UK Data Breach Highlights Need For Stronger Financial Data Security
A UK-based phone and broadband provider announced that the contact and payment information of 4 million individuals had been exposed in a recent data breach, including credit card and bank account numbers.
While the investigation is still ongoing, it is known that the company's website was the target of a distributed denial of service (DDoS) attack. However, DDoS attacks are designed to take down websites, not steal information. Some speculate that the DDoS attack was merely a diversion to distract the company while malicious hackers accessed customer information by some other means.
Some sources close to the investigation report that the company received a ransom email demanding approximately £80,000 (~USD $122,000). The attackers are threatening to publish the customer data if they aren't paid the full amount in Bitcoin, according to KrebsonSecurity.com.
The Current State of UK Banking Data Regulations
In an interview with the BBC UK, the company’s chief executive stated that she couldn’t guarantee all of the customer data was encrypted. An FAQ on their website confirms that “not all of the data was encrypted,” but the chief executive claimed her company was “not legally required” to encrypt the banking data, according to Ars Technica.
The UK's Data Protection Act does not require encryption; it only mandates that an organization take appropriate technical measures against unauthorized processing of personal data.
While the UK's Data Protection Act might not require encryption, the European Banking Authority recognized the need for stronger guidelines around securing online payments last year. The guidelines are primarily aimed at payment service providers, but they still affect the same kind of customer data.
Released last December and expected to go into effect this August, the EBA's guidelines on the Protection of Sensitive Payment Data recommend secure end-to-end encryption when exchanging payment data online.
Another security requirement they recommend is the use of 'strong authentication,' defined as multi-factor authentication: the use of two or more of 1) something only the user knows; 2) something only the user possesses; and 3) something the user is.
How Can Customers Protect Themselves?
There are real implications for customers, obviously. The Guardian reports that a Glasgow man received several scam phone calls a day before the breach was announced publicly. Selling stolen records on the underground market can be lucrative, especially when they number in the millions.
Customers can protect themselves by never giving personal information over the phone, especially any banking information that could allow scammers to log into your accounts remotely, such as your username or password.
Customers can also use two-factor authentication to protect their accounts. If your bank doesn't support it, ask them to, and encourage others to ask as well.
How Can Companies Protect Against a Data Breach?
Companies can follow the security guidelines recommended for banking and payment information, including a few basics outlined by the EBA:
- Governance - Implement a formal security policy and define security objectives and risks, roles and responsibilities, etc.
- Risk Assessment - Carry out and document risk assessments for tech solutions used by the company, outsourced services, and the technical environment of their customers.
- Incident Monitoring and Reporting - Establish a process to monitor, handle and follow up on security incidents.
- Risk Control and Mitigation - Incorporate multiple layers of security defenses, segregate IT environments (dev, test and production), use least privilege, etc. Track, restrict and monitor access to sensitive payment data and physical resources.
- Traceability - Ensure that transactions are logged, and trace any additions, changes or deletions of transaction data. Also, ensure the tools needed to evaluate, query and analyze transaction log files are available.
The guidelines also list a number of specific controls and security measures for internet payments, including strong customer authentication, customer identification, provisioning, and more.
One way to quickly guard against future breaches is by deploying two-factor authentication throughout your organization, particularly for privileged users who may have permissions to view or download sensitive customer information.
Narrowing down and customizing the types of users that can log into your environment can help mitigate risk as well, by implementing authentication policies and controls that block logins based on user location or network type, including anonymous networks. Learn more about Policy and Controls.
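The two controls just described (mandatory second factor for privileged users, and blocking logins from anonymous networks or unexpected locations) can be expressed as a small policy evaluator. The code below is an added illustration, not code from the original article or from any vendor product; the roles, allowed countries, network classifications and sample login attempts are all assumed or constructed for the example.

```python
from dataclasses import dataclass

# Assumed policy parameters for this illustration (not from the article).
PRIVILEGED_ROLES = {"admin", "support_agent"}           # roles that can view/download customer records
ALLOWED_COUNTRIES = {"GB"}                              # assumed: staff are expected to log in from the UK
ANONYMOUS_NETWORKS = {"tor", "anonymous_proxy", "vpn"}  # assumed network classifications to block


@dataclass
class LoginAttempt:
    user: str
    role: str
    country: str            # ISO country of the client IP (assumed to come from a geo-IP lookup)
    network_type: str       # e.g. "corporate", "residential", "tor"
    second_factor_ok: bool  # True if the user completed a second authentication factor


def evaluate(attempt: LoginAttempt) -> str:
    """Return 'allow', 'deny' or 'require_2fa' for one login attempt."""
    # Anonymous networks hide the true origin, so the location check below is meaningless for them.
    if attempt.network_type in ANONYMOUS_NETWORKS:
        return "deny"
    # Logins from outside the expected countries are blocked regardless of credentials.
    if attempt.country not in ALLOWED_COUNTRIES:
        return "deny"
    # Users with access to sensitive customer data must always present a second factor.
    if attempt.role in PRIVILEGED_ROLES and not attempt.second_factor_ok:
        return "require_2fa"
    return "allow"


def audit(attempts):
    """Evaluate a batch of attempts and return (user, decision) pairs for the access log."""
    return [(a.user, evaluate(a)) for a in attempts]


# Constructed sample attempts, covering each branch of the policy.
SAMPLE_ATTEMPTS = [
    LoginAttempt("alice", "admin", "GB", "corporate", True),        # privileged, 2FA done -> allow
    LoginAttempt("alice", "admin", "GB", "corporate", False),       # privileged, no 2FA -> require_2fa
    LoginAttempt("bob", "support_agent", "GB", "tor", True),        # anonymous network -> deny
    LoginAttempt("carol", "sales", "US", "residential", False),     # unexpected country -> deny
    LoginAttempt("dave", "sales", "GB", "residential", False),      # unprivileged, in-country -> allow
]

if __name__ == "__main__":
    for user, decision in audit(SAMPLE_ATTEMPTS):
        print(f"{user}: {decision}")
```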
Advanced endpoint solutions can also analyze and flag all of the devices logging into your network that may contain vulnerabilities, potentially exposing your organization to an easily preventable exploit that can result in the theft of sensitive data. Learn more about Device Analysis.