Personal data breach incident - how to handle it?

It is the fifth month since the new regulations on the protection of personal data come into force. The period of the media storm related to the GDPR is probably behind us. Slowly, everyone has adapted to the new regulations, completed the documentation, implemented appropriate procedures and are trying to implement them with more or less commitment. However, one of the most frequent dilemmas related to the protection of personal data is the handling of security breach incidents.

Where did the idea for incident handling come from?

Both the old Act on the Protection of Personal Data and the new provisions of the GDPR mention the need to keep a register of incidents and implement the process of their proper handling. Where do such requirements come from? It is probably a derivative of ISO standards, where such a register has a control function that allows to monitor and evaluate the effectiveness of the information security management system. The number and frequency of security incidents proves whether our data protection system is effective. It also allows you to verify whether the security measures introduced by us are effective, i.e. whether they cause the number of incidents to decrease. Continue ...

We have just over two weeks until the new regulations on the protection of personal data enter into force. Adopted by the European Parliament in April 2016, the General Data Protection Regulation, known as the General Data Protection Regulation (GDPR), will come into force on May 25, 2018.
Lawyers actively support their clients in adjusting formal requirements to the new regulations. However, the preparation of appropriate templates of information clauses, questions for consents to the processing of personal data and contracts for entrusting or sharing data is not everything. It is important to adapt the technical infrastructure to the new realities along with formal and legal activities. And here a question often arises that lawyers are not able to answer: "what requirements must the IT infrastructure meet to be considered compliant with the provisions of the GDPR"? This problem stems from the fact that, unlike the "old" Act on Personal Data Protection, the new regulations do not indicate specific technical requirements. In the entire Regulation, there are only general conditions relating to the safety of infrastructure. So how do you adapt to them? We will try to help you find the answer to this question.

So what are these general requirements? Article 32 of the GDPR, which specifies that the personal data administrator implements appropriate technical measures to ensure a level of security corresponding to the risk, is the most relevant to this topic. It asks, inter alia, attention to solutions such as:

• Personal data encryption
• The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
• The ability to quickly restore the availability and access to personal data in the event of a physical or technical incident
• Regularly testing, measuring and evaluating the effectiveness of technical measures to ensure the security of processing

Continue ...

Serious data leaks and security incidents do not necessarily have to be the result of deliberate actions by intruders aimed at a specific target. They are not always noticed immediately by the victims of the attack. Often a serious breach of security occurs as a result of a combination of several events and its detection may be the result of the inquisitiveness of a random person. The following is a transcript of an interesting investigation, as a result of which we discovered a very serious threat to customer data of a large hosting company.

WARNING:
The description below includes links to websites that have been attacked or maintained by reputable organizations. Opening them may be dangerous.

Case study

On one of the websites maintained at AZ.pl (a hosting company belonging to Home.pl that supports the largest number of domains in Poland according to http://top100.wht.pl/) I noticed suspicious behavior: typing the website address in the browser caused redirection to the address http://semanticore.com.pl/admin/dropbox/proposal/which opened a page pretending to be Dropbox and asking you to log in - a classic phishing. The first thing that occurred to me was that I missed my domain renewal and someone took over. But no, domain is paid for. So I log in to the hosting panel and check the website files. Several of them have today's modification date, although I have not made any changes today. The website has therefore been modified in an unauthorized manner. Quick analysis of possible attack vectors: Continue ...

The health service must immediately implement professional IT security solutions.

According to the current legal status, from August 1, 2017 (i.e. for a little more than a year), medical documentation will have to be kept only in an electronic company.

Although the date of entry into force of the provisions on electronic medical data of the "Act of April 28, 2011 on the information system in health care" has been postponed many times, and this may also be the case this time, we must take into account that this moment will inevitably is coming and will eventually come.

Undoubtedly, the implementation of the provisions of the Act and the ordinances of successive Health Ministers regarding electronic medical documentation imposes a gigantic and very responsible implementation task on the entire healthcare system. I really hope that the whole project will be successful. The consequence of launching electronic medical information systems will be increased requirements for the security of information systems in hospitals, clinics and other health care facilities.

There are several important places in medical information systems that can be vulnerable and vulnerable to cyber threats:

• Databases of personal data,
• Patient health databases,
• Life support systems and patient condition monitoring,
• HIS (Health Information Systems) in the medical and administrative part,
• Medical equipment,
• Other systems that may affect the implementation of key processes.

In January 2016, a spokesman for the Hospital in Ottawa reported that 4 of the nearly 10,000 computers in the hospital were attacked with software ransomware. This type of malware, after clicking on an attachment in an email, a link in an email or on a website, blocks files on the infected computer. After paying the ransom, the attack victim receives a key that enables the reopening of encrypted files. In the case of this attack, the hospital did not pay the ransom, and IT services wiped the contents of the disks and restored the data using backups. The hospital said the patient's data was not at risk.

Continue ...

Evolution of threats

Malware threats have changed radically over the last several years. Viruses, which at the end of the 20th century took the form of pranks displaying funny messages and sound or visual effects, have become a tool in the hands of organized crime groups. Behind today's malware is a thriving black market, where you can choose from offers to sell 0-days, exploits, exploitpacks, backdoors and even ready-made botnets consisting of thousands of hijacked computers. All of this makes it easier for organized crime groups to run large-scale phishing campaigns or infection with TeslaCrypt, CryptoLocker or CryptoWall ransomers.

Approach to protection

Unfortunately, the evolution that has taken place in the field of threats has not yet been accompanied by a change in our mentality in our approach to protection. If you asked a statistical administrator how his approach to securing IT infrastructure has changed in recent years, he would most likely reply that he replaced the floppy MKS with a network, centrally managed antivirus and a simple firewall with a "next generation" device. More aware administrators would boast about taking local administrator rights from their users and using GPO policies enforcing a secure password policy. Continue ...

In the period from September to November, UpGreat takes part in three IT conventions (Wielkopolskie, Mazowieckie and Śląskie) - cyclical events organized for employees of offices and public institutions. During these meetings, issues related to the adaptation of local government institutions to the requirements of legal regulations concerning, inter alia, computerization, personal data protection or the National Interoperability Framework. The meetings are also attended by UpGreat experts in the field of ICT security, personal data protection, audits and security policies. Our consultants advise IT specialists from public institutions on how to adapt their systems to the requirements of the KRI regulation related to, inter alia, with the implementation of the Information Security Management System. We discuss issues related to the implementation of information security policies as well as risk estimation and analysis. We also answer questions regarding the amended Personal Data Protection Act and the obligations of the Information Security Administrator.
We pay special attention to security audits and penetration tests, which are an indispensable element of security management in any organization.