Cash Converters hack: Protecting your business against data breaches

Cash Converters is the latest well-known name to hit the headlines as the victim of a data breach. This closely follows an IT security breach for another big UK organisation, the well-publicised Heathrow USB data breach. Though we don’t have much information as to how the Cash Converters data breach actually occurred, it’s reported that the company’s old website which held customer information was accessed and customer data was compromised.

Passwords, addresses and other personal information including customers’ partial financial information was leaked from the Cash Converters database. It’s reported that only customers with an account on the company’s old website had their data compromised. The organisation informed those who may be affected and advised them to change their passwords whether they have or have had an account with the company.

Although this was not a Ransomware attack, there are reports that the high-street chain has been threatened with a data leak if a financial payment is not made.

This security breach was reported to the Information Commissioners Office (ICO) and it, along with Cash Converters, is investigating how the breach occurred.

What is a data breach?

Simply put, a data breach is when information is accessed by those without access permissions. The Information Commissioners Office (ICO) defines a personal data breach as:

“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”.

What should I do in the event of a data breach?

It’s stated in the ICO guidelines that service providers (e.g. telecoms providers etc.) should follow the below steps:

• Notify the ICO

• Consider whether to notify your customers

• Record details in your own breach log

You must notify the ICO within 24 hours of your organisation being aware of the vital facts of the breach. If your business suffers a cyber-attack such as Ransomware, organisations must also provide evidence to the ICO of what measures they have in place to protect their data. Cyber-attack reporting will be something for businesses to consider when the General Data Protection Regulation (GDPR) comes into force in May 2018.

Root cause analysis allows organisations to pinpoint where an attack originated within their IT environment. You can see the detail, down to the device that was infected and the email, for example, that could have caused the attack.

How can I prevent a data breach?

Update and patch your software

Updates and patches are a pivotal part of a secure IT environment; many of the larger Ransomware attacks that took place earlier this year could have been averted had systems been correctly updated. This is something TSG’s SystemCare does in the background, keeping your critical data safe.

The hacked Cash Converters website was actually its old website, which was reportedly not used from 22nd September onwards, as this was when the company launched its new corporate website. It has not been confirmed whether the hack took place before the 22nd September or not. However, if the breach occurred after this date, which is a more likely scenario, it would indicate that the old website was still technically live. If this was the case it would have been an easy target for cyber criminals if left in a vulnerable state, without the proper security patches and updates in place.

Train your staff

Employee awareness is where an IT security strategy can easily fall down. Many employees aren’t aware of cyber threats, Ransomware, viruses, or even the dangers of taking data off-site or moving it across devices. The IT security landscape is changing and with it must come the education of workforces across the UK.

The Heathrow USB data breach occurred because an employee moved critical and highly sensitive data (including the Queen’s movements when she visits the airport!) onto a USB stick and took it off-site and then dropped it – in the street. It was then picked up by a passer-by and handed back. A very lucky outcome for Heathrow.

Increasing awareness of the dangers that data breaches across the board can cause will strengthen your organisation against cyber-attacks. Sophos Phish Threat allows you to simulate email phishing attacks on your staff. This will not only allow you to see who opens potentially malicious emails but also diverts staff to online training to broaden their IT security knowledge.

Encrypt your data

Data encryption is a software that reads and changes the information within your documents into an unreadable code should a cyber criminal look to hack into your database. By encrypting your data documents can be moved across devices and into the cloud and still remain secure. You can define who has access to what documents.

To understand how your company can prevent attacks and data breaches, speak with our experts.