Two weeks ago the ICO announced that it had fined a senior barrister £1000 for failing to keep clients’ sensitive personal information secure. The ICO explained that the barrister had kept sensitive information on 250 clients on a home computer without using any encryption. Then, during an update of software on the computer, files were automatically backed up on-line, where they were temporarily visible to search engines. There are clear lessons here for other small businesses, but it would appear that large organisations also have issues. A few days later the ICO announced that it had fined Norfolk County Council £60 000 for leaving social work case files in a cabinet that they disposed of – the files were discovered by a member of the public who bought the cabinet in a second-hand shop! Once again, this example highlights that information security is not just about electronic data.
Whilst a very useful resource, the Electrical Safety First website is not normally that entertaining. Typically there is a list of battery chargers that pose a fire risk and similar items, but today is different as a recall has just been announced of Ann Summers “Black Power Wands”. Not only that, but the reason for the recall is described as “Risk of electric shock. Prolonged use may result in the wires in the cord at the base of the product becoming exposed.” So please do spread the word to friends and family. We may never see data from this particular recall, but typical success rates for electrical goods are only 10-20%, so there could be quite a few faulty “Power Wands” out there for some time to come.
The Coop began recalling 3000 chocolate Easter bunnies earlier this week, after a battery was found in one. This in itself is not remarkable; we have blogged before about the rising number of food product recalls. What makes this story remarkable is that only six weeks ago the Coop had to recall tens of thousands of chocolate Santas for the same reason. Product tampering, as opposed to contamination during the manufacturing process, is suspected in both cases. Beyond that, details are scarce, although it was stated after the December incident that there had been no blackmail or ransom demand. Maybe all we can say at this stage is that lightning really can strike twice.
On a positive note, the Coop appears to have implemented both recalls effectively and in a timely fashion, although it is quite difficult to find the details of the recall on the Coop website.
It was announced last week that the Information Commissioner’s Office (ICO) had fined the insurance company Royal Sun Alliance £150 000 for the loss of a hard drive containing names, addresses and bank account details of 60 000 customers. The device was stolen from RSA’s offices in West Sussex but it is not known whether the theft was carried out by a member of staff or not, and it has never been recovered.
A statement from the ICO said:
“When we looked at this case we discovered an organisation that simply didn’t take adequate precautions to protect customer information. Its failure to do so has caused anxiety for its customers not to mention potential fraud issues….There are simple steps companies should take when using this type of equipment including using encryption, making sure the device is secure and routine monitoring of equipment. RSA did not do any of this and that’s why we’ve issued this fine.”
Once again, this incident emphasises that having appropriate policies and procedures in place, and understood by staff, is a critical part of information security management. For more information on information security and ISO 27001, go to our “What is Information Security” page.
The severe disruption to London Ambulance Service’s IT systems on New Year’s Eve has been widely reported in the media, although little is known at this stage about the root cause. Hopefully, in due course, any useful lessons identified will be shared throughout the NHS to minimise the chance of a recurrence. In the meantime I was struck by two thoughts…
Firstly, and as I have probably remarked previously in this blog, it is a reminder that very unlikely combinations of events do happen from time to time. Much of the reporting of the incident focused on people’s incredulity that such an outage could occur on the busiest night of the year; indeed, if I presented an NHS client with something similar as an exercise scenario, I suspect I would receive much negative feedback about the credibility of the scenario. Nevertheless it happened.
The second thought arose from the assumption that having a disruption at a busy time is, by definition, the worst case scenario. I know nothing about the workings of LAS, but it seems at least plausible that they were actually better able to manage the disruption because they had increased staffing to cope with the expected demand and had already deployed large numbers of staff on the ground in treatment centres. I don’t wish to labour the point, but it just occurred to me that there are important implications for planning for ‘reasonable worst cases’: the most difficult disruption to manage may actually be one that occurs at a quiet time when resources are very limited.
October was a busy period for food product issues with eight recalls over the course of the month, as against a long-term average of about 35 per year (although it did hit 56 last year). The products affected were:
- Patchwork Pate – fifteen varieties of pâté
- Milegate Ltd – Mystry Dried Pangash fish
- Kopparberg – sparkling rosé strawberry and sparkling rosé raspberry cider
- HiPP – Organic Fruity O’s breakfast cereal
- Hilltop Honey – raw British creamed honey
- Suma – canned organic sweetcorn
- Biona – canned organic sweetcorn
- A G Barr – Rubicon sparkling mango
The recalls were made for a wide variety of reasons, including chemical contamination, lack of manufacturing controls, metal contamination and yeast fermentation! Regardless of the specific trigger event, each of these incidents presents a significant risk of financial and reputational damage if not handled appropriately. As well as the normal guidance on business continuity and crisis communications, the British Retail Consortium (www.brc.org.uk) includes a specific requirement to plan for product recalls and withdrawals in its certification scheme.
Some 40,000 Tesco Bank accounts have been frozen following online fraud attacks, with money taken from some 20,000 customers. Social media comments have been made since Saturday, when the fraudulent activity was first spotted.
A statement has been released by the Chief Executive, Benny Higgins, explaining why action has been taken to temporarily stop online banking for current accounts, and explaining that the bank is working with the authorities and regulators. He has further stated that ‘We can reassure customers that any financial loss as a result of this activity will be resolved fully by Tesco Bank, and we are working to refund accounts that have been subject to fraud as soon as possible.’ Whilst this will be of some solace to customers that have been impacted, there have been a significant number of complaints about the lack of information and long call centre delays. There have been reports of those who have managed to get through who have then been dissatisfied by the inability of the staff to deal with concerns.
From an information security perspective, this breach raises several questions. It is staggering that such a breach has been able to occur, tackling individual accounts in this way. At least it has not happened towards the end of the month, when many people are paid and have direct debits and standing orders due to go out, but there is a significant number of people who have been left without money to purchase food and fuel and to pay bills.
Automated texts do appear to have been efficient at alerting customers to the fraudulent activity. However, Tesco Bank does not appear to have been particularly effective in responding to customer queries and ensuring that calls from concerned customers could be handled promptly. Disruptions do increase call centre usage, and this should be noted within incident response plans.
The immediate focus is refunding the stolen monies. It is not clear how much has been stolen; sums appear to range from small to a couple of thousand. Longer term, it will be interesting to understand what data has been breached. Banks hold a significant amount of personal data, and I am curious to know whether customers will be advised to simply change passwords, or whether more fundamental account details will have to be updated.
It is often noted that information security breaches can take a significant length of time to be discovered. In this case, the fraud text alert system has certainly been effective. However, cyber crime has long been a concern in the banking industry, with the Bank of England highlighting “a tendency among [banking] firms to view cyber-threats as a technical problem rather than an issue which merits board-level attention given the evolving nature of cyber-threats and the key importance of cyber-resilience to continuity of financial services”.
There have been previous reports about Tesco Bank and privacy concerns, including during 2010, 2012, 2014 and February 2016. Given this trend, it would appear that Tesco Bank could do more to ensure the ongoing maintenance, monitoring and continual improvement of its information security!
The Tesco Bank website states that the ‘security of your accounts is a priority for Tesco Bank’; customers will now be wondering how secure is secure?
Written by Helen Molyneux
The announcement yesterday that Merlin Entertainments had been fined £5m for the crash at Alton Towers last year, in which 16 people were injured, came as little surprise. What has been startling, though, is Merlin’s dramatic fall from grace over the last 12 months. In the immediate aftermath of the incident, the operator was being praised for the openness of their communications and for the compassion which they showed for the victims. However, five months later, when they issued a press release announcing the findings of an internal investigation, they bizarrely argued that “human error” was to blame for the accident.
We remarked at the time that this assertion ignores 40 years of research into accidents: whilst a human error may have been the immediate trigger for an event, there is almost always a trail of organisational lapses and errors leading up to that point. And so it has emerged in the course of Merlin’s prosecution by the HSE. Amongst other factors leading to the accident we now know that: engineers had not read the operating instructions for the Smiler; there was no documented system or process to follow to deal with a stranded carriage; staff were financially incentivised to keep the ride running; and the automated system that should have warned of dangerously high winds failed to operate on 2nd June.