Learning From the WisePay Attack
In the wake of the recent attack on the WisePay website which saw some parents unwittingly making school payments to cyber-criminals, we look at how to spot whether personal data may have been compromised and how to protect personal information going forward.
WisePay
WisePay is a payment services provider to UK schools and academies offering a SaaS (Software as a Service) model. Its school payments software services mean that parents and guardians can make secure, cashless payments to their school or college for bursaries, trips, meals, school clubs and more. The company, started by Sarah Phillips, joined forces with leading US-based education-tech company ‘Community Brands’ back in January 2018.
WisePay also offers a digital ‘parental engagement’ and forms manager service where it deals with emailing, texting, forms, and data collection on behalf of its school and academy customers.
Website Hack and Spoof Page
WisePay estimates that an attack on their website occurred at some time between Friday 2nd and Monday 5th October. Cyber-criminals were able to hack the WisePay website and redirect the payment gateway page to the URL of a spoof payment page that they controlled. This kind of attack is known as ‘URL manipulation/URL rewriting’. In this way, parents who went to the right website to pay their UK school fees could still be duped into paying their money to the cyber-criminals.
The hack was quickly discovered (on Monday morning) and parents of the schools affected were informed just days after the attack.
After the Attack
The attack is thought to have affected around 300 schools and, because it happened over just a weekend, it is likely that relatively few people will have been affected. Parents and guardians were informed that following the attack, WisePay had taken its website offline to deal with the incident and that it was taking steps to implement additional security measures to stop a recurrence of that kind of attack. Also, WisePay notified the UK’s Information Commissioner (as they were required to under GDPR) and notified UK law enforcement.
Forensic Investigation
Parents/guardians at the affected schools were also informed that their payment card data may have been unlawfully disclosed, asked to contact the school, and informed that WisePay had engaged a computer forensics expert and that a forensic investigation was ongoing. WisePay, via the school, recommended that those likely to be affected should be cautious regarding personal financial arrangements and should take prompt steps to pause or cancel the payment card that was used to pay via WisePay during the period at the beginning of the month.
Echoes of Form-Jacking Attacks of 2019
The WisePay attack is reminiscent of the high-profile form-jacking attacks from the beginning of last year, such as those on BA and Ticketmaster who were targeted by the ‘Magecart’ hacking group. In the Ticketmaster attack, the hackers first compromised a chatbot that was used for customer support on Ticketmaster websites and this chatbot provided the ‘way in’ for the Magecart attackers, enabling them to alter the JavaScript code on Ticketmaster’s websites so that payment card data from customers could be siphoned off.
It is not yet known, however, what the root cause of the WisePay attack was.
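A defender-side check for the redirect and form-jacking scenarios described above, added here as an illustration and not code from WisePay or the original article: it parses a payment page and flags any form target, link, frame, script source or meta refresh that leaves an allowlist of hosts. The hostnames and both sample pages are constructed assumptions.

```python
"""Added example: audit where a payment page sends data and loads code from."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed values for illustration; these are not WisePay's real hosts.
PAGE_URL = "https://pay.school-example.test/checkout"
ALLOWED_HOSTS = {"pay.school-example.test", "gateway.psp-example.test"}

# (tag, attribute) pairs that decide where card data goes or what code runs.
WATCHED = {
    ("form", "action"): "form target",
    ("a", "href"): "link",
    ("iframe", "src"): "embedded frame",
    ("script", "src"): "script source",
}

# Constructed sample pages: one as deployed, one after tampering.
CLEAN_PAGE = """<html><body><a href="/help">Help</a>
<form method="post" action="https://gateway.psp-example.test/pay">
<input name="amount"></form>
<script src="/static/checkout.js"></script></body></html>"""

TAMPERED_PAGE = """<html><head>
<script src="https://cdn.chat-widget-example.test/bot.js"></script></head>
<body><form method="post" action="https://gateway-psp-example.test/pay">
<input name="amount"></form>
<a href="http://pay.school-example.test/help">Help</a></body></html>"""


class TargetCollector(HTMLParser):
    """Collects every watched URL on the page as (kind, absolute_url)."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0; url=https://host/path"
            _, _, rest = (attrs.get("content") or "").partition(";")
            key, _, value = rest.strip().partition("=")
            if key.strip().lower() == "url" and value:
                self._add("meta refresh", value.strip(" '\""))
            return
        for (watched_tag, attr), kind in WATCHED.items():
            if tag == watched_tag and attrs.get(attr):
                self._add(kind, attrs[attr])

    def _add(self, kind, raw):
        # Resolve relative URLs so "/pay" is judged against the page's own host.
        self.targets.append((kind, urljoin(self.base_url, raw.strip())))


def audit_page(html, base_url=PAGE_URL, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, url, reason) for every target that fails the policy."""
    collector = TargetCollector(base_url)
    collector.feed(html)
    findings = []
    for kind, url in collector.targets:
        parts = urlsplit(url)
        if parts.scheme in ("mailto", "tel"):
            continue
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append((kind, url, "not https"))
        elif host not in allowed_hosts:  # exact match, so lookalike hosts fail
            findings.append((kind, url, "host not on allowlist"))
    return findings


if __name__ == "__main__":
    for finding in audit_page(TAMPERED_PAGE):
        print(finding)
```

Run on a schedule against the live page, a non-empty result is a reason to alert and compare the page with the last known-good deployment.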
How Do You Know If Your Personal Data Has Been Compromised?
As identified by WisePay in its communication (via schools) following the attack, in addition to following the advice to cancel the card used to pay, those who believe they may be affected by this kind of attack should look out for the following indicators:
– Any suspicious transactions shown on payment card statements and/or funds missing from a bank account.
– Receipt of ransomware messages or fake antivirus messages.
– The appearance of unwanted browser toolbars or unexpected software installs.
– An unfamiliar search history in a browser.
– Re-directions of internet searches and frequent, random popups onscreen.
– Reports that friends have received social media invitations that have not been sent.
– Online passwords not working.
– The mouse moving between programs and making selections.
Vigilance
After a cyber-attack, it is not uncommon for the victims to be targeted quickly again by those pretending to be helping them to recover from the attack, with a view to stealing money and details. For example, attackers in this case may target affected parents/guardians pretending to be from the school, the police, or Action Fraud, and may ask for personal details to help with their enquiries. Those who have/may have been victims of a recent cyber attack should, therefore, be extra vigilant for this kind of social engineering and fraudulent activity.
Further Steps
There are steps that we can all take as individuals and businesses to protect our personal data from cyber-criminals, particularly if we suspect that our details may have been stolen in an attack. These steps could include:
– Regularly reviewing financial account statements and credit reports, and reporting any suspicious activity to the financial institution/company concerned, the police, and Action Fraud. It may be useful to obtain a free copy (30-day free trial) of your credit report from the major credit reporting agencies e.g. Equifax, to help spot any unusual activity.
– Consider placing a fraud alert on your credit report. It is free and will stay on your credit file for at least 90 days. An alert keeps creditors informed of any possible fraudulent activity within your report and requests that the creditor contact you prior to establishing any accounts in your name.
– Consider placing a security freeze to stop any new credit from being opened in your name without a special security freeze PIN, and to stop others from accessing your credit report without your consent.
– Check whether your email address has been compromised in any known previous attacks by going to https://haveibeenpwned.com/.
Plans In Place
For businesses, in addition to taking steps to maintain day-to-day cyber defences, it is important to have realistic, workable plans in place such as a Cyber Resilience Plan to prepare for, respond to and recover from cyber-attacks. Business continuity planning and disaster recovery plans can mean the difference between the life and death of a business after a serious attack.
Looking Ahead
URL manipulation/URL rewriting and form-jacking attacks are becoming more frequent and educational institutions along with other large organisations are likely to be considered to be lucrative, softer targets. The hackers involved had to find a way into the website in order to manipulate the URL and, as previous (similar) attacks have shown, this can be through chatbots, previously compromised accounts, phishing attacks and other means. Businesses and organisations therefore need to take a holistic approach and make sure that security measures are taken and maintained across the board as one small incident or loophole can sometimes lead to much bigger and successful attacks.
The Challenge of User Access Permissions
Employees being given too much access to privileged, sensitive company data can put an organisation in danger. In this article, we explore the issues around this subject and how businesses can minimise the risk.
Survey
In a recent survey of 900 IT professionals commissioned by IT security firm Forcepoint, it was revealed that 40 per cent of commercial sector respondents and 36 per cent of public sector respondents said they had privileged access to sensitive company data through their work. Also, 38 per cent of private sector and 36 per cent of public sector respondents said that they did not need the amount of access they were given to complete their jobs. The same survey showed that 14 per cent of respondents believed that their companies were unaware of who had what access to sensitive data.
The results of this survey confirm existing fears that by not carefully considering or being able to allocate only the necessary access rights to employees, companies may be leaving open a security loophole.
Risks and Threats
The kinds of risks and threats that could come from granting staff too many privileges in terms of sensitive data access include:
Insider Threats
Insider threats can be exceedingly difficult to detect and exact motives vary but the focus is generally to gain access to critical business assets e.g. people, information, technology, and facilities. Insiders may be current or former full-time employees, part-time employees, temporary employees, contractors/third parties, and even trusted business partners. The insider may be acting for themselves or for a third party. Information or data taken could be sold e.g. to hackers or to representatives of other organisations/groups or used for extortion/blackmail. An insider could also use their access for sabotage, fraud, social engineering or other crimes. An insider could also cause (unintentional) damage.
The insider threat has become more widely recognised in recent years and in the U.S., for example, September is National Insider Threat Awareness Month (NITAM).
Intrusions From Curiosity
The digitisation of all kinds of sensitive information, and digital transformation, coupled with users being given excessive access rights, has led to intrusions due to curiosity, which can lead to a costly data breach. One example is in the health sector where, in the U.S., data breaches occur at the rate of one per day (Department of Health and Human Services’ Office for Civil Rights figures). Interestingly, Verizon figures show that almost 60 per cent of healthcare data breaches originate from insiders.
Accidental Data Sharing
Some employees may not be fully aware of company policies and rules, particularly at a time when the workforce has been dispersed to multiple locations during the lockdown. A 2019 Egress survey, for example, revealed that 79 per cent of employers believe their employees may have accidentally shared data over the last year and that 45 per cent sent data to the wrong person by email. Unfortunately, the data shared or sent to the wrong person may have been sensitive data that an individual did not need to have access to in order to do their job.
Hacking
If hackers and other cybercriminals are able to obtain the login credentials of a user that has access rights to sensitive data (beyond what is necessary) this can provide relatively easy access to the company network and its valuable data and other resources. For example, cybercriminals could hack or find lost devices or storage media, use social engineering, or use phishing or other popular techniques to get the necessary login details.
How Does It Happen?
The recent Forcepoint and Ponemon Institute survey showed that 23 per cent of IT pros believe that privileged access to data and systems is given out too easily. The survey results suggest that employees can end up having more access rights than they need because:
– Companies have failed to revoke rights when an employee’s role has changed.
– Some organisations have assigned privileged access for no apparent reason.
– Some privileged users are being pressured to share access with others.
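An access review that looks for each of the three causes listed above, added here as an illustration and not taken from the survey or any vendor tool. The role baselines, user records, login records and ticket references are all constructed assumptions.

```python
"""Added example: entitlement review for the three causes listed above."""
from datetime import date

# Assumed baseline: what each role needs to do its job (hypothetical names).
ROLE_BASELINE = {
    "finance-analyst": {"ledger:read", "reports:read"},
    "helpdesk": {"tickets:write", "directory:read"},
}

# Constructed sample data. Each grant is (entitlement, granted_on, ticket).
USERS = [
    {"name": "asha", "role": "helpdesk", "role_since": date(2020, 6, 1),
     "grants": [("tickets:write", date(2020, 6, 1), "REQ-101"),
                ("ledger:read", date(2019, 3, 4), "REQ-007")]},
    {"name": "ben", "role": "finance-analyst", "role_since": date(2018, 1, 8),
     "grants": [("ledger:read", date(2018, 1, 8), "REQ-002"),
                ("payroll:admin", date(2020, 2, 14), None)]},
    {"name": "cara", "role": "finance-analyst", "role_since": date(2019, 9, 2),
     "grants": [("reports:read", date(2019, 9, 2), "REQ-050")]},
]

# Constructed login records: (account, device, person the device is issued to).
SESSIONS = [
    ("ben", "LT-0042", "ben"),
    ("ben", "LT-0077", "cara"),  # ben's account used on cara's laptop
    ("asha", "LT-0013", "asha"),
]
PRIVILEGED_ACCOUNTS = {"ben"}  # assumed list of accounts with privileged access


def review_grants(users, baseline=ROLE_BASELINE):
    """Return (user, entitlement, reason) for grants beyond the role baseline."""
    findings = []
    for user in users:
        needed = baseline.get(user["role"], set())
        for entitlement, granted_on, ticket in user["grants"]:
            if entitlement in needed:
                continue
            if granted_on < user["role_since"]:
                # Granted under an earlier role and never revoked.
                reason = "kept after role change"
            elif ticket is None:
                # Granted in the current role with nothing on record to justify it.
                reason = "no recorded justification"
            else:
                reason = "outside role baseline"
            findings.append((user["name"], entitlement, reason))
    return findings


def shared_account_use(sessions, privileged=PRIVILEGED_ACCOUNTS):
    """Rough signal only: a privileged account used on someone else's device."""
    return sorted({(account, owner) for account, _device, owner in sessions
                   if account in privileged and owner != account})


if __name__ == "__main__":
    for finding in review_grants(USERS):
        print(finding)
    print(shared_account_use(SESSIONS))
```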
How To Stop It
Stopping the allocation of too many privileged access rights may be a holistic process that considers many different aspects and activity from multiple sources, including:
– Incident-based security tools. Although these can alert the organisation to potential problems and can register logs and configuration changes, they can also give false positives and it can take a prohibitively long time to fully review the results, find and plug the breach.
– Trouble tickets and badge records.
– Reviews of keystroke archives and video.
– User and entity behaviour analytics tools.
The challenge is that many organisations lack the time, resources, and expertise to piece all these elements together in a meaningful way.
Looking Forward
It appears that where there is a disconnect between IT managers and staff, and where access rights are not regularly monitored or checked, a whole business or organisation can end up being in danger. Some security commentators suggest that the answer lies in easy-to-use technology that incorporates AI to help monitor how data flows and is shared to bring about the necessary visibility as regards who has access and what they’re doing with that access. Always seeking verification and never acting simply on trust is a key way in which organisations can at least detect malicious activity quickly.
Cyber Security Top of List for Digital Transformation
A recent survey appears to have shown that changes brought by the pandemic have meant that IT buyers from companies working on digital transformation now value cybersecurity the most.
Survey
The survey, conducted among IT business leaders attending the all-virtual Digital Transformation Expo (DTX), DTX: NOW, this month, showed that 26 per cent of respondents put IT security at the top of their digital transformation list. A close second place was the cloud at 21 per cent.
Pandemic Accelerated Digital Transformation
As shown in survey results published last month by Studio Graphene, the need to quickly shift staff to working from home because of the lockdown appeared to be a driver and an accelerator of digital transformation for businesses. The survey showed that nearly half (46 per cent) of business leaders said that Covid-19 had driven the most pronounced digital transformation that their businesses had experienced.
Adapt
The distribution of the workforce/staff working from home which the pandemic lockdown caused has meant that businesses have been forced to adapt not only their cloud strategy, but also their cybersecurity measures and their business cultures to ensure that their businesses function as well as possible.
Challenges and Gains
The survey found that the biggest challenges to digital transformation projects were identified as being changes in the scope, reduced budgets, and changes in team structures. At the same time, the survey results revealed that the need to ensure that all employees could work from home revealed IT issues that may not otherwise have been addressed, thereby helping the business to modernise and realise which areas needed investment going forward.
New Ways of Working
With further restrictions, local lockdowns, the possibility of new, stricter restrictions ahead and a decidedly uncertain near future for traditional office-based working, the pandemic has driven diversification of work methods and structures. Flexible, smarter, hybrid working, involving different locations, looks to be a reality for businesses as we try to gain more control in an increasingly unpredictable world and business environment.
What Does This Mean For Your Business?
The results of the survey appear to support the idea that necessity has driven digital transformation. The pandemic lockdown has been a catalyst that has moved many aspects of businesses forward and led them to clearly and quickly see the importance of cybersecurity, where weaknesses are, where investment is needed next and has shown them that new, more flexible models of work can benefit employer and employee. Whilst changes have been difficult, and people and their organisations have been forced to adapt to changes quickly, the lessons learned in digital transformation may have boosted confidence within organisations that they have the in-built flexibility, creativity, experience and ability to weather the storm and reinvent how they work according to prevailing conditions.
Privacy Campaigners Challenge Government Over Test and Trace
Privacy campaign groups Big Brother Watch and The Open Rights Group have voiced their concerns that there is a lack of clarity from the government about how the data of users of the new NHS contact tracing app will be protected.
Concerns
The privacy campaign groups are concerned that both the Track and Trace system and the contact tracing app appear to be risking the privacy of the public as regards their personal details and that a lack of clarity over this is contributing to a lack of trust in the system by the public and, therefore, may be endangering public health and prolonging the pandemic’s effects.
A key concern by the privacy groups is the apparent lack of a legally required Data Protection Impact Assessment (DPIA). A DPIA, introduced by the UK’s data regulator, the Information Commissioner’s Office (ICO), is a process that can reduce the likelihood of data breaches.
No Longer Based on Public Trust
The Big Brother Watch website highlights what it believes to be a shift by the UK government from creating and nourishing public trust towards simply relying on coercion and penalties to make contact tracing in the UK work. For example, Big Brother Watch says “This new approach to contact tracing is no longer based on public trust, but on exclusion, criminal sanctions and police enforcement. Many people will be rightly shocked to find they’re refused entry to coffee shops and restaurants unless they hand over their personal contact details. This is an astoundingly excessive law that poses a serious risk to privacy and data rights.”
Open Rights Group
Although the Open Rights Group was pleased that, in June, the government scrapped its plans to use a centralised model for its Covid-19 tracker app and opted for the decentralised model (no big, central database), it is also very concerned about the apparent lack of a Data Protection Impact Assessment (DPIA). The Open Rights Group highlights its particular concerns over the government’s apparent lack of clear explanation of how bars and restaurants should keep data, and what the legal liabilities are. It points out that although the England and Wales App and QR code scan for a venue may record that some people were there, it does not give the full picture and there may be a security and privacy loophole. For example, if a person doesn’t have a modern smartphone, and simply hands their data to a pub or restaurant, the Open Rights Group is concerned that the person will have little or no privacy protection and that no thought appears to have gone into the privacy and risks, even though those risks are very tangible.
What Does This Mean For Your Business?
The failure of the previous tracing app, criticisms of a lack of an effective, large scale track and trace system for 6 months, a lack of availability of tests, a large death toll, and recent criticism of the government by the media over what appears to be a confused strategy and messages have all contributed to a reduction in the level of trust. This is a difficult backdrop against which to launch a new app to which the government wants all of us to subscribe. It may be particularly bad for many businesses who have been forced to make difficult decisions to comply with COVID laws (e.g. in the hospitality industry) to hear that the UK government may not have met its own legal requirement for a Data Protection Impact Assessment (DPIA). Although posting the QR code at business premises is a way to make it easier for businesses to comply and help with track and trace, there may well be a grey area as regards the collection and protection of data for those who don’t have a smartphone with the capacity to work with the app system. Trust, transparency, and clarity are all areas the government may need to work on to make a test and trace system work, help businesses and protect public health.
Uber Reclaims London Licence
A year after Transport for London (TfL) stopped ride-hailing service Uber’s London operating licence over safety concerns, an appeal has led to the company being granted a further 18-month licence.
What Happened?
Back in November 2019, TfL said that it had identified a pattern of failures by Uber, including breaches that had risked the safety of passengers and drivers, plus some uninsured journeys. Uber had pledged to improve its drivers’ safety training and provide a direct connection to emergency services, but TfL stopped Uber’s licence to carry passengers in London.
What Failures?
The “pattern of failures” which led to Uber being refused a licence to operate in London back in 2019 may have included (according to details reported to be from letters sent to Uber by TfL):
– A global phishing scam involving GPS signal manipulation.
– Drivers using fake or possibly out-of-date insurance certificates.
– Unlicensed vehicles transporting passengers, and drivers with fraudulent private hire licences using the app to take passengers.
– Fraudulent account profile pictures used by some drivers.
– More than 27,000 safety-related complaints being made about Uber services between 1 December 2018 and 31 May 2019.
Happened Before
Uber had previously had its London licence removed by TfL in 2017 after it was decided that the company was “not fit and proper” following security issues, public safety issues, poor reporting (of serious in-car crimes), poor medical checks (of drivers) and poor background checks (of drivers).
In 2018, Uber was only given a probationary 15-month licence in London following changes made to improve relations with city authorities.
Latest Ruling
After Uber appealed and argued that it has now improved insurance document verification systems and is rolling out real-time identification, Judge Tan Ikram said that “I am satisfied that they are doing what a reasonable business in their sector could be expected to do, perhaps even more”. Now that Uber has been judged to be a fit and proper operator again, it has been granted an 18-month right to take rides in London.
Behaviour Towards Drivers
Uber has still to face the outcome of a Supreme Court hearing which will decide whether its drivers receive basic workers’ rights, such as holiday pay and the minimum wage for the hours they work.
Union
Unions such as the GMB have been vocal in their criticism of Uber’s behaviour towards its drivers with allegations that the ride-hailing giant may be effectively depriving drivers of an income by disconnecting them for days after false accusations have been made against them.
What Does This Mean For Your Business?
This is clearly good news for Uber and also for the many customers who have had a generally good experience of the company’s services in London in the past. Even though Uber has made changes and apologised for mistakes, it will still face criticism from unions and have to handle objections and criticism from black cab operators, close scrutiny from TfL to make sure Uber keeps its promises, challenges from competitors who will not be pleased that Uber is back (e.g. Ola, Freenow and Bolt) and all the challenges, safety requirements and reduced revenue that have come with the pandemic. It now remains to be seen how Uber behaves going forwards and how it can operate effectively in a dramatically changed environment.
Whole Village’s Broadband Stopped By an Old TV
An anonymous person living in the village of Aberhosan, Powys, was found to have caused broadband outages for the whole village for the last 18 months every time they switched on their old television.
Investigation
An exhaustive investigation by frustrated Openreach engineers into the disruption to broadband for the whole village, which mysteriously began at 7 am each morning (the time when the villager turned the TV on), led to the replacement of broadband cables in the village before the TV was singled out as the culprit.
SHINE
The engineers used a spectrum analyser to identify the single high-level impulse noise (SHINE) that was emitted from an old, second-hand TV when it was switched on every morning at the same time. The SHINE caused enough electrical interference to down the broadband signal for the whole village. The villager, who has not been named for obvious reasons, is reported to have agreed not to use the old TV again.
Interference
Many different household devices can produce radio interference that can affect broadband and Wi-Fi signals. These can include boilers, water heaters, any device with a motor inside, TVs, some types of Christmas lights, phone chargers, and even LED bulbs and dimmer switches.
Avoiding Interference
Although there is no way of guarding against someone using a rogue TV that knocks out the whole signal for the village/town, there are some steps you can take to reduce the chances of interference to the signal (delivered over your telephone line) in your own home. These include:
– Not putting the router behind your TV or in the middle of mains cables.
– Connecting the router to a master socket where possible.
– Making sure that devices connected to the phone line have micro-filters.
– Removing any old, unused telephone extensions.
Also, it is a good idea to use devices in the home that conform to British Standards.
What Does This Mean For Your Business?
For any businesses in the village, and anyone working from home, the daily broadband outages must have been highly frustrating and costly. It is a shame that the problem persisted for 18 months before it was resolved. Now more than ever, with home-working due to the pandemic, having a reliable and fast broadband connection is vitally important so it is also important to be aware, as mentioned in the information and tips above, of how to minimise sources of interference where possible. It is also worth noting that where there has been a broadband supply failure, a voluntary Code of Practice between the big broadband providers means that there is now an automatic compensation scheme in operation.