Nine years worth of data swiped from Ontario casino – hacker claims

Nine years worth?! OK hackers make as lot of claims, but data going back nine years is almost as impressive as the MySpace hack that reminded everyone that once had a MySpace page.

Does beg the question why they were keeping this old data though…collect it for what you need it for and delete safely!

Full story…

Watch out gambling guys, the ICO is watching

Gambling affiliates be warned that the Information Commissioner’s Office (ICO) is watching for what it considers to be unacceptable levels of ‘spam’ texts to users. A new code of practice is also being introduced with strict requirements for how customer data is used. This is inline with the current Data Protection Act (1998) and ahead of the EU GDPR (new regulation on Data Protection for any data processors using EU citizens’ data) that will be implemented in May 2018. If you want more detail or support on GDPR, please visit our website.

You can read more about it here. 

GDPR and the Gambling Industry

The EU’s General Data Protection Regulation (GDPR) is going to affect all businesses trading in or through the EU and the UK gambling market will also feel it’s impact.

The UK has its own Data Protection Act and the EU Data Protection Directive has been in place since 1995.  But developments in technology and business models have left the rules out of date in many ways and so an overhaul was overdue.

For Gambling, there will be a lot of things to think about and we can’t cover everything in a blog post. But here is some food for thought or a starter at least. You know where we are if you need us.

GDPR will impact all Gambling providers and non-EU providers need to be extra vigilant and take care not to breach these regulations. Most of the regulations are not new but the requirement for compliance will be enforced and a fine of up to 4% of the previous year’s global turnover (or €20,000,000 which is the new, greatly increased, ceiling) for a serious data breach.

Data subjects must be clearly notified their information is being collected and or processed and for what specific purpose. There must be a clearly defined reason for collecting the data that the subject is completely aware of.

Once you have the subjects data, you can only hold and use it for the purpose you collected it for and for no longer than it is required for that purpose. The data subject also needs to to totally clear on who they have lent their data to.

If any ‘data profiling’ takes place, the subject should be informed and of any of the consequences that may arise from it. There should also be a mechanism for the data subjects to withdraw their consent to use their data.

Operators will also be required to notify data subjects within 72 hours of a breach of un-encrypted data.

Stack of Chips

You can get us at http://www.advent-im.co.uk

0121 559 6699 / 0207 100 1124

bestpractice@advent-im.co.uk

Affinity Gaming and Trustwave legal action

A post from Chris Cope CISM, CISSP, MInstISP, CESG Certified Professional, PCBCM, ISO27001 Lead Auditor  and Advent IM Security Consultant

It had to happen at some point;  a cyber security company is being sued by a customer for not delivering the goods.  Las Vegas based Affinity gaming has initiated legal proceedings against Chicago firm Trustwave for making representations that were untrue and for carrying out work which was ‘woefully inadequate’.  The point of contention was a hack on the casino’s payment card system in 2013.  Affinity allege that Trustwave concluded that the intrusion had been contained and dealt with, but the casino operators later suspected this was not the case and engaged another security consultant, Mandiant, to confirm.  The breach had not, allegedly, been contained and now Affinity is looking to obtain damages from Trustwave.

This is not the place to suggest what did or didn’t happen; that will be discussed, at considerable length I suspect, in the American courts.  Rather, a better topic for discussion is that of contractor liability.  This lawsuit is a bit of a first for the cyber security industry, although the concept of suing contractors for damages is by no means new.  Countless companies and individuals have been sued for breaches of contract or for tort damages.  I suspect it was only a matter of time before our industry saw similar action.  But this should be taken as a wake up call.

In English Law, a consultancy firm is seen as providing a service to the customer. The 1982 Supply of Goods and Services Act, Section 13  states that ‘In a contract for the supply of a service where the supplier is acting in the course of a business, there is an implied term that the supplier will carry out the service with reasonable care and skill’.  The key term here is reasonable; what would a reasonable person judge to be a service that was carried out in a competent fashion? Note, the law does not require that a contractor provides the perfect service; there is a realisation that contractors are human and to expect perfection is unreasonable.

So how then can a cyber security contractor ‘prove’ its competence and ability to deliver a reasonable service?  Whilst the emphasis remains on the accuser to prove incompetence, it doesn’t hurt to ensure that a good, pro-active defence is in place.  First of all, the competence of employees must be evaluated and baselined.  There are a plethora of cyber security qualifications available, drawing comparisons between qualification awarded by different bodies can be difficult, but it remains perfectly possible to ensure that consultants are qualified for the tasks they are expected to perform, and perhaps most importantly of all, maintain those qualifications.  Secondly, cyber security is a very broad field and being an expert in every area is almost impossible, therefore assigning consultants to tasks which suit their skills sets is hugely important.  The supervision of less well qualified personnel must also be taken into account; junior staff members must be able to develop their skills, but for the customer’s sake, they must be supervised properly in the process. It’s worth companies remembering that they are responsible for the actions of their employees whilst delivering a contract, via vicarious liability.  Their mistakes will come back to haunt the employer unless sufficient care is taken.  We must also ensure that we appropriately manage the expectations of our customers.  No venture is ever risk free and there is no one piece of technology which will solve every problem; our goals should be clearly stated that we intend to reduce the risk to an acceptable level, not eradicate it completely.  If we promise too much then it’s no surprise that customers expect too much.  Finally, whilst the above is correct for English Law, other jurisdictions have different rules; companies that work globally would be wise to ensure they understand the local environment properly before signing a contract.

The cyber security profession is evolving and it is only to be expected that practitioners will face greater scrutiny.  Rather than adopt the position that companies like Affinity are looking for a scapegoat for their own failures, we must ensure that we are able to consistently deliver a good enough service.  This may be the first such action, but I doubt it will be the last.

Understanding the motives in attacks

ddos attacklReading a recent story about the sentencing of a UK teen for carrying out a Distributed Denial of Service (DDoS) attack on an online casino, we were reminded of how important it is to understand and scope all of the motivations for carrying out cyber attacks.

An apparently disaffected young person, with no other intent other than to gain notoriety or ‘see if they can’, is as real a threat to an online casino as a determined criminal seeking to harvest credit card details. It has cost the business money and inconvenience, the only good thing to be said about it is that apparently no customer details were compromised.

generic_jail_prison_barsOther details of the teen in question included his collection of weaponry bought over the internet from China. His sentence may have been suspended but interest in him and his online habits are unlikely to be…

If you would like to read the whole story click here.

Four Winds casino hit by hackers

Stack of Chips(US) Michigan casino Four Winds has discovered that cardholder data including all of the data stored on the mag strip, has been stolen by hackers and the casino is warning users between October 2014 and October 21, 2015 , that their information may have been compromised and/or stolen.

Cybercrime knows no geography, so it is important not to be distracted by the location of the crime. This may have happened in Michigan, but the criminals could be anywhere.

phishThere are no details available yet on how the hackers managed to upload the code that allowed this information to be copied from the casino system. Phishing of employees is one of the most popular and successful routes into a business and ensuring employees are able to spot phishing and its more aggressive and successful big brother, spear phishing, is imperative. Employees are always going to be the Achilles heel of a security strategy and that is why businesses that handle personal information, need to ensure they place enough importance on training and re-training them with security awareness and the latest threats.

Advent IM HMG accreditation concepts trainingInsider threat is often a worry for many businesses too and it is the other end of the human threat; when the nefarious individual is already on the inside. Obviously, we don’t know what happened in this instance but this offers all such businesses a warning to review security training, vetting and overall strategy.