From pwt at iosis.co.uk Fri Oct 26 10:25:58 2012
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Fri, 26 Oct 2012 10:25:58 +0100
Subject: ICO penalties for not encrypting sensitive personal data
Message-ID: <508A5726.60806@iosis.co.uk>

Smart Card News has today reported:

Penalty Highlights Need for Encryption of Sensitive Data

The Information Commissioner's Office (ICO) is reminding organisations that sensitive personal information should be encrypted when being stored and sent electronically.

The news comes as Stoke-on-Trent City Council receives a monetary penalty of GBP 120,000 following a serious breach of the Data Protection Act that led to sensitive information about a child protection legal case being emailed to the wrong person.

Stephen Eckersley, Head of Enforcement at the ICO, said: "If this data had been encrypted then the information would have stayed secure. Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure. It is particularly worrying that a breach in 2010 highlighted similar concerns around encryption at the authority, but the issue was not properly resolved."

The breach happened on 14 December 2011 when 11 emails were sent by a solicitor at the authority to the wrong address. The emails included highly sensitive information relating to the care of a child and further information about the health of two adults and two other children. The emails should have been sent to Counsel instructed on a child protection case.

The ICO's investigation found the solicitor was in breach of the council's own guidance which confirmed that sensitive data should be sent over a secure network or encrypted. However, the council had failed to provide the legal department with encryption software and knew that the team had to send emails to unsecure networks. The council also provided no relevant training.
** end quote **

I am concerned that such a penalty inflicted on a public sector body is monetary, thus presumably either going back to the Treasury or being used to fund the ICO. Why not instead require the guilty party to do the necessary work of disciplining of staff (and if necessary of Elected Members), training, and provision of the tools, do it quickly, and demonstrate (to the satisfaction of an inspector) that it has been done?

Peter

Peter Tomlinson
Iosis Associates
Bristol


From flyingkiwiguy at gmail.com Sun Oct 28 17:55:02 2012
From: flyingkiwiguy at gmail.com (Gary Mulder)
Date: Sun, 28 Oct 2012 17:55:02 +0000
Subject: ICO penalties for not encrypting sensitive personal data
In-Reply-To: <508A5726.60806@iosis.co.uk>
References: <508A5726.60806@iosis.co.uk>
Message-ID:

On 26 October 2012 10:25, Peter Tomlinson wrote:
> Smart Card News has today reported:
>
> Penalty Highlights Need for Encryption of Sensitive Data
>
> The Information Commissioner's Office (ICO) is reminding organisations
> that sensitive personal information should be encrypted when being stored
> and sent electronically.
>
> The news comes as Stoke-on-Trent City Council receives a monetary penalty
> of GBP 120,000 following a serious breach of the Data Protection Act that
> led to sensitive information about a child protection legal case being
> emailed to the wrong person.

That's interesting. I discovered today a website that intentionally makes false claims of using SSL, and Visa 3D Secure or Mastercard SecureCode, but in fact accepts credit cards online in plain text. How do you get the ICO to investigate such blatant misrepresentation and violations?

Gary
From fearghas at gmail.com Sun Oct 28 19:50:19 2012
From: fearghas at gmail.com (Fearghas McKay)
Date: Sun, 28 Oct 2012 13:50:19 -0600
Subject: ICO penalties for not encrypting sensitive personal data
In-Reply-To:
References: <508A5726.60806@iosis.co.uk>
Message-ID:

Tell the Guardian or other national rag?

sent from my computerised otterbox - apologies for formatting etc.

On 28 Oct 2012, at 11:55, Gary Mulder wrote:
> On 26 October 2012 10:25, Peter Tomlinson wrote:
>> Smart Card News has today reported:
>>
>> Penalty Highlights Need for Encryption of Sensitive Data
>>
>> The Information Commissioner's Office (ICO) is reminding organisations that sensitive personal information should be encrypted when being stored and sent electronically.
>>
>> The news comes as Stoke-on-Trent City Council receives a monetary penalty of GBP 120,000 following a serious breach of the Data Protection Act that led to sensitive information about a child protection legal case being emailed to the wrong person.
>
> That's interesting. I discovered today a website that intentionally makes false claims of using SSL, and Visa 3D Secure or Mastercard SecureCode, but in fact accepts credit cards online in plain text. How do you get the ICO to investigate such blatant misrepresentation and violations?
>
> Gary


From pwt at iosis.co.uk Sun Oct 28 21:57:11 2012
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Sun, 28 Oct 2012 21:57:11 +0000
Subject: ICO penalties for not encrypting sensitive personal data
In-Reply-To:
References: <508A5726.60806@iosis.co.uk>
Message-ID: <508DAA37.8050005@iosis.co.uk>

I think that it's for the bankers to shut that one down.

Peter

On 28/10/2012 17:55, Gary Mulder wrote:
> That's interesting. I discovered today a website that intentionally
> makes false claims of using SSL, and Visa 3D Secure or Mastercard
> SecureCode, but in fact accepts credit cards online in plain text.
> How do you get the ICO to investigate such blatant misrepresentation and
> violations?
>
> Gary


From ben at liddicott.com Sun Oct 28 22:02:08 2012
From: ben at liddicott.com (Ben Liddicott)
Date: Sun, 28 Oct 2012 22:02:08 +0000
Subject: ICO penalties for not encrypting sensitive personal data
In-Reply-To:
References: <508A5726.60806@iosis.co.uk>
Message-ID: <508DAB60.20509@liddicott.com>

Surely the people to tell are MasterCard and Visa? I would imagine they would put a stop to it in short order?

Perhaps your experience is otherwise however. Anyone know how they respond to things like this?

Cheers, Ben.

On 28/10/2012 17:55, Gary Mulder wrote:
>
> That's interesting. I discovered today a website that intentionally
> makes false claims of using SSL, and Visa 3D Secure or Mastercard
> SecureCode, but in fact accepts credit cards online in plain text. How
> do you get the ICO to investigate such blatant misrepresentation and
> violations?
>


From lists at internetpolicyagency.com Mon Oct 29 08:50:19 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Mon, 29 Oct 2012 08:50:19 +0000
Subject: ICO penalties for not encrypting sensitive personal data
In-Reply-To: <508A5726.60806@iosis.co.uk>
References: <508A5726.60806@iosis.co.uk>
Message-ID:

In article <508A5726.60806 at iosis.co.uk>, Peter Tomlinson writes
>The ICO's investigation found the solicitor was in breach of the
>council's own guidance which confirmed that sensitive data should be
>sent over a secure network or encrypted.

A secure network doesn't stop you sending data to the wrong addressee.
--
Roland Perry


From lists at internetpolicyagency.com Mon Oct 29 08:50:10 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Mon, 29 Oct 2012 08:50:10 +0000
Subject: ICO penalties for not encrypting sensitive personal data
In-Reply-To:
References: <508A5726.60806@iosis.co.uk>
Message-ID:

In article , Gary Mulder writes
>I discovered today a website that intentionally makes false claims of
>using SSL, and Visa 3D Secure or Mastercard SecureCode, but in fact
>accepts credit cards online in plain text. How do you get the ICO to
>investigate such blatant misrepresentation and violations

And I saw one the other day that archives your CVV (along with everything else) "for use next time", which I understand is against the Card Companies' T&C.
--
Roland Perry


From jj.gray at shc.qinetiq-tim.com Mon Oct 29 08:39:56 2012
From: jj.gray at shc.qinetiq-tim.com (JJ Gray)
Date: Mon, 29 Oct 2012 08:39:56 +0000
Subject: ICO penalties for not encrypting sensitive personal data
In-Reply-To: <508DAB60.20509@liddicott.com>
References: <508A5726.60806@iosis.co.uk> <508DAB60.20509@liddicott.com>
Message-ID: <508E40DC.4000209@shc.qinetiq-tim.com>

On 28/10/2012 22:02, Ben Liddicott wrote:
> Surely the people to tell are MasterCard and Visa? I would imagine they
> would put a stop to it in short order?

You would think so, wouldn't you? The reality I have found to be different, certainly on a "personal" level, i.e. not a Pen Test.

There was a particular hotel that thought it was a Good Idea (TM) to record my CC details and CV2 number in their little hotel application. I queried this in my usual tactful style and they removed the details. I then called the CC company and tried to explain the situation, assuming that they would have much more effect than myself, but that all went Helpdesk Loop pretty quickly. As I was not reporting a stolen card or fraud conducted against my card, they really didn't seem to care about anything else.
In the absence of a "Bubble the Merchant" hotline, I don't think they will.

Cheers,
JJ


From maryhawking at tigers.demon.co.uk Mon Oct 29 09:30:41 2012
From: maryhawking at tigers.demon.co.uk (Mary Hawking)
Date: Mon, 29 Oct 2012 09:30:41 -0000
Subject: ICO penalties for not encrypting sensitive personal data
In-Reply-To: <508DAB60.20509@liddicott.com>
References: <508A5726.60806@iosis.co.uk> <508DAB60.20509@liddicott.com>
Message-ID: <081147A1FC484747B47BAAA01A1AC980@MaryPC>

Is this a criminal offence, and if so under what law? (I'm assuming it isn't as no-one has suggested the police)
And if it isn't, surely it falls under some regulator?

Do the customers receive the goods/services for which they are paying? i.e. is this a criminal scam to gather customer card details, or a real business with deplorably unsafe/illegal on-line procedures (? Trading Standards?)?

Is there any way of discovering whether the customers of this site have a higher than normal risk of having their card details used illegally?

And above all, how common is this, and is there any way a savvy shopper can spot it in time?

Mary Hawking
"thinking - independent thinking - is to humans as swimming is to cats: we can do it if we really have to." Mark Earles on Radio 4.
don't forget patients like Fred!
http://primaryhealthinfo.wordpress.com/2012/08/04/will-apps-help-fred/

-----Original Message-----
From: Ben Liddicott [mailto:ben at liddicott.com]
Sent: 28 October 2012 22:02
To: ukcrypto at chiark.greenend.org.uk
Subject: Re: ICO penalties for not encrypting sensitive personal data

Surely the people to tell are MasterCard and Visa? I would imagine they would put a stop to it in short order?

Perhaps your experience is otherwise however. Anyone know how they respond to things like this?

Cheers, Ben.

On 28/10/2012 17:55, Gary Mulder wrote:
>
> That's interesting.
> I discovered today a website that intentionally
> makes false claims of using SSL, and Visa 3D Secure or Mastercard
> SecureCode, but in fact accepts credit cards online in plain text. How
> do you get the ICO to investigate such blatant misrepresentation and
> violations?
>


From pwt at iosis.co.uk Mon Oct 29 14:26:39 2012
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Mon, 29 Oct 2012 14:26:39 +0000
Subject: ICO penalties for not encrypting sensitive personal data
In-Reply-To: <081147A1FC484747B47BAAA01A1AC980@MaryPC>
References: <508A5726.60806@iosis.co.uk> <508DAB60.20509@liddicott.com> <081147A1FC484747B47BAAA01A1AC980@MaryPC>
Message-ID: <508E921F.3030804@iosis.co.uk>

From material and people dug up by Smartex over the years, some time ago the police decided that the bank card payment system is so prone to problems that they were not prepared to be the first port of call for aggrieved people. Not that the police have completely abdicated, they just want the serious incidents passed on, and they are also pro-active - for example a year or so ago a gang was "cashing out" in the early morning at ATMs in Bristol's central shopping area, an operator of a private 24 hour CCTV service spotted it, called the police, and a big gang was rounded up (they had counterfeit bank cards).

That lady who used to represent the banks (her manner on TV reminded me of "She only does it to annoy...") kept on assuring us that things were getting better [1]. But then came PCI DSS, which I believe means that merchants have to have their payment engine certified compliant in order to comply with their banking contract. So I don't think that running a non-compliant payment site is a criminal offence if the owner doesn't steal money or otherwise defraud the visitor, but the bankers will want to shut it down. And Trading Standards might be interested, but in which geographical jurisdiction will they decide to get involved?

Peter

[1] She is now Chief Exec of Energy UK.
Actually the correct text is "He only...".

On 29/10/2012 09:30, Mary Hawking wrote:
> Is this a criminal offence, and if so under what law? (I'm assuming it isn't
> as no-one has suggested the police)
> And if it isn't, surely it falls under some regulator?
>
> Do the customers receive the goods/services for which they are paying?
> i.e. is this a criminal scam to gather customer card details, or a real
> business with deplorably unsafe/illegal on-line procedures (? Trading
> Standards?)?
>
> Is there any way of discovering whether the customers of this site have a
> higher than normal risk of having their card details used illegally?
>
> And above all, how common is this, and is there any way a savvy shopper can
> spot it in time?
>
>
> Mary Hawking
> "thinking - independent thinking - is to humans as swimming is to cats: we
> can do it if we really have to." Mark Earles on Radio 4.
> don't forget patients like Fred!
> http://primaryhealthinfo.wordpress.com/2012/08/04/will-apps-help-fred/
>
>
> -----Original Message-----
> From: Ben Liddicott [mailto:ben at liddicott.com]
> Sent: 28 October 2012 22:02
> To: ukcrypto at chiark.greenend.org.uk
> Subject: Re: ICO penalties for not encrypting sensitive personal data
>
> Surely the people to tell are MasterCard and Visa? I would imagine they
> would put a stop to it in short order?
>
> Perhaps your experience is otherwise however. Anyone know how they
> respond to things like this?
>
> Cheers, Ben.
>
>
> On 28/10/2012 17:55, Gary Mulder wrote:
>> That's interesting. I discovered today a website that intentionally
>> makes false claims of using SSL, and Visa 3D Secure or Mastercard
>> SecureCode, but in fact accepts credit cards online in plain text. How
>> do you get the ICO to investigate such blatant misrepresentation and
>> violations?
>>
>
>
>
>
>
>


From flyingkiwiguy at gmail.com Mon Oct 29 22:27:27 2012
From: flyingkiwiguy at gmail.com (Gary Mulder)
Date: Mon, 29 Oct 2012 22:27:27 +0000
Subject: ICO penalties for not encrypting sensitive personal data
In-Reply-To: <508E921F.3030804@iosis.co.uk>
References: <508A5726.60806@iosis.co.uk> <508DAB60.20509@liddicott.com> <081147A1FC484747B47BAAA01A1AC980@MaryPC> <508E921F.3030804@iosis.co.uk>
Message-ID:

On 29 October 2012 14:26, Peter Tomlinson wrote:
> But then came PCI DSS, which I believe means that merchants have to have
> their payment engine certified compliant in order to comply with their
> banking contract. So I don't think that running a non-compliant payment
> site is a criminal offence if the owner doesn't steal money or otherwise
> defraud the visitor, but the bankers will want to shut it down. And Trading
> Standards might be interested, but in which geographical jurisdiction will
> they decide to get involved?
>
> Peter
>

Interestingly, it is a legitimate small UK travel agent. Well, legitimate to the point of providing actual travel services to most of their customers. A friend of mine used to work there and reported that they re-ticket customers on functionally equivalent fare codes, and pocket the difference in ticket price. I believe it could be criminal fraud, but hard to prove. Of course they use an offshore guy to do the re-ticketing, which is likely a violation of the DPA, as well.

They also claim to be PCI compliant, which is quite funny, as their net profits are probably less than the cost of PCI compliance.

Gary
From igb at batten.eu.org Wed Oct 31 17:06:12 2012
From: igb at batten.eu.org (Ian Batten)
Date: Wed, 31 Oct 2012 17:06:12 +0000
Subject: BBC News - Draft Communications Bill: May says web monitoring will save lives
Message-ID: <007B1C54-04D6-4313-9164-59CF32993AD0@batten.eu.org>

http://www.bbc.co.uk/news/uk-politics-20157059

> Of the 30,000 estimated cases last year where the police made an urgent request for communications data, between 25% and 40% of them resulted in lives being saved.

More than ten thousand lives a year being saved by urgent requests for communications data. Impressive. But I bet you that the vast majority are reverse DQ and location data on 999 calls, which I don't think anyone rational is attempting to prevent.

ian