The report estimates that 3.7 billion phishing emails targeting Brits were sent in the last 12 months. According to the consumer research commissioned by CPP, 26% of Brits have fallen victim to online fraud with 48% of these in the last 12 months. Fake banking emails were the most common method used by criminals, with online banking fraud rising by more than 100% in the last 12 months.

“Fraudsters are becoming ever more skilled in their techniques and tactics. It can be extremely difficult to spot a legitimate email from a scam, so we advise caution at all times when online. And as social networking sites become increasingly popular, people need to continue to be mindful of what they post. Their identity is as valuable to a thief as a credit card, so protecting personal details is key.”

The CPP has created a list of tips to avoid falling prey to online fraud, including:

• Use an anti-virus program & anti-phishing tools
• Use a firewall
• Update software regularly & automatically
• Be cautious giving away personal information – banks will never ask for it online
• Install additional security software to protect your personal information

If you have concerns about online fraud, there are many fantastic resources about this online. Just search for online fraud, and you’ll come across them!

According to the report, many of the breaches have been the result of human or technical error, resulting in the recommendation to increase personnel training in security.

“Organisations should have clear security and disclosure procedures that staff can understand, properly implement these and ensure that they are being followed by staff. Staff must be adequately trained not just in the value of personal information, but in how to protect it.”

According to the ICO report, of the 1,007 data breaches, 233 were due to lost data or hardware and another 307 were from stolen data or hardware. The report indicates that 254 breaches were the result of information being disclosed in error.

Via Dave Jevans

Dave Everitt, EMEA general manager with Absolute Software, says the statistics show it is essential for companies to know where their data – and data devices – are on a consistent basis:

“It’s crucial for organisations to understand the importance of knowing where your data is at all times. It might sound obvious, but IT departments need to be managing and monitoring all devices on a daily basis”

Products from Absolute Software such as Absolute Manage and the Computrace product line can help you secure your IT assets – and thus your data. It’s important to know who is operating which devices and what data is at risk on that device – that way, if something goes missing, you can shut that device down and track it for possible recovery.

Via infosecurity

Highlights from the report:

- 69% of organizations suffering breaches were retailers. Finance was second most common.
- 66% of organizations had <100 employees
- Payment card data was compromised in 85% of cases (in all, they were not PCI DSS compliant at the time)
- 80% of attacks on data came from sources external to the organization (SQL injection the most common attack)
- 86% of compromises came from attacks on applications, with just 14% on the IT infrastructure
- Intellectual property was stolen in only 3% of organizations

You can see, from looking at the above data, that basic security requirements, like those of PCI DSS, do prevent data loss. In all the breach cases that payment card data was compromised, companies had no more than half the base requirements of the standard.

The documents outline a Metropolitan Police Service and MI5 counterterrorist operation against al-Qaeda suspects. The document revealed details for a planned arrest of terrorist suspects following a long covert surveillance operation. Steps were made to censor the photographs (only successful in Britain) and Mr. Quick’s location fearing that information would tip off the suspects. The operation was able to continue, with arrests made sooner than was planned, but it is still a major security blunder.

Bob Quick says he “deeply regretted” revealing the documents to photographers, and some people seem willing to forgive him for simply holding the paper the wrong way. However, the secret documents should not have been carried outside of secure areas in printed format – at the very least, they could have been transported in an encrypted drive. This is not the first incident where a government official has accidentally shown secret notes to the journalists who often wait outside of Downing Street.

Bob Quick resigned soon after the incidence, following a meeting with the home secretary and the Metropolitan Police commissioner.

“I have today offered my resignation in the knowledge that my action could have compromised a major counterterrorism operation.

I deeply regret the disruption caused to colleagues undertaking the operation, and remain grateful for the way in which they adapted quickly and professionally to a revised timescale.”

It is a pity that the breach was made, but the repercussions are already wide-ranging. Not only has the public outcry damaged the trust in government security, but the MPS has lost its most senior, and experienced, counterterrorism specialist. This should underscore the importance of having a clear security policy and ongoing employee training – at all levels – to ensure compliance to basic security measures.

Via Schneier

The figures, which were released in Parliamentary answers, include:

• Since 2002, 1,774 laptop computers and 1,035 desktop computers have been lost or stolen across Government, at a rate of nearly five a week and three a week respectively
• In 2008 (as of December 29), 238 laptops and 40 desktops went missing
• Since 2002, 676 mobile phones, 202 hard drives and 195 memory sticks have also been lost or stolen
• The worst offenders are the Ministry of Defence (which handles very sensitive information), which has had 866 laptops stolen and has lost 178, as well as 157 desktops stolen and seven lost

Liberal Democrat Home Affairs Spokesman, Paul Holmes said:

“Everyone understands that things go astray but it is truly staggering that over the last seven years a laptop has been lost every working day across government.

It demonstrates a culture of carelessness across Whitehall that ministers have done nothing to curtail.”

It is clear that fundamental changes need to happen in the Government in terms of the way data is handled. This includes a ‘culture of change‘, changing attitudes and knowledge of security practices, as well as upgrading technology that protects data devices (like Absolute’s Computrace can).

Also in troubling Government security news, the IRS in the US has failed to patch more than half of the cybersecurity problems identified in November. Only 49 of the 115 issues found by the Government Accountability Office have been addressed. Read more here…

Via Daily Mail, ITV ; image: mconnors @morguefile

The Information Commissioner, Richard Thomas, announced that the number of data breaches reported since November 2007 has reached 277. November 2007 marks when HMRC lost 25 million child benefit records (story here). Of those 277 breaches, 28 are attributed to the central government. The ICO is investigating 30 of the most serious breaches of this past year.

In a speech delivered to the RSA Conference, Commissioner Robert Thomas talked about the state of data security, or “data insecurity“, he adds. The HMRC data breach of 25 million child benefit records merely brought the existing data security issues to public and political attention, Thomas notes.

“The number of breaches brought to our attention is serious and worrying. I recognise that some breaches are being discovered because of improved checks and audits as a welcome result of taking data security more seriously. More laptops have now been encrypted and thousands of staff have been trained. But the number of breaches notified to us must still be well short of the total.”

Arguing that information can be a “toxic liability” as well as an asset, Robert Thomas challenges CEOs to ensure that they are minimizing the amount of data they hold and that appropriate data security measures are being taken. He says this responsibility lies with the CEO, not with the IT department or other staff.

“It’s no good saying the IT boys are looking after this, it’s no good saying the lawyers are sorting out the policies, it’s no good saying human resources are doing the training – it’s right across the organisation.”

Richard Thomas notes that personal information is the lifeblood of both government and business, but that more responsibility needs to be taken to assure that data remains safe. The first step in that is to understand the risks being faced associated with the vast centralized stores of data and its portability across networks and devices.

The ICO continues to offer advice on data security, from the encryption of laptops to improved data access policies. As noted several times by the ICO in their report, the actual figures for data breaches probably are much higher than 277. Currently there is no legal obligation to report data losses in the UK, and many data breaches may go undetected.

Out of the 277 reported breaches, 67 were due to the loss or theft of a computer or laptop. The National Health Service (NHS), the worst breach offender so far for 2008 with 75 breaches, has had 27 of those breaches the result of lost or stolen computers. Learn how Computrace can help provide multi-layered security solutions for your computers here.

Further Reading:

• ICO Press Release – Privacy watchdog calls on CEOs to take responsibility for data protection safeguards [PDF]
• Transcript – Speech to RSA Conference Europe on data breaches
  Richard Thomas, Information Commissioner [PDF]
• ICO Chart – Data security breaches since November 2007, by breach type and sector

Via BBC