One easy mistake to make cost this small business £80k in fines

Published on Tuesday, July 23, 2019 - 11:02 by Camilla Winlo

A London estate agency has been fined £80,000 under the Data Protection Act for leaving personal data relating to 18,610 of its customers exposed for almost two years.

Life At Parliament View Ltd (LPVL), which traded as LiFE Residential, transferred the data from its server to a partner organisation, but did not switch off the ‘Anonymous Authentication’ function.

This meant access was not controlled and anyone could obtain 52 different document categories containing information typically used to verify someone’s identity: bank statements, salary details, copies of passports, dates of birth and addresses of both tenants and landlords.

During the company’s two-year period of vulnerability, from March 2015 to February 2017, there were an enormous 511,912 anonymous user logins from 1,213 unique IP addresses. The majority appeared to be repeated connections from the same IP addresses, which indicates that they were carried out programmatically (i.e. someone found the vulnerability and targeted the server with a harvesting programme).
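The pattern described above (a large volume of anonymous logins, most of them repeated connections from the same addresses) is exactly what a routine review of the server’s own logs would have surfaced. The following is an added example, not code from the original article or from LPVL: it parses FTP server log lines, keeps only successful anonymous logins, counts them per client IP and flags addresses whose login rate looks automated. The log layout, the sample lines and the IP addresses are all constructed for the example; a real server’s log fields will sit in different positions and the parser must be adjusted accordingly.

```python
"""
Added detection example (not code from the original article or from LPVL).
It parses FTP server log lines, keeps successful anonymous logins, counts them
per client IP and flags IPs whose login rate looks automated, i.e. the
"repeated connections from the same IP addresses" pattern described above.
The log layout is a constructed, simplified W3C-style format:
    date time c-ip cs-username cs-method cs-uri-stem sc-status
Field positions in a real server log will differ and must be adjusted.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). FTP status 230 = login succeeded,
# 226 = transfer complete. Documentation IP ranges are used throughout.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2016-06-01 02:00:01 203.0.113.10 anonymous USER anonymous 331
2016-06-01 02:00:01 203.0.113.10 anonymous PASS *** 230
2016-06-01 02:00:03 203.0.113.10 anonymous PASS *** 230
2016-06-01 02:00:05 203.0.113.10 anonymous PASS *** 230
2016-06-01 02:00:07 203.0.113.10 anonymous PASS *** 230
2016-06-01 02:00:09 203.0.113.10 anonymous PASS *** 230
2016-06-01 09:15:22 198.51.100.7 partneruser PASS *** 230
2016-06-01 13:40:00 192.0.2.55 anonymous PASS *** 230
2016-06-01 13:40:04 192.0.2.55 anonymous RETR /docs/bank-statement.pdf 226
2016-06-02 09:10:41 198.51.100.7 partneruser PASS *** 230
"""


def parse_log(text):
    """Turn log text into a list of event dicts, skipping comments and blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, ip, user, method, uri, status = line.split()
        events.append({
            "time": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "ip": ip,
            "user": user,
            "method": method,
            "uri": uri,
            "status": int(status),
        })
    return events


def anonymous_logins(events):
    """Successful logins (PASS accepted with 230) by the anonymous account."""
    return [e for e in events
            if e["user"] == "anonymous" and e["method"] == "PASS" and e["status"] == 230]


def anonymous_retrievals(events):
    """Paths downloaded (RETR completed with 226) inside anonymous sessions."""
    return [e["uri"] for e in events
            if e["user"] == "anonymous" and e["method"] == "RETR" and e["status"] == 226]


def automated_ips(logins, window=timedelta(minutes=1), threshold=5):
    """IPs with at least `threshold` successful logins inside any `window`.

    A person browsing a share does not log in five times a minute; a harvesting
    script reconnecting per file does. Uses a sliding window over sorted times.
    """
    by_ip = defaultdict(list)
    for e in logins:
        by_ip[e["ip"]].append(e["time"])
    flagged = []
    for ip, times in by_ip.items():
        times.sort()
        left = 0
        for right in range(len(times)):
            while times[right] - times[left] > window:
                left += 1
            if right - left + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


def summarize(text, window=timedelta(minutes=1), threshold=5):
    """Headline figures a monitoring job would alert on."""
    events = parse_log(text)
    logins = anonymous_logins(events)
    per_ip = Counter(e["ip"] for e in logins)
    repeat = sum(n for n in per_ip.values() if n > 1)
    return {
        "anonymous_logins": len(logins),
        "unique_ips": len(per_ip),
        # share of anonymous logins coming from IPs seen more than once
        "repeat_ip_share": repeat / len(logins) if logins else 0.0,
        "automated_ips": automated_ips(logins, window, threshold),
        "files_retrieved": anonymous_retrievals(events),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a server that was meant to require a username and password, any non-zero count of successful anonymous logins is itself the alert; the per-IP rate and the list of files retrieved then tell you whether the exposure was merely present or was actually being harvested, which is the question LPVL never asked.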

The category of data is very similar to that lost by both British Airways and Marriott International, and since LPVL’s gross income for 2017 was c. £12.8m, the fine works out at around 0.6% of its annual turnover. That’s £4.30 per record.

Whilst the company immediately fixed the vulnerability once it was picked up, LPVL only notified the ICO when a hacker contacted them to inform them of the issue, claiming to have their customer data and attempting to extract a ransom for it.

Steve Eckersley, Director of Investigations at the ICO said: “As we uncovered the facts, we found LPVL had failed to adequately train its staff, who misconfigured and used an insecure file transfer system and then failed to monitor it. These shortcomings have left its customers exposed to the potential risk of identity fraud.” 

For a lot of companies, this sounds like a shocking but relatable situation (one of those “glad it wasn’t me” type stories). Many companies set up an FTP server so they can share and sync files with partner organisations, and often use Microsoft’s online guidance to do it.

Here, LPVL didn’t realise that the guidance they were following wasn’t appropriate for the task, because it allowed ‘Anonymous Access’ that didn’t enforce encrypted communications.

Clearly, they intended users to require a username and password for file transfers, but inadvertently left ‘Anonymous Authentication’ switched on, which meant that they weren’t necessary. Additionally, staff misconfigured the system so that approved transfers were encrypted, but transfers to non-encrypted parties were not.

These errors can be easy to make, especially within small businesses, which typically follow a mindset that no one is going to target them or even notice their errors – so their approach to such situations is fairly unsophisticated and they feel they can wing it most of the time. Sure, when this company spotted the vulnerability they fixed it immediately, but it probably didn’t even occur to anyone in the business to check that it hadn’t been exploited. Who would want to target them?

So: easily missed mistakes that led to disastrous consequences.

Small businesses need to move past the mindset that teenagers in hoodies, or super-advanced wizard hackers, are plotting somewhere in the dark and carefully selecting their targets for attack – so if they don’t think of you (and why would they?), you’re safe.

The stark reality is that these “wizards” are setting demons (or bots) loose which go out looking for vulnerabilities to exploit and alert their master when they’ve found something to cash in on. Most of the time it’s your vulnerabilities that alert the hackers to an opportunity, as opposed to them stumbling across them inadvertently.

However, fear not. There are several actions companies can take to avoid suffering a similar fate to LPVL:

  • Carry out a Data Protection Impact Assessment (DPIA) before transferring data.
  • Carry out a Vendor Security Assessment before approving your transfer mechanism.
  • Ensure that a qualified expert configures the software - especially software that is used to process personal data.
  • Train all staff in basic cybersecurity practices and data protection principles.
  • Ensure data protection is part of any conversation around data processing activities – especially when there are changes.
  • Regularly review data processing activities, particularly those that involve transferring data outside of the organisation.
  • Use data tracking tools which monitor data usage by both employees and third parties. This enables you to keep an eye on your data even when it leaves the building, and gives you an early warning if it’s appearing in places it shouldn’t.