
NEWS

Continued from front page


regulations may have to show compliance within 20 days of the regulation
being passed.
"With data breaches becoming an everyday occurrence, this ruling on GDPR couldn't have come at a better time," said Peter Galvin of Thales e-Security. "Companies have two years in which to prepare to comply with the legislation, which might seem like a long time but it certainly won't be without its challenges. Organisations need to start planning and mapping out their strategies now, thinking beyond traditional models of securing the perimeter and locking down specific segments of IT infrastructure in order to formulate their data protection goals. A strong encryption strategy needs to be at the heart of this, not only to ensure that the business is complying with the regulations but also to assure customers their personal data is safe. Only organisations that do this well will establish and build trust with their customers."
The GDPR imposes much stricter requirements concerning accountability, the rights of data subjects, restrictions on data flows between countries and the disclosure of breaches by organisations that get hacked. Breaches must, for example, be reported to the supervisory authority within 72 hours of the organisation becoming aware of them, and the most serious infringements of the regulation can lead to fines of up to 4% of a company's annual worldwide turnover.
"Organisations need to evaluate the personal data they have, categorising the data so they are clear where the personal and sensitive data resides and where other less important data sits in the company," said Christine Andrews, managing director of data governance, audit and consultancy firm DQM GRC. "Once organisations understand just what personal data they have they should then ensure that regular risk assessments are completed in order to understand the degree of threat imposed on the company when processing data."
As with many European regulations, individual nations have a certain degree of flexibility in how the law is implemented in their own countries. Each nation must designate its own supervisory authority to enforce the regulation's 99 Articles. It remains to be seen how much flexibility the GDPR allows and how various countries exploit that.

May 2016
Meanwhile, the EU's Article 29 Data Protection Working Party has responded with some concern to the recent Privacy Shield agreement, which was created to allow US companies to collect personal data in Europe and transfer it to servers in the US. The agreement was drawn up after the Court of Justice of the EU struck down the previous Safe Harbour agreement following a legal challenge. In its formal opinion, the group detailed concerns that include the legality of national security exemptions, what it sees as an overly complex and ineffective review mechanism, and the independence, or lack thereof, of the US Ombudsman who is supposed to handle complaints about data abuse. Overall, it characterised the agreement as not acceptable. The report is available here: http://bit.ly/1YaaTf3.

Bangladesh bank raiders manipulated Swift software

Hackers who stole $81m from the Bangladesh central bank were able to manipulate the Swift system to partly cover their tracks. This has led to calls for an overhaul of Swift (the Society for Worldwide Interbank Financial Telecommunication), a cooperative owned by some 3,000 financial institutions whose messaging network carries the payment instructions behind international banking transactions.

The theft is believed to be the largest bank robbery ever committed, and the attackers came very close to making it bigger still. They attempted to transfer $951m from the Bangladesh central bank's account at the Federal Reserve Bank of New York. The $81m that got through was moved to accounts in the Philippines and then diverted to casinos there. Most of those funds are still missing.
The transactions were initiated after the attackers broke into the Bangladesh Bank's computers. It has since been revealed that the theft was made possible, in part, by the bank's lack of firewalls and its use of $10 secondhand routers. However, precisely how the criminals were able to create the fraudulent payment orders and push them through the system remains a mystery.


In an attempt to hide the fraudulent transactions, the hackers tampered with the Alliance Access software on the bank's servers, which interfaces with Swift's messaging platform. They even manipulated printed confirmation reports to hide what they were doing. According to researchers at BAE Systems, the attackers used malware written specifically to target Swift's Alliance Access software. Swift has released a software update and has admitted that this is not the first time that operator credentials have been forged on its systems.
"The specific attack on the Swift bank messaging system that was compromised in Bangladesh is not likely to appear in US or UK banks, but the damages from attacks on that system very well could," said Jonathan Sander, VP of product strategy at Lieberman Software. "Like so many other systems today, the global banking system is interconnected in so many ways that the chain truly is broken through one weak link. The losses in Bangladesh were $81m, but you have to imagine that will have ripples in other banks doing business there and elsewhere because of how things work in a global economy. The cyber-security of those you do business with is no longer a curiosity, it's a critical risk you must understand and address."
BAE Systems has released some information about the malware that was used for the attack. Details are here: http://bit.ly/21zWqLD.
Meanwhile, the Cryptome website has published a number of files, totalling 1.4GB, that it says contain the names, phone numbers, passwords and other sensitive data belonging to customers of the Qatar National Bank. Doha News reported that most of the data appears to belong to Al Jazeera staff, and some of those details have been confirmed as correct by members of the media organisation. However, other data appears to belong to members of the Qatari royal family, plus government, police and other officials, and even some alleged spies. Some of these people have also confirmed that the details are correct. At the time of writing, the bank itself has neither confirmed nor denied the breach.

Computer Fraud & Security
