regulations may have to show compliance within 20 days of the regulation being passed. "With data breaches becoming an everyday occurrence, this ruling on GDPR couldn't have come at a better time," said Peter Galvin of Thales e-Security. "Companies have two years in which to prepare to comply with the legislation, which might seem like a long time but it certainly won't be without its challenges. Organisations need to start planning and mapping out their strategies now, thinking beyond traditional models of securing the perimeter and locking down specific segments of IT infrastructure in order to formulate their data protection goals. A strong encryption strategy needs to be at the heart of this, not only to ensure that the business is complying with the regulations but also to assure customers their personal data is safe. Only organisations that do this well will establish and build trust with their customers."

The GDPR imposes much stricter requirements concerning accountability, the rights of data subjects, restrictions on data flows between countries and disclosure of breaches by organisations that get hacked. Breaches must be reported to the supervisory authority within 72 hours, for example, and fines for non-compliance with the regulation can reach 4% of a company's annual global turnover. "Organisations need to evaluate the personal data they have, categorising the data so they are clear where the personal and sensitive data resides and where other less important data sits in the company," said Christine Andrews, managing director of data governance, audit and consultancy firm DQM GRC. "Once organisations understand just what personal data they have, they should then ensure that regular risk assessments are completed in order to understand the degree of threat imposed on the company when processing data."

As with many European regulations, individual nations have a certain degree of flexibility in how the law is implemented in their own countries.
Each nation must establish its own Supervisory Authority to enact and police the more than 50 Articles in the regulation. It remains to be seen how much flexibility the GDPR allows and how various countries exploit that.

Meanwhile, the EU's Article 29 Data Protection Working Party has responded with some concern to the recent Privacy Shield agreement, which was created to allow US companies to collect data in Europe and export it to servers abroad. This agreement was put together after a legal challenge led to the collapse of the previous Safe Harbour agreement. In a formal response, the group detailed its concerns, which include the legality of national security exemptions, what it sees as an overly complex and ineffective review mechanism, and the independence, or lack thereof, of the US Ombudsman who is supposed to oversee allegations of data abuse. Overall, it characterised the agreement as not acceptable. The report is available here: http://bit.ly/1YaaTf3.

May 2016
Bangladesh bank raiders manipulated Swift software
Hackers who stole $81m from the Bangladesh central bank were able to manipulate the Swift system to partly cover their tracks. This has led to calls for an overhaul of Swift (the Society for Worldwide Interbank Financial Telecommunication), a cooperative owned by 3,000 financial institutions that is responsible for handling international banking transactions.
The theft is believed to be the largest bank robbery ever committed, and the attackers came very close to making it bigger still. They attempted to transfer $951m from the Bangladesh central bank's account at the Federal Reserve Bank of New York. The $81m that got through was moved to accounts in the Philippines and then diverted to casinos there. Most of those funds are still missing. The transactions were initiated after the attackers broke into Bangladesh Bank's computers. It has since been revealed that the theft was made possible, in part, by the bank's lack of firewalls and its use of $10 second-hand routers. However, precisely how the criminals were able to create fraudulent payment orders and push them through the system remains a mystery.
In an attempt to hide the fraudulent transactions they made, the hackers tampered with the Alliance Access software on the bank's servers, which interfaces with Swift's messaging platform. They even manipulated the printed confirmation reports to hide what they were doing. According to researchers at BAE Systems, the attackers used malware that specifically targeted Swift software. Swift has released a software update and has admitted that this isn't the first time that operator credentials have been forged on its systems.

"The specific attack on the Swift bank messaging system that was compromised in Bangladesh is not likely to appear in US or UK banks, but the damages from attacks on that system very well could," said Jonathan Sander, VP of product strategy at Lieberman Software. "Like so many other systems today, the global banking system is interconnected in so many ways that the chain truly is broken through one weak link. The losses in Bangladesh were $81m, but you have to imagine that will have ripples in other banks doing business there and elsewhere because of how things work in a global economy. The cyber-security of those you do business with is no longer a curiosity, it's a critical risk you must understand and address." BAE Systems has released some information about the malware that was used for the attack. Details are here: http://bit.ly/21zWqLD.

Meanwhile, the file-sharing website Cryptome has published a number of files, totalling 1.4GB, that it says contain the names, phone numbers, passwords and other sensitive data belonging to customers of the Qatar National Bank. Doha News reported that most of the data appears to belong to Al Jazeera staff, and some of those details have been confirmed as correct by members of the media agency. However, other data appears to belong to members of the Qatari royal family, plus government, police and other officials and even some alleged spies. Some of these people have also confirmed that the details are correct. At the time of writing, the bank itself has neither confirmed nor denied the breach.