Staysure.co.uk Limited

Breach details

What Customer records containing payment card data including CVV2/CVC2 data were extracted from a public-facing website by a malicious attacker.
How much 93,389 customer details containing 110,096 payment card records.
When 14 October 2013
Why A malicious attacker used a publicly known (since 2010) vulnerability in the JBoss Application Server to install a backdoor in the Staysure web server. This allowed the attacker to access and download all data stored within the system which included over three million customer records, although it appears that only payment card data was targeted by the attacker.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 175,000.
When 20 February 2015.

Why the regulator acted

Breach of act Breach of the fifth data protection principle in that it was recognised that old payment card data should have been deleted, this activity was planned however due to human error it was not completed.
Breach of the seventh data protection principle as systems and processes were not in place to update software. Additionally PCI DSS prohibits the storage of CCV2/CvC2 data.
Known or should have known The Data Controller was aware of the Payment Card Industry (PCI) Data Security Standard (DSS) which requires security update management and prohibits storage of CVV2/CVC2. The patch to JBoss was available from the RedHat distribution and so the Data Controller should have know about its availability. Given the Data Controller processed payment card data it should have been aware that a breach of this data would be liable to cause its customers substantial damage and distress.
Likely to cause damage or distress Of the payment card data stollen, the Commissioner was aware that over 5,000 such payment cards were used to commit fraudulent transactions. Although the fraudulent transactions were reimbursed by the Data Subject’s bank, the Commissioner is of the opinion that distress had in fact occurred.

Worldview Limited

Breach details

What Customer records containing encrypted payment card data including CVV2/CVC2 data were extracted from a public-facing website by a malicious attacker.
How much 3,814 records.
When 18 June 2013
Why A single web server also contained the customer database and the WordPress content management system. A malicious attacker used SQL injection techniques to extract the WordPress password hashes which the attacker was then able to brute force due to the use of weak passwords. The attacker was then able to extract records from the database including encrypted payment data, however the encryption keys were stored on the same drive as the encrypted data and therefore available to the attacker.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 7,500.
When 31 October 2014.

Why the regulator acted

Breach of act Breach of the seventh principle in that insufficient technical and organisational measures were taken. The ICO highlighted:

  • Developer training
  • Security testing of web pages
  • Use of default passwords
  • Encryption/Decryption key management
Known or should have known The Data Controller was aware of The Payment Card Industry (PCI) Data Security Standard (DSS) and therefore should have been aware of the risks and the recommended controls.Given the nature of the information stored, it should have also been obvious to the Controller that a breach in security would be liable to cause damage or distress to the data subjects.
Likely to cause damage or distress The ICO argues that the loss of payment card data could lead to fraud and substantial damage to the data subjects affected (even though there was no evidence of this). The knowledge of the loss of their personal data would cause ‘substantial distress’ to a data subject.

Think W3 Limited

Breach details

What A malicious hacker was able to access significant amounts of customer data, including credit card details, after targeting Think W3 Limited’s website.
How much 1,163,996 records containing credit or debit card details, of which 430,599 were current.
When 21 December 2012.
Why A system intended for internal purposes was installed on the same web-sever as the businesses e-commerce application containing customer data. In order to facilitate working from home this service could be accessed via a login page on a non-customer facing website which was publicly available over the internet. The login page was not secure due to a coding error that was missed, as no security testing had been done the basis that this page was not public facing. The hacker was able to exploit this vulnerability and gain administrative access to all the data on the web server.

Regulatory action

Regulator ICO
Action Monetary penalty of £150,000
When 23 July 2014.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: Think W3 limited failed to take appropriate technical measures to ensue the security of personal data, predominately though failing to undertake suitable security testing, due to a failure to understand the extent to which the web server could be accessed via the internet, or to meet PCI DSS compliance requirements.
Known or should have known  By 2011 Think W3 Limited were aware of a number of issues with its PCI  DSS compliance, causing them to review their security practises. However they were slow in implementing improvements, despite being aware of the risk of contravention.
Likely to cause damage or distress Although CCV2 / CvC2 values were not obtained, the data obtained was clearly of interest to the attacker, due to the targeted nature of the attack, and could be used for fraudulent purposes. The data subjects would rightly be distressed to learn that their data had been accessed by a malicious third party.

Nationwide Energy Services and We Claim You Gain

Breach details

What Breach of the Privacy and Electronic Communications Regulations (PECR).
A high volume of unsolicited marketing calls from two companies both owned by “Save Britain Money Ltd” to consumers that had registered with the Telephone Preference Service (TPS) that continued despite customer complaints and requests to unsubscribe.
How much An unknown number of direct marketing calls resulting in over 2,700 complaints to the TPS or ICO.
When May 2011 – December 2012
Why Did not screen outbound calls against the TPS register.

Regulatory action

Regulator ICO
Action Nationwide Energy Services: Monetary penalty of £ 125,000

We Claim you Gain: Monetary penalty of £ 100,000
When 17 June2013

Why the regulator acted

Breach of act Breach of Regulation 21: repeatedly ignored provisions that marketing calls should not be made to individuals who had registered with TPS.
Known or should have known Both companies had been repeatedly contacted by the TPS and ICO and were made aware they were in contravention of the Act. The TPS contacted Nationwide Energy Services on 1,601 occasions and We Claim You Gain 1,070 times.
Likely to cause damage or distress The sheer volume of complaints should have indicated that distress would be caused and individual complaints to the ICO detailed varying degrees of actual distress.

News Group Newspapers

Breach details

What Customers’ personal data, some several years old.
How much ‘Thousands’ according to some press reports , a ‘large amount’ described in the undertaking and TechEye claimed 500,000.
When July 2011
Why A server hosting part of The Sun newspaper’s website had, unnoticed by the data controller, been repurposed several years earlier, and was subsequently compromised by a malicious attacker (Lulzsec). Further weaknesses had also been identified but remained unrectified prior to the attack.

BW Comments

It is surprising that a large organisation such as News Group Newspapers made such simple information security mistakes. Firstly in retaining data they no longer needed when they re-built a server for a new role, but more worryingly that they had previously had a penetration test but had not rectified the vulnerabilities identified by the tester.

Regulatory action

Regulator ICO
Action Undertaking to comply with the fifth and seventh data protection principles
When 9 November 2011
Details Along with the usual staff awareness and training, technical security controls on the web server were to be improved and implemented by 31 December 2011 (i.e. compliance with the seventh principle), and any customer data collected to be cleared regularly according to a defined retention and disposal policy (compliance with the fifth principle).

BW Observations

This undertaking was not released until the criminal trial of the UK-based Lulzsec hackers was concluded. It is interesting that the ICO didn’t see fit to consider a monetary penalty notice as the breach appears to meet the right criteria.

  • There was a breach of the fifth and seventh principles.
  • There had been a previous penetration test, so the Sun knew of the vulnerability.
  • It seems that a significant volume of data was lost and then circulated on the Internet. Although it wasn’t sensitive personal data, the volume of the data should be enough to pass the ‘likely to cause distress’ test especially given the data was posted to the Internet — i.e. the breach of confidentiality happened, it was not something that might happen if the lost data were exposed.

This undertaking should be contrasted with the Sony MPN that was also the result of Lulzsec’s activities and it will be informative to see if the ICO’s choice of an undertaking for the Sun is mentioned at Sony’s appeal to the Information Tribunal. Less charitable commentators may view this soft approach to News Group Newspapers as another example of the Commissioner’s fear of the UK press.

The Burnett Practice

Breach details

What Names and email addresses.
How much About 175 records.
When 3 October 2012 or earlier
Why The email service provider that the practice used wasn’t suitable to send sensitive medical results because it didn’t provide the appropriate technical security measures. As a result the practice’s email account was hacked.

BW Comments

Organisations should view this as an indication that if cloud-based, web-email services are used, services that offer two-factor authentication (e.g. Google Authenticator) should be selected.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 26 April 2013
Details The practice must use secure means of communication for test results – email can only be used if its security can be guaranteed. A security policy that is adequate to transfer patient data securely must be put in place, and staff must be made aware of this and trained.

BW Observations

Based on previous decisions, the loss of 175 medical records would seem to be a candidate for a Monetary Penalty rather than an undertaking. However, in this case the Commissioner would have struggled to satisfy the ‘known or should have known’ test given that most people (incorrectly) assume their email is generally safe from third party attack.

DM Design Bedrooms

Breach details

What Serious breach of the Privacy and Electronic Communications Regulations (PECR).
A high volume of unsolicited marketing calls to consumers that had registered with the Telephone Preference Service (TPS) that continued despite customer complaints and requests to unsubscribe.
How much An unknown number of direct marketing calls resulting in 1,945 TPS complaints and an unspecified number of complaints directly to the ICO.
When June 2011 to November 2012
Why Ignored requirement to screen call lists against the Telephone Preference Service (TPS) or maintain an opt-out register.

BW Comments

After initial contact from the ICO, the unsolicited calls continued and some reported to the Commissioner were described as aggressive.

Regulatory action

Regulator ICO
Action Monetary penalty of £90,000
When 20 March 2013

Why the regulator acted

Breach of act Breach of Regulation 21: repeatedly ignored provisions that marketing calls should not be made to individuals who had registered with TPS.
Known or should have known Concerns over PECR obligations were first raised by the Commissioner in 2004. The volume of complaints made before and after the Commissioner’s letter of May 2012 would have made the company aware that they were continually breaching regulations.
Likely to cause damage or distress The overall level of distress was assessed as substantial due to the very large numbers of individuals affected. A small number of individuals also personally suffered substantial levels of distress.

BW Observations

That DM Design breached the PECR by not screening against the the TPS register and maintaining their own opt-out list is not debatable. The volume of calls and complaints are significant (although we are not told what the average or maximum level of complaints are to the TPS in respect of a company other than “they [DM Design] were one of the organisations about which the most complaints were received”). What’s interesting is the ICO again used the same justification as the Tetrus Telecommunications MPN to determine the s55A(1)(b) ‘substantial damage or distress test’ – that although the distress in each individual case was not considerable, the cumulative effect of the distress caused by the totality of all calls made in contravention of PECR met the Commissioner’s threshold of substantial distress.

Sony Computer Entertainment Europe

Breach details

What Loss of personal data (names, addresses, email addresses, dates of birth, poorly-protected account passwords). Customers’ payment card details also potentially at risk.
How much Redacted. Information Week stated 77 million records.
When Detected 19 April 2011
Why In what was perhaps one of the most infamous breaches in recent times, attackers deliberately breached the Sony Playstation Network Platform security and compromised the confidentiality of the information stored.

BW Comments

This is the most heavily redacted monetary penalty notice published by the Commissioner. The details of the breach in the MPN are superficial, although there is much general information available elsewhere on the Internet. Essentially the attackers exploited a system vulnerability and extracted data including personal data, poorly-hashed passwords and encrypted payment card data. The MPN makes it clear that the exploited vulnerabilities were publicly known, and that ‘appropriate updates were available’.

The lessons that all organisations can learn are simple:

  1. Patch systems regularly.
  2. Run regular external vulnerability scans against systems.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 250,000
When 14 January 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the data controller failed to ensure appropriate technical measures were taken against unauthorised or unlawful processing of personal data stored on the Newwork Platform, such as additional cryptographic controls to protect passwords and regular patching of vulnerabilities.
Known or should have known Various Sony online networks had previously been the subjects of attacks from hacktivist organisations.
Vast amounts of personal data including financial information were stored on the Network Platform, where system vulnerabilities had not been addressed. The data controller should have anticipated a further attack and, given Sony’s technical expertise, should have put the necessary technical measures in place.
Likely to cause damage or distress It should have been obvious to the data controller that the loss of the substantial volume of personal data held on the Network Platform was likely to cause substantial harm or substantial distress to the data subjects.

BW Observations


A lack of basic security practices such as poor vulnerability management and what can only be assumed to be weak password hashes (at a guess, unsalted MD5) are sufficient to justify a MPN, especially when you consider the number of accounts and the attractiveness to an attacker. The amount could be seen as excessive given that no sensitive personal data was compromised, however it has to be remembered that some 77 million records were compromised. It is the sheer volume of the data breach that influenced the Commissioner.

The ICO correctly observed that the poorly-hashed passwords may be able to be used by the attackers to compromise customer’s accounts at other sites where the customer used the same username and password. This appeared to influence his thoughts on the size of the monetary penalty. However it is interesting to consider whether the poor password management practices of consumers should affect how an organisation chooses to value, and therefore protect, stored passwords. Should passwords be valued as a credential for just the single site, or valued (and protected accordingly) because it is known that many customers’ passwords will also be able to be used to access unrelated sites?

It has been reported that Sony intends to appeal the MPN to the Information Tribunal and although an appeal was initially launched, this was later withdrawn.

Lush Cosmetics

What

Compromise of credit card details.

How much

5,000 records.

Why

Malicious website intrusion.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the website is subject to continued penetration testing and kept to an appropriate level of security.

Reason for action

Security measures in place were deemed insufficient to prevent a determined attack.

When

09 August 2011.

Links

View PDF of the Lush Cosmetics Undertaking (Via ICO Website)

View PDF of the Lush Cosmetics Undertaking (Breach Watch Archive)