TSB customers are experiencing a fourth day of disruption, following the migration of TSB customer data from Lloyds’ IT systems over the weekend. The main impact on customers has been the inability to use internet and mobile banking but, more worryingly, there have been numerous reports of spurious transactions and, for a period on Sunday, at least 400 customers had visibility of other people’s data.
The scenario is reminiscent of the trouble at Tesco Bank in June 2011 when they migrated customer data from legacy RBS systems; on that occasion the disruption also lasted for four days. As in 2011, much of the criticism from customers has focused on the quality of communication; clearly this has not been helped in the case of TSB by boasts from Sabadell, TSB’s owner since 2015, about the success of its IT integration!
It has been reported this week that thousands of Calor Gas customers have experienced delays in receiving their gas supplies; in extreme cases this has led to customers running out of gas for heating, cooking and hot water (although the number of these is not known). Calor first announced the problem four weeks ago, blaming a combination of a national shortage of liquefied petroleum gas and the severe weather in early March. This resulted in a “perfect storm” where increased demand coincided with reduced supply, compounded by the problems of actually delivering to isolated rural communities.
Obviously one can debate how forseeable such an incident was, and whether Calor could have prepared better for such an eventuality by addressing their supply chain resilience. However, the angry response from customers on social media has focused on a lack of communication, in particular a lack of clarity on when they will receive gas supplies. Once again, the problem seems to lie as much with crisis communications as with the crisis response itself.
Our blog could sometimes be accused of being a little UK-centric so, in an attempt to redress any imbalance, we thought we would take a little look at some data from the US!
For some years now, Stericycle have produced detailed quarterly reports on product recalls in the US. Aggregating data from these reports over the last five years yields the following graph:
The (mostly) reassuring message from the graph seems to be that, just like in the UK, the numbers go up and down from year to year but there is no meaningful trend. Whilst it would be foolhardy to read too much into the slight downward slope; there is certainly nothing to suggest a significant growth in recalls over recent years. Nevertheless the scale of some of these recalls, particularly some of the recent high-profile automotive recalls, serves as a powerful reminder of the need to plan, train and exercise for these scenarios.
There have been widespread reports of the huge fire that broke out at Ray Mill in Stalybridge, Greater Manchester on Saturday night. At its height, five stories of the mill were on fire and over 50 firefighters were battling to contain the blaze. Miraculously there are no reports of any injuries.
Thanks to the efforts of the emergency services, life for much of the local community is now returning to normal, although there are still road closures in place around the mill. However, the Manchester Evening News reports that “It is believed several dozen businesses and other organisations were based in the mill”: it will clearly not be a normal week in the office for any of these. At the very least organisations who were based in the mill will need temporary work space for a period of time; but some may have suffered much more severe impacts, with one business owner quoted in the paper saying he has lost millions of pounds worth of stock. The effects may also spread wider than those organisations based in the mill, with potential knock-on effects on both their customers and suppliers.
Ironically, smaller organisations like these, who are most vulnerable to disruption, are also least likely to have undertaken any business continuity planning. Business continuity for small businesses need not be expensive or time-consuming, as this case study shows, and can be the difference between survival and failure in situations like these.
In the week that the publication of “Lessons Learned Review of the WannaCry Ransomware Cyber Attack” concluded that the impact on the NHS of last May’s attack was preventable; there is some good news on the cyber security front….
The number of organisations achieving certification under the UK Government’s Cyber Essentials and Cyber Essentials Plus schemes has continued to grow significantly. Based on information from the four recognised accreditation bodies (CREST, IASME, APMG and QG Management Systems); as of this week 6394 organisations had achieved certification, up from 4574 six months ago (a rise of 40%). A glance at the list of names suggests that all sizes of organisation and sectors of the economy are embracing the scheme.
Clearly though, there are still many organisations who have not recognised the need to improve information security: follow the link to find out how we can help your organisation.
Radware’s annual reports provide a very detailed analysis of the current state of the cyber security threat. Whilst the latest report, released earlier this month, confirms that cyber attacks are occurring with relentless frequency and continue to evolve and grow in sophistication; it also shows some subtle shifts in the targeting of these attacks. For instance the frequency of attacks amongst service providers appears to be increasing with 23% of firms reporting experiencing daily attacks (up from 15% in 2016); likewise the number of financial services firms reporting daily attacks was up from 14% to 17%. However, in the same period, the proportion of government agencies experiencing daily attacks fell from 27% to 24% and the number of organisations in the education sector fell from 15% to 5%.
Perhaps there is a danger here though of getting lost in all the detail: even within the education sector, 90% of organisations report experiencing at least one cyber attack a year so it is clearly a threat that cannot be ignored. Particularly as the average estimated cost of a cyber incident was reported at $1.3m.
Follow the link to see ho we can help with your information security management challenges.
2017 appears to have been a quiet year for product recalls in the UK. According to the FSA website there were only 45 recalls of food products (down from 76 in 2016); whilst recalls of electrical products were down from 61 to 32 (see Electrical Safety First). Before we get too excited though, looking at the longer term (see graph below) these would appear to be just part of the natural variation from year to year, rather than evidence of a breakthrough in quality management!
We would therefore still advise organisations to maintain and exercise their product recall plans, including the associated crisis communications plans.
The Information Commissioner’s Office (ICO) announced yesterday that it had fined Carphone Warehouse £400 000 over a cyber-attack in 2015. The company’s failure to secure the system allowed unauthorised access to the personal data of over three million customers and 1,000 employees, including: names, addresses, phone numbers, dates of birth, marital status and payment card details. The ICO considered that the personal data involved would significantly affect individuals’ privacy, leaving their data at risk of being misused; although it was acknowledged that there was no evidence that this had happened.
Using valid login credentials, intruders were able to access a Carphone Warehouse system via out-of-date WordPress software. The ICO identified multiple inadequacies in Carphone Warehouse’s approach to data security and determined that the company had failed to take adequate steps to protect the personal information. In particular their investigation highlighted that:
- Important elements of the software in use on the systems affected were out of date;
- The company failed to carry out routine security testing; and
- There were inadequate measures in place to identify and purge historic data.
In summary, the Information Commissioner said:
“A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.
“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
With just over four months to go before GDPR comes into force this is another reminder of the need to ensure information security management systems are fit for purpose. Follow the link to see how we can help.
There appears to have been a big rise in the number of organisations certifying to the Cyber Essentials standard over the last three months. Data from the four certifying bodies in August 2017 revealed that nearly 4600 organisations were certified at that stage, but this has now risen to over 5500; an increase of more than 20%. Backed by the UK Government, the Cyber Essentials standard focuses on the following five areas:
- Boundary Firewalls and Internet Gateways;
- Secure Configuration;
- Access Control;
- Malware Protection; and
- Patch Management.
By achieving certification, organisations can demonstrate to their customers and other stakeholders that they have achieved a basic level of cyber security. Follow the link for more information on how we can help you with all aspects of information security management.
At first glance the announcement of a data breach involving data from 57 million drivers and customers of Uber is a case of more of the same: there have been much bigger breaches over the last few years. However, the revelation that the company didn’t acknowledge the breach for a year, opting instead to pay a ransom to hackers, makes the story of real interest. Here in the UK, the Information Commissioner’s Office has expressed “huge concerns” about this lack of openness; and there has been an angry backlash from those who may have been affected by the breach and are now wondering what has happened to their personal data over the last 12 months. The decision to pay a ransom is particularly hard to fathom, and potentially the most damaging aspect, escalating the discussion beyond information security into a debate about the ethics and judgement of the firm’s senior management. We shall follow this story with interest…..