Data Issues Roundup - 14 February 2017

Included in this issue: Sports agency subject of hacker blackmail; ICO reveals plans to potentially fine 11 more charities; Hackers steal details of 2.5 million gamers and more...

United Kingdom

Sports agency subject of hacker blackmail

Personal emails relating to former England international footballer, David Beckham, have been made available in the public domain in spite of a high court injunction being in place.

The emails, which appear to relate to Beckham's charity work, were stolen back in 2015 when the servers of sports agency Doyen Sports were hacked. It was reported in the Guardian that the hackers attempted to blackmail Doyen Sports by offering not to publish the emails in exchange for a payment of £1 million.

Beckham's management team rejected the offer and instead successfully obtained a high court injunction in December 2016 which prevented further publication of the stolen emails. The injunction could not, however, prevent foreign news agencies from releasing the emails to the public, and they have appeared in numerous high profile continental publications since 3 February.

This case highlights the growing trend in 'hacker blackmail' crime. This form of cybercrime is carried out either by conducting a pure hack of information on a victim's computer, where information is extracted and stored on another device ready for analysis and exploitation. The second option is the use of malware such as ransomware which locks the victim out of their device seizing control and encrypting the data within. Where a victim is locked out of their device a message appears demanding payment and where payment is made the device is unlocked or 'decrypted' again.

Hacker blackmail has become prevalent in the US recently with police departments and hospitals having been hit. Although celebrities, due to being in the public eye are a prime target for cyber criminals, the ordinary person is fast becoming a target as well. This case demonstrates the value that there is in data. Companies are reminded to review their security systems with a focus on preventing hacking and malware.

This story was published by the Guardian, it is available in full here

ICO reveals plans to potentially fine 11 more charities

Further to our article published on 17 January where we reported on the RSPCA and British Heart Foundation being fined by the Information Commissioner's Office (ICO), the ICO has released a statement confirming its plans to potentially issue eleven more charities with fines for data protection breaches.

The investigations into the charities were carried out in response to recent media reports which alleged that certain charities pressurise vulnerable supporters into donating.

The ICO will not release the names of the charities involved until the decisions have been finalised. The charities have been given 28 days to issue a response to the ICO's findings.

It will be interesting to see how this story develops in the next few weeks. We will report again on this topic in due course.

More information on this story is available on the ICO's website here

ICO issues CCTV registration reminder

The ICO has issued a reminder to companies that use CCTV cameras to make sure that they are registered following the recent case of a business owner in Coventry being fined £200 for breaching section 17 of the Data Protection Act. The business in question used on-site CCTV cameras but was not registered with the ICO.

Steve Eckersley, the ICO's Head of Enforcement, said:

“The message here is simple, if you are a business operating CCTV cameras you must be registered with the ICO. Business owners need to be aware of their obligations when dealing with people’s personal data and this includes footage from CCTV cameras. Being ignorant of the law and the regulator is no excuse; you could end up spending a day in court and receiving a fine, as well as suffering reputational damage to your business. This could all be avoided with some due care and attention.”

Where you are employing the use of CCTV on your premises, we recommend (in line with the ICO's guidance in this area) that you have a sign in place informing people that CCTV is in operation. In addition a CCTV policy should be in place for all employees which details how data gathered via CCTV ought to be treated.

The original ICO statement is available here

Worldwide

Hackers steal details of 2.5 million gamers

It has recently come to light via independent cyber security expert, Troy Hunt, that two popular online gaming forums XBOX360 ISO and PSP ISO were hacked in September 2015.

Hackers targeted the XBOX360 ISO and PSP ISO forums and were able to access the email addresses, passwords and IP addresses of 2.5 million users.

Mr Hunt, explained why there is often a delay between the date when a given website has been hacked and the date of when one becomes aware of being hacked: "once a site or impacted members knows there’s been a breach, the data becomes less valuable as people change passwords and do other things to protect their identities."

He continued: "It can take quite some time before attackers decide the usefulness of the data has been exhausted and they then offer it for sale publicly or dump it."

Considering that so much of the data stolen is traded on the dark web in an eBay like environment it makes sense that one only becomes a victim of hacking in the real sense where your data has been used for criminal purposes such as monies being stolen from a given account to being at the other end of a scam or identity theft.

This story serves to highlights the importance of frequently changing online passwords and not using the same password for every online account.

The full story as reported in the International Business Times is available here