In the UK, the Safer Internet Centre focusses on internet safety for children and young people providing a range of resources and information for people aged from 3 to 19. At the younger end of the spectrum, Smartie the Penguin gets a new tablet and runs into all sorts of bother, whilst at the older end, the emphasis is on handling inappropriate behaviour such as sexting. A common theme across all of these resources is cyberbullying. But the internet presents risks for people of all ages, young, old and those in between – both in the workplace and private lives. Identity theft, online shopping fraud, phishing-style attacks, etc. etc. have the potential to affect all of us; employers, employees, and private individuals.
A week or so ago the French Data Protection Authority, the CNIL announced that it had fined a data controller and its data processor €150,000 and €75,000 respectively for inadequate security measures which left users of their online market place susceptible to personal data breaches through credential stuffing attacks – attacks when a malicious person uses lists of login credentials from previous attacks to access other websites. This type of attack relies on the fact that website users often use the same password and username on different online services. Users of the Chrome browser may have seen alerts popping up advising them that a particular user name and password combination is known in the public domain and available to attackers. In credential stuffing attacks, the attacker uses computer programs to attempt multiple login requests across various sites for all the user name and password combinations on a particular list. The message from the CNIL is clear – that controllers and processors are responsible for recognising this risk and mitigating against such attacks through multi-factor authentication for example when a website won’t accept a user name and password without another form of authentication such as an SMS code, a QR code reader or a YubiKey.
The Outsourced DPO remains staggered by the number of websites and online platforms that have terribly basic access controls. Even platforms we’ve been reviewing in the PrivacyTech space have no email verification on sign-up and flaky-looking front-end security.
So, on Safer Internet Day, it would be useful to carve out some time to take stock of internet security risks for both staff and customers and to set in place a plan of action to upgrade anything that is not state-of-the-art.
In the recording above we discuss Safer Internet Day and how to promote the safe and positive use of digital technology within our organisations.
Philip Brining – Director (DPP), Oliver Rear – Support Desk Consultant and David Holmes – Senior Data Protection Consultant join together to discuss some of the topical issues in our first Lunchtime Takeaway Session of the month.
If you would like to join us on future sessions and tune-in live, contact [email protected]
For more information on Safer Internet Day visit https://www.saferinternetday.org/