Online gambling business – ICO taking a look at user tracking. #DataProtection #GDPR

Image courtesy of Gualberto107 at FreeDigitalPhotos.net

The UK Information Commissioner's Office (ICO) is taking a look at location tracking software installed, without their knowledge, on the devices of users who log into online betting services.

The use of this software may contravene the Data Protection Act (1998), as the Act requires data subjects to be made aware when their personal information is collected and to give permission for it to be used only in ways they have agreed to, and nothing more.

The timing of this investigation is significant, as GDPR will enter law next May and fines of up to 4% of global turnover will come into force for serious data protection breaches.

If you want to read more about the story click here.

If you want to learn more about Data Protection and GDPR click here.

GDPR and the Gambling Industry

The EU’s General Data Protection Regulation (GDPR) is going to affect all businesses trading in or through the EU, and the UK gambling market will also feel its impact.

The UK has its own Data Protection Act, and the EU Data Protection Directive has been in place since 1995. But developments in technology and business models have left the rules out of date in many ways, so an overhaul was overdue.

For gambling, there will be a lot of things to think about and we can’t cover everything in a blog post. But here is some food for thought, or a starter at least. You know where we are if you need us.

GDPR will impact all gambling providers, and non-EU providers need to be extra vigilant and take care not to breach these regulations. Most of the regulations are not new, but compliance will now be enforced, with a fine of up to 4% of the previous year’s global turnover (or €20,000,000, the new and greatly increased ceiling) for a serious data breach.

Data subjects must be clearly notified that their information is being collected and/or processed, and for what specific purpose. There must be a clearly defined reason for collecting the data, of which the subject is completely aware.

Once you have the subject’s data, you can only hold and use it for the purpose you collected it for, and for no longer than it is required for that purpose. The data subject also needs to be totally clear on who they have lent their data to.

If any ‘data profiling’ takes place, the subject should be informed of it and of any consequences that may arise from it. There should also be a mechanism for data subjects to withdraw their consent to the use of their data.

Operators will also be required to notify data subjects within 72 hours of a breach involving unencrypted data.

You can get us at http://www.advent-im.co.uk

0121 559 6699 / 0207 100 1124

bestpractice@advent-im.co.uk

Four Winds casino hit by hackers

(US) Michigan casino Four Winds has discovered that cardholder data, including all of the data stored on the magnetic strip, has been stolen by hackers. The casino is warning customers who used their cards between October 2014 and October 21, 2015 that their information may have been compromised and/or stolen.

Cybercrime knows no geography, so it is important not to be distracted by the location of the crime. This may have happened in Michigan, but the criminals could be anywhere.

There are no details available yet on how the hackers managed to upload the code that allowed this information to be copied from the casino system. Phishing of employees is one of the most popular and successful routes into a business, and ensuring employees are able to spot phishing, and its more aggressive and successful big brother spear phishing, is imperative. Employees are always going to be the Achilles heel of a security strategy, and that is why businesses that handle personal information need to place enough importance on training and re-training them in security awareness and the latest threats.

Insider threat is often a worry for many businesses too, and it is the other end of the human threat: when the nefarious individual is already on the inside. Obviously, we don’t know what happened in this instance, but this offers all such businesses a warning to review security training, vetting and overall strategy.

Watch out for those iPhone/iPad phishing emails

For reasons far too dull to expand upon, there were no Apple products in my stocking this year. I have, however, had a mountain of email telling me to click through various links in order to re-register my iPad, to download a free app or piece of music, and a variety of other things. Also for my iPhone (that I don’t have), a variety of free apps and other vital pieces of software I must have/register or otherwise obtain. I hope that you have not been subjected to any of this opportunistic phishing. For that is what it is. Given that Apple products dominated Christmas this year in terms of phones and tablets, it looks like a safe bet for a phisher. Add to that some of the recipients might be kids/inexperienced/slightly merry on Christmas day and therefore more likely to click an unexpected link or file and thereby deliver the toxic payload or whatever the email was designed to do.

At this point I would refer you to my previous post about making sure you are allowed to use your device on your employer’s networks before you actually do. Especially if you have not been careful about what you clicked on when you had your party hat on…

Happy 2015 everyone.

UK at the forefront of the fight against cyber crime

The UK is uniquely placed to spearhead the global response to cybercrime, according to Andy Archibald, Head of the National Crime Agency’s (NCA) National Cyber Crime Unit (NCCU). But does the UK have its cyber-ducks in line? There are many areas to consider as we push forward to promote a global response to cyber threat.

The UK is affiliated with all the right people to help move the global response forward, such as the Five Eyes Alliance, the EU, G8 cybercrime working groups, Europol and Interpol. The UK has also introduced initiatives such as Cyber Streetwise, designed to highlight and educate people in the risks to security and privacy online, both at home and at work. This is much needed, as our culture has changed so much, with flexible working seeing more of the workforce mobile and using their own devices (BYOD). Consequently, the line between these two areas of life has blurred. Additionally, there has been the introduction of the new cyber information sharing platform, part of the new CERT-UK. But what do we really need to grasp in order for standards of cybercrime detection and prevention to be improved?

However, according to a recent BT report [1], UK plc is not as concerned as the rest of the world about some key cyber topics. The UK under-indexed in perceived threat from malicious and non-malicious insiders, organised crime, nation states and terrorism. Add to that, the same research revealed that the UK lags behind Brazil, the US, Singapore, France, Hong Kong and Germany in the percentage of businesses that see cyber security as a major priority. Raising levels of concern and C-suite engagement must surely form a key part of the battle against cybercrime.

Under-reporting of cyber-dependent and cyber-enabled crime is a significant issue. In business the reporting rate is around 2%, and 1% from private individuals [3]. This is for a variety of reasons, including: not realising it is a crime, thinking it has been dealt with internally, reputational damage (in business) and not knowing where to report such matters. Add to this the fact that cybercrime is not broken out in police statistics, as these crimes are recorded under the individual law they have broken, such as fraud. So a phisher, for instance, may not have physically taken a credit card and fraudulently used it; it may all have been done electronically. However, they are more likely to be tried for fraud than under the Computer Misuse Act. This makes it very hard to measure and therefore benchmark, making improvement or deterioration hard to quantify.

Less than a quarter of UK employees do not know what phishing [2] is, yet this is one of the most common cybercrimes. In 2009 there were 51,000 “bank” phishing websites; this increased fivefold to 256,641 in 2012. Add to this the fact that we cannot accurately attribute all fraudulent activity and financial loss experienced due to phishing, as it is often hard to identify. However, given the growth in these specific bank-related phishing sites, we can be fairly certain that this too is spectacularly under-reported. Action Fraud suggests that one third of reported frauds during January to December 2012 were cyber-enabled. That is basically 48,000 frauds in one year. Yet these frauds will not have been reported or recorded as cybercrimes.

Taking all of this into consideration, then, estimating the cost of cybercrime is very hard. This is recognised by the Cabinet Office in the UK Cyber Security Strategy: “A truly robust estimate will probably never be established but it is clear the costs are high and that they are rising.” The general informal consensus is that we are talking billions of pounds.

It will be challenging to gauge our response if we don’t know how cybercrime is evolving, based on an accurate assessment of reporting and UK plc cyber preparedness. Placing the UK at the forefront of the fight means the UK needs to significantly up its cyber game.

Sources: [1] BT Cyber Readiness Survey 2014; [2] Onepoll survey for PhishMe; [3] Home Office, “Cyber Crime: A review of the Evidence”.

Cyber Security Skills Gap

What kind of trouble are we storing up for the future? Youngsters are not being attracted into cyber security, the headlines would have us believe, and as the whole world becomes the threat to the whole world and cyber terrorism looms larger in the public psyche, who are we gonna call…?

Mike Gillespie, our MD, spoke with BBC Radio 5 Live recently, alongside the head of the UK Cyber Security Challenge, Stephanie Daman. You can hear it here… it lasts about half an hour, and Mike appears roughly 11 minutes in, accompanied by some background information slides.


What is Social Engineering?

Social Engineering – If you don’t work in either the security or IT industry, you may wonder what the term means and whether it poses any real threat to your organisation. If you have heard the term, then assuming it is an IT issue in isolation would be a mistake.

Social engineering can be likened to hacking attacks against information systems, where a tool is used to probe those systems and exploit a vulnerability. In the case of social engineering, human attackers use guile, perhaps inside knowledge, or just plain bluff to try to penetrate the defences of an individual and obtain knowledge they are not entitled to. In other words, they hack information, or access to it, from an individual rather than a system.

More often than not, attacks to obtain information, including sensitive personal data, are targeted against organisations by manipulating unsuspecting staff into willingly providing information, usually because they have been duped into passing it to an individual they do not actually know.

The ability of an attacker to develop a rapport with the target is important; together with some inside knowledge, acquired from research or from an insider, this will often pay dividends in establishing the familiarity that puts front-line staff off their guard. Particularly vulnerable are those at the “coal-face”: customer-facing staff such as receptionists, telephone exchange or help-desk support staff.

The approaches are often apparently innocent in nature: the attacker could pose as a new or former employee exchanging gossip or advice, and may request help, perhaps with a lost password. The attacks are insidious and over time may yield nuggets of information about the organisation or individuals within it.

Another example is where access to a particular site is sought. An attacker may try to gain entry by reporting to reception that they have a box for delivery to a named individual whom research has identified as being on site. Reception may be busy, or the attacker may time the moment by observing reception from a distance to find the right opportunity. When challenged, the suggestion that “it’s OK, I know where he is and I need a signature anyway” will often create the familiarity that grants the intruder access.

As described above, social engineering is often linked to insider attacks, since the majority of physical or electronic attacks can be assisted in some way by an insider. The little titbit of inside knowledge is used to get past the initial security perimeter, be it verbal or physical.

Human nature enables social engineering to develop and become increasingly sophisticated, as well as technical. It is essential for all organisations, but particularly those that hold sensitive or valuable assets, to ensure that front-line staff are given regular training so that they are aware of the threat and conscious of attack techniques.