This week’s Knowledge Update covers Mailsploit, which lets spoofed emails get past DMARC; PayPal admitting that a company it acquired suffered a major breach; and Morrisons being found liable for an insider data leak.
Mailsploit allows spoofed emails to fool DMARC
A security researcher from Germany has recently discovered a group of vulnerabilities in various email clients, collectively dubbed Mailsploit, which allow an attacker to spoof email sender identities without being picked up by DMARC.
Mailsploit also allows cyber criminals to launch cross-site scripting (XSS) and code-injection attacks.
According to Sabri Haddouche, a security researcher and programmer, the issue is that the spoofing is not detected by email servers, so it circumvents email security protocols such as DMARC and spam filters.
Whilst 24% of vendors have implemented fixes for the problem, staff should be made aware of the threats posed by phishing through training and awareness sessions. Policies regarding the acceptable use of computer equipment, the handling of data and payment processes should be implemented and adhered to. Prevention advice for phishing can be found here.
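Mailsploit-style headers hide a second address inside an RFC 2047 encoded-word in the display name, padded with null bytes or newlines, so DMARC evaluates the real address in the angle brackets while a vulnerable client renders the decoded text. The following Python check is an added example, not code from the article or from the researcher: it decodes the display name the way a client would and flags control characters or an address that differs from the real sender. The sample headers are constructed for this example.

```python
import re
from email.header import decode_header
from email.utils import parseaddr

# Constructed sample From headers (not taken from the article). The second and
# third mimic the Mailsploit pattern: the display name is an RFC 2047
# encoded-word whose decoded text is an address followed by a null byte or a
# newline, so a vulnerable client shows that address while DMARC evaluates the
# real addr-spec in angle brackets.
SAMPLE_FROM_HEADERS = {
    "benign": "Alice Example <alice@example.org>",
    "null_byte": "=?utf-8?q?ceo=40example=2Ecom=00?= <attacker@example.net>",
    "newline": "=?utf-8?b?Y2VvQGV4YW1wbGUuY29tCg==?= <attacker@example.net>",
}

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
ADDR_LIKE = re.compile(r"[^\s<>@]+@[^\s<>@]+")


def decode_display_name(raw_name: str) -> str:
    """Decode RFC 2047 encoded-words the way a mail client would render them."""
    parts = []
    for chunk, charset in decode_header(raw_name):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def check_from_header(raw_from: str) -> dict:
    """Return the real addr-spec, the rendered display name and any findings."""
    raw_name, addr_spec = parseaddr(raw_from)
    shown = decode_display_name(raw_name)
    findings = []
    if CONTROL_CHARS.search(shown):
        findings.append("control characters in decoded display name")
    # Strip control characters before looking for an embedded address, so the
    # padding used to hide the real sender does not break the comparison.
    embedded = ADDR_LIKE.findall(CONTROL_CHARS.sub("", shown))
    if embedded:
        findings.append("address-like text in display name")
        if any(e.lower() != addr_spec.lower() for e in embedded):
            findings.append("display-name address differs from real sender")
    return {"addr_spec": addr_spec, "display_name": shown, "findings": findings}


def scan_samples(headers=SAMPLE_FROM_HEADERS) -> dict:
    """Map each sample label to its findings (an empty list means clean)."""
    return {label: check_from_header(h)["findings"] for label, h in headers.items()}


if __name__ == "__main__":
    for label, findings in scan_samples().items():
        print(f"{label}: {findings or 'no findings'}")
```

A gateway or mail-filtering rule can quarantine or tag messages whose From header produces any finding, independently of the DMARC result.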
PayPal admits acquired company suffered major breach
PayPal has been forced to admit that a massive data breach has recently hit TIO Networks, affecting 1.6 million customers. In a statement, PayPal said that TIO’s operations have been suspended since 10 November whilst security vulnerabilities in the firm’s platform are investigated.
However, PayPal has quickly pointed out that its own platform was not affected in any way and that all PayPal customer data remains secure.
Data breaches can affect a company of any size, large or small, and reporting them will be a key part of the coming General Data Protection Regulation (GDPR). Organisations of all sizes will have to comply with GDPR or be at risk of punitive fines. A support pack and compliance guide can be found here. Large data breaches reinforce the need for strong and separate passwords for each account: using separate passwords limits your exposure to third-party data breaches. Where possible, companies and individuals should deploy technical controls to support authentication, such as two-factor authentication (2FA).
Morrisons found liable for insider data leak
Morrisons has been found liable for a 2014 data breach that exposed the details of 100,000 staff, leaving the organisation open to compensation claims from those affected.
Andrew Skelton, who was a senior internal auditor at the Morrisons head office in Bradford, leaked the details of nearly 100,000 employees after harbouring a grudge against his employer. The leaked data included National Insurance (NI) numbers, birth dates and bank account details. Skelton was jailed for eight years in 2015.
Protecting customer and staff data is a legal duty. Cyber Essentials provides a framework, backed by the UK government, for businesses to improve their information security. More information can be found here.
Organisations should also ensure that staff are appropriately trained in regulations such as the Data Protection Act (a checklist can be found here). As with the PayPal breach above, data breaches can affect a company of any size, and reporting them will be a key part of the coming General Data Protection Regulation (GDPR). Organisations of all sizes will have to comply with GDPR or be at risk of punitive fines. A support pack and compliance guide can be found here.