Cyber Security - A Cyber Week in London Part II
Everything has relevance but not everyone sees it
A Cyber Week in London - PART II
International Security Expo 2018 evening reception, Terrace Pavilion, House of Commons, Westminster, London, UK. Photo Credit: International Security Expo 2018
By Jane Lo, ASM Correspondent
“Data drives all we do”, the British data analytics firm Cambridge Analytica at the center of controversy in the United States and United Kingdom announced on its website

The principle that deals with security under the UK Data Protection Act 1998 is also key in GDPR, which is enshrined in the UK Data Protection Act 2018. Referring to the integrity and confidentiality components under the classic “CIA” model (confidentiality, integrity, availability), GDPR stipulates that data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘Integrity and confidentiality’)”.
- GDPR Article 5, Para 1(f), Principles relating to processing of personal data

“Integrity and Confidentiality”
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
- UK Data Protection Act 1998, Principle 7 – applicable during the 2016 data breach incident of TalkTalk

To secure personal data, explicit obligations for “appropriate technical and organizational measures” include, in a written data processing agreement, “pseudonymisation and encryption of data” and “ensuring the confidentiality, integrity, availability and resilience of processing systems and services”.

Many of these requirements are not new, but complying would necessitate a fresh review of the approach to security and benchmarking against industry standards and best practices. A critical aspect is how governance and culture mitigate privacy hazards arising from internal policy weaknesses and external malicious threats.

UK ICO’s enforcement actions include fines against a law enforcement agency after an interview disk went missing and against an individual health practitioner for unlawfully accessing a patient’s medical records without a valid legal reason. The highest profile is undoubtedly the £400,000 fine against TalkTalk, close to the maximum fine of £500,000 the ICO is empowered to apply for contraventions of the Data Protection Act 1998. TalkTalk’s failure to properly protect customer data from a cyber attack resulted in a breach of personal data of 156,959 customers, including names, addresses, dates of birth, and in many cases, bank account details and sort codes.

“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease. Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
- UK ICO’s Elizabeth Denham, 5th October 2016, TalkTalk Data Breach

“Cyber Security is a Board Room Issue”
“Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
-- UK ICO’s Elizabeth Denham, 5th October 2016, on issuing the largest fine, £400,000, to TalkTalk

ICO found that the attack could have been prevented if TalkTalk had taken basic steps, such as infrastructure scanning (which could have uncovered the vulnerable websites through which the attacker accessed a customer information database), patching outdated software (which could have fixed a bug that allowed the attacker to bypass access restrictions), and installing defenses against the common hacking technique, SQL injection, used to access the data.

44 | Australian Security Magazine
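The SQL injection defence the ICO listed, shown as an added example that is not from the article, the ICO or TalkTalk's systems: a customer lookup built by string concatenation beside the same lookup using bound parameters, run over a constructed in-memory table holding the kind of personal data the article describes.

```python
import sqlite3

# Constructed sample rows (not real customer data): the categories the ICO
# said were exposed - names, addresses, dates of birth.
_ROWS = [
    ("alice", "Alice Example", "1 High Street", "1980-01-01"),
    ("bob", "Bob Example", "2 Low Road", "1975-06-30"),
]


def _connect():
    """Create an in-memory customer database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, name TEXT, address TEXT, dob TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", _ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Query built by concatenation: the input is interpreted as SQL text."""
    sql = "SELECT name, address, dob FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """Query with a bound parameter: the input is only ever a value."""
    sql = "SELECT name, address, dob FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Row counts returned by each lookup for a normal and a hostile input."""
    conn = _connect()
    normal = "alice"
    # Textbook tautology input: inside the concatenated query it turns the
    # WHERE clause into "username = 'x' OR '1'='1'", matching every row.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),
        "safe_normal": len(lookup_parameterised(conn, normal)),
        "safe_hostile": len(lookup_parameterised(conn, hostile)),
    }
```

The parameterised version returns the same row for a genuine username and no rows for the hostile string, because sqlite3 binds it as a literal that matches no account.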