Out-Law / Your Daily Need-To-Know

Data security breaches mainly involve outsourced IT service providers, according to Trustwave report

Out-Law News | 12 Feb 2013 | 4:24 pm | 4 min. read

The majority of cyber security breaches investigated by a global information security company last year involved failings by third party IT providers, according to a new report.

Trustwave said that, of the more than 450 suspected data breach cases it had analysed, 63% involved IT outsourcing providers. Almost all the information hackers targeted was personal data, according to the findings of Trustwave's 2013 Global Security Report. The report outlined that the retail industry had been particularly targeted by criminals during last year as hackers tried to expose payment card data.

In a panel discussion at the launch of the report in London on Monday night, security consultant and former chief information security officer (CISO) at AstraZeneca Paul Simmonds said that he believes less than 20% of FTSE 100 companies employ "full-time information security teams". He said that businesses "should be forced to report on their assessment of cyber risk within their annual reports".

John Yeo, director of Trustwave's SpiderLabs unit in Europe, the Middle East and Africa, said that IT buyers need to be more aware of the security measures outsourcing providers have in place before contracting with them.

"In a large number of cases we investigated data breaches a third party was responsible," he said. "We are not saying outsourcing is bad, but what we are saying is that there may have been a lack of due diligence in the selecting of outsourcing providers."

Under the UK's Data Protection Act data controllers are required to take "appropriate technical and organisational measures" to ensure against the "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

When outsourcing personal data processing, data controllers are required to select processors that can provide "sufficient guarantees" that they can properly meet the "technical and organisational measures" requirement and that they will "take reasonable steps" to "ensure compliance".

Data controllers must establish a written contract with data processors specifying that the processor may only undertake processing activities that the controller tasks them with, whilst the contract must also hold the processors to comply with the "technical and organisational measures" required under the DPA. Data controllers are also responsible for any failure of processors in meeting those personal data security standards.

Further rules apply to outsourcing of personal data processing where that processing takes place outside the European Economic Area.

Data protection law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said that clearer guidance from the ICO is needed on precisely what sort of security standards can be considered as compliant with the DPA.

"Sony was recently fined £250,000 by the Information Commissioner over alleged security failings that enabled hackers to obtain personal data of millions of online gamers on the PlayStation Network," Dautlich said. "Sony has indicated its intention to appeal, and that it is not clear why it was deemed not to have met the security requirements of the DPA."

"It may fall to an Information Rights Tribunal or a court to rule on the matter and thereby provide insight to data controllers about the standards necessary to meet the requirements of the DPA. However, in such a difficult area – good security is as much organisational and behavioural as it is technical, as the law recognises, and organisations are increasingly under threat from sometimes very sophisticated hackers – the ICO needs to do more," Dautlich said.

"Where data controllers run the risk of enforcement action against them for, in effect, negligence, we need more clarity about what constitutes reasonable care in the context of security standards, and what does not. This need will become acute once the reformed EU data protection law framework is in place, when mandatory incident reporting will apply to all controllers," he added.

Paul Simmonds said that companies that outsource IT services to cloud providers are often provided with "sales patter" by those providers. The information can suggest better data security measures are in place than that which is actually the case, he said. IT buyers conducting cyber security audits or other due diligence also often "ask the wrong questions about the wrong things", he added.

Simmonds said that most senior business executives currently lack sufficient knowledge or understanding of cyber security risks and often fail to ask sufficiently probing questions of IT managers as a result, he said. This leads to CISOs finding it difficult to persuade corporate board members that they need "bigger budgets for cyber security", Simmonds added.

According to Trustwave's findings, 45% of the cases it investigated last year involved the targeting of retailers.

"Payment card data is incredibly easy to monetise for which there is an established black market," Yeo said.

In the cases where Trustwave identified the 'data-targeting' method hackers used to infiltrate systems, nearly half involved "generic memory scraping", which is where hackers use technology to constantly probe networks used for transmitting data. Yeo said that hackers tend to focus their probing at the point that encrypted payment card data is deciphered - the "point of processing".

He added that hackers are increasingly using encryption on malware to make it harder for organisations and regulators to determine the methods they used to infiltrate systems. Hackers are also "nesting malware files within each other" and this is proving "relatively effective" at exposing data, Yeo said.

The Trustwave report also uncovered evidence that businesses are getting slower at containing cyber breach incidents, with 210 days the average time taken to do so, up from 175 days in 2011.

Organisations are also heavily reliant on third parties telling them they have been hacked, it said. In fewer than a quarter of cases (24%) breaches were self-detected by companies, whilst regulatory bodies and law enforcement detected the breaches first in 48% and 25% of cases respectively.

"Slow detection exacerbates data breaches," Yeo said.

Of the incidents Trustwave investigated, 'Password 1' was the most popular corporate password breached with it being compromised in 38.7% of cases, whilst 'password' was used as an authentication entry in 34.5% of cases.

Yeo said that Trustwave had found 400% more samples of mobile malware affecting Google's Android operating system last year in comparison with the year previously, but said that the company had not yet encountered a case of a "smartphone being used as a pivot point for [infiltrating] a corporate network, although we are not saying it doesn't happen or that it couldn't happen in the future".

Marc Dautlich said that the "immaturity of application development and coding standards in the mobile industry and the ubiquity of mobile devices" are factors that are likely to drive a continuing upward trend in mobile data hacking incidents.