
London-based airline EasyJet revealed on Tuesday that nine million customers’ personal information was stolen in what it called a “highly sophisticated” cyber-attack.

In addition to email addresses and travel details being accessed, 2,208 of those customers affected also had their credit card information stolen. EasyJet clarified that no passport details were uncovered in the breach, and that it would contact those affected.

It is not yet known how the historically large data breach occurred, but EasyJet said that it had “closed off this unauthorised access” and reported details of the incident to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre.

The size of the breach raises the possibility of EasyJet being forced to pay significant compensation, as was the case for British Airways after the personal information of 500,000 customers was stolen. In that case, the ICO fined the airline £183 million.

A similarly sized fine would likely be a significant blow to EasyJet, which has already said it expects to make a loss of around £275 million this year as the COVID-19 pandemic continues to drive demand for air travel through the floor.

Reacting to the news, Tony Pepper, CEO of Egress, called the breach “another stark reminder that airlines must take a comprehensive risk-based approach towards protecting customer data”.

“For organisations, it remains crucial they continue to prioritise data security at all times, but especially when there’s widespread introductions of new systems as there has been in response to sustained remote working during the COVID-19 pandemic.”

The FCA, the authority that regulates UK banking and financial services, has this week admitted to accidentally leaking the private data of around 1,600 people who complained against the regulator.

In a document on its website, the FCA published names, phone numbers and addresses in response to a freedom of information request in November 2019. No other data like financial information or passport info was included, however. The private data belonged to those who complained against the FCA between January 2018 and July 2019.

The FCA has admitted to the leak and apologised, with the intent to address each person whose data was revealed and apologise to each in writing. It has referred itself to the Information Commissioner’s Office (ICO) and will likely expect a fine for the data breach.

On the back of this news, Andy Barratt, UK MD at international cybersecurity consultancy Coalfire, told Finance Monthly: “The question on a lot of people’s minds will be how does the ICO respond to a data breach at a fellow regulator.

“Together, the ICO and FCA enforce some of the largest monetary penalties for data breaches and there could be cries of foul-play if one’s punishment of the other appears to be a light touch.

“While many will see this as embarrassing for the FCA, it now has a real opportunity to go through the same pain as those it regulates and learn from it.

“Human error is, to an extent, unavoidable and it will be interesting to see whether the FCA better empathises with those it polices in future.”

Here Andy Barratt, UK managing director at international cybersecurity specialist Coalfire, explores how the financial services sector can turn the tide on costly, high-profile cyber missteps.

It’s fair to say that the financial services sector has struggled to secure positive consumer sentiment for itself recently – particularly in relation to cybersecurity. At the end of October, the government’s Treasury Select Committee (TSC) went so far as to say that the number of IT failures at banks and other financial services firms has reached a level it deems “unacceptable”.

The criticism, which highlighted poor IT performance within financial firms and a lack of decisive action from their regulators, comes in the wake of a string of high-profile and costly cyber glitches in recent years. Most notable among those is TSB’s unsuccessful attempt to migrate its systems over to new parent company Banco Sabadell.

Customer details were left easily accessible and vulnerable to fraud attacks, and thousands of customers were unable to access their accounts. But TSB is not the only culprit: Barclays, RBS and VISA are among a raft of other major financial service providers to have suffered serious technical glitches in the past few years.

Why then, with so much at stake, are financial firms lagging behind when it comes to their cyber strategy?

Complex legacy tech infrastructure

The first aspect that makes large firms so susceptible to attacks is that their IT systems are often complex and, significantly, outdated. Hackers can easily find weak spots in the system or, as in TSB’s case, vital information can slip through the cracks.

Our inaugural Penetration Risk Report, which took place around the time of TSB’s issues, found that the largest firms are less likely to be prepared to face up to cybercrime than their mid-sized equivalents – despite greater budgets and resources – due to their cumbersome and slow-moving infrastructure.

More recently, we’ve seen those larger businesses close the gap, mostly through the support of in-built cloud security services, but the risks still remain for many. In the financial services sector specifically, this year’s study indicated that the level of external threat has actually increased.

The rush to implement services under a new ‘Digital’ initiative sometimes also comes at the cost of addressing the underlying legacy issues. Whilst the big banks rush to keep up with the online-only challenger banks, they re-allocate budget for the new apps and forget the underlying infrastructure those apps depend on.

‘Yes’ culture

One of the key risks boosting that threat is a habit within large corporate cultures for IT teams or risk managers to consistently ‘downgrade’ risks, due to lack of understanding or complacency, when reporting to those further up the pecking order. This is dangerous and can lead senior figures to the conclusion that everything is ‘OK’ within their organisation when, in reality, an IT crisis is just around the corner. This is particularly true when organised crime groups are targeting financial services with highly sophisticated attacks that are often discounted by management with a throwaway ‘nobody would do that’ comment.

Companies should attempt to foster a ‘safe’ environment where staff feel comfortable raising problems they encounter so that solutions can be found before disaster strikes. They should also remain current with intelligence from their incident response and forensic partners, who will see the sophisticated threats when they do cause a breach.

An enhanced understanding of the issues facing the business is less likely to leave senior spokespeople up a creek without a paddle when facing the media. No one would expect a CEO to know all the ins-and-outs of their IT infrastructure, but basic comprehension can go a long way. Knowledge is power.


Weak links in the chain

Due to the nature of the industry and the services they provide, banks and large financial firms are required to interact with third parties on a massive scale. Unfortunately, this isn’t without its drawbacks.

Many third parties – and, by extension, their own supply chains – lack the sophistication and/or the wherewithal to deal with cyberattacks. As such, they are often the first port of call for a hacker looking to worm their way into a major system.

An example includes the British Airways data breach in the summer of 2018, when hackers were able to take information directly from the airline’s website thanks to access from a third party.

Often, being subject to this form of intrusion is pure bad luck rather than bad planning. However, large firms must ensure that they’re sufficiently protected and that access for third parties is limited. It’s a simple case of making sure that your back’s covered wherever possible.

Human error

Perhaps the most common error (and the most tangibly addressable) is the human risk inherent within any business. Naturally, the larger your workforce, the greater the risk you face, which is a major issue within the financial services sector.

Phishing, a scam that prompts staff to provide their username and password, is still one of the simplest but most successful ways potential attackers get their foot in the door.

The key to combatting the danger is providing constant training to employees so that they’re fully aware of the threat and the responsibility that they have towards protecting the business.

What’s more, the high-profile cases mentioned above are dangers in themselves: when the glitch or failure makes the news, a signpost is placed for hackers looking to break in. Each headline is an ‘x-marks-the-spot’ for a company’s weak spot, as well as its competitors’.

It’s a brutal world that financial services businesses face as technology advances but, with such large amounts of money at stake, they must be up to the challenge.

According to Simon Hill, Head of Legal & Compliance at Certes Networks, this is mostly due to the fact that financial institutions are not only heavily regulated by data privacy requirements, but are also under mounting pressure to be open with consumers and businesses about how they are protecting their data from potential breaches.

Additionally, no bank or financial services organisation wants to face the consequences of a data breach. This is demonstrated by the fallout of numerous data breaches in the industry over the years - from Capital One in 2019, to Equifax in 2016 and Tesco Bank in 2017. In the case of the Capital One data breach, a hacker was able to gain access to 100 million Capital One credit card applications and accounts. This included 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers. Additionally, an undisclosed number of people's names, addresses, credit scores, credit limits, balances and other information dating back to 2015 was involved, according to the bank and the US Department of Justice.

What’s more, the damages of these data breaches are not only reputational, but also financial. As a result of Equifax’s data breach, the organisation reached an agreement to pay at least $575 million and up to $700 million to compensate those whose personal data was exposed. In 2016, Tesco Bank was fined £16.4 million by the Financial Conduct Authority (FCA) over its "largely avoidable" cyber-attack that saw criminals steal over £2 million from 34 accounts. This clearly shows that these consequences can arise no matter how ‘large’ or ‘small’ a data breach may seem; companies that do not encrypt their data adequately to safeguard it will be penalised.

On top of this, the increasing expectations of consumers means that banks and financial institutions are trying to achieve a balancing act: how can they protect data privacy, while at the same time remaining transparent about how data is being protected? However, it doesn’t have to be a trade-off between meeting customer expectations and meeting cyber security compliance requirements. Banks and financial services organisations can utilise technology to the fullest extent while still protecting data and avoiding the unthinkable repercussions of a data breach.

The balancing act

To achieve this balance, banks and financial services organisations need to take greater measures to control their security posture and assume the entire network is vulnerable to the possibility of a cyber-attack. Robust encryption and controlled security policies should be a central part of an organisation’s cyber security strategy. When stringent policies are generated and deployed, it enables greater insight into applications communicating in and across the networks. New tools are now available to enforce these policies, not only impacting the application’s workload and behaviour, but the overall success of the system access.

Conclusion

Banks and financial services organisations should not have to worry about keeping data secure and protected when it is entirely possible to do so. Adopting new ways to look at how organisations define policies, through micro-segmentation and separating workloads by regulation, is one example of how to keep data more secure. Also, ensuring policies grant access only to those users who have a critical need to see the data limits network vulnerabilities. And lastly, a robust, automated key management system in which keys are rotated frequently can also help to safeguard system access and strengthen the organisation’s security posture.

Back in July, Finance Monthly reported on how much your personal data was worth on the dark web.

Price comparison experts Money Guru conducted research on several dark web marketplaces and uncovered that criminals can buy your details on the dark web for less than a coffee. In fact, email logins could be bought for as little as £2.10, and Facebook logins for £3.

Sadly, data breaches are becoming a common occurrence. In the past few months alone British Airways, Reddit, HMRC and Ticketmaster have all been hit.

New research from Money Guru shows that the cost of personal data on the dark web has reduced significantly following Facebook’s recent data breach.

How Much Is Your Data Worth Now?

Your data, which can include everything from banking details to social media logins, is worth less than you might think to hackers and scammers.

Following the Facebook data breach, hacked Facebook account details are now being sold on the dark web for as little as £0.77 ($1). This is £2.23 ($2.90) down from Money Guru’s previous findings earlier in June 2018.

They also found that hacked Instagram credentials are available on the dark web for as little as £1.91 ($2.50), down £2.89 ($3.80), and that hacked Twitter accounts are being sold for as little as £0.61 ($0.80), a reduction of £1.89 ($2.50).

However, that wasn’t all that the price comparison expert discovered during their research.

Money Guru discovered tools and guides to help people hack into Facebook accounts available on the dark web for as little as £1.29 ($1.70), and similar tools for Instagram for £0.87 ($1.15) and Twitter for £0.87 ($1.15).

The personal finance experts discovered tools to help hack Gmail, commit phishing attacks and bypass phone verification available on the dark web for as little as £0.87 ($1.15). They also found a plaintext database of Twitter account details with millions of emails and passwords available for £31.86 ($41.60).

Staying Safe Online

Deborah Vickers, channel director at moneyguru.com, said: “Our social media accounts put our lives under a microscope and these details are frequently stolen and sold to unscrupulous companies so they can target you with advertising. By using your data against you, criminals can lock you out and take control of your accounts, which could cause serious reputational and financial worry.

“Rather concerningly all three dark web markets that we researched (Wall Street Market, Dream Market and Burlusconi Market) are currently offering ‘164m LinkedIn user records’ including separate pieces of information such as email addresses, names, passwords for only £7.65 ($9.99).

“However, it seems that as more data breaches occur, the more aware the general public are becoming of the issue which could be causing the significant price drops of personal data on the dark web. Our research into personal data and how much it's actually worth on the black market is shocking to say the least. It just goes to show how vital it is to protect your data where possible to avoid facing costly consequences.”

So What Data Can Criminals Buy on the Dark Web?

The marketplaces Money Guru searched were ‘Dream Market’, ‘Burlusconi Market’ and ‘Wall St Market’ (three of the most popular current markets since the fall of the Silk Road) all of which provide goods including:

This week, IBM Security and Ponemon Institute released the annual Cost of a Data Breach report.

This year’s report found that the UK experienced a decrease in the cost of a data breach, from £2.53 million in 2016, to £2.48 million in 2017. The average cost per lost or stolen record in the UK is estimated at £98.

Key points from the study include:

IBM has also created a “Cost of a Data Breach Calculator,” which you can use below.

(Source: IBM)
