The niner noteworthy stories of 2017 (week 33)

These are the noteworthy stories, in no particular order, that piqued my interest this week.

Brit firms warned over hidden costs of wiping data squeaky clean before privacy rules hit

Yep, deleting data is hard, erasing it so it can’t be restored is even harder, but actually finding all of it is probably the biggest challenge companies will face.
Building new database structures is difficult, time-consuming and may take years. A good alternative is to make a data map and model which show you which data sits in which datastore, so it is immediately clear.
Erasing data on request, specifically in a modern company, may be impossible. If the company relies on third-party processors and those processors use virtual infrastructure shared by multiple clients, erasure becomes impossible entirely. Deleting the data certainly will be possible.
The article suggests a cryptographic alternative to sledgehammering your hard drives; that solution may also work extremely well in those database and virtual IT environments, although crypto key management will become a related cost and point of attention.
As for the mentioned shredder, there is a DIN (Deutsche Industrie-Norm) standard for destroying paper as well as electronic media to a size which makes restoration and recovery impossible. The norm is based on the size in millimetres of the pieces left after the machine is done.
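The cryptographic alternative the article mentions is usually called crypto-shredding: keep one encryption key per data subject, store only ciphertext in the shared database or third-party VM, and destroy that key when an erasure request comes in, so the bytes left in tables and backups become unrecoverable. The following is an added example, not code from the article or this post; it uses an HMAC-SHA256 keystream only to stay dependency-free (a real deployment would use an AEAD such as AES-GCM), and the key store is exactly the key-management cost mentioned above.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16


class KeyStore:
    """One data-encryption key per data subject; deleting the key is the erasure."""
    def __init__(self):
        self._keys = {}
    def has(self, subject_id):
        return subject_id in self._keys
    def key_for(self, subject_id):
        if subject_id not in self._keys:
            self._keys[subject_id] = secrets.token_bytes(32)
        return self._keys[subject_id]
    def shred(self, subject_id):
        self._keys.pop(subject_id, None)


def _keystream_xor(key, nonce, data):
    # HMAC-SHA256 in counter mode as a stdlib-only stand-in for a real cipher;
    # production code would use an AEAD such as AES-GCM from a vetted library.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_record(store, subject_id, plaintext):
    """Ciphertext that may live in any shared datastore, backup or third-party VM."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _keystream_xor(store.key_for(subject_id), nonce, plaintext)


def decrypt_record(store, subject_id, blob):
    """Returns None once the subject's key is gone: the bytes remain, the data does not."""
    if not store.has(subject_id):
        return None
    return _keystream_xor(store.key_for(subject_id), blob[:NONCE_LEN], blob[NONCE_LEN:])


def erasure_demo():
    """Two subjects share one table (constructed data); erasing Alice touches only the key store."""
    store, table = KeyStore(), {}
    table["alice"] = encrypt_record(store, "alice", b"alice@example.test")
    table["bob"] = encrypt_record(store, "bob", b"bob@example.test")
    before = decrypt_record(store, "alice", table["alice"])
    store.shred("alice")            # the right-to-erasure request: one key deletion, no rows touched
    after = decrypt_record(store, "alice", table["alice"])
    bob = decrypt_record(store, "bob", table["bob"])
    return before, after, bob       # (b"alice@example.test", None, b"bob@example.test")
```

The ciphertext for Alice is still physically present in `table` after the shred, which is the point: erasure no longer depends on finding every copy, only on controlling the key.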
source: The Register (external link)

Bank IT fella accused of masterminding multimillion-dollar insider-trading scam

So, highly privileged access, no oversight and a smart guy who knows how to avoid the scrutiny of digital channels, and you have yourself almost four years of insider information and profits.
However, if the people who benefited really had enough knowledge, they would also have known how regulators try to find patterns of misuse. It’s probably their greediness that finally nailed this one.
So what can you learn from this story? Make sure your highly privileged accounts are constantly monitored, that the accounts in use can be linked to only one individual and, if possible, that sensitive data can’t be accessed by IT staff who have no reason to know about it in the first place.
The last point is pretty difficult, although you can also log and monitor who is accessing the data and, when unauthorised access is detected, take the necessary actions.
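As an added illustration of the monitoring described above (not from the article), here is a small Python check over a constructed audit-log sample: it flags accesses to sensitive objects by accounts with no need to know, and privileged accounts seen from several source addresses, which usually means the account is shared and cannot be tied back to one individual. The log format, object names and allow-lists are assumptions.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"object=(?P<obj>\S+) action=(?P<action>\S+)$"
)

# Constructed sample of a database audit log; the field layout is an assumption.
SAMPLE_LOG = """\
2017-08-14T08:01:12Z user=dba_admin src=10.1.4.20 object=trading.orders action=SELECT
2017-08-14T08:02:40Z user=dba_admin src=10.1.9.77 object=trading.orders action=SELECT
2017-08-14T09:15:03Z user=jsmith src=10.1.4.31 object=hr.salaries action=SELECT
2017-08-14T09:16:55Z user=alee src=10.1.4.32 object=hr.salaries action=SELECT
2017-08-14T10:00:00Z user=svc_backup src=10.1.8.5 object=trading.orders action=BACKUP
"""

# Hypothetical allow-list: who has a business reason to touch each sensitive object.
NEED_TO_KNOW = {
    "trading.orders": {"alee", "svc_backup"},
    "hr.salaries": {"alee"},
}
PRIVILEGED_ACCOUNTS = {"dba_admin", "svc_backup"}


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def need_to_know_violations(events):
    """Accesses to sensitive objects by accounts that are not on the allow-list."""
    return [
        (e["ts"], e["user"], e["obj"], e["action"])
        for e in events
        if e["obj"] in NEED_TO_KNOW and e["user"] not in NEED_TO_KNOW[e["obj"]]
    ]


def shared_privileged_accounts(events):
    """Privileged accounts seen from more than one source: likely shared, not attributable."""
    sources = defaultdict(set)
    for e in events:
        if e["user"] in PRIVILEGED_ACCOUNTS:
            sources[e["user"]].add(e["src"])
    return {user: sorted(srcs) for user, srcs in sources.items() if len(srcs) > 1}
```

On the sample, `dba_admin` trips both rules: it reads `trading.orders` without being on the allow-list and does so from two different addresses within minutes.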
source: The Register (external link)

Southwest elite frequent-fliers hit by computer glitch will get bonus points

Computer problems are always annoying, especially if they concern your customers, and even more so if you know about them and don’t communicate very well either.
On the other hand, we are so accustomed to our perks and privileges that if something goes wrong we immediately start to complain and hold the company up to public scrutiny. Yes, Southwest could have handled this better, but all those annoyed pax could have realised too that computer systems are never 100 percent foolproof; that’s something the modern-day customer seems to have forgotten.
source: USA Today (external link)

NotPetya ransomware attack cost us $300m – shipping giant Maersk

And if that wasn’t possible anymore either? The fact that the CEO finally took IT seriously and even joined in on IT meetings is impressive, albeit on the late side.
I believe that if he had done so long before this June’s ransomware attack, it could have been prevented. The attack started in Ukraine and obviously had to have a method to spread to the shipping terminals and offices worldwide. One of the methods most likely contributing here is the fact that no network segmentation was implemented to separate the locations and contain problems to one location or country.
Obviously I am speculating here, but I have seen those global flat architecture networks myself before.
Some would say that patching would be another preventive control here. For the office environments that would certainly have helped, specifically because patches had been available since March. However, other equipment, more on the industrial side, would have been more difficult or impossible to patch, at least in reasonable timeframes.
In those cases alternative measures need to be implemented, of which the aforementioned network segregation is a good starting point.
source: The Register (external link)

Cyber attacks on online retailers double in a year as hackers try to steal shoppers’ details

This is a trend that will probably continue for the coming years, as it has for the last decade or longer. A lot of data breaches, in any sector, stay unnoticed for a long time, which means the published numbers should be taken with a grain of salt, or seen as the tip of the proverbial iceberg.
The warning given, though, is certainly true, and more attention needs to be given to securing customer data. Not just because the privacy laws will mandate it even more than they already do come May 2018, but because it is your moral and ethical duty as a company to do so.
Data protection and information security are complementary fields and are both required to properly handle customer’s personal data.
source: The Telegraph (external link)

London council ‘failed to test’ parking ticket app, exposed personal info

The fact that a web application is leaking data, folders are misconfigured and data has apparently been accessed from a fairly large number of IP addresses seems not to be out of the ordinary these days.
What is more worrying, however, is that “Islington appears to have overlooked the need to ensure that it had robust measures in place despite having the financial and staffing resources available.” It looks like the local government simply ignored all the good measures that should have been taken.
They must be extremely glad, though, that this came to light when it did and not under the upcoming GDPR; the fine (even the reduced one) could and should have been much higher.
source: The Register (external link)

Hacker Releases Firmware Decryption Key for Apple’s Secure Enclave

Whatever reasons Apple has for keeping the code for this specific piece of firmware under wraps, and thereby relying in part on security through obscurity, is anyone’s guess. That said, specifically because of Apple’s recent security blunders, this leak may in the end strengthen the security of Apple hardware and the Secure Enclave in particular, and may turn out to be the best news on Apple security of the second half of 2017.
Time will tell what the real impact will be, unless Apple has already replaced the newer versions of the firmware in iOS 11 using a new key, which would neutralise this specific leak for newer versions.
source: Mac Rumors (external link)

UK govt steams ahead with £5m facial recog system amid furore over innocents’ mugshots

It seems there is some sort of strategy at the UK’s Home Office, although not officially, and that is to just keep everything they ever collected and use it for whatever reason they may come up with now and in the future.
The 2017 policy on the facial images database, where you have to specifically ask to be deleted and the request can be refused for very ambiguous reasons, is testament to this reasoning.
Taking into account that biometric data will become a special category under the GDPR (pictures already are, to some extent, under the current data protection regime), and the fact that overriding data subjects’ rights (article 23.1) can be done if and only if sufficient safeguards are in place and for well-defined reasons (article 23.2), this entire story falls flat on its face almost immediately.
And no, Brexit won’t save their face either.
source: The Register (external link)

Europe’s tech ambition: To be the world’s digital policeman

I would not directly list the stringent privacy regulations as immediately curbing freedom of speech, as is suggested in this article. The difference in how Europe sees policy, though, is indeed what lies beneath the fundamental difference that is partially surfacing with the upcoming GDPR and its extraterritorial reach.
Although I must note that American law by nature already had the same extraterritorial reach for which the EU is now being called the policeman of the world.
As for other countries taking over the European lead on data protection, that’s not new either, as this happened before to some degree with the old data protection directive as well. As for oppressive regimes, those will continue the same way they have for the last years, European policing or not. Linking this to the new European laws on data protection as well as on competition seems rather childish of the article’s author.
source: POLITICO (external link)

Bonus article

Majority of healthcare sites unsecured, privacy authority threatens fines (in Dutch)

So apparently in this case the Dutch DPA did bark, but probably didn’t bite at all. Recent news this week (late December) shows that the Autoriteit Persoonsgegevens has not issued a single fine in the now two years it has had the authority to do so.
According to their own statement it wasn’t necessary because a warning was usually enough. I wonder what the outcome has been of this summer’s bark at those medical information sites’ show of carelessness with special category personal data.
Besides this, having no TLS (https) on your website, and especially on request forms containing sensitive data, is obviously very careless. To me this is also indicative of far larger and potentially more dangerous problems in the handling of personal data within these organisations.
source: NOS (external link)