Article – JMS Secure Data
https://jms-securedata.co.uk
Your Data | Our Security
Wed, 04 Apr 2018 13:42:46 +0000

New JMS Secure Data Brochure – New Packages Launching May 2017!
https://jms-securedata.co.uk/new-jms-secure-data-brochure-new-packages-launching-may-2017/
Tue, 25 Apr 2017 11:55:27 +0000

JMS Secure Data will be launching its new simplified pricing structure which covers more products and services all under one package.

Our aim is to give our customers much more as a package for a very competitive price whilst continuing to meet the UK GDPR requirements for treatment of data.

Fine for lawyer who stored client files on home computer
https://jms-securedata.co.uk/fine-for-lawyer-who-stored-client-files-on-home-computer/
Tue, 18 Apr 2017 11:53:57 +0000

A senior barrister who failed to keep clients’ sensitive personal information secure has been fined £1,000 by the Information Commissioner’s Office (ICO).

Information belonging to up to 250 people, including vulnerable adults and children, was uploaded to the internet when the barrister’s husband updated software on the couple’s home computer.

Some 725 unencrypted documents, which were created and stored on the computer, were temporarily uploaded to an internet directory as a backup during the software upgrade.

They were visible to an internet search engine and some of the documents could be easily accessed through a simple search.

Six of those files contained confidential and highly sensitive information relating to people who were involved in proceedings in the Court of Protection and the Family Court.

Steve Eckersley, Head of Enforcement at the ICO said:

“People put their trust in lawyers to look after their data – that trust is hard won and easily lost. This barrister, for no good reason, overlooked her responsibility to protect her clients’ confidential and highly sensitive information. It is hard to imagine the distress this could have caused to the people involved – even if the worst never happened, this barrister exposed her clients to unnecessary worry and upset.”

Council fined for leaving sensitive files in cabinet sent to second hand shop
https://jms-securedata.co.uk/council-fined-for-leaving-sensitive-files-in-cabinet-sent-to-second-hand-shop/
Tue, 18 Apr 2017 11:41:40 +0000

A county council which left files that included sensitive information about children in a cabinet sent to a second-hand shop has been fined £60,000 by the Information Commissioner’s Office (ICO).

The breach by Norfolk County Council came to light after social work case files were discovered in a cabinet purchased by a member of the public from a second-hand shop. The case files included information relating to seven children.

Steve Eckersley, ICO Head of Enforcement, said:

“The council had disposed of some furniture as part of an office move but had failed to ensure that the cabinets were empty before disposal. Councils have a duty to look after any personal information they hold, all the more so when highly sensitive information is concerned – in particular about adults and children in vulnerable circumstances.
“For no good reason Norfolk County Council appears to have overlooked the need to ensure it had robust measures in place to protect this information. It should have had a written procedure in place which made it clear that any storage items removed from the office which may have contained personal were thoroughly checked before disposal.”

Having the appropriate staff and procedures in place is key to ensuring councils look after personal information properly.

This will be crucial when a new data protection law called the General Data Protection Regulation (GDPR) – setting high standards for organisations when it comes to the privacy of personal data – comes into force from May 2018.

ICO fines eleven more charities
https://jms-securedata.co.uk/ico-fines-eleven-more-charities/
Tue, 18 Apr 2017 11:29:55 +0000

The Information Commissioner’s Office has fined eleven charities that breached the Data Protection Act by misusing donors’ personal data.

ICO investigations found many of the charities secretly screened millions of donors so they could target them for additional funds. Some charities traced and targeted new or lapsed donors by piecing together personal information obtained from other sources. And some traded personal details with other charities creating a large pool of donor data for sale.

The action follows penalties issued to two charities in December 2016.

The charities fined were:

• The International Fund for Animal Welfare – £18,000
• Cancer Support UK (formerly Cancer Recovery Foundation UK) – £16,000
• Cancer Research UK – £16,000
• The Guide Dogs for the Blind Association – £15,000
• Macmillan Cancer Support – £14,000
• The Royal British Legion – £12,000
• The National Society for the Prevention of Cruelty to Children – £12,000
• Great Ormond Street Hospital Children’s Charity – £11,000
• WWF-UK – £9,000
• Battersea Dogs’ and Cats’ Home – £9,000
• Oxfam – £6,000

The Information Commissioner has exercised her discretion in significantly reducing the level of today’s fines, taking into account the risk of adding to any distress caused to donors by the charities’ actions. The same approach was taken to fines issued to the Royal Society for the Prevention of Cruelty to Animals (£25,000) and British Heart Foundation (£18,000) in December.

Information Commissioner Elizabeth Denham said:
“Millions of people will have been affected by these charities’ contravention of the law. They will be upset to learn the way their personal information has been analysed and shared by charities they trusted with their details and their donations. No charity wants to alienate their donors. And we acknowledge the role charities play in the fabric of British society. But charities must follow the law.”

The charities were investigated by the ICO as part of a wider operation sparked by reports in the media about repeated and significant pressure on supporters to contribute. There are no other outstanding investigations into charities as part of that operation.

Elizabeth Denham added:
“These fines draw a line under what has been a complex investigation into the way some charities have handled personal information. While we will continue to educate and support charities, we have been clear that what we now want, and expect, is for charities to follow the law.”

Experts Hit Back at Rudd’s ‘Cheap’ WhatsApp Shot
https://jms-securedata.co.uk/experts-hit-back-at-rudds-cheap-whatsapp-shot/
Tue, 28 Mar 2017 12:42:51 +0000

Rights groups, former military bosses and law enforcers have dismissed the home secretary’s attack on end-to-end encryption, claiming she already has some of the most sweeping surveillance powers of any state at her disposal.

Amber Rudd took to the Andrew Marr Show on Sunday to criticize firms like WhatsApp and Facebook, which use encryption to secure messages for their users, as aiding terrorists.

“We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don’t provide a secret place for terrorists to communicate with each other,” she said, branding it “completely unacceptable” that the authorities can’t access messages on these services in emergencies.

It emerged that Westminster attacker Khalid Masood may have used WhatsApp moments before he killed four people outside the Houses of Parliament last week.

However, experts have been quick to dismiss Rudd’s calls.

The Ministry of Defence’s former cybersecurity boss, major general Jonathan Shaw, accused her of using the tragedy to impose her political will on others. He argued that terrorists will simply move on to other more secure methods of communication.

“The problem will mutate and move on. We are aiming at a very fluid environment here. We are in real trouble if we apply blunt weapons to this, absolutist solutions,” he told BBC Radio 4’s Today program.

Liberal Democrat home affairs spokesperson, Brian Paddick – a former deputy assistant commissioner at the Met – argued that what Rudd is calling for is “neither a proportionate nor an effective response”.

Meanwhile, Open Rights Group executive director, Jim Killock, branded Rudd’s words nothing more than “cheap rhetoric”.

The Investigatory Powers Act already provides the home secretary with the theoretical ability to enforce a “Technical Capability Notice” – which could be used to persuade tech firms to create backdoors, he claimed.

“The striking thing is that if she was genuinely serious about her suggestion, she would not be making public demands; she would be signing legal orders to force companies to change their products. She would not be telling us about this,” Killock added.

“We should use Amber Rudd’s cheap rhetoric as a launch pad to ask ourselves why she has such sweeping powers, and what the constraints really amount to.”

Cyber-Attack on ABTA Website Puts Thousands at Risk
https://jms-securedata.co.uk/cyber-attack-on-abta-website-puts-thousands-at-risk/
Tue, 21 Mar 2017 13:35:29 +0000

A cyber-attack on the website of the Association of British Travel Agents (ABTA) could potentially have impacted as many as 43,000 people.

As explained in a statement on the company’s website, it is believed that those behind the attack (which occurred on February 27) gained access to about 1000 files which may include personal identity information on customers of ABTA Members, the majority of which are email addresses and encrypted passwords, relating to complaints made about ABTA staff.

ABTA CEO, Mark Tanzer, said: “We recently became aware of unauthorised access to the web server supporting abta.com by an external infiltrator exploiting a vulnerability. The web server is managed for ABTA through a third party web developer and hosting company. The infiltrator exploited that vulnerability to access data provided by some customers of ABTA Members and by ABTA Members themselves via the website.

“We immediately notified the third-party suppliers of the abta.com website who immediately fixed the vulnerability. ABTA immediately engaged security risk consultants to assess the potential extent of the incident. Specialist technical consultants subsequently confirmed that the web server had been accessed.”

ABTA said it is not aware of any information being shared beyond the infiltrator, and the firm is actively monitoring the situation. It pointed out that there was “a very low exposure risk to identity theft or online fraud” with the kind of data that has been accessed. However, as a precautionary measure, ABTA is taking steps to warn both customers of ABTA Members and ABTA Members who could potentially be impacted.

“We are today contacting these people and providing them with information and guidance to help keep them safe from identity theft or online fraud. We have also alerted the relevant authorities, including the Information Commissioner and the Police”, Tanzer said.

In a brief statement to InfoSecurity, an ICO spokesperson said: “We are aware of this incident and will be making enquiries.”

ABTA advised anyone who has registered with abta.com to immediately change their password as a precaution, and should that password be used for any other services or accounts, to change it for those too.

“You should remain vigilant regarding online and identity fraud,” ABTA also said. “Actively monitor your bank accounts and any social media or email accounts you may have. We are also making available free of charge an identity theft protection service to members of the public who had registered on abta.com and may have been affected.”

Commenting on the incident, Jes Breslaw, director of strategy, EMEA at Delphix said that time and time again we have seen that even the most basic breach of personal identifiable information puts consumers at risk.

“Names, addresses and contact information all hold money-making potential for opportunistic cyber-criminals on the dark web,” she explained. “The latest ABTA breach once again reinforces why organisations need to prioritise the development of multi-layered security measures.”

David Mount, director of security solutions consulting EMEA, Micro Focus, added:

“As with most data breaches, news of this latest hack from ABTA is likely to raise questions around how large organisations are protecting our personal data and keeping passwords safe. In this case, the passwords of those affected are encrypted, meaning they will be difficult for an attacker to decipher, but that’s not always the case.

“In future, we need a more effective way to securely prove who we are without relying solely on passwords as they are no longer useful as a single factor of authentication. The answer could be biometrics, tokens, smartphones, behavioral indicators, or a blend of these measures – pinpointing the appropriate method always depends on the sensitivity of the information or service being secured”, he argued.

Yahoo Hacking – Russia Denies Charges
https://jms-securedata.co.uk/yahoo-hacking-russia-denies-charges/
Fri, 17 Mar 2017 14:19:38 +0000

Russia has denied any involvement in the 2014 hack of internet giant Yahoo, after US authorities charged four people over the incident.

US Department of Justice (DoJ) officials charged two Russian spies and two criminal hackers in relation to the 2014 breach, which exposed around 500 million Yahoo accounts.

According to the BBC, Russian officials have formally denied any involvement in the hack. “As we have said repeatedly, there can be absolutely no question of any official involvement by any Russian agency, including the FSB, in any illegal actions in cyberspace,” said spokesman Dmitry Peskov.

Reuters added that Russian officials also said they had received no official word from their American counterparts about the charges. All their information had been taken from media reports, Peskov said.

Two of those charged, Dmitry Dokuchaev and Igor Sushchin, work for the FSB, Russia’s intelligence agency and successor to the KGB. The other two, Karim Baratov and Alexsey Belan, are considered career hackers. Belan is on the FBI’s Cyber Most Wanted list after two previous indictments on hacking charges.

The DoJ’s charges allege that the FSB agents worked closely with Belan and Baratov and passed them information that would help them avoid detection by US authorities. They hacked into Yahoo’s database to target accounts belonging to Russian journalists, Russian and US government officials and employees of a Russian cybersecurity company.

The charges included conspiracy, computer fraud and abuse and economic espionage.

In total, around 500 million accounts were compromised. It is further alleged that Belan used this access to steal credit card details and other financial details. It is also claimed that he sold details of 30 million accounts which were subsequently targeted by a spam campaign.

According to Reuters, Canadian citizen Baratov has been arrested. The whereabouts of the other three is currently unknown, but reports suggest they are in Russia. There is currently no extradition treaty between Russia and the US, which could make bringing the suspects to trial difficult.

At a press conference held to announce the charges, acting assistant attorney general Mary McCord said she was hopeful Russia would cooperate in bringing the criminals to justice, Reuters said.

ICO recommends opt-in communications in its GDPR guidance
https://jms-securedata.co.uk/ico-recommends-opt-in-communications-in-its-gdpr-guidance/
Fri, 17 Mar 2017 13:33:40 +0000

The Information Commissioner’s Office has published draft guidance on the General Data Protection Regulation (GDPR) which recommends a move to “active opt-in” and says individuals have the right to withdraw consent at any time. The consultation document applies to all organisations and sectors which handle or process data.

The ICO has published its GDPR consent guidance document for consultation, which recommends that organisations which process data should review their consent mechanisms to make them more “specific, granular, clear, prominent, opt-in, documented and easily withdrawn”.

Organisations will also need to keep records of evidence for consent at every step of the process and have been advised by the ICO to “build regular consent reviews into your business processes”.

GDPR will also ban the usage of “pre-ticked opt-in boxes” as a valid means of gaining an individual’s consent. The ICO also said that, while “GDPR does not specifically ban opt-out boxes,” that method of communication is “essentially the same as pre-ticked boxes, which are banned”.

The document also points out that, when GDPR comes into force in May 2018, unlawful use of personal data would be subject to “the highest tier of administrative fines”. The ICO said that these could be as high as “€20m (£17.2m) or 4 per cent of a company’s total worldwide annual turnover, whichever is higher”.

‘Key changes to make in practice’ as result of GDPR

The ICO said that organisations who process data will need to make seven “key changes” to their consent mechanisms to ensure they meet with GDPR requirements.

Consent must now be “unbundled” – as in being “separate from other terms and conditions”; an “active opt-in”; “granular” – different consent options for different types of processing; “named” – including both the name of the organisation processing the data and any third parties also relying on that consent; “documented”; “easy to withdraw” and not based on an “imbalance in the relationship”.

The ICO said that, while existing DPA consents would still be valid when GDPR comes into force, organisations will “need to be confident that your consent requests already meet the GDPR standard” if they are to be relied upon after May 2018.

The document also sets out a number of scenarios in which consent would be rendered invalid. Some of the most relevant include if an organisation doesn’t “have clear records to demonstrate” that a person consented in the first place, or if they have used “pre-ticked opt-in boxes or other methods of default consent”.

Keep records of clear consent

GDPR stipulates that consent “must be specific and informed” and, at a minimum, must be obtained by giving a certain amount of information. This includes the name of the organisation and any third parties who will rely on that consent, why an organisation wants that data and what it will do with that data, including any “processing activities”.

GDPR will mean that organisations relying on consent “must have an effective audit trail of how and when consent was given, so organisations can provide evidence if challenged” regardless of how that consent was given, including oral consent.

The ICO have also said specifically that organisations relying on consent “cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default settings or blanket acceptance of your terms and conditions” as evidence of consent.

Individuals will also be given a “specific right to withdraw their consent” under GDPR, and that right will be “at any time”. The ICO said that an individual’s consent “must also be as easy to withdraw as it was to give”.

The ICO has published the document as part of a period of wider consultation on GDPR which will run from 2 March through to 31 March 2017. It can be viewed on the ICO’s website.

Prime Minister’s Twitter account could be compromised
https://jms-securedata.co.uk/prime-ministers-twitter-account-could-be-compromised/
Tue, 14 Feb 2017 11:28:24 +0000

Senior members of the UK government aren’t taking enough precautions to secure their Twitter accounts, Buzzfeed reported Monday last week.

Of the 19 who use Twitter, 11 hadn’t set their security to prompt for the user to input their email address or phone number to start the password reset process. This means that anyone who tries to reset the password of someone who hasn’t taken precautions is presented with a partially redacted representation of the email address associated with the account.

Buzzfeed quoted Mustafa Al-Bassam, a volunteer at Privacy International, who said: “If hackers can learn the email address that you use for Twitter, then it makes it easier to compromise your Twitter account.” He pointed out that if the email address can be worked out, a hacker could then target it with phishing attacks designed to harvest passwords.

As of last week, Theresa May, the Prime Minister, and Boris Johnson, the Foreign Secretary, still had not secured their Twitter accounts.

Two weeks ago, it was pointed out that US President Donald Trump also hadn’t secured his Twitter account, but when it was checked last Monday the setting had been changed.

It’s not only politicians who risk being compromised: you can check your Twitter account by going to your settings page and under the Security and Privacy tab, making sure you’ve ticked the option that says “Require personal information to reset my password”.

Historical Society fined for ‘serious’ data breach
https://jms-securedata.co.uk/historical-society-fined-for-serious-data-breach/
Tue, 14 Feb 2017 11:05:08 +0000

A historical society has been fined after a laptop containing sensitive personal data was stolen while a member of staff was working away from the office.

The historical society was fined £500 by the Information Commissioner’s Office (ICO), the independent authority set up to promote openness of public bodies and data privacy for individuals. The ICO said the amount of fine reflected the financial circumstances of the historical society. It warned that most organisations would receive a much larger fine for a similarly serious breach.

The stolen laptop contained the details of people who had donated artefacts to the society. The data was not encrypted.

An ICO investigation found that the organisation had no policies or procedures around home-working, encryption and mobile devices – which resulted in a breach of data protection law. The case highlights the importance of developing detailed policies on agile and home-working.

ICO group manager Sally-Anne Poole said: “Organisations are required by law to keep data secure and that includes when working away from the office.

“The personal information in this case was so sensitive we can’t give out details of the breach. The historical society knew of the potential consequences of losing the sensitive information and should have taken measures to secure the data.”

The ICO website has advice for charities on complying with legal requirements to protect information.
