Tackling the Cyber Threat at the World Cup

World Cup

The 2018 FIFA World Cup has finally arrived with the expectations for the England team  more subdued than normal…..away from the football pitch the cyber threat landscape will once again present challenges for this major sporting event.  Already this year we have seen the Winter Olympics in South Korea experience wiper malware that hit the internet and TV broadcasting of the opening ceremony.

With Russian hackers having  “home advantage ” it will be interesting to see the attack vectors utilized and how resilient cyber security will be to combat this.

GCHQ have warned the Football Association that both the officials and players could well be targeted by hackers during the tournament.

https://www.theguardian.com/football/2018/jun/12/england-world-cup-squad-targets-russian-hackers

Why the World Cup ?

Major sporting events grab the attention of the entire world but unfortunately this also attracts elements of the population who perceive this as an opportunity to be exploited  ….. the world of cyber crime.

The threat that cyber crime poses to an event such as this is similar to that which exists for any other business but on a much larger scale and with more dramatic consequences due its high profile and the many threat vectors that may exist.

Assessing the Cyber Threat

Some of the targets for cyber criminals are likely to be the following :-

1.The Official World Cup Website

Distributed denial of service (DDoS) attacks preventing access to website by fans.

The accessing of the website by hackers and altering the data such as falsifying the results and tables and providing incorrect information to the public.

Defacement of the website by a hacktivist.

Fans will no doubt access the website via Wi-Fi and vulnerability will exist if they inadvertently log in through a rogue Wi-Fi connection which could lead to the stealing of their personal data.

2.Match Day Tickets

Ticket fraud with the setting up of bogus websites taking fans money and issuing counterfeit tickets.

Website scamming offering last minute match day tickets for the big games with no ticket actually being produced.

3.The Stadiums

Technology will be pivotal in all aspects of the running of the ten stadiums being used in the tournament. Stadium entry, ticketing processing, management of floodlights and associated infrastructure would all be impacted in the event of a cyber attack.

4. Tournament Data 

The event will involve a huge amount of data ranging from credit card data of fans, players confidential information or the database of the organizers which is likely to be targeted by hackers. This could occur through phishing attacks in order to steal personal private information (PPI)and then lead to possible bank fraud of individuals. With GDPR now in force hackers are likely to focus more on stealing data.

5.E-mail Transmission

E-mail scamming could be caused by bogus e-mails set up to obtain players and officials personal information that is disseminated over the internet. The numerous sending and exchanging of e-mails also presents an opportunity or spamming.

6.Media Coverage

World wide coverage will be provided to this event by television companies who will be reliant on technology and the service could be interrupted or even blacked out by a hacker wishing to cause transmission downtime.

7. Computer Network 

The spreading of a malware attack within the internal computer network and third party providers could cause enormous interruption to the running of the tournament. The reliance on technology reaches far and wide ranging from the transportation network to close circuit TV surveillance systems.

8. Mobile Applications 

Fake mobile apps devised by developers to give the impression of the official FIFA app.

9.Cyber Terrorism

Cyber terrorism could occur in a number of forms. A ransomware attack would limit or entirely restrict the use of computer systems affecting many aspects of the tournament.

There may be political motivation from countries that want to disrupt the tournament. This could be to make a political stand on an issue or perhaps a country that failed to reach the finals or a country that has controversially been knocked out of the competition.

The threat of remotely controlled drones by cyber terrorist entering a stadium causing disruption and delay to matches.

10.Social Media

Infiltration of social media websites by hackers of the tournament and personal accounts pose a threat to fans , players and officials privacy.

Cyber Risk Management Program

FIFA will no doubt have in place a comprehensive cyber risk management program to manage the World Cup  which is likely to be broken down into the following :-

  • Identification of cyber risk vectors
  • The mitigation of cyber risk within the tournament
  • The transfer of residual cyber risks that they are unwilling or unable to manage.

Cyber Insurance

Cyber Insurance can assist with the transfer of cyber risks by the following insurance modules :-

  • Network Security Liability
  • Data Privacy Liability
  • Multimedia Liability
  • Network Business Interruption
  • Data Asset Protection
  • Cyber Extortion
  • Crisis Management

A cyber insurance policy also provides post breach vendor assistance helping with data breach notification , forensic investigation and public relations.

Image : Shutterstock

Is Our Data Safer Under GDPR?

GDPR

Now that GDPR is in force will this make our data safer…..

The volumes of data running through businesses in the UK is difficult to visualise and practically impossible to safeguard so will GDPR actually make any difference to our data being better protected? The chances are that it will be but the same inherent threats will still exist.

So what are these threats ?

1.Businesses that have not yet complied with GDPR

In the the run up to GDPR a number of reports indicated that many business were behind in achieving the required standards expected there is therefore a danger that firms are still very much behind the curve in meeting the GDPR standards.

2.Inability to restore data

In the event of a compromise of personal data it will be important that a businesses can restore data by having the appropriate back-ups in place if this is not possible this will impact on their business confidence and reputation.

3.Internal espionage

Rogue employees or a disgruntled member of staff might wish to cause disruption or make a point on a company wide issue. Morrisons were recently involved in a court case and found vicariously liable for the acts of an employee who gained access to the personal details of employees and released this into the public domain.

http://www.hrmagazine.co.uk/article-details/the-morrisons-data-breach-and-gdpr-compliance

4. Heightened cyber security threats 

It is conceivable that there will a visible increase in cyber attacks on businesses as hackers will target firms for their data and exploiting vulnerabilities. Such threats as ransomware or a DDos attack where a hacker could hold a business to ransom by threatening to steal or disseminate data.

http://cyberbrokers.co.uk/will-ransomware-attacks-increase-under-gdpr/

5. Poor cyber risk management

A data controller with poor cyber risk management would be a prime target for a hacker. Basic cyber hygiene is vital with minimum standards of Cyber Essentials and preferably ISO27001 advanced cyber security processes in place.

6. The absence of an incident response plan

If a businesses is hit by a data breach it will need to react quickly to this, an incident response will assist with this . Business continuity and disaster recovery plans should also be in place so that the business can continue to operate.

Cyber Insurance can help….

This specialist form of insurance can provide valuable coverage in the event of a data breach and help mange the impact of this.

The main elements of coverage provided to protect data are as follows:-

  • Privacy Liability
  • Data notification costs
  • Regulatory costs and expenses
  • 24/7 Incident response services

There is no doubt that data will still be at risk with threats to its security emerging as technology and the incentives to use data for ill means increases.

Image : Shutterstock

Panama : The Cigar is Still Smouldering…

Panama

Up until recently Panama was associated with a canal , hats and cigars…..it is now known for one of the biggest data breaches ever known – the Panama Papers.

What are the Panama Papers?

These are a leaked set of 11.50 million confidential documents that provide details of approximately 214,000 offshore companies listed by Panamanian law firm Mossack Fonseca. This information contained identities of shareholders and directors of these companies and showed the wealth of high profile individuals , including the assets that were hidden from the public. Individuals included past and current heads of states, government officials and celebrities from over 40 countries. Investigations have now determined some of the companies may have been utilized for various illegal purposes.

The Panama Papers far exceeds the previous highest data breach record previously held by Wikileaks by 1500 times.

How did this happen?

An anonymous source know as “John Doe” passed the documents to German newspaper Suddeutsche Zeitung which it is understood commenced at the beginning of 2015. The quantum of data involved was 2.6 terabytes which is a vast amount of data In view of the amount of data involved the newspaper recruited the assistance of the International Consortium of Investigative Journalists (ICIJ) which distributed all the documents so that they could be investigated by various journalists and media organizations around the world. The first documents were published on 3rd April. The ICIJ will issue a full list in May of all the companies involved.

What was the cause of this huge data leak ? 

There are a number of different schools of thought as to whether this was due to an insider or outsider hacker attack , but one thing that is certain is that Mossack Fonseca did appear to have very poor cyber security procedures in place.

This has been evidenced by some of the following cyber security flaws that have since been discovered:-

  • The Outlook Web Access login had been utilized since 2009 with the client login not being updated since 2013
  • The computer systems included a high risk SQL injection vulnerability that allows anyone to remotely execute arbitrary instructions.
  • The main computer system included a version of WordPress that was three months out of date.
  • Configuration of the website was not recognized as best practice.
  • Mossack Fonseca’s e-mails were not encrypted
  • The systems were vulnerable to external scanning and possible exploitation

With the amount of data involved it is believed that it took about one year for the data to arrive at its destination. It is a wonder that no one noticed this amount of data leaving the company ? Interestingly enough very few US citizens were listed in the papers , which may be due to the fact that the US does have different corporate tax structures which negates the need for offshore tax arrangements.

www.wired.co.uk   The security flaws at the heart of the Panama papers

Why was Mossack Fonseca targeted ?

Legal firms hold a great deal of data on their clients including copies of personal data , confidential documents and legal transactions which does make them a prominent target for hackers. A high profile legal practice such as Mossack Fonseca involved in the areas that they practiced in therefore represents an ideal victim to a hacker.

With the poor cyber security procedures in place it does perhaps suggest that this data compromise may have come from an insider hacker who knew the computer systems and perhaps an employee with a point  to make or an overarching grudge.

Reputational damage is also a consequence of a breach of this nature , another possible reason for the this attack. which sometimes causes irreversible damage to a firm.

What could have prevented this data breach? 

In the current climate no one business or individual is 100% secure from a cyber security breach but certain procedures seemed to be absent from what would be expected to be standard cyber security risk management procedures:-

  • Prioritising  of cyber security
  • Regular patching of software
  • Updating of software
  • Regular login updating
  • Encryption of all sensitive documents
  • Website security

How Cyber Insurance could have helped ? 

A cyber insurance policy can provide the following coverage.

  1. Data breach costs incurred including notification costs to the appropriate regulatory bodies
  2. Regulatory costs and investigations that may arise as a result of the breach
  3. Post breach costs including investigation and forensics costs incurred to monitor and analyse the data breach which would help identify the cause of the incident.

The proposal for cyber insurance also requires certain minimum security measures to be in place at the onset prior to the policy incepting , the purchase of a cyber insurance policy therefore may have help Mossack Fonseca focus on certain areas of cyber security that may have prevented the hacker to penetrate their computer systems.

From the wider perspective the insurance market is assessing its exposure by gathering data from insurers and reinsurers in order to ascertain the consequences of this loss to the industry. One thing for sure is that insurance coverage would not respond to any illegal activities.

General Data Protection Regulations

Despite being passed the GDPR are not yet in force , but what would have been the ramifications of this on Mossack Fonseca.. ? These rules will apply to entities that carry out business with companies based in the EEC , whether the complicated legal structures put in place by Mossack Fonseca would have implicated by this is difficult to tell , but fines of 4% of annual global turnover or E20,000,000 , which ever is the less would apply if this was the case.

Lessons to be learned 

  • Robust cyber security measures and procedures are paramount to a business armoury in protecting their mere existence.
  • Law firms will be alerted to this data breach and with recent attacks in the US , this sector is clearly currently a target for hackers
  • Cyber Insurance can help improve cyber security and mitigate the effects of a data breach

The biggest data breach ever experienced is still being uncovered, further revelations will no doubt come to light in the coming months… the cigar is still smoudering.

 

EU – US Privacy Shield – is data safe again?

Privacy

The privacy of the transfer of data between the UK and US received a boost this week when the European Commission announced that political agreement had been reached on what is effectively a replacement of the Safe Harbor, known as the “Shield Decision”. A Working Party has subsequently published their initial reactions which the European Commission must take into account if the Working Party does not agree with “The Shield Decision”. In the event that that national data protection authorities refuse transfers on the basis of this decision this will be raised to the European Court of Justice.

This is the result of three months of negotiations between the EU and US  after the fall of the Safe Harbor agreement that existing up until October last year. The deadline of 31st January was missed as negotiations over run with both parties failing to agree new privacy boundaries.

In the meantime it is understood that local data protection authorities will continue to accept standard contractual clauses and binding corporate rules for transfers  of data to the US, providing privacy protection between these countries.

The main obligations imposed on firms handling Europeans personal data are as follows:-

  • US firms will need to commit to “robust obligations”  on how personal data is processed and individual rights guaranteed . This will be monitored by the US Department of Commerce.
  • Clear safeguards and transparency obligations will be imposed on the US Government which will set out specific limitations for law enforcement and national security reasons
  • There will be protection for EU citizens rights with options for redress. This will include avenues for citizens who feel the privacy of their data has been misused with strict guidelines for response to complaints

It is by no means “home and dry” , in addition to the Working Party involvement , Europe’s national privacy agencies meet to pass their own judgement on how data can be safely moved from the EU.

How does this impact on the cyber insurance market and insurers perception of data being at risk ?

It is too early to assess the impact of this decision , especially as the “Privacy Shield” has some way to go before being fully ratified , but any privacy protection laws and regulations assists cyber insurers in being more comfortable with the associated risks of loss of personal data and individuals privacy.