a wake-up call to the rest of the sector. Yet, it seems lessons have not been learned.

We’ve seen it time and time again, so much so that cyber-attacks have become somewhat the ‘norm’ and no longer as shocking as they once were. The truth of the matter is, cybercriminals aren’t going to give up any time soon – it’s a lucrative business and as long as there are companies with gaps in their IT systems ready to target, there’ll be people poised and ready in the shadows, waiting to spring into action.

Customers whose data has been affected by the EasyJet breach have been warned to stay alert, keeping an eye out for phishing attempts which could see criminals sending spam communications with links to bogus websites set up to steal further personal data.

The coronavirus crisis has seen phishing attacks rise significantly and hackers could be likely to take advantage of people cancelling flights or amending bookings due to travel uncertainty.

The incident is still under investigation; however, if the company is found to have mishandled customer data, it could face eye-watering fines of up to 4% of its annual worldwide turnover in line with the General Data Protection Regulation (GDPR).

Babylon Health video appointment app exposes recordings of patient consultations

The latest data breach shocker is a little different to the aforementioned, as the ‘data’ in question comes in the form of video recordings…of confidential patient consultations…leaked to other patients…even bigger ouch.

Babylon Health is a health service provider offering its customers the ability to consult remotely with health professionals via text and video messaging on its dedicated mobile app. Unfortunately, this same GP appointment app suffered a data breach last week (9^th June) in which a “software error” presented three users with “dozens” of video clips of other patients’ consultations.

The company was alerted to the issue by one of these three users, although it was supposedly already aware of the issue, and took action to resolve the system malfunction in the following two hours, as well as notifying the ICO of the matter. A spokesperson for the business claimed the system error stemmed from a new app feature being released.

“People’s medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law,” said an ICO spokeswoman.

Undoubtedly, this will have raised concerns amongst users of the app and similar services who place their trust in the companies that deliver them.

Although it’s not clear exactly what caused the software malfunction which exposed the private files and whether this was preventable, it raises an important issue on compliance and governance where IT systems are involved.

What can we learn from the Babylon Health data breach?

Every business handles some form of personal data and has a responsibility to keep this secure, therefore consideration of data security is of the utmost importance when designing the infrastructure/environment that will host and process private information. This is not an area where you can cut corners and, if you don’t have the knowledge to ensure this is delivered effectively within your organisation, you should always be seeking the advice of external IT security experts. You can never be too careful to ensure your customers’ data is safe from harm.

For businesses like Babylon Health which operate in sectors including healthcare, childcare, national security and the likes, you’ll be handling highly sensitive data regularly and therefore the above is even more crucial. I’m not going to teach you how to suck eggs and there are many organisations who pride themselves in getting this right – you know who you are, and I salute you. Nonetheless, data breaches continue to happen and so, I can’t and won’t stop preaching the importance of IT security.

Cyber villains are fully aware that digital transformation and the move to cloud technology platforms is a new concept for many and some industries are still finding their feet. Old habits die hard and it can be as simple as a cybercriminal getting hold of valid login credentials before they’re able to access your entire business applications environment, compromising any data within it.

Please, if you take one thing away from this rant essay novel blog, let it be that you should not, under any circumstances, reuse passwords across accounts. This is the golden rule, but you can take it to the next level with our top password tips or, even better, implement multi-factor authentication (MFA) throughout your organisation.

MFA is currently the strongest method by which you can reduce the risk of unauthorised access to your systems and the data held within them – including your video conferencing platform.

Businesses of all sizes can’t lose sight of the fact that this is a real threat. There are only two camps – the victims and the prepared. Although, there are actions you can take to ensure you stay firmly in the latter.

Organisations that recognise the importance of security and privacy have already taken the first step to preventing data breaches, but they can’t stop there. Partnering with an experienced managed IT services provider to support their IT environment can significantly reduce the risk of cyber-attacks and data exposure, especially if you can take a ‘one-stop-shop’ approach and use the same provider to handle the majority of moving parts within your business IT environment.