Tag Archive | "Data protection"

ICO CLOSES IN ON BODYSHOP DATA THIEVES

Theft of personal data is still common

The Information Commissioner’s Office (ICO) has searched two more properties in the North West of England as part of an ongoing investigation into nuisance calls linked to stolen bodyshop repair data. The latest search warrants were executed at locations in Gatley, Greater Manchester and Wilmslow, Cheshire, where investigators seized computers and phones that are now subject to forensic examination.

“This illegal trade has multiple negative effects both on the car repair businesses targeted for their customer data and the subsequent nuisance calls made to customers. These can be extremely unsettling and distressing,” said Mike Shaw, Enforcement Group Manager at the ICO. “These people won’t get away with it – any person or business involved in the theft and illegal trade of personal data may find themselves subject to ICO action.”

Since the investigation launched last year, the ICO has fined a Hampshire-based firm £270,000 after it carried out 22 million nuisance calls, and has imposed a £400,000 penalty on Keurboom Communications Ltd for the same offence. Two more properties were recently raided in Macclesfield and Droylsden, but no sanctions have been confirmed.


NBRA ISSUES SECURITY ADVICE TO MEMBERS

NBRA Director Jason Moseley

The National Bodyshop Repair Association (NBRA) has issued security advice to businesses in a bid to prevent further cyber attacks, following last month’s ICO raids on addresses where computers thought to have been used in the cyber crimes were seized.

“The National Body Repair Association (NBRA) has been focusing heavily on protecting members’ interests related to data security within bodyshops over the past 12 months”, said Jason Moseley, Director of NBRA. “In our latest move, following last month’s massive ransomware cyber-attack, the NBRA has communicated some critical IT security advice to our members to protect their business”.

He adds: “The attack hit the NHS, the French carmaker Renault, many banks and companies around the world. The ransomware that hit the NHS in England and Scotland, known as ‘Wanna Decryptor’ or ‘WannaCry’, has infected 200,000 machines in 150 countries since Friday.”

The advice to NBRA members includes running an actively supported operating system that receives regular updates, and having a ‘disaster recovery plan’ that backs up content onto devices kept offline. Moseley also encourages bodyshops to run anti-malware software and to ensure it regularly receives signature updates.

Moseley concluded by saying, “We are in a new era of cyber criminality and as a trade association we have a duty of care to assist members to secure their businesses. Being an NBRA member means bodyshops have access to the latest information”. More details can be found on the association’s website.


KEEPING SECURITY CONTROL

Ransomware is affecting the motor trade on an epic scale. We speak to an expert on how to curb it.

Cyber expert William Taaffe

Security is a big deal in this day and age. You’ll know that the NHS is still reeling after the WannaCry virus hit a number of machines on its network last month, as happened to government and corporate networks around the world. In case you are not familiar, the so-called ‘ransomware’ encrypts the files on an infected computer and, in this case, threatened to delete them unless a ransom, paid in Bitcoin, is received. Even then, it is unlikely that you’ll get your files back, as it will take someone, somewhere to manually authorise it… which they have no interest in doing after they have both your money and your files.

What you might not know is that this type of software has been affecting the motor trade possibly more than most industries over the past few years. It has mostly been targeted at dealerships, but wherever there is a mixture of weak security and sensitive data, hackers will pounce. To find out what can be done, we spoke to an expert in cyber security in the motor trade. William Taaffe was the Cyber Security Business Manager (he has very recently switched companies) at RDS Global, a firm that started as the IT department of one of the main dealer groups in the 1990s, but has since become an IT support and consultancy brand of its own, following an MBO in 2013.

Our first question is why the motor trade is particularly vulnerable. Taaffe explained that the industry is a sitting duck for wrongdoers. “Turnover is what people are looking for. One reason is that the vehicles and stock are of a high value,” he said. “The other reason is there are huge amounts of data that is collected, and that data is stored in different systems. That data is a big vulnerability”.

Another draw for criminals is that the consequences of being caught for cyber crime are less severe than for street vice. “I saw a story on the BBC website where a frontline fraudster who was dealing in data was asked ‘why are you doing this?’. He said: ‘because I make more in a single day doing this than in a month selling cocaine.’ I thought it was a great quote – it just shows the power of modern criminality, and it revolves around identity fraud,” said Taaffe.

So, what steps can be taken to secure your network? Taaffe recommends that each company should have a ‘cyber audit’, which in the case of very large chains could take several days. “One of the first things we do is look at the physical security” Taaffe explained, “I don’t just mean on the network, I mean who can physically walk into a site”.

There are a lot of quick and easy measures that can be taken to prevent random people from wandering into your main server cupboard, such as a lock on the door at the most basic level, rising to more sophisticated access control cards that can log people in and out of parts of your building (and for these, Taaffe recommends a firm called Paxton Access). However, the most sophisticated lock in the world is no use if it is left open. “Processes are one of the most important things you can do,” Taaffe said. “It’s about accountability, such as whose job is it to flag things up if there is a breach, and is it mentioned in management meetings?” These ‘cyber essentials’, as Taaffe refers to them, are obvious, but he explains how common it is to find firms that don’t even have a policy in place for the staff to follow.

CHANGING LAW
This brings us on to another point that firms might not be aware of. By 2018, every company with more than five people will have to implement a cyber security policy, or it will be breaking the law itself.

However, the problem of the day is not with people physically messing with the computers, but with perpetrators in unknown countries infecting computers with malicious software, or ‘malware’ as Taaffe calls it. “It takes different forms, but what we’ve been seeing is ‘multi-faced’ malware,” Taaffe explained. “It doesn’t have one specific line of coding, it has a group of different coding. It will sit on your network very efficiently and it won’t run any applications. You might have heard the phrase ‘zero data tag’, which means something that hasn’t been seen before, so it bypasses the anti-virus software. It can get into your system and work out where the vulnerabilities are – and then work out what face to put on. Sometimes, with the right conditions, it can lock your network up and ask you for Bitcoin to unlock it”.

Once the computer is infected, there isn’t much you can do. “The police will always advise you not to pay, but the reality of the situation is that it is not black and white,” said Taaffe. “The cost to the company for being ‘down’ was £100,000 per day. Sometimes it is better to pay the ransom and then rebuild the network, rather than keep it offline for days and days”.

Taaffe recalls a recent experience where a hacker had exploited a vulnerability in a network to extort a ransom. “In this case, they had a process, but it just wasn’t followed. There’s no point in sending out a memo once a year; it has to be followed up regularly,” he said.

Another old tactic that has seen a resurgence is phishing. This is where the user is duped into handing over data by someone pretending to be something they are not – and this has moved on a lot from the days of apparent Nigerian princes asking politely for your credit card number. “Modern phishing attempts are more advanced,” said Taaffe. “Some will learn individual employees’ diaries and will pretend to be them at certain times of the day, asking for certain amounts of cash to purchase vehicles or whatever. You’d be surprised by the number of people that get taken in by them.”

As with so many things, training, vigilance and enforcing policy are the best guard against criminals. “There are two misconceptions in the market. The first is that you can solve security problems by throwing technology at it. You can’t. The second is that they go away if you install anti-virus software; that just won’t cut it anymore,” concludes Taaffe.


FURTHER ICO HOUSE RAIDS OVER BODYSHOP “DATA THEFT”

Two properties in the North West have been raided as part of an ongoing investigation into nuisance calls related to data theft from car body repair shops.

The Information Commissioner’s Office (ICO) carried out the searches on Tuesday 11th at private residences in Macclesfield and Droylsden. There is no word as yet about what, if anything, was seized, or whether any arrests were made.

The investigation centres on hacked data from crash repair shops used to make nuisance calls to people to encourage them to make personal injury claims. The same investigation saw a business and two homes raided in December.

Mike Shaw, Enforcement Group Manager at the ICO, said: “Many people get unsolicited calls suggesting they’ve been involved in an accident, and wonder how the caller had their details. Calls can leave them feeling uneasy and frustrated”.

Jason Moseley, NBRA Director, added: “Membership of our association promotes good data diligence and practices. This is something we have been working closely with the ICO on for 12 months now, and we fully support that further actions are being taken against this criminal activity.”


BODYSHOP DATA THEFT: ICO RAID HOUSE

Theft of personal data is still common

The Information Commissioner’s Office (ICO) has searched a house in Palmers Green, North London, after Nationwide Accident Repair Services (NARS) reported illegal activity involving its customer database.

NARS told investigators that its computer system had been hacked in order to obtain customer car repair estimates containing personal data.

The ICO believes that the stolen information may have been sold on to crooks that call people who have had car crashes. “Our experience shows that unscrupulous people access personal data about car accidents to sell it on to marketing firms, who use the details to make nuisance calls”, said Enforcement Manager Mike Shaw. “We searched this house to gather more evidence as we have reason to believe that a person living at this address has illegally accessed personal information”.

NARS has confirmed that the illegal activity did not originate from a person working at the company.

Responding to the investigation, Jason Moseley, Director of RMI Bodyshops, said: “We are delighted that further actions are being taken against this criminal activity. Our trade association stands firmly in support of NARS and others for their work with the ICO”.

Theft of personal data is increasingly common as criminals find the risks are significantly reduced compared with other types of crime.


THE COMPUTER WILL SEE YOU NOW


Data protection rules are changing: Here’s what the aftermarket needs to know

Andrew Gallie is a senior associate at Veale Wasbrough Vizards specialising in information and data protection law.

Data protection law has recently been updated by Europe and will be in place in less than two years. Despite the Brexit vote, businesses – large and small – need to note the changes as the penalties for breaches will be severe and adjusting to the new rules will take time.

The European Union’s General Data Protection Regulation (GDPR) was finalised at the end of April 2016 after four years of discussion, disagreement and negotiation and will directly affect all member states from May 2018. Firms have no choice – the GDPR is not going away.

But a question arises: Now that we’re scheduled to leave the EU, will the GDPR still matter? The answer is yes – it will. The Secretary of State for Culture, Media and Sport, Karen Bradley, before a House of Commons committee at the end of October 2016, formally stated that: “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR.”

TAKE THE LAW SERIOUSLY
The GDPR is not a monster but it needs to be taken seriously. Changes will be required, and if the required changes are not made then firms risk considerable fines and reputational damage. Indeed, under the GDPR, those organisations that breach the law could face a fine of up to four percent of annual worldwide turnover or €20m (whichever is the greater).

These penalties do seem geared to the larger firm, but a quick search of the Information Commissioner’s Office (ICO) website – the UK enforcer of data protection law – shows that organisations of all sizes are being taken to task.

PRESENTLY
The present data protection regime, under the Data Protection Act 1998 (DPA), protects a person’s rights in respect of their personal data and is built upon eight data protection principles. These are all common sense and require that personal data is processed fairly and lawfully; obtained and used for specified and lawful purposes only; adequate, relevant and not excessive in relation to their purposes; accurate and up-to-date; not kept for longer than is necessary; processed in accordance with the individual’s rights; kept secure; and not transferred outside of the European Economic Area without adequate protection.

Apart from these there are other points to note about the present law. The first is that there are extra obligations when handling sensitive personal data such as information about ethnic origin, sexual life, trade union membership etc. Further, individuals have a right via a Subject Access Request (SAR) to find out what information is held about them.


THE CHANGES
Rights of the individual
Individuals have a right to know what is going to be done with their data, and who it is going to be shared with. A website privacy notice can tell people about this. Under the GDPR there is additional information which must be provided: Firms will need to tell data subjects – users – the legal basis for processing their data, the data retention period, and of their right to complain to the ICO. There is also a requirement that the privacy notice is concise, easy to understand and in clear language.

The GDPR confers new rights such as having inaccuracies corrected, having information erased, preventing direct marketing and a right to data portability (because of this, firms will have to provide data electronically).

Presently, firms have 40 days to respond to a subject access request but under the GDPR this will drop down to a month. Refusing a request will require a firm to have appropriate policies and procedures in place. There will also be obligations to provide additional information such as data retention periods and the right to have inaccurate data corrected.

Consent for data processing
For many, the most challenging area under the DPA is that of “consent”: consent to use personal data cannot be inferred from silence, pre-ticked boxes or inactivity. The GDPR requires that consent must be freely given, specific, informed and unambiguous. If a firm is going to rely upon ‘implicit consent’ then it must be ready to deal with a challenge as to how unambiguous the consent was.

Other obligations
There is presently no general obligation to report data breaches, but the GDPR radically changes this and creates an obligation to report, within 72 hours, data protection breaches which could cause an individual harm. Firms should consider how they would deal with this new obligation. They should be asking: How secure are their systems? What training do staff have? Is personal data encrypted? What breaches might result in an obligation to report? How would the harm to individuals be mitigated? Do the procedures in place around data breaches allow these obligations to be met?

One solution to compliance is obvious – appointing a capable, interested person with the responsibility for ensuring that the obligations are met.

The GDPR is a real and present threat to firms and organisations of all sizes and the financial consequences for ignoring the new rules are severe. However, those that plan and who choose to follow their obligations should have little to worry about.


ICO RAID ON BODYSHOP DATA
The Information Commissioner’s Office (ICO) has raided two houses and a business in the North West, following a tip that people in the premises were involved in the illegal sale of personal data from the motor trade.

The raids are connected to an ongoing investigation into hundreds of thousands of cold calls made to people to encourage them to make personal injury claims in relation to road traffic accidents.

Mike Shaw, Enforcement Group Manager at the ICO, said: “We know lots of people get these calls suggesting they’ve been involved in an accident, and wonder how the caller had their details”.

“The answer is that lists of people who’ve been involved in car accidents can be valuable leads to claims companies. That information is difficult to come by, even for the more disreputable firms, so data on people who’ve simply had their vehicles repaired is still prized, even though many of those people won’t have been involved in any accident”.

Jason Moseley, Director of RMI Bodyshops, said: “We are pleased to hear that investigations into the illegal trade of motorists’ personal data are proving successful”.

He added: “We are committed to helping eradicate this type of behaviour which is tarnishing our sector’s reputation. RMI Bodyshops members recognise the importance of ensuring motorists’ details remain confidential and we will continue to protect our members’ reputations by doing whatever it takes to prevent and stop this behaviour”.
