It has been a busy few months on cybercrime, on a number of fronts. The Information Commissioner’s Office fined TalkTalk £400,000, the largest fine it has issued and 80% of the current maximum, following its highly publicised data breach in October 2015. The number of records actually compromised was relatively low, but TalkTalk was heavily criticised for serious failures to take appropriate steps to protect personal data. The FCA published a speech by Nausicaa Delfas, Director of Specialist Supervision, on the FCA’s supervisory approach to cyber security in financial services firms.
The record for the highest volume of data used in publicised distributed denial of service attack (DDoS) attacks has been broken at least twice, first against the security researcher and reporter Brian Krebs, quickly followed up by another even larger attack against OVH which some reports say has broken the 1-terabit mark. These attacks are generated using internet-of-things (‘IoT’) devices, but the proportion of vulnerable devices actually being used in these attacks at the moment is estimated to be very low, so we expect this to be an easy source of attacks for some time to come. Soon, your connected lighting system, kettle, home security system or fridge could be firing data at a third party at the behest of cyber criminals.
Finally, there have been a number of very public attacks attributed by some to either the Russian state or prominent hacker groups in Russia, including the leaking of Democratic National Congress (‘DNC’) emails in the US and the theft of athlete data from the World Anti-Doping Agency (‘WADA’). The latter is particularly interesting because WADA has cast doubt on the accuracy of some of the information leaked, highlighting that cybercrime is not always about the theft of data or money – the goal can sometimes be misinformation or amending data for a wider goal. There has been too much activity to cover, so we do not go into more detail on the DNC and WADA attacks here.
The record fine against TalkTalk
In October 2015, TalkTalk suffered a very public data breach, which it was required to notify under the Privacy and Electronic Communications Regulations. Unfortunately for TalkTalk, the investigation then played out in a very public way on the front pages of a number of national newspapers over the next couple of weeks. First, TalkTalk said that all of its 4,000,000 customers were likely to be impacted, but the company couldn’t say how. It said a DDoS attack had resulted in the loss of customer data, until a number of security researchers pointed out that the attack in question couldn’t have caused the data loss the company was talking about. The CEO was interviewed on national TV and couldn’t say whether the company encrypted its own customers’ data. The company blamed “Russia-based cyber jihadists”, but the police arrested a 15-year old, two 16-year olds and a 20-year old, all from the UK (there have been further arrests in the UK since then). Ultimately, it transpired that around 156,000 customers’ personal data had been accessed, and around 16,000 customers’ bank account details, but very significant damage was done to TalkTalk’s share price and reputation.
In the grand scheme of data breaches, those are not particularly high numbers of customers. However, the ICO still issued a monetary penalty notice of £400,000 (not a high number in itself, but 80% of the current maximum). The notice highlights several issues which contributed to the size of the fine:
- The database which was compromised was acquired from Tiscali in 2009, but TalkTalk did nothing to protect the data contained in it in 6 years;
- The attack vector was a well-known SQL injection which was in common use by cyber criminals and was well known in the industry;
- A patch which would have prevented the attack had been available for more than 3 years; and
- TalkTalk had failed to detect, and therefore take remedial action following, two previous attacks using the same methodology in the months before October 2015.
TalkTalk is a FTSE250 company with revenues of around £1.8billion per year. Given the severity of its failings, if the breach had happened after the General Data Protection Regulation (‘GDPR’) comes into effect, the fine would have been comfortably into the millions of pounds. The failings for which it was criticised are not cutting edge cyber security issues – it failed to implement some very basic protections. The trend is very much now towards board responsibility for cyber security, and we expect increasing regulatory action (with very significant fines under the GDPR) for companies which get the basics wrong.
FCA’s supervisory approach to cyber security
There is little new in Ms Delfas’ speech, but it serves as a useful reminder of the FCA’s approach to supervision in this area. The FCA can and does investigate breaches at regulated firms if it has reason to believe that there may be systems and control issues, so regulated firms do need to be aware of their FCA obligations as well as obligations under data protection legislation.
The key issues from the speech for regulated businesses are that:
- the FCA expects businesses to have a culture of security, coming from the board downwards, with a recognition that cyber security is not an IT issue but involves people and processes as well as technology;
- regulated firms should identify their key assets and ensure there are adequate protections for those assets, and put in place adequate detection capabilities;
- practice good governance around cyber security (which in our view is part of good data governance as a whole);
- recovery and response systems, and business continuity, is crucial and is an area for improvement for some institutions;
- material breaches should be notified to the FCA under the Principles for Business, and information on attacks should be shared on the government’s Cyber-Security Information Sharing Partnership (‘CISP’); and
- data storage and outsourcing, and skills gaps, remain key areas of concern for the FCA in this area.
Terabit DDoS attacks
DDoS attacks have been around for a long time; for those who are not familiar with the concept, a DDoS attack involves using network resource to flood a target with more data than it can handle, with the aim of knocking the service offline. These attacks are primarily using IoT devices to generate data, many of which have been shown in the past to be highly insecure. The volume of data generated is significant, but this is likely to increase substantially over the next couple of years. The recent attacks only use a small percentage of available devices to generate data, and the cost of ‘buying’ a significant DDoS attack is decreasing.
We have seen an increase in ‘DDoS ransom’ attacks over the past year. These are threats to take a website or business offline via a massive DDoS attack unless a ransom, usually in bitcoin or similar cryptocurrencies, is paid. Many of these appear to be hoaxes, however, with no payment being made but no attack then following.
The more sophisticated DDoS attackers are timing their attacks strategically, around for example regulatory deadlines or planned announcements. Again, we expect to see an increase in this kind of attack, as attackers seek to leverage their capability to cause maximum damage (or seek bigger ransom payoffs).