Recently we went through ways you can protect yourself from cyber attacks, particularly with regards to ransomware. There is a well known, and rather depressing, aphorism that goes: a fence keeps out only those who don’t really want to get in. In other words, regardless of what you do, you still might be attacked.
The news that Gloucester City Council was fined £100,000 for having their data breached by, it would appear, Anonymous, the group known to attack websites, is a warning to us all. If there is no way to secure your data, no certainty in fact, then anyone might possibly be fined such hefty amounts.
That specific case is worth looking into. The report from the Information Commissioner’s Office (ICO) states that the breach of security was via a well known fault in the software, one that the ICO had warned about in the past, and not infrequently. It seems that in their opinion there had been a lack of due diligence.
Also interesting is the fact that the council were outsourcing their IT systems. Despite this, the council were fined due to lack of oversight. This reinforces the fact that you cannot pass off your responsibility with regard to the security of data.
The vulnerability that Anonymous exploited should not have been present as there were patches that could have been applied to the software to secure the route in. If systems were established to ensure regular checks on software updates, as we all should have, then they were inadequate.
What the fine reflected was the lack of systems, a casualness with the data. The council should have done better. What about us? A ransomware attack might hurt us from two directions: one’s data, particularly email marketing software, might be inaccessible and the ICO could reinforce our problems with a hefty fine.
In the last article we pointed out ways to reduce your vulnerability to attack. Such systems should be documented together with regular checks that they are working. New ways to protect data come along regularly and you should show that you have considered whether they would be effective for you.
If it can be demonstrated to the ICO that not only did you do your best, but you used systems and software that were, if not in the vanguard, then accepted as of good quality, then it is probable that they will be sympathetic to your plight. Further, you should be able to show that you responded to warnings, particularly those from the ICO.
Be open about any hacking. Send out notification to your subscribers to the effect that you have suffered an attack and tell them whether their data is likely to have been compromised. This is unlikely in the event of ransomware, at least at the moment, but not unknown.
Most importantly, make the necessary changes to your systems. Whatever the route in, you must ensure that something similar cannot reoccur.
I can’t speak for the ICO, especially their enforcement decisions, but this case is a clear warning to those who don’t treat data security seriously.