12 July 2019

IRM Weekly Cybersecurity Roundup: British Airways' ICO fine and more

British Airways face record £183m fine for data breach

British Airways is “surprised and disappointed” after facing a record fine of £183m from the Information Commissioner’s Office (ICO) for last year’s breach of its security systems.

The incident took place after users of the British Airways (BA) website were diverted to a fraudulent site. Through this false site, details of about 500,000 customers were harvested by the attackers, the ICO has said.

At the time of the attack, BA said hackers had carried out a “sophisticated, malicious criminal attack” on its website.

Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.

“That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The incident was first disclosed on 6th September 2018 and BA had initially said approximately 380,000 transactions were affected, but the stolen data did not include travel or passport details.

You can read more here.

Forensic services firm paid ransom after cyber-attack

The UK’s biggest provider of forensic services, accounting for half of the forensic science provision in the UK, has paid a ransom to criminals after its IT systems were disrupted by a cyber-attack.

Eurofins Scientific was infected with a ransomware computer virus a month ago, which led British police to suspend work with the global testing company.

The attack was said to have been “highly sophisticated” and “well-resourced”. It is not known how much money was involved in the ransom payment or when it was paid.

The agency, which is investigating the attack, said: “As there is an ongoing criminal investigation, it would be inappropriate to comment.” Eurofins said operations were “returning to normal” now some 3 weeks after the attack.

You can read more here.

Anaesthetic devices ‘vulnerable to hackers’

The anaesthetic machine used in NHS hospitals can be hacked and controlled from afar if left accessible on a hospital computer network, a cybersecurity company says.

A successful attacker would be able to change the amount of anaesthetic delivered to a patient. Alarms designed to alert anaesthetists to any danger could also be silenced. However, GE Healthcare, which makes the machines, said there was no “direct patient risk”.

NHS Digital said it could not confirm the extent to which the machines were still in use across the NHS and was assessing how many of the machines were in use across England.

You can read more here.

Concerns around NHS Alexa Tie-Up

Legal and security experts have raised concerns over a new NHS deal with Amazon, allowing patients to access health information through voice-assistant technology.

The tie-up is designed to help those who would find accessing the NHS website difficult, such as the elderly or blind. The initiative could also help to reduce the workload for GPs and pharmacists who have to take time out to field simple questions on common illnesses, the NHS argued.

“The public need to be able to get reliable information about their health easily and in ways they actually use,” claimed Matthew Gould, CEO of the new digital transformation unit NHSX. “By working closely with Amazon and other tech companies, big and small, we can ensure that the millions of users looking for health information every day can get simple, validated advice at the touch of a button or voice command.”

Although many patients currently use the NHS website, they will be keen to know how their personal health data is being used, and where it may be stored, under this new agreement.

You can read more here.

Quick fire updates:

Fake voices ‘help cyber-crooks steal cash’: A security firm says fake audio footage made with artificial intelligence is being used to steal millions of pounds after three cases of seemingly ‘deepfaked’ audio of different chief executives were used to trick senior financial controllers into transferring cash. Read more here.

IRM Risky Business Survey still live: Calling cybersecurity decision-makers – we want your opinion! We’ve launched the 2019 Risky Business Survey designed to aid future strategy based on the latest trends. To receive the final report & for the chance to win a £100 Amazon gift card, go here.

Japan gears up for cyber-attacks during 2020 Tokyo Games: The abundance of smart devices and drones has encouraged Japan to prepare for an increase in cyber-attacks during the upcoming games, encouraging visitors to remain on guard for scams and real-world attacks. Read more here.