ICYMI: Tea-loving hackers, Venom flaw and overworked CISOs

This week's ICYMI column looks at a tea shop data breach, analysis on the Venom flaw and concerns over 'burnt-out' security professionals.

ICYMI: Tea-loving hackers, Venom flaw and overworked CISOs
ICYMI: Tea-loving hackers, Venom flaw and overworked CISOs

Scone: Bettys Tea Shop loses 122,000 customer records in data breach

The directors of Bettys & Taylors of Harrogate pledged to harden security on the Bettys.co.uk website and keep customers informed, after details of 122,000 customers were lost in a data breach earlier this week.

The company discovered on 8 May that its database had been breached and customer details copied but it has not revealed exactly when the breach is thought to have occurred.

It blames an “industry-wide software weakness” but declined to specify which software was involved.

Bettys & Taylors notified customers via an email, and promised to follow it up with a letter by post for those customers for whom it has a postal address.

The company has also created a mini-site which contains additional information about the breach including a lengthy section on Frequently Asked Questions (FAQs).

A spokesperson told SCMagazineUK.com that it has also shared information about the breach with the Information Commissioner. This is the first time the website has been hacked, she said.

Cyber-security now the top concern for financial services

Cyber-security ranks as the number one concern for nearly half of financial institutions in the US, according to a recently published survey.

According to the Depository Trust & Clearing Corporation (DTCC), 46 percent of respondents to its most recent study ranked cyber-security as of more concern than geopolitical risk and the impact of new regulations.

The findings were contained in the DTCC report, Systemic Risk Barometer Study, completed in the first quarter of 2015 with responses from 250 financial market participants including DTCC clients and other key stakeholders.

The 46 percent response rating for cyber-security is a record for the DTCC surveys, almost double the 24 percent response just one year ago.

Meanwhile, even for those who didn't put it first, cyber-security was still ranked in the top five risks overall by 80 percent of respondents as concern grows over the frequency and sophistication of attacks.

Venom vulnerability: toxic threat or hissing hyperbole?

Anyone reading the news headlines on the Venom flaw last week might be forgiven for thinking that the sky, or at least the cloud, is falling down.

Reports of the undoubtedly serious 'Virtualised Environment Neglected Operations Manipulation', or 'Venom', vulnerability have suggested that cloud security is now broken and even that this is a perfect spy tool for the National Security Agency (NSA). But putting the Heartbleed-level hyperbole aside for one moment, just how real a threat is venom to the virtual machine environment?

GCHQ and police hackers protected by revised Computer Misuse Act

The Computer Misuse Act 1990 has recently been quietly updated, handing out life sentences to hackers and seemingly giving more power and protection to law enforcement and surveillance agencies.

Details of this change were revealed at the Investigatory Powers Tribunal which is hearing a challenge to the legality of computer hacking by UK law enforcement and intelligence agencies, as filed by Privacy International.

The amendments were passed in March as an addition to the Serious Crime Bill, while the Computer Misuse Act has also been updated to serve life sentences for some computer-related crimes.

Meanwhile, under clause 10, the act now states that certain law enforcement and surveillance agencies will be free from prosecution for hacking. The bill passed into law on March 3 this year, and became effective earlier this month, on 3 May.

'Burnt-out' security pros hide breaches, demand bigger budgets

A report into the ethics of security professionals reveals some eye-opening findings on hidden data breaches, and how incidents are being used to push for bigger budgets.

Threat intelligence security vendor AlienVault released its ‘Ethics, security and getting the job done' report last week and it makes for an interesting read for anyone involved in security, from system and network administrators to CISOs and board members in control of information security budgets.

The report, which is based on professional experience of report author Javvad Malik (security advocate at AlienVault, former analyst at 451 Research), as well as well a study from RSA, which gathered 1,107 responses, highlights that most respondents believe that CISOs should ultimately be accountable for a breach, although some do also cite CIOs, CEOS and even auditors.

However, the most interesting section of the report concerns post-breach mitigation, finding that one in five have witnessed their firm hide or cover up a breach, whilst two-thirds have used the situation to lobby senior execs for bigger budgets.

SC Webcasts UK

Sign up to our newsletters

FOLLOW US