Back to cyber security basics – learning from easyJet

Another day, another breach, this time for easyJet, which announced that it has been the target of an attack from a "highly sophisticated source". Here’s what has been published so far.

“Our investigation found that the email address and travel details of approximately 9 million customers were accessed. These affected customers will be contacted in the next few days. If you are not contacted then your information has not been accessed. Other than as referenced in the following paragraph, passport details and credit card details of these customers were not accessed. Our forensic investigation found that, for a very small subset of customers (2,208), credit card details were accessed.”

The interesting point to note is that out of 9m customers, only 2,208 had their credit card details accessed (0.02%). Whilst I await further news about the attack, the fact that any credit card details were accessed at all should raise the simple question: why were any credit card details accessed?

Basic data protection and cyber security practice from the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) requires that sensitive data such as personal data be encrypted, and that is before one considers contractual requirements such as PCI DSS, which mandates it for this type of data. Yet recent DCMS studies show that less than 2% of organisations are consulting this guidance.

In my experience companies focus too much on the complex threats and ignore the basic ones. This is highly frustrating, as you do need to build your cyber security strategy from a solid foundation. History and experience show that in most cases basic errors are to blame, whether technical, human or procedural, and they could have been easily avoided with a better governance and compliance culture.

I’ve already discussed how the board’s intentions rarely meet reality in terms of action within organisations with regard to cyber security, but one really does need to ask: if an attack divulged unencrypted cardholder data, was it really as sophisticated as reported? I increasingly find anecdotal evidence of large companies being fearful of basic compliance requirements for data protection and cyber security, yet these are the basics that should create the solid foundation to build upon.

The burden of compliance obligations within the UK is increasing, even though all the cyber security obligations within the UK come from a single authority. Looking across the pond, where multiple organisations provide compliance requirements (e.g. the PCI Security Standards Council, NIST, the Center for Internet Security), recent surveys show that the burden of compliance with these requirements is consuming 40% of cyber security budgets, and 58% of respondents see the compliance requirements constraining business.

The UK regulatory burden is not that difficult if you interpret it correctly and understand the obligations clearly. Again, in my experience most companies don’t do this. If you can achieve this, the upside is that you can significantly reduce the time, cost and resources needed to meet those compliance obligations, and also ensure that you have all bases covered with no basic cyber security gaffes.

It would be very useful if government and its advisers saw the opportunity to realign the cyber security requirements that have been published since May 2018 with the baseline requirements first, and then build on the differing requirements. That might mean we would see the bar being raised and the attackers truly having to work harder. Companies have to stop focussing on the complex and just address the information security basics. Once you have that done you can start to navigate cyber security governance, risk and compliance with confidence and avoid these recurring basic breaches.

My forecast is that there will be more data breaches in 2020, as COVID-19 has created a new normal in our working environment and data has been made more accessible to support operational necessity. I sincerely hope that UK companies are ensuring that the basic cyber security foundations are in place for this new normal.