Monthly cyber security review: December 2019

We’re back with another round-up of some of the most notable information security stories of the past month.

In this edition, we discuss a hospital employee who abused their power to contact patients, an update on last year’s Ticketmaster data breach and an upsetting incident at a Scottish high school assembly.

1. NHS radiographer used medical record info to pester female patients

Stories of hospital workers snooping into patients’ files illegally are unfortunately common, but a recently disclosed breach at Hairmyres Hospital in East Kilbride is particularly egregious for what the employee did with the information.

The Hamilton Sheriff Court heard this month of a radiographer who gathered female patients’ contact details and hounded them for dates.

Using fake names, Andrew Stewart contacted more than 200 women – some of whom were domestic abuse victims – via Facebook and WhatsApp “in a desperate bid to get into relationships with them”.

He sent them pictures of himself, told them he was mature “when it comes to pleasing women in bed” and said the women were “hot”, “gorgeous” and had “nice boobs”.

Stewart even offered to tell one patient the results of her MRI scan before she had spoken to her consultant.

His actions were revealed when a woman he had been messaging recognised him at University Hospital Crosshouse in Kilmarnock and reported them.

The NHS launched an enquiry, which led to 2 charges of obtaining personal data illegally and 16 charges of acting in a threatening and abusive manner.

2. Victims of Ticketmaster breach file lawsuit

Those affected by last year’s Ticketmaster data breach could soon receive financial compensation, after several legal cases were launched in the Irish courts.

As many as 40,000 customers – including those who use Ticketmaster International, GET ME IN! and TicketWeb websites – had their personal and financial information stolen as a result of a malware infection.

There was some disagreement at the time about who was responsible. Ticketmaster said that the breach stemmed from a vulnerability in a third-party support product hosted by Inbenta Technologies.

However, Inbenta countered by saying that “the source of the breach was a single piece of JavaScript code, that was customized by Inbenta to meet Ticketmaster’s particular requirements. This code is not part of any of Inbenta’s products or present in any of our other implementations.

“Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability.”

The lawsuits against Ticketmaster suggest that this is the case, although it remains to be seen whether the organisation will protest its innocence in court. It could take a year or more for a decision to be made.

3. High school exposes students’ health conditions during assembly

Pupils at Brechin High School in Scotland were left stunned this month after an assembly presentation revealed the names of 52 students with autism spectrum disorder and other health conditions.

The presentation, intended as an exam preparation for senior students, contained a slide titled “what if you have ASD or a medical condition?”, followed by a list of students.

Speaking to The Scottish Sun, one furious parent said he feared the children whose data was exposed may be bullied.

“Today pupils were getting a talk about exam preparation, when a slide appeared listing the names of 52 people with autistic spectrum disorder and other medical conditions. My child’s name was on the list,” he said.

“It was a bit of a shock to my child. Their medical condition had been kept among family, and they didn’t want to tell friends.

He added: “My child’s initial response was that they wouldn’t be able to go back to school. But they’ve gotten support on social media, and people asking how they feel.

“But you always worry there’ll be other pupils who take the opportunity to bully your child as a result.

Manage your cyber security threats with Vigilant Software

These incidents show that security threats can come in any number of ways – whether it’s a cyber attack, a malicious insider or an error of judgement.

It can be tough to manage them all, but Vigilant Software’s CyberComply platform makes things much easier.

Its combination of Cloud-based software enables you to take control of your cyber risk requirements by helping you:

  • Conduct risk assessments or DPIAs (data protection impact assessments);
  • Track regulatory requirements; and
  • Map the flow of data through your organisation.

Available on a monthly or annual subscription basis, CyberComply ensures that you stay on top of your cyber security needs in a way that suits you.

The post Monthly cyber security review: December 2019 appeared first on Vigilant Software – Compliance Software Blog.

*** This is a Security Bloggers Network syndicated blog from Vigilant Software – Compliance Software Blog authored by Luke Irwin. Read the original post at: https://www.vigilantsoftware.co.uk/blog/monthly-cyber-security-review-december-2019