Risky Business: Hacking, data theft, rogue employees and Corporate Protection in a Digital Age

For companies, there is no longer a question of whether a company or corporation will have to deal with computer hacking and Cyber Crime, but rather a question of when. In 2015, “Cyber crime” was first included in the annual Crime Survey for England and Wales. In July 2016, The Office of National Statistics (“ONS”) estimated that there were 2.46 million cyber incidents in that year and over 2.11 million victims of Cyber Crime in the UK in the same year.[1]

Cyber crime is defined and tracked in two ways:

  1. “Cyber-dependent crime”: can only be committed using computers, computer networks or other forms of information communication technology (“ICT”). These include:
  • the creation and spread of malware for financial gain,
  • hacking to steal sensitive personal or industry data, and
  • denial of service attacks to cause reputational damage.
  2. “Cyber-enabled crime”: offences such as fraud, the purchasing of illegal drugs and child sexual exploitation, which:
    1. can be conducted on or offline, and
    2. if online, may take place at unprecedented scale and speed.

Cyber Crime includes:

  • Bank and credit account fraud – meaning criminals accessing bank accounts, credit cards or fraudulently using plastic card details
  • “Advance fee fraud” – crimes where the victim has been tricked into handing over cash after a communication, such as a lottery scam
  • “Non-investment fraud” – criminals conning a victim into buying something, often online, perhaps through a bogus phone call or email.
  • Other frauds including investment or fake charity scams

There are two broad categories of “computer misuse” crimes:

  • Unauthorised access to personal information, including hacking
  • Computer virus, malware or other incidents such as “DDoS” attacks aimed at online services

Terrifyingly, in 2015-2016, Cyber Crime accounted for 36% of all crime committed in the UK. A further 17% of all crimes committed in the UK related to computer misuse, which is classified separately. Therefore, in 2015-2016, computer-related crime made up some 53% of all crimes committed in the UK, and the view is that Cyber Crime is under-reported.

Recent figures from the Annual Crime Survey of England and Wales (CSEW), which seeks to accurately assess the number of offences by interviewing people about their personal experience of crime, found that:

  • From September 2015 to September 2016, there were 3.6 million cases of fraud; and
  • 2 million of those offences were related to computer misuse.

Other interesting findings included:

  • There were 1.9 million cases of frauds on UK-issued cards (an increase of 39% from the previous year)
  • The police recorded 4.7 million offences in the year ending September 2016, an annual rise of 8%.

Feeling concerned yet?

If not, these are some factors that indicate why this area will be, in our opinion, the fastest growing area of criminality for years to come:

  • Speed of offending: It can happen with a scan and click.
  • Anonymity of Offending: These crimes can be committed by an anonymous individual or group. An offender does not have to leave his or her bedroom (wherever that might be).
  • Jurisdiction of Offending: Offenders are often outside of the jurisdiction but are targeting UK Nationals due to the comparative wealth of the victims.
  • The increased understanding of the worth of data and the ability to easily locate those who can monetise the data (i.e. via the dark web and chat rooms): For example, MNH Platinum’s scary story in 2016. The company was the victim of a virus which encrypted over 12,000 files on its company network. A ransom demand followed: the criminals would decrypt the company’s files in exchange for more than £3,000[2].
  • The anonymity afforded to those who can request assistance in obtaining personal data by reaching out to your employees and data custodians.
  • Relatively easy access to data (personal and corporate).
  • Cheap and easy to commit the crime but often difficult and expensive for the police to trace.

It is clear that swift action is required: But what can stop the onslaught?

How about new laws and more funding?

Some progress was made by the Directive on security of network and information systems (NIS Directive), adopted by the European Parliament on 6 July 2016 and which came into force in August 2016. Member States have 21 months to adopt the Directive. The Directive is intended to ensure a ‘high common level of network and information security across the Union’. Interesting developments include:

  • The requirement of Member States to be appropriately equipped to respond to any incidents of hacking or cybercrime by having a competent Computer Security Incident Response Team on hand; and
  • The necessity for companies to report incidents of hacking and cybercrime to the authorities[3].

In the UK, no such necessity currently exists and considering the negative ramifications on client confidence and share prices, all too often, such crimes are not reported.

It is the first EU-wide legislation on cybersecurity and is intended to support and facilitate strategic cooperation between Member States as well as the exchange of information. It also came with a partnership with the private sector which triggered some €1.8 billion of investment to foster cross-border research and development cooperation of the cybersecurity industrial players in Europe[4].

Whether Britain will benefit from any such funding is, of course, about as certain as whether progress will be made against cyber criminals in the near term.

More Regulation: The General Data Protection Regulation

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). Whilst it has similarities with the existing UK Data Protection Act 1998 (DPA) it also has some new and different requirements, particularly for those who have day-to-day responsibility for data protection. The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR[5].

The Regulation deals with personal data and sensitive personal data. The most significant addition is the “accountability principle”. The GDPR requires companies to show how they comply with the principles – for example, by showing the processes adopted by the company for dealing with data processing.

Article 5 of the GDPR sets out the requirements that companies must abide by when collecting personal data, including the provision that data must be processed ‘lawfully, fairly and in a transparent manner in relation to individuals’ and ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’.

The Regulation also identifies eight main “Key Rights” for individuals whose personal data is being collected. These include the right for individuals to know what data is collected, the way it will be stored and how one can restrict its processing. It is intended that individuals will have the right to block or suppress the processing of their personal data.

What if data theft occurs in your organisation?

Well, it could not come at a better time. A company’s duties and responsibilities for both prevention and reporting will only increase in the next few years.

However, identifying the relevant risks and being able to move quickly when something does go wrong are key strategies to being able to minimise the threat of hacking and data theft. It is important to stop the hacking of multiple parts of a business’ system and to wrestle back material if possible.

Unfortunately, there is an added concern for corporates: how the smaller companies they contract with and third party suppliers manage and control their data. According to the latest statistics released by cyber security firm Symantec, more than half (52.4%) of spear phishing attacks (carried out using fake emails) in December 2016 were against SMEs, with November showing a massive spike[6].

Some of the steps companies can take are as follows:

  • Make sure the people and systems in place to safeguard important data are reliable. Getting the people right is just as important as getting the system right;
  • Make sure encryption and security passwords are taken seriously;
  • Make sure access to data is very limited (or sets of data ring-fenced). This will help in quickly identifying who is responsible in case of an emergency;
  • If you think you are the subject of an internal data breach, monitor it immediately (without necessarily announcing it within the company) and see what can be done to gather data on the mode of theft and the identity of the individuals involved;
  • Report it to a lawyer or security advisor with the relevant expertise, and take their advice, as soon as possible. This is an area where speed is of paramount importance;
  • Once you have realised and identified what has occurred, you may wish to report the matter to the police;
  • A company must consider its reporting obligations, such as a report to the Information Commissioner’s Office (“ICO”). This is currently obligatory only for certain companies, such as telecoms, but watch this space[7];
  • A criminal prosecution, public or private, can go a long way to deterring hackers from targeting your organisation again. Hackers are generally very reluctant to be identified and disturbed!

Kate McMahon and Chloe Salter

[1] NCA: Cyber Crime Assessment 2016 http://www.nationalcrimeagency.gov.uk/publications/709-cyber-crime-assessment-2016/file

[2] https://www.theguardian.com/small-business-network/2016/feb/08/huge-rise-hack-attacks-cyber-criminals-target-small-businesses

[3] Companies in the USA are already required to report instances of hacking under the Notice of Security Breach Act 2003, both to the authorities and to consumers whose personal data has been obtained.

[4] Statement by Vice-President Ansip and Commissioner Oettinger welcoming the adoption of the first EU-wide rules on cybersecurity, Brussels, 6 July 2016, http://europa.eu/rapid/press-release_STATEMENT-16-2424_en.htm

[5] https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/introduction/

[6] https://www.theguardian.com/small-business-network/2016/feb/08/huge-rise-hack-attacks-cyber-criminals-target-small-businesses

[7] https://ico.org.uk/for-organisations/report-a-breach/