The revelations emerging about a major cyber attack on telecoms and broadband supplier TalkTalk are every CIO’s worst nightmare. But hard-working companies that are doing their best to stay ahead of the hackers shouldn’t be criticised, should they?
Well, in fact they can be.
The UK regulator, the ICO, recently took enforcement action against an online holiday insurance company, issuing a fine of £175,000 after what the ICO described as “IT security failings” allowed hackers to access customer records. More than 5,000 customers had their credit cards used by fraudsters after the attack, with over 100,000 customers at risk. The hackers gained access to live credit card details, including CVV numbers, and to individuals’ medical details.
The hackers were able to exploit a vulnerability in the JBoss Application Server on which the company’s web server ran. A software update fixing the issue had first been published in 2010, and again in 2013, but the company had no formal process for reviewing and applying software updates and so never installed it. The lesson is not that the flaw was obscure; it is that a fix had been publicly available for years and nobody was responsible for noticing.
The watchdog accepted that the breach resulted from criminal activity and treated this as a mitigating factor that reduced the fine, but the company was still found to be at fault.
What standards must businesses reach?
One of the eight key principles in the Data Protection Act 1998 requires that:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data…”
The challenge for data-rich businesses is to assess, at any point in time, what is “appropriate”. Hackers are a moving target, and the threats of today will not be the same tomorrow. Constant review and updating are necessary, but this has to be balanced against proportionality so that the business can still make money.
Can you pass on the responsibility to suppliers?
Businesses will usually try to pass on the requirement for “appropriate technical and organisational measures” to their IT suppliers by including appropriate clauses in their agreements. This makes sense, in many cases, because an outsourced IT supplier will have a better knowledge of current threats and the technology needed to keep abreast of them than its client has. But some IT suppliers resist this, and will only agree to put in place what the client says is appropriate.
In any event, including contractual protection of this type gives the business a right to sue where things go wrong, but does not remove the exposure to adverse publicity and enforcement action.
A tough challenge for CIOs
The challenge for CIOs is neatly summarised in the ICO’s guidance:
“The Act does not require you to have state-of-the-art security technology to protect the personal data you hold, but you should regularly review your security arrangements as technology advances. As we have said, there is no “one size fits all” solution to information security, and the level of security you choose should depend on the risks to your organisation.”