Author: Tim Wright
Tim Wright, Partner, Fladgate LLP (email@example.com)
Cybersecurity blog Krebs On Security recently broke the news of a sophisticated cyber attack carried out on Wipro, one of India’s largest IT outsourcing providers. The blog tastes that the attack appears to have been orchestrated over a number of months – although the exact period is disputed, with Wipro claiming the attack only lasted “a matter of weeks”.
Apparently, the attackers gained access via phishing emails sent to employees and then used Wipro’s own networks and systems to launch attacks against its customers, which Krebs suggest may have included Sears, Rackspace, Avanade and CapGemini, as well as leading prepaid card vendor Green Dot and payments processor Elavon, amongst others. Avanade and CapGemini have each confirmed that employee accounts were compromised but both say that clients were not impacted. The blog also suggests that competing providers including Infosys and Cognizant were targeted by the same criminals, a seemingly experienced crime group seeking to carry out gift card fraud on a large scale.
Wipro is said to be investigating the attack and has hired an independent forensic firm to assist. It told reporters at Forbes that it had “detected a potentially abnormal activity in a few employee accounts on [Wipro’s] network due to an advanced phishing campaign” and that it has taken remedial steps to contain and mitigate the potential impact, as well as building a new private email network in reposes to the attack. It is not yet clear whether the Wipro hack has affected EU personal data – the customer’s said to be affected are all US companies although off course many operate globally.
This is not the first major security incident involving Wipro in recent years, with TalkTalk Telecom Group fined £100,000 by the ICO after rogue Wipro employees in the customer complaints team used customer data to conduct scam phone calls designed to harvest banking details. Three employees were subsequently arrested. This took place on 2015. CEO Dido Harding subsequently resigned although she denied that her departure was linked to the incident. The ICO found TalkTalk in breach of the old Data Protection Act because it allowed staff to have access to large quantities of customers’ data. A lack of adequate security measures left the data open to exploitation by rogue employees, which breached the seventh principle of the Data Protection Act, since TalkTalk did not have appropriate technical or organisational measures in place to keep personal data secure.
TalkTalk itself was subject to an even more serious security incident in 2015, leading to an even larger ICO fine of £400,000. In this case the hacker carried out an SQL injection attack against three web pages, accessing nearly 16,000 bank account details, by-passing security measures via an easily fixable software bug. Information Commissioner, Elizabeth Denham, said that “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.” At the time, the fine was the largest issued by the ICO in the UK – of course, with the advent of the GDPR, the ICO’s fining powers have increased significantly.
From a UK perspective, the regulatory framework covering data security and standards comes primarily from EU directives and regulations in particular GDPR (covering personal data), PSD2 (covering payment services), the NIS Directive (covering critical infrastructure), and the Privacy and eCommunications Directive (covering telecommunications providers). There is also sector specific regulation and guidance, particularly in the financial services arena (e.g. FCA Handbook, MiFID II). As well as setting out obligations around minimum security standards and requirements, they also impose breach reporting notifications and related requirements.
The Wipro data breach is another reminder of the dangers of supply chain and third party risk. Ponemon Institute recently published a cyber risk report which found misuse or unauthorised sharing of confidential data by third parties to be the second biggest security concern for 2019.
And Carbon Black recently published its global incident response threat report which found that half of all cyber attacks leverage supply chains. Hacks like the one suffered by Wipro create significant risk to companies and their supply chains. The GDPR makes it clear that this is a risk which cannot be outsourced and includes a number of requirements where data controllers outsource the handling of their personal data to a processor. Article 28(3) in particular sets out detailed requirements which must be included in any contract between controller and processor, including where sub processing is to take place.
Beyond this basic contractual block and tackling, enterprises of all sizes which outsource data processing are advised to look beyond contractual protections through the adoption of policies and systems designed to mitigate third party security risk, including:
Other best practices include data flow mapping; inventorying third party access to confidential information and data; staff training, and data breach response planning/war gaming.