UK Fines Outsourcer For Failing To Stop Cyberattack (theguardian.com)
Bruce66423 writes: Britain's data watchdog has fined the construction group Interserve $4.9m after a cyber-attack that enabled hackers to steal the personal and financial information of up to 113,000 employees. The attack occurred when Interserve ran an outsourcing business and was designated a "strategic supplier to the government with clients including the Ministry of Defence." Bank account details, national insurance numbers, ethnic origin, sexual orientation and religion were among the personal information compromised. The Information Commissioner's Office (ICO) said Interserve Group broke data protection law because the company failed to put appropriate measures in place to prevent the cyber-attack, which happened two years ago. Interserve's system failed to stop a phishing email that an employee downloaded, while a subsequent anti-virus alert was not properly investigated.
The attack led to 283 systems and 16 accounts being compromised, uninstalled Interserve's anti-virus system and encrypted all current and former employees' information. The ICO said Interserve used outdated software systems and protocols, had a lack of adequate staff training and insufficient risk assessments. "This data breach had the potential to cause real harm to Interserve's staff, as it left them vulnerable to the possibility of identity theft and financial fraud," said John Edwards, the UK information commissioner. "Leaving the door open to cyber-attackers is never acceptable, especially when dealing with people's most sensitive information. The biggest cyber-risk businesses face is not from hackers outside of their company but from complacency within their company."
The Unique Position of Government (Score:1)
If another private sector company had the same experience with that supplier they would probably be in court over it. But government is the one group that can penalize a company directly. Given this position, should it not also then be the task of the government to require proof of adherence through oversight in advance (and during) project execution?
Imagine if companies could simply declare each other to be "fined".
Re:The Unique Position of Government (Score:5)
The question will be enforcement and appeal, as per any other ICO case. There's nothing special here - the government didn't unilaterally decide to go "hah ha! Boo! FINE!"...an agency tasked with protecting information followed the law, determined a breach and then issued a fine using the powers granted to it by that same law. Courts will be involved should the recipient of the fine appeal, or refuse to pay. In other words - this is standard procedure.
ICO fine is appealable to a court (Score:2)
In effect the ICO isn't part of the government in this transaction, it's an independent regulator. Therefore it is legitimate to take a swipe at the organisation as long as it can justify its actions before a court.
Where you may be right is that this perhaps means companies working for the government will be a little more careful about cutting corners; this would be good. Even better if it encourages companies to be careful about everybody they work with!
Re: (Score:2)
PayPal claims it can do exactly what you say: https://reason.com/volokh/2022... [reason.com]
Other finance companies have similar mechanisms, including chargebacks for credit cards.
"strategic supplier to the government" (Score:4, Insightful)
Re: (Score:1)
If you think it's hard to sue somebody in your own country, try remotely suing somebody in Timbuktu. Outsourcees know this.
WTF? (Score:3)
... ethnic origin, sexual orientation and religion were among the personal information compromised.
Why in hell had that information been collected in the first place? What business is it of anybody other than the individual employee and whomever he or she should decide to share it with? Why would an employer even ask those questions?
Re:WTF? (Score:5, Informative)
I don't know if it is true or not, but I have been told by the RMP of a young person just out of college who checked yes to all the "terrorist" boxes in a fit of humor. The RMP were fairly sure they were not a terrorist; however, they took the opportunity to engage in a full-scale armed raid of the home this person was staying in. That being their parents' house, they were all turfed out of bed at 1am by armed soldiers who broke into the house and questioned them. The RMP figured it was good training at the least, and it might have been true.
So be warned, governments have no sense of humor with these things - after all can you imagine the problem if they ignored a declared threat which was actually real?
Re: (Score:2)
For an example that more people can relate to, think of the signs about joking at an airport security line. Sure, if someone laughingly says "yes, I have a bomb in my bag", a listener can probably guess whether they're just joking or whether they really might -- but the people who are responsible for performing the security checks need a higher level of certainty than "can probably guess", so they're going to take that statement very seriously and make sure it's false before letting the person go through.
Re: (Score:2)
If you're a "closet" homosexual, do they seriously expect them to answer "yes" in their questionnaire?
Then again, the immigration form for the US has a "are you a member of a terrorist organization" as a question...
Re: (Score:2)
Last time I went to the US (close to 20 years ago now) they had questions like, "Are you entering the US with the intention of committing a crime?" and one asking if you're a foreign espionage agent. You'd have to be really stupid to answer yes to any of them. I think all it really does is allow them to bring charges of signing a false declaration if they catch you for any of the things they asked about.
Re: (Score:2)
I heard, and I have no idea whether that's true but it would at least make sense, that they can't just deport you for committing a crime, but they can if you lie on your immigration form.
I can frankly only assume it has to be some sort of legalese technicality bullshit.
Re: WTF? (Score:2)
Why would an employer even ask those questions?
Equality and diversity statistics.
Re: (Score:3)
UK law has anti-discrimination requirements where you need to be able to identify and report on this information for your employees for statistical and compliance purposes.
It's pretty well a guaranteed requirement for any Govt etc contracts.
a phishing email (Score:2)
Re: (Score:2)
But then you choose the same flawed platform you get the same results.
Phishing emails don't give a fuck what platform you use. The comment you just made is the reason IT is still a security nightmare, a demonstration that even geeks who read news for nerds clearly don't have a clue about IT security.
Re: (Score:1)
First off, Rishi is a nationalist. Nationalists, by definition, are racists themselves .. so they should be open to being racisted-upon at least moderately. I am saying that he is in bed with racists, so he ought to be okay with some racism so that he knows the consequences of providing them aid and comfort. Fair game, basically. Second, I declare my comment not racist, as I have always said I am a globalist. What did you expect me to do? Fawn over Rishi's rise from humble origins as an inherited billionair
Re: (Score:3)
Second, I declare my comment not racist
That's not how any of that works.
Re: (Score:2)
That's indeed bigly non-PC, but damn funny. Thanks for shining some sun on my dreary Monday.
Re: (Score:2)
Well, if they have no qualified people in the country that could do the job...
Yet again it's because of EMAIL!!!! (Score:5, Insightful)
Interserve's system failed to stop a phishing email that an employee downloaded, while a subsequent anti-virus alert was not properly investigated.
Okay ... how many bleeping times do we have to go over email policy? ENCRYPT, SIGN AND DIGITALLY VERIFY ALL EMAILS! Email is insecure to a comical level, the kind of comedy that is funny, stupid, terrifying and head-shaking, and the vast majority of people in tech know that. If you know something is a major flashing problem, and you have the ability, technology, and protocols to fix it, then why aren't you?
The real question that governments need to start asking is why wasn't the email system demanding encryption, signing and validation? If you just demand encryption, signing and validation you can stop 99.999% of attacks before they start, and yes I pulled that number out of my butt, but it's probably in the ballpark of accurate.
Re: (Score:2)
Okay ... how many bleeping times do we have to go over email policy? ENCRYPT, SIGN AND DIGITALLY VERIFY ALL EMAILS!
You've solved maybe 5% of possible email related phishing attacks. What else do you got?
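An added example, not code from the article or from any commenter, showing what "sign and verify" buys you in practice and where it stops: a DKIM/SPF pass in an Authentication-Results header proves the message came from the domain it names, not that the domain is one you should trust, so an attacker who registers a lookalike domain and sets up DKIM for it gets a clean pass too. The allow-list, brand token, domains, header values and messages below are constructed for the illustration.

```python
"""Authenticated is not the same as trusted.

Added example (not from the article or any commenter). A DKIM/SPF 'pass'
in Authentication-Results tells you the sending domain was verified; it
says nothing about whether that domain belongs to anyone you trust. All
domains, header values and messages here are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed allow-list of the domains this organisation really sends from,
# plus the brand token an attacker would embed in a lookalike domain.
TRUSTED_DOMAINS = {"corp.example", "mail.corp.example"}
BRAND_TOKENS = {"corp"}

AUTH_RE = re.compile(r"\b(dkim|spf|dmarc)=(\w+)")
DKIM_DOMAIN_RE = re.compile(r"header\.d=([\w.-]+)")


def parse_auth_results(msg):
    """Return ({method: verdict}, dkim signing domain or None)."""
    results, dkim_domain = {}, None
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(hdr):
            results[method] = verdict.lower()
        m = DKIM_DOMAIN_RE.search(hdr)
        if m:
            dkim_domain = m.group(1).lower()
    return results, dkim_domain


def edit_distance(a, b):
    """Plain Levenshtein distance; enough to catch one- or two-character swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return what a non-trusted domain imitates (trusted domain or brand), else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(domain, trusted) <= 2:      # c0rp.example, corp.exarnple
            return trusted
    flat = domain.replace("-", "").replace("_", "")
    for brand in BRAND_TOKENS:
        if brand in flat:                             # corp-payroll.example
            return brand
    return None


def classify(raw):
    """Combine authentication result with trust in the From domain."""
    msg = message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["From"]))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    results, dkim_domain = parse_auth_results(msg)
    # Strict alignment (signing domain == From domain) as a simplification of DMARC.
    authenticated = results.get("dkim") == "pass" and dkim_domain == from_domain
    if from_domain in TRUSTED_DOMAINS:
        verdict = "trusted" if authenticated else "spoofed-trusted-domain"
    elif lookalike_of(from_domain):
        verdict = "authenticated-lookalike" if authenticated else "lookalike"
    else:
        verdict = "external"
    return {"from_domain": from_domain, "authenticated": authenticated,
            "imitates": lookalike_of(from_domain), "verdict": verdict}


# Constructed messages: genuine HR mail, a signed lookalike, and a failed spoof.
LEGIT = """\
Authentication-Results: mx.corp.example; dkim=pass header.d=corp.example; spf=pass smtp.mailfrom=corp.example
From: HR <hr@corp.example>
Subject: Holiday schedule

See attached.
"""
LOOKALIKE = """\
Authentication-Results: mx.corp.example; dkim=pass header.d=corp-payroll.example; spf=pass smtp.mailfrom=corp-payroll.example
From: Payroll <payroll@corp-payroll.example>
Subject: Action required: confirm your bank details

Open the attached form today.
"""
SPOOF = """\
Authentication-Results: mx.corp.example; dkim=fail header.d=corp.example; spf=fail smtp.mailfrom=corp.example
From: HR <hr@corp.example>
Subject: Updated policy

Open the attachment.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("spoof", SPOOF)):
        print(name, classify(raw))
```

The lookalike message passes every signature check and is still the phishing lure; the check that catches it is the one comparing the verified domain with the set of domains you actually trust, which no amount of signing supplies on its own.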
Good. Too low though (Score:2)
There really is no way but punishment for bad IT security. The market completely fails on this question.
So not encryption-at-rest, or any other GDPR crap. (Score:1)