Security Update 24th April 2019


The latest news from the sector sees Bounty UK fined £400,000 from the ICO, NCSC launch a venture capital drive for new cybersecurity start-ups, this month’s patch Tuesday updates …

New Mums Service Bounty Fined £400,000 For Unlawfully Sharing Personal Data

Bounty (UK) Ltd, the pregnancy and parenthood support service, has been fined by the Information Commissioner’s Office for illegally sharing the personal information of approximately 14 million people.

An investigation by the ICO found that the company had collected the information for the overarching purpose of membership lead generation – predominantly through its digital products online and via their app. However, they also collated information from merchandise packs given to new mothers at their bedside which came without marketing opt-in consent forms.

The information was then shared with numerous organisations – from Equifax to Sky – without being fully clear about the type of campaigns these organisations were going to undertake. The company breached the Data Protection Act of 1998 by sharing personal information without being wholly clear about the end-result usage and therein having the correct opt-in consent from the individual.

According to the ICO:

“The number of personal records and people affected in this case is unprecedented in the history of the ICO’s investigations into data broking industry and organisations linked to this.

Bounty were not open or transparent to the millions of people that their personal data may be passed on to such large number of organisations. Any consent given by these people was clearly not informed. Bounty’s actions appear to have been motivated by financial gain, given that data sharing was an integral part of their business model at the time. 

Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children” 

The moral of the story? Always make sure you follow data protection rules (especially in this post-GDPR landscape) and that you get opt-in agreement from your customers to use the information in whatever way you have agreed on consent. If you need to find out more about opt-in marketing consent, the ICO has this great marketing guide for SMEs looking to stay on the right side of the law!

National Cyber Security Centre Wants to Invest In Cyber Security Start-ups

The National Cyber Security Centre (NCSC) a sub-division of GCHQ (the ‘spy’ agency) wants to invest in start-ups and is creating, in collaboration with Wayra UK, an accelerator programme to help 10 lucky start-ups achieve business success.

The scheme, backed by £20 million in funding, will help entrepreneurs build brands that have strong market penetration due to the NCSC link to help drive a new culture of cybersecurity resilience in the UK information technology landscape.

An NCSC statement:

“The NCSC is looking for hopeful start-ups with a focus on enhancing security, techniques for anticipating the early stages of a cyber attack, enabling action to be taken on real-time threats, vulnerability information and more.”

Chris Ensor, NCSC Deputy Director for Skills and Growth, said:

“This call will allow us to cast the widest net possible for attracting start-ups developing technologies that will better protect us now and in the future.

We’ve worked with 23 companies over the past few years, offering them unique technical insights that have helped them grow their ideas and business.

The Accelerator has already seen 16 start-ups graduate from the programme which runs for nine months and includes a robust acceleration package including, exclusive access to experts from the NCSC and GCHQ, a £25,000 grant, access to Wayra’s investor network and potential pathway to security experts from Telefónica brands such as O2.”

To sign up, head to Wayra’s NCSC sign-up page found here.

Human Powered AI? Amazon’s Secret Human Speaker AI Review System Revealed

Amazon is “reviewing” audio clips from Alexa AI devices to help assist in the development of voice-activated responses according to Bloomberg. Millions have purchased the smart devices but concerns that people might be listening in on such devices has created a negative coterie within the consumer marketplace. These consumers fear someone could be listening to their search queries and that makes them afraid. However, in Alexa’s case, someone is actually listening to audio clips from real Alexa search requests.

Amazon has hired thousands of people to help improve Alexa services – these human audio transcribers feed back their findings to the Alexa database thus improving the spectrum of search results given back to users. Amazon is using human feedback to help train the AI software algorithms to better understand human search result queries.

Bloomberg states:

“The team comprises a mix of contractors and full-time Amazon employees who work in outposts from Boston to Costa Rica, India and Romania, according to the people, who signed nondisclosure agreements barring them from speaking publicly about the program. They work nine hours a day, with each reviewer parsing as many as 1,000 audio clips per shift, according to two workers based at Amazon’s Bucharest office, which takes up the top three floors of the Globalworth building in the Romanian capital’s up-and-coming Pipera district. The modern facility stands out amid the crumbling infrastructure and bears no exterior sign advertising Amazon’s presence.”

Amazon’s response:

“We have strict technical and operational safeguards, and have a zero tolerance policy for the abuse of our system. Employees do not have direct access to information that can identify the person or account as part of this workflow. All information is treated with high confidentiality and we use multi-factor authentication to restrict access, service encryption and audits of our control environment to protect it.”

Cyber Attacks “Damaging” National Infrastructure Daily, According to Survey

The growing threat of cyber attacks on critical infrastructure has found 90% of major infrastructure services being hit by a successful attack which could have damaged or seriously created loss-of-life outcomes. The report, published by The Ponemon Institute, surveyed security practitioners in six countries – including the UK – and the results are shocking!

According to the BBC:

“The Ponemon Institute, which specialises in cyber-security and privacy issues, used an anonymous poll to quiz more than 700 security professionals in the US, UK, Germany, Australia, Mexico and Japan who work to protect critical infrastructure.

Of those responding, nine out of 10 said the organisation they worked for had been damaged by a successful cyber-attack in the last two years. Many reported being hit by between three and six such incidents.

Respondents said around half of the successful attacks had resulted in downtime of critical systems. This was because essential systems were knocked out as part of the attack or operators had to turn off systems to repair the damage done.”

“These are multiple, successful attacks on the physical world using cyber-technologies,” Eitan Goldstein, from security firm Tenable, which commissioned the report, told the BBC.

If you want to know more about improving your cybersecurity systems, the National Cyber Security Centre has a range of useful guides and support documentation that can help you protect your business’s critical infrastructure.

April’s Patch Tuesday Update

An update on Microsoft’s April Patch Tuesday Update – with 34 new and individual security updates which corrected 75 unique Microsoft-related issues across the entirety of the Microsoft operating system landscape. What these patches do is help correct errors in how Microsoft Windows runs and by fixing these issues they help make the OS more secure!

This month singular highlights include:

  • Adobe Flash Player
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ChakraCore
  • Microsoft Exchange Server
  • Team Foundation Server
  • Azure DevOps Server
  • Open Enclave SDK
  • Windows Admin Center

Some of these updates correct serious issues that, in extreme circumstances, allow remote access to your IT system without your permission. These are designated as critical patch updates. So, if you haven’t done so already please take a moment to update your IT estate with the latest Patch Tuesday updates.

RUSI Outlines UK’s Cyber Security Strategy Post-2021

As the cybersecurity threat continues to evolve as state and non-state actors continue to shift and morph as threats diversify, the Royal United Services Institute (RUSI) is exploring the next period in the UK’s national cyber security programme.

As the UK is currently operating on the National Cyber Security Programme 2017-21, the next stage will require a radical overhaul to help fix the many shortcomings that are hampering the UK’s continual effort to stem cybercrime activities.

RUSI believes more investment in STEM, greater academic focus with more Academic Centres of Excellence along with greater powers for the National Cyber Security Centre are a good start but more is required.

According to RUSI:

“While it may seem an indulgence to focus on norms and not purely on technology, the reasoning lies not in pure abstraction, but in the recognition that the liberal view is under direct challenge from a competing political belief set, Cyber Sovereignty. Championed by Russia and China, this view directly disputes the multi-stakeholder model that has so far been effective in governing cyberspace, calling instead for direct and exclusive management of cyberspace by nation states.

This viewpoint poses a direct threat to the type of cyberspace that was not only originally created by liberal states and underpinned by liberal values, but also any future cyberspace. A cyberspace that seeks to preserve open access to information and be used as a tool not only of economic prosperity but also of human enrichment through connection, education, creativity and expression is now under severe challenge by other political actors; the next cybersecurity strategy needs to acknowledge not simply a state of uncertainty – as it did in 2011 – but that the liberal view for cyberspace is now undoubtedly under threat.

For a cybersecurity strategy beyond 2021 to be fit for purpose necessitates not only building on the resiliency efforts established this decade, it will also require a recognition of the threat that Cyber Sovereignty poses to the stability of cyberspace itself. Tackling this international dynamic could well prove the biggest dynamic to reconcile in UK policy circles.”

Until next time … get in touch here:
and/or leave a review here:


Ready to find out more?

Drop us a line today for a free quote!

Posted in

Mike Knight