Universities and charities in the UK, US, and Canada have all been affected by a hack that hit software supplier Blackbaud.
Over 20 universities and charities have stated they were affected after Blackbaud – a supplier of administration and financial software – was hacked back in May, with personal data being held for ransom.
Blackbaud agreed to pay the ransom, despite this being against the advice of most law enforcement agencies. Most worryingly, however, it took a long time to inform those affected.
According to BBC News:
Questions are being asked about why Blackbaud took weeks to inform its customers of the hack.
Under General Data Protection Regulation (GDPR), companies must report a significant breach to data authorities within 72 hours of learning of an incident – or face potential fines.
The UK’s Information Commissioner’s Office [ICO], as well as the Canadian data authorities, were informed about the breach last weekend – weeks after Blackbaud discovered the hack.
You can read the full article from the BBC here.
How Blackbaud has approached the hack is extremely worrying, especially given that sensitive data was stolen, including “phone numbers, donation history and events attended”.
There is no guarantee that the hackers destroyed this data despite the ransom being paid, and the length of time Blackbaud took to deal with this issue has left those affected unable to take steps to protect themselves.
If you want advice on how to handle these kinds of situations and your data protection procedures, get in touch with us today for our expert advice.
900,000 people have been hit by a Virgin Media data breach in which a database containing personal details was accessible over the internet for 10 months.
The database contained details including email addresses, home addresses, and phone numbers, which were being stored for marketing purposes.
Virgin Media have stated that the breach took place due to the database being “incorrectly configured” by a member of staff. There was no hacking or malicious intent behind the breach, although it was also apparently accessed “on at least one occasion” by an unknown and unidentified user.
Zoe Kleinman, Technology Reporter at BBC News, stated that:
The fact that Virgin Media’s database hasn’t been actively hacked is reassuring for customers, but while the details are light, it sounds like human error is to blame and that is rather embarrassing for a tech firm.
Ten months is a long time for all that data to have just been sitting there, waiting to be found.
And while no passwords or bank details were among it, there’s an awful lot of contact information for a cyber-criminal to work with. Phishing expeditions – when someone tries to get financial information out of a victim by pretending to be a company with a legitimate reason for contact – are not particularly sophisticated, but they are effective for those caught off-guard, and can be a lucrative source of income.
It’s unclear whether this was yet another case of unsecured data being stored on a cloud service that’s easily searchable if you know how. There have been dozens of examples of this lately, including just this week a database of the personal details of people using train station wi-fi around the UK.
Virgin Media has apologised and really, there’s very little practical advice to offer in the light of this kind of breach, beyond the usual protocol of staying alert to any messages requesting personal information or access to any kind of finance.
You can read the full article on this story from the BBC, with Kleinman’s commentary, by clicking here.
This Virgin Media data breach is the latest in a series, from various organisations, which have seen databases left unsecured online. For example, a Microsoft database containing 250 million details was left exposed in December, as we reported here.
This is a worrying trend, and shows that these databases should be configured carefully by people who know the proper procedures and are fully trained and knowledgeable about cybersecurity.
Virgin Media has taken steps to close access to the database, contact the ICO, and notify those affected by the breach, with advice about how to protect themselves from potential repercussions. While these are all positive steps, there’s no doubt that significant errors have been made and this breach could easily have been avoided.
If you want advice on how to protect user data, get in contact with our GDPR consultants today for invaluable, expert advice.
A report from cybersecurity firm DynaRisk has uncovered some interesting facts about UK data breaches. The information uncovered by the company includes:
- There have been more data breaches for users with BT email addresses than for those who use Gmail, Hotmail, or Yahoo emails.
- UK consumers suffered more data breaches than people in such countries as Canada, New Zealand, and the majority of Europe.
- Three out of five consumers in the UK were victims of a data breach.
- The average Cyber Security Score – which works like a credit score but tracks cyber security – of UK consumers rose by 26% in the last 12 months.
According to a report from ITProPortal:
“It’s encouraging to see that the average score in the UK is now so high (800) and has increased by so much from this time last year,” said Andrew Martin, CEO, DynaRisk.
“Consumers are clearly becoming more aware and more protective of their online information in the UK, and getting better at arming themselves against an ever-increasing number of cyber threats.”
Even though the numbers are promising, Martin says there’s still plenty of room for improvement, and that consumers should always be cautious when signing up to different services with their email address.
“Constant investment and training needs to be put in place by all companies to ensure customer information is as safe as it can be,” he said.
The takeaway from this report is that while the frequency of UK data breaches is worrying, the overall trend is one of improvement. Users are increasingly aware of the cyber security risks that they face in the modern technological environment.
Do you have concerns about possible data breaches at your organisation and want to plug the gap? Activa Consulting is here to help. Get in touch with us today and find out how we can help your data protection programme!
A Microsoft data breach left a customer database exposed online last month, with 250 million entries involved. Microsoft revealed that the database, which stored anonymised user analytics, was left without protection between 5th December and 31st December.
The information in the database included email addresses, IP addresses, and details of support cases. While Microsoft stated that the majority of these records didn’t contain personal user information, these details could still be used maliciously.
According to a report from ZDNet.com:
The database was spotted and reported to Microsoft by Bob Diachenko, a security researcher with Security Discovery.
The leaky customer support database consisted of a cluster of five Elasticsearch servers, a technology used to simplify search operations, Diachenko told ZDNet today. All five servers stored the same data, appearing to be mirrors of each other.
Diachenko said Microsoft secured the exposed database on the same day he reported the issue to the OS maker, despite being New Year’s Eve.
“I have been in touch with the Microsoft team helping and supporting them to properly investigate it,” Diachenko told ZDNet.
You can read the full article from ZDNet by clicking here.
While this is a worrying security breach, the positive news is that Microsoft have responded to it well – and report that they “found no malicious use” of the data.
The company not only worked immediately to plug the breach on New Year’s Eve, but has also already begun notifying users who had been affected by it. This hopefully means that the impact should be minimal.
Unsure how your organisation ought to respond to a data breach? Our GDPR Consultants can help – get in touch with us today for our professional expertise!
Regus, an office-space provider, has seen the data of 900 employees exposed by accident. This Regus data breach took place following a staff review, and involved staff details being posted publicly online.
According to BBC News, the review involved sales staff showing researchers around an office space, while the researchers pretended to be clients interested in renting the space.
However, subsequent to the review, a spreadsheet of staff data was published on the task-management website Trello. The details published included names, addresses, and job performance data.
Furthermore, the names and addresses of researchers from Applause, a company contracted by Regus parent company IWG, were also published.
According to the report from the BBC:
“Team members are aware they are recorded for training purposes and each recording is shared with the individual team member and their coach to help them become even more successful in their roles,” IWG said.
“We are extremely concerned to learn that an external third-party provider, who implemented the exercise, inadvertently published online the outcomes of an internal training and development exercise.
“As our primary concern we took immediate action and the external provider has now removed the content.”
How this Regus data breach happened is unclear. According to the co-founder of Trello, Michael Pryor:
“Trello boards are set to private by default and must be manually changed to public by the user.
“We strive to make sure public boards are being created intentionally and have built in safeguards to confirm the intention of a user before they make a board publicly visible.”
You can read the full article from BBC News by clicking here.
Given these measures on Trello, it appears that the breach has taken place due to human error. This demonstrates why data protection staff training is so important: any employee can be responsible for a data breach which results in significant fines.
Worryingly, it appears that this data breach has not been reported to the Information Commissioner’s Office (ICO). This is despite GDPR requiring that data breaches be reported within 72 hours if they pose a risk to people.
However, it remains to be seen whether it has been reported to a data commissioner in another country; the BBC has made enquiries to Luxembourg’s official body to see if the breach has been reported there instead.
Are you uncertain what to do if you suffer a data breach? Or are you worried about the security of data at your organisation? Get in touch with us today to get expert help from our GDPR Consultants!