£385,000 Data Protection Fine For Uber
Ride-hailing (and now bike and scooter-hiring) service Uber has been handed a £385,000 fine by the ICO for data protection failings during a cyber-attack back in 2016.
What Happened?
The original incident took place in October and November 2016, when hackers accessed a private GitHub coding site that was being used by Uber software engineers. Using the login details obtained via GitHub, the attackers were able to reach the Amazon Web Services account that handled the company’s computing tasks and access an archive of rider and driver information. The result was the compromise (and theft) of data relating to 600,000 US drivers and 57 million user accounts.
The ICO’s investigation focused on avoidable data security flaws, during the same hack, that led to the theft (using ‘credential stuffing’) of personal data, including full names, email addresses and phone numbers, of 2.7 million UK customers from the cloud-based storage system operated by Uber’s US parent company.
The ICO’s fine to Uber also relates to the record of nearly 82,000 UK-based drivers, including details of journeys made and how much they were paid.
Attackers Paid To Keep Breach Quiet
Another key failing of Uber was that not only did the company not inform affected drivers about the incident for more than a year, but Uber chose to pay the attackers $100,000 through its bug bounty programme (a scheme under which websites and software developers offer recognition and payment to those who report software bugs) to delete the stolen data and keep quiet about the breach.
Before GDPR
Even though GDPR, which came into force on 25th May this year, says that the ICO has the power to impose a fine on a data controller of up to £17m or 4% of global turnover, the Uber breach took place before GDPR. This means that the ICO issued the £385,000 fine under the Data Protection Act 1998, which was in force before GDPR.
Other Payments and Fines
Uber also had to pay a $148m settlement agreement in a case in the US brought by 50 US states and the District of Columbia over the company’s attempt to cover up the data breach in 2016.
Also, for the same incident, Uber is facing a £533,000 fine from the data protection authority for the Netherlands, the Autoriteit Persoonsgegevens.
What Does This Mean For Your Business?
As noted by the ICO director of investigations, Steve Eckersley, as well as the data security failure, Uber’s behaviour in this case showed a total disregard for the customers and drivers whose personal information was stolen, as no steps were taken to inform anyone affected by the breach, or to offer help and support.
Sadly, Uber joins a line of well-known businesses that have made the news for all the wrong reasons where data handling is concerned, e.g. Yahoo’s 2014 data breach of 500 million users’ accounts, followed by the discovery that it had also been the subject of the biggest data breach in history to that point, back in 2013. Similar to the Uber episode is the Equifax hack, where 143 million customer details were stolen (44 million possibly from UK customers), while the company waited 40 days before informing the public and three senior executives sold shares worth almost £1.4m before the breach was publicly announced.
This story should remind businesses how important it is to invest in keeping security systems up to date and to maintain cyber resilience on all levels. This could involve keeping up to date with patching (9 out of 10 hacked businesses were compromised via unpatched vulnerabilities) and should extend to training employees in cyber-security practices, and adopting multi-layered defences that go beyond the traditional anti-virus and firewall perimeter.
Companies need to conduct security audits to make sure that no old, isolated data is stored on any old systems or platforms, thereby offering no easy access to cyber-criminals. Companies may now need to use tools that allow security devices to collect and share data and co-ordinate a unified response across the entire distributed network.
Even though the recent CIM study showed that less than one-quarter of consumers trust businesses with their data security, at least the ICO is currently sending some powerful messages to (mainly large) businesses about the consequences of not fulfilling their data protection responsibilities. For example, as well as the big fine for Uber, back in October the ICO fined a Manchester-based company £150,000 for making approximately 64,000 nuisance direct marketing calls to people who had opted out via the TPS, and earlier this month a former employee of a vehicle accident repair centre who stole customer data and passed it to a company that made nuisance phone calls was jailed for 6 months following an ICO investigation.
Data Protection Trust Levels Still Low After GDPR
A report by the Chartered Institute of Marketing (CIM) has shown that as 42% of consumers have received communications from businesses they had not given permission to contact them (since GDPR came into force), this could be a key reason why consumer trust in businesses is still at a low level.
Not Much Difference
The CIM report shows that only 24% of respondents believe that businesses treat people’s personal data in an honest and transparent way. This is only slightly higher than the 18% who believed the same thing when GDPR took effect 6 months ago.
Young More Trusting
The report appears to indicate that although trust levels are generally low, younger people trust businesses more with their data. For example, the report shows that 33% of 18-24 and 34% of 24-35 year olds trust businesses with their data, compared with only 17% of over 55s.
More Empowered But Lacking Knowledge About Rights
Consumers appear to feel more empowered by GDPR to act if they feel that organisations are not serving them with the right communications. For example, the report showed that, rather than just continuing to receive and ignore communications from a company, 50% of those surveyed said that GDPR has motivated them not to opt in consciously to begin with, or, if they have opted in, has made them more likely to subscribe.
This feeling of empowerment was also illustrated back in August in a report based on a study by business intelligence and data management firm SAS. The SAS study showed that more than half of UK consumers (55%) looked likely to exercise their new GDPR rights within the first year of GDPR’s introduction.
Unfortunately, even though many people feel more empowered by GDPR, there still appears to be a lack of knowledge about exactly what rights GDPR has bestowed upon us. For example, the report shows that only 47% of respondents said they know their rights as a consumer in relation to data protection. This figure has only increased by 5% (from 43%) since the run-up to GDPR.
What Does This Mean For Your Business?
The need to comply with the law and avoid stiff penalties, together with the opportunity to put the data house in order, meant that the vast majority of UK companies have taken their GDPR responsibilities seriously, and are likely to be well versed in the rights and responsibilities around it (and have an in-house ‘expert’). Unfortunately, there are always a few companies / organisations that ignore the law and continue contacting people. The ICO has made clear examples of some, e.g. back in October Manchester-based Oaklands Assist UK Ltd was fined £150,000 by the ICO for making approximately 64,000 nuisance direct marketing calls to people who had already opted out of automated marketing. This is one example of a company being held accountable, but it is clear from the CIM’s research that many consumers still don’t trust businesses with their data, particularly when they hear about data breaches / data sharing on the news (e.g. Facebook), or continue to have their own experiences of unsolicited communications.
It may be, as identified by the CIM, that even though GDPR has empowered consumers to ask the right questions about their data use, marketers now need to answer these, and to prove to consumers how data collection can actually benefit them e.g. in helping to deliver relevant and personalised information.
The apparent lack of a major impact of GDPR on public trust could also indicate the need for an ongoing campaign to drive more awareness and understanding across all UK businesses.
Tech Tip – Using The Best Small Business Apps
We all use apps on a daily basis, but if you’d like to know which apps are the most useful for small business, here is a list of the top 25 that could help you:
Go to: https://www.nerdwallet.com/blog/small-business/20-apps-small-business-owners/
Firefox Quantum Browser’s ‘Monitor 2.0’ Will Warn You About Security Breaches
Mozilla’s latest update for its Firefox Quantum browser includes the Firefox Monitor 2.0 security tool, which can tell you whether a site you’re visiting has suffered a security breach in the last 12 months and whether your details have been leaked online.
Developed in Partnership with HIBP
Back in June, the Mozilla blog detailed how it was testing the Firefox Monitor tool, which was being developed in partnership with HaveIBeenPwned.com (HIBP), a service run by Troy Hunt, described by Mozilla as “one of the most renowned and respected security experts and bloggers in the world”. At the time of testing, it was announced that Monitor, through its HIBP / Firefox partnership, would be able to check a user’s email address against the HIBP database in a private-by-design way. Mozilla said that visitors to the Firefox Monitor website would be able to check (by entering an email address) whether their accounts were included in any known data breaches, with details on the sites and other sources of the breaches and the types of personal data exposed in each. It was also announced that the Firefox site would offer recommendations on what to do in the case of a data breach, and on how users can secure their accounts.
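The article says the email check is “private-by-design” but does not describe the mechanism. The following is an added example, not Mozilla’s or HIBP’s code, that simulates one widely used approach to this problem, hash-prefix k-anonymity (the model HIBP’s Pwned Passwords range API uses): the client hashes the address, sends only a short prefix to the server, and compares the rest of the hash locally, so the server never learns the full address or hash. The breach records, the 6-character prefix length, and all class and function names are constructed for illustration.

```python
import hashlib

PREFIX_LEN = 6  # assumption: a 6-hex-char prefix, as HIBP's password range API uses

# Constructed sample breach records (not real data): email -> breaches it appeared in
SAMPLE_BREACH_RECORDS = {
    "alice@example.com": ["ExampleBreach2016"],
    "carol@example.org": ["SampleForum2015", "ExampleBreach2016"],
}


def email_hash(email: str) -> str:
    """Normalise the address (trim, lower-case) and return its upper-case hex SHA-1."""
    return hashlib.sha1(email.strip().lower().encode("utf-8")).hexdigest().upper()


class BreachServer:
    """Hypothetical server side: indexes hashes by prefix and answers range queries."""

    def __init__(self, records):
        self.index = {}
        self.queries_seen = []  # everything the server learns about clients
        for email, breaches in records.items():
            h = email_hash(email)
            self.index.setdefault(h[:PREFIX_LEN], []).append(
                (h[PREFIX_LEN:], list(breaches))
            )

    def range_query(self, prefix: str):
        """Return every (suffix, breaches) pair sharing the prefix.

        The server cannot tell which suffix, if any, the client is interested in.
        """
        self.queries_seen.append(prefix)
        if len(prefix) != PREFIX_LEN:
            raise ValueError("range query must be exactly the hash prefix")
        return list(self.index.get(prefix.upper(), []))


def check_email(email: str, server: BreachServer):
    """Client side: send only the prefix, compare the remaining suffix locally."""
    h = email_hash(email)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    for candidate_suffix, breaches in server.range_query(prefix):
        if candidate_suffix == suffix:
            return breaches
    return []


if __name__ == "__main__":
    server = BreachServer(SAMPLE_BREACH_RECORDS)
    for address in [" Alice@Example.COM ", "bob@example.net"]:
        print(address.strip(), "->", check_email(address, server) or "no known breach")
    # The server only ever saw short prefixes, never a full hash or address
    print("server saw:", server.queries_seen)
```

The privacy property to check after a run is that `server.queries_seen` contains only 6-character prefixes; with a real-sized database each prefix covers many thousands of addresses, which is what gives the client its anonymity set. The normalisation step matters too: without lower-casing and trimming, a user typing `Alice@Example.COM` would get a false “not breached” result.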
Rolled Out
The Monitor 2.0 security tool that’s just been rolled out in the latest Firefox Quantum update can tell you if your details have been leaked online (if you visit monitor.firefox.com), provide a desktop notification / alert when you visit a website that’s been compromised in the last 12 months, and give extra security details such as how many accounts were affected by a breach and what happened in the breach.
You Can Turn Notifications Off
Mozilla has been quick to point out that the Monitor tool has been designed to help but not annoy users. As such, if you’ve already been told about the potential security issues, you can navigate back without being told again, and you can disable the notifications altogether with just a few clicks if you’d prefer not to see them.
What Does This Mean For Your Business?
Google Chrome dominates the browser market, but there is still a lot of competition among those fighting it out with a less than 10% share of the market – Apple’s Safari, Firefox, Microsoft’s Internet Explorer & Edge. Adding this tool, that’s linked to a renowned security expert, to the Firefox browser could add some real value at a time when the news is full of major security breaches, but most of us may not know how to check whether our details have been stolen, and what to do next.
Businesses always need to be very security-conscious, particularly since the introduction of GDPR, and being able to see notifications about pages that have been breached may be another way that business users can help to protect themselves.
The tips and personal stories of those who have been affected by a data breach highlighted on the Firefox website for Quantum business users may also help raise awareness about online privacy and could help provide prompts and ideas to help keep improving data protection and cyber resilience in businesses.
Make Skype Calls Through Your Amazon Echo
On Monday, the Microsoft Skype blog announced that Skype calling is now available on Amazon Alexa devices using a simple voice command and that Alexa customers can now call most landlines and mobiles internationally using Skype, as well as benefitting from 200 free minutes of Skype to call 34 countries.
Can Already Make Calls
Many Amazon Echo / Echo Plus and Echo Dot users may already be used to making calls via their Echo. Last year, Alexa-to-Alexa calls from compatible devices were enabled e.g. calling another Echo from your Echo by saying “Call (John’s) Echo”. Also, Echo Connect combined with a user’s landline or VoIP service has enabled compatible Echo devices to call any number supported by a user’s home phone service provider e.g. contacts by name, specific mobile numbers, and by saying the individual digits of a full phone number.
How To Set Up Skype Calls On Your Alexa Device
Amazon Echo users can set up Skype calling by:
– Opening the Amazon Alexa app (the same one used to set up the Echo in the first place)
– Going to ‘Settings > Communication > Skype’
– Signing-in using the same account used for Skype
How To Make A Call Via Skype
According to the Microsoft Skype blog, once Skype has been set up on the Amazon Echo, (using an example) making a completely hands-free call should be simply a case of saying, “Alexa, call Mum on Skype.”
The new Skype call service via the Echo is being rolled out in the U.S., U.K., Ireland, Canada, India, Australia, and New Zealand. The addition of the new feature is also being supported by a price drop in the Echo.
Video Calls With Display-Based Echo Show / Spot
The hook-up with Skype also means that although speaker-only Echo devices can only make audio Skype calls, a display-based Echo Show or Echo Spot should be able to make video calls using Skype.
It should also now be possible to make Skype calls via the Echo to other Skype-enabled devices e.g. PCs, smartphones, or even an Xbox One console. SkypeOut also means that calls can be made to mobile and landline numbers.
What Does This Mean For Your Business?
Amazon is already the market leader (41% market share) in global smart speaker shipments, ahead of Google at 28% (Strategy Analytics data). There is fierce competition in the huge and growing smart speaker market, e.g. one-quarter to one-third of the U.S. population already owns a smart speaker, and the global number of installed smart speakers may more than double to 225 million units in two years (Canalys). Amazon is trying to make its smart speakers as ubiquitous as possible, e.g. at home, at work and in the car, and adding features like this may make them even more attractive to customers, particularly in the season where sales are likely to be high, and where sales are already being supported by a price drop for Echo devices. More sales of Amazon Echo devices could also mean that voice shopping on Alexa could potentially generate more than $5 billion per year in revenue by 2020.
For users of Amazon’s Alexa smart speaker devices, the promise of easy, hands-free Skype calls could be another value-adding feature to tempt them to buy an Amazon smart speaker instead of others such as Sonos, or Google Home.
MFA Lockout For Microsoft & Azure Users Causes Business Disruption
The latest multi-factor authentication (MFA) issue left users of Azure and Microsoft Office 365 unable to log in to their accounts on Monday 21st, causing widespread disruption to businesses in Europe, Asia, and some parts of the US.
What Happened?
According to reports by Azure, the root cause was a Europe-based database reaching its operational threshold under the load of requests from MFA servers. This led to latency and timeouts, and an attempt to re-route traffic through North America caused the extra traffic to block servers there too.
Finally Rectified
After lasting from 4:39 am until the evening in the UK, the problem was finally rectified. According to Microsoft reports, services could be resumed after engineers removed the link between the backend service and the Azure Identity MFA service, thereby allowing the impacted servers to catch up with the existing authentication requests.
Happened Before
This was certainly not the first time that disruptive outages had occurred with Azure and Microsoft’s service. For example, a global outage in September this year affected Azure and Office 365 users worldwide after one of Microsoft’s San Antonio-based servers was knocked offline by severe weather. Also, in October, UK Office 365 users endured a 3-day-long outage and had the frustration of having more login prompts appearing after their user credentials had already been entered.
Price Rise Makes Outages More Annoying
In addition to the obvious costly business disruption, the spree of outages coincided with announcements of new commercial prices, i.e. an increase of 10% over previous on-premise pricing (4% for employees who are part of a volume discount agreement), so the service failures caused even greater annoyance.
MFA
Multi-factor authentication, which works by requiring two or more verification methods for a login / transaction, such as a randomly generated passcode, a phone call, a smart card (virtual or physical), or a biometric device, is designed to benefit a user and their business because it provides an extra layer of security for user sign-ins and transactions. Unfortunately, in the case of this most recent outage, MFA cost users rather than helping them.
What Does This Mean For Your Business?
For some companies, the recent outages at Microsoft and Azure are likely to bring into focus the dangers of placing huge operational dependency on one environment, i.e. Microsoft, and of trusting a single cloud supplier to keep them connected and productive during unplanned (and planned) email outages, especially when they have no independent cyber resilience and continuity plan. In recent months, many businesses will have been counting the productivity costs of sticking to a software-as-a-service monoculture with a company whose service has let them down on several occasions. Unfortunately, the dominance of big tech companies with their familiar operating systems and environments, and the fact that most businesses are committed to them with few practical alternatives to choose from, mean that most businesses may simply have to unhappily endure the outages and weigh them up against the benefits and reliability of the environment generally.
For Microsoft, these outages can be damaging to its reputation and can shake the trust of its prized business users.