Catches of the Month: Phishing Scams for August 2023
Welcome to the latest Security Spotlight. This week, we examine the most recent phishing scams and the methods cyber criminals use to manipulate people into giving away their personal information.
We delve into an unsettling surge in phishing scams that impersonate Microsoft, plus a new security feature that’s designed to protect users from password compromise.
Elsewhere, our listener question looks into what counts as personal data in an email thread, while our podcast discusses a data breach at the Electoral Commission that has potentially affected over 45 million UK voters.
Plus, we have our usual selection of industry news, including why the ICO (Information Commissioner’s Office) is threatening enforcement action against websites with 'harmful' cookie banners and 5 ways to beef up your cyber defence.
Catches of the Month: phishing scams for August 2023
Welcome to our Catches of the Month feature, in which we explore the latest phishing scams and the tactics that cyber criminals use to trick people into handing over personal data.
This month, we have a pair of stories about Microsoft. The first looks at an alarming rise in phishing scams that impersonate the tech firm, while the second discusses a new security feature that’s designed to protect users from password compromise.
As ever, we’re here to answer your questions about the information security industry. This week’s question comes from Peter, via our blog. He asks:
“If a school has an email thread that expresses an opinion about me – e.g. ‘That parent can be really challenging’ – does this count as personal data, and should it be disclosed under a DSAR (data subject access request)?”
Thanks for your question, Peter. We can see why you might think this was personal data; it’s recorded data that’s about you. Moreover, it’s stored in a filing system – which is a key part of the GDPR (General Data Protection Regulation) that catches many people out. Personal data is only subject to the Regulation’s rules if it is subject to automated processing or if it is kept, or is intended to be kept, in some form of filing system. This could be a physical file, such as a teacher’s records on pupils and their parents, or a digital database.
If you submitted a DSAR, that record would be part of the files that the organisation would be required to share with you. However, organisations are permitted to redact any information that they believe isn’t pertinent to the request.
In this case, any comments such as this would probably be redacted – and there’s a good reason for that. For a start, the organisation might argue that an opinion about a parent isn’t personal data as it doesn’t identify or help identify you.
If the records don’t meet the GDPR’s definition of personal data, a separate process might apply: an FOI (Freedom of Information) request. But, again, the school may well be entitled to redact this record. According to an Information Commissioner’s Office advisory, such remarks are the personal opinions of the person who wrote them rather than personal data about the subject.
We hope that answers your question, Peter. We will be back again next week with another question. If you have an issue you’d like our team to answer, you can contact us via LinkedIn, Twitter or email.
Free webinar recording: ISO 27001:2022 – Transition Policies and Staff Awareness Training
Transitioning to the latest version of the international standard for information security management – ISO 27001:2022 – involves developing robust policies, establishing effective communication systems and providing comprehensive staff awareness training.
Watch this webinar to gain valuable insights and practical guidance on adapting your organisation’s processes to meet the Standard’s requirements.
Electoral Commission attack potentially affects over 45 million UK voters
The Electoral Commission has issued a public notification of a “complex cyber-attack” in which “hostile actors” gained access to the UK’s electoral registers. According to the statement, the Commission identified the incident in October 2022 after detecting suspicious activity on its systems that dated back to August 2021.
Attackers were able to access Electoral Commission servers that held emails, control systems and reference copies of the electoral registers of those registered to vote in the UK between 2014 and 2022, as well as overseas voters. Listen to our podcast for more information.
ICO threatens enforcement action against websites with 'harmful' cookie banners
The UK’s ICO (Information Commissioner's Office) is calling for organisations to stop using website design techniques that could negatively affect users.
The regulatory body specifically highlights cookie consent banners as an instance where it intends to intervene if there is evidence of users being adversely affected by design practices, stating that it would take enforcement action in cases where design decisions are likely to lead to risk or harm.
A Cybersecurity Expert Reveals Why You're a Cybercriminal's Next Target — and 5 Things You Can Do to Beef Up Your Defense
Implementing well-structured processes can make all the difference in preventing a cyber attack and avoiding unwanted media attention.
Free webinar: Cyber Incident Response Tabletop Exercises
Tabletop exercises are vital when implementing a robust CIR (cyber incident response) plan. These simulations train your team to respond to real cyber incidents swiftly and effectively by identifying vulnerabilities and weaknesses in your defences.
Join us on Wednesday, 13 September to go through the key stages in the incident response process using the NIST SP 800-61 Revision 2 framework. We’ll also run a live CIR tabletop ransomware and phishing attack exercise with audience participation, sharing responses and techniques to mitigate the impact of cyber security incidents.