Data Breach at an Online Retailer
In July 2016, we received a breach report from an organisation operating retail and online sales. The organisation had been notified by a customer that their credit card had been used in a fraudulent transaction without their knowledge, which the customer believed was linked to the payment details they had provided online to the organisation.
The organisation engaged an expert third party to conduct an analysis of its website. It was determined that the payments system on the website had been compromised by malware for the previous 6-8 weeks. The malware copied data entered by customers during the online payment stage to an external destination.
Our assessment of the breach identified that there were deficiencies in the measures which the organisation had taken to secure users’ personal data including the following.
No contract or service level agreement existed between the data controller and the data processor.
No steps were taken to ensure that the data processor was compliant with technical security and organisational measures.
Insufficient technical security and organisational measures were in place to:
ensure that the server and website platform were maintained and that the software versions were up to date;
ensure that appropriate user authentication and access control measures were in place;
ensure appropriate technical security was in place, such as secure configuration of the website platform, measures to detect malware, measures to monitor suspicious activity and measures to ensure regular backups were taken; and
ensure governance processes were in place such as periodic reviews of the data processor and its technical security and organisational measures.
In light of the above, we considered that the organisation had contravened Section 2(1)(d) of the Data Protection Acts 1988 and 2003 by failing to take appropriate security measures against unauthorised access to, or unauthorised alteration, disclosure or destruction of, its users’ personal data.
Recommendations were issued to the organisation that it take steps to mitigate the risks identified. The organisation subsequently informed us that it had taken the following steps to address the recommendations:
Contracts are now in place to ensure that the appropriate technical security and organisational measures are in operation;
The organisation conducts regular reviews of the server and website platforms to ensure they are maintained and that the software versions are up to date;
The organisation conducts annual reviews by a third party expert to ensure compliance and to independently validate that the appropriate technical security and organisational measures are in place.
This case highlights the need for organisations to ensure that they have appropriate technical security and organisational measures for ICT security in place, particularly when engaging a data processor. Organisations should be cognisant of the measures outlined under Section 2C of the Acts to understand their obligations, in particular:
to ensure that appropriate security measures are in place;
to take reasonable steps to ensure that employees of the Data Controller and any other persons associated with the processing (for example, Data Processor employees) are aware of their obligations;
to ensure that proper contractual agreements are in place governing the processing; and
to take reasonable steps to ensure compliance with those measures.
Crypto Ransomware Attack on a Primary School
In October 2016, we received a breach report from a primary school that had been the victim of a “Crypto Ransomware” attack, whereby parts of the school’s information systems had been encrypted by a third party thereby rendering the school’s files inaccessible. These files contained personal details including names, dates of birth and Personal Public Service Numbers (PPSNs). A ransom was demanded from the school to release the encrypted files.
Our assessment of the attack identified that the school had deficiencies in the measures it had taken to secure pupils’ personal data including:
No policies or procedures were in place to maintain adequate backups;
No procedures or policy documents existed focusing on system attacks such as ransomware or viruses;
No contracts with data processors (the ICT services providers) were in place (as is required under Section 2C(3) of the Data Protection Acts 1988 and 2003) setting out their obligations and, as a result, actions taken by the ICT suppliers were inadequate in response to the attack; and
A lack of staff training and awareness of the risks associated with opening unknown email attachments or files.
We considered that the school had contravened the provisions of Section 2(1)(d) of the Acts, having failed to ensure that adequate security measures were in place to protect against the unauthorised processing and disclosure of personal data.
Recommendations were issued to the school that it take steps to mitigate the risks identified. The school subsequently informed us that it had taken the following steps based on the recommendations issued:
Implemented a staff training and awareness programme on the risks associated with email and the use of personal USB keys;
Implemented a contract review process to ensure appropriate contracts are in place with its ICT suppliers; and
Ensured that any ICT support the school engages, either on a local basis or as recommended by the Board, is performed by competent data processors.
This case demonstrates that schools, like any other organisation (commercial, public sector or private) operating electronic data storage systems and interacting online, must ensure that they have appropriate technical security and organisational measures in place to prevent loss of personal data, and to ensure they can restore data in the event of a Crypto Ransomware attack.
Data Protection Commissioner