ICO issues maximum £500,000 fine to Facebook

ICO issues maximum £500,000 fine to Facebook

 

The UK privacy watchdog has confirmed that Facebook has escaped a fine of more than $1bn under the GDPR, but will face the maximum under the DPA for failing to protect users’ personal information

The Information Commissioner’s Office (ICO) has fined Facebook £500,000 for serious breaches of data protection law involving Cambridge Analytica that affected 87 million users, including nearly 1.1 million Britons.

In July, the ICO issued a Notice of Intent to fine Facebook as part of a wide ranging investigation into the use of data analytics for political purposes.

After considering representations from the company, the ICO has issued the fine to Facebook and confirmed the amount, which is the maximum allowable under the laws that applied at the time the incidents occurred.

The ICO’s investigation found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded a quiz app, but were simply “friends” with people who had.

Facebook also failed to keep the personal information secure because it did not make suitable checks on apps and developers using its platform. These failings meant one developer, Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge.

A subset of this data was later shared with other organisations, including SCL Group, the parent company of Cambridge Analytica which was involved in political campaigning in the US, the ICO said.

Even after the misuse of the data was discovered in December 2015, the ICO found that Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion. In the case of SCL Group, the ICO said Facebook did not suspend the company from its platform until 2018.

The ICO found that the personal information of at least one million UK users was among the harvested data and consequently put at risk of further misuse.

Elizabeth Denham, information commissioner mentioned that she feels that facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. She felt that a company of its size and expertise should have known better and it should have done better.

This fine was served under the Data Protection Act 1998. It was replaced in May by the new Data Protection Act 2018, alongside the EU’s General Data Protection Regulation (GDPR). These provide a range of new enforcement tools for the ICO, including maximum fines of £17m or 4% of global turnover.

Facebook considered these contraventions to be so serious they imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of their main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.

Facebook’s work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which their society is based.

A further update on the ICO investigation into data analytics for political purposes will be on 6 November, when the information commissioner will give evidence to the Department for Digital, Culture, Media and Sport (DCMS) Select Committee.

In July, the ICO published an interim progress update on its investigation and also published a partner report, Democracy disrupted? Personal information and political influence, looking at the broader policy issues identified during the investigation along with findings and the ICO’s recommendations for future action.

If you want to save yourself stress, money and a damaged reputation from a cyber incident – for a cyber security incident prevention, protection and training please ring us now on 03333 393 139 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

 

 

Making the UK the safest place to live and work online

Government, industry and individuals all have to play their part in enhancing cyber security practices

We all watched a few weeks ago as the chancellor set the new Budget, pledging an extra £1bn to boost UK defences, including cyber security. Add to that the proposed internet safety laws and new regulations around the collection and use of personal data, and in many ways we are on the right path to keeping the UK as a safe place to live and do business online.

But it is always worth reminding ourselves, whether we represent government, industry or the individual, of the key part we all have to play in creating the skills, practices and expectations of a safe online and working environment.

The objective of government should be to help create an environment in which industry and individuals are encouraged to expect and deliver good cyber security, and where the UK has the cyber skills and workforce it needs. This can be achieved through the levers available to government – legislation, policy and incentives.

One area where the government is leading on such efforts in the UK is in establishing new “secure by design” measures, encouraging manufacturers to embed security into the design of new technology rather than as a bolt-on or afterthought.

The Department for Digital, Culture, Media and Sport (DCMS) says there are expected to be more than 420 million internet-connected devices in use across the UK within the next three years, with the risk of poorly secured devices leaving people exposed to large-scale cyber attacks.

Such secure-by-design codes of practice, developed by the DCMS and the National Cyber Security Centre alongside industry, are not only key in driving innovation in technology, but in creating trust between government, industry and individuals through the development of products and services that keep people safe.

The role of government is also to set an example. According to EY’s 2018-19 Global information security survey, half of all local authorities in England still rely on unsupported server software.

In the face of emerging global cyber threats, and as the gatekeepers to our essential services, effective cyber security can only be tackled with the relevant technology and training rolled out across public sector departments, agencies and bodies to protect our critical assets.

 Cyber security awareness

EY’s survey found that 77% of organisations are still operating with limited cyber security and resilience. Asked what they saw as their top vulnerability, 34% of organisations said careless or unaware employees. This underscores the importance of cyber security awareness and culture as key aspects of the defence against cyber attacks.

So what can be done? Even if the board knows that cyber attacks are on the rise, is it prepared to make the necessary investments in people, processes and technology to tackle these issues? The survey is encouraging in this respect, with 53% of organisations saying they have increased their budgets this year and 65% planning an increase next year.

Despite this, most organisations admit they would be unlikely to step up their cyber security practices or spend more money unless they were hit by a breach or cyber incident. So a breach where no harm was caused would not lead to higher spending for most organisations. The problem is that in most cases, harm has been done – it simply has not come to the surface yet.

But there is an opportunity here. Many organisations now regard emerging technologies as a high priority for business growth, which implies that cyber security could, at last, be designed in. That includes more secure cloud and mobile computing, and also enablers such as cyber security analytics, robotic process automation and machine learning, which can provide early detection, prevention and resilience in the event of an attack.

Ultimately, the role of businesses is to protect their enterprise by building effective lines of defence around their business crown jewels, optimising cyber security by leveraging suitable technologies, and embedding cyber security as an enabler, rather than a barrier, to growth.

In an age when we manage most of our lives online, educating the public to be cautious when it comes to operational security can affect individuals positively, both as employees and consumers.

Finally, it is impossible not to mention the cyber skills deficit. With 30% of surveyed organisations saying they still don’t have the skills they need, cyber security must be promoted more strongly as a growing career path.

Government, industry and the individual all have their role to play in this – government in building the education infrastructure for IT; industry in creating the jobs that will encourage the workforce of the future; and individuals by taking the time to understand cyber security.

If you want to save yourself stress, money and a damaged reputation from a cyber incident – for a cyber security incident prevention, protection and training please ring us now on 03333 393 139 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

 

 

Increasing value of personal data a 21st century challenge

The increasing value of personal data presents the challenge of managing a personal data economy

 

 The increasing value of personal data presents the challenge of managing a personal data economy

 

 

At the start of the millennium, the value of online services was equated with the number of registered users, but that changed after the dot-com bubble burst, according to Jon Shamah, chairman of EEMA, the European association for e-identity and security.

Jon felt that since 2010, that understanding has evolved, and increasingly the true value has been recognised as data about those registered users. He told the EEMA ISSE 2018 cyber security conference in Brussels.

He want on to say that the reality was that personal data had value for the service providers, but people were blindly throwing information at these companies in exchange for services.

This approach has changed in recent times, he said, particularly after the Facebook – Cambridge Analytica data sharing scandal that highlighted the potential for personal data to be misused.

People are finally waking up to the value of the information they have so willingly given in the past and their eyes have started to open. The evolution of data analysis tools, including the incorporation of artificial intelligence, he said, means that data collected in the past is becoming useful in new ways and therefore even more valuable.

John mentioned that it also means that service providers are able to analyse users’ online activities, largely without users’ knowledge or consent, and use that to tailor advertising on web pages, creating new and direct revenue streams. Something had to be done, and if it has achieved nothing else, the EU’s General Data Protection Regulation has focused people’s minds and got company executives and board members to take this issue seriously because now they have to be accountable and declare breaches.

This means data protection in Europe, said Shamah, is no longer just the concern of technical teams in organisations, but also chief executives and shareholders.

In the light of the recent revelations about the misuse of data, everyone needs to consider what kind of digital footprint they want to leave; a permanent one like those left by the first astronauts on the surface of the moon or temporary like those left in the sand on a beach.

The aim, he said, should be for digital footprints that last only for as long as they are needed and then erased without a trace. In addition to being disposed of properly, personal data also has to be geographically safe because there are a lot of concerns about where data is stored and keeping it in home jurisdictions, and we need the trustees to be accountable and responsible.”

The issue going forward, said Shamah, is how well people and society will be able to adapt to the new reality that there are no free services without giving up personal data.

Perhaps the company will be able to control their own data through the application of things like self-sovereign identity, but ultimately the challenge is attaining a mixed and balanced personal data economy.

If you want to save yourself stress, money and a damaged reputation from a cyber incident – for a cyber security incident prevention, protection and training please ring us now on 03333 393 139 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

 

DNS attacks cost finance firms millions of pounds a year

Average cost of recovering from a single DNS attack is $924,390 for a large financial services company, survey shows

 Average cost of recovering from a single DNS attack is $924,390 for a large financial services company, survey shows

 

The costs of restoring services after a DNS (Domain Name System) attack are higher for financial services firms than for companies in any other sector.

According to a survey of 1,000 large financial services firms in Europe, North America and Asia Pacific, the average cost of recovering from a single DNS attack is $924,390 for a large financial services company.

The survey, carried out by network automation and security supplier EfficientIP, and its subsequent 2018 Global DNS threat report found that the average cost of recovery for such finance firms had increased by 57% compared with last year.

It also revealed that financial services firms suffered an average of seven attacks each last year, and 19% of them were attacked more than 10 times.

The survey found that finance firms took an average of seven hours to mitigate a DNS attack and 5% of them spent a total of 41 working days mitigating attacks in 2017. More than a quarter (26%) lost business because of the attacks.

The most common problems caused by DNS attacks are cloud service downtime, compromised websites and internal application downtime.

David Williamson, CEO at EfficientIP feels that the DNS threat landscape is continually evolving, impacting the financial sector in particular. This is because many financial organisations rely on security solutions that fail to combat specific DNS threats.

Financial services increasingly operate online and rely on internet availability and the capacity to securely communicate information in real time. Therefore, network service continuity and security is a business imperative and a necessity.

The UK’s Financial Conduct Authority voices concerns about weaknesses in banks’ IT systems.

There was a 48% rise in the amount of money stolen from UK online banks in 2014, as criminals pilfered more than £60m. But IT security teams at large finance firms have to balance their resources in the face of increasing cyber threats. A survey commissioned by VMWare earlier this year showed that 90% of IT security professionals in financial services have to make compromises that could leave other areas of their organisation exposed to cyber threats, and half admitted doing this regularly.

Types of DNS attack include:

  1. Zero day attack – the attacker exploits a previously unknown vulnerability in the DNS protocol stack or DNS server software.
  2. Cache poisoning – the attacker corrupts a DSN server by replacing a legitimate IP address in the server’s cache with that of another, rogue address in order to redirect traffic to a malicious website, collect information or initiate another attack. Cache poisoning may also be referred to as DNS poisoning.
  3. Denial of service – an attack in which a malicious bot sends more traffic to a targeted IP address than the programmers who planned its data buffers anticipated someone might send. The target becomes unable to resolve legitimate requests.
    Distributed denial of service – the attacker uses a botnet to generate huge amounts of resolution requests to a targeted IP address.
  4. DNS amplification – the attacker takes advantage of a DNS server that permits recursive lookups and uses recursion to spread the attack to other DNS servers.
    Fast-flux DNS – the attacker swaps DNS records in and out with extreme frequency in order redirect DNS requests and avoid detection.

If you want to save yourself stress, money and a damaged reputation from a cyber incident – for a cyber security incident prevention, protection and training please ring us now on 03333 393 139 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

 

Defence minister opens £3m cyber security centre in

UK minister for defence procurement has opened a new cyber security centre aimed at boosting UK cyber defence capability and skills.

UK minister for defence procurement has opened a new cyber security centre aimed at boosting UK cyber defence capability and skills.

The Cyber Works centre, which employs 90 people, will enable Lockheed Martin to work more closely with UK partners to share knowledge and best practice, undertake research and develop new cyber defence capabilities.

In February 2017, Lockheed Martin announced that it would support the UK government’s CyberFirst scheme to inspire and support young people considering roles in cyber security.

The Cyber Works centre is designed to deliver cyber capabilities to UK government as well as support the development of skills and careers in cyber security and intelligence.

Harriett Baldwin, UK minister for defence procurement, said that with its £1.9 billion National Cyber Security Strategy, the country is a world leader in the field.

“The opening of today’s cutting-edge centre is a great example of how partnerships with industry are at the heart of that strategy,” she said. “Together, we are developing solutions to national security risks.”

A key part of the Cyber Security Strategy is partnerships with industry, with £10 million being invested in a new Cyber Innovation Fund to give startups the boost and partners they need

Baldwin said the UK is already leading Nato in its support for offensive and defensive operations in the fight against Islamic State (IS) and complex cyber threats. “This centre will further boost the UK’s cyber capabilities,” she said.

Lockheed Martin is the world’s largest aerospace and defence company and a longstanding leader in the fields of cyber security and intelligence.

The company pioneered the development of the cyber kill chain, an analysis method for cyber network defence that has been broadly adopted across industries and sectors.

Lockheed Martin is also a top provider of capabilities to defence and intelligence communities around the world and operates facilities to defend its own networks across 70 countries.

As well as investing in the new facility, Lockheed Martin plans to take part in the National Cyber Security Centre’s £6.5 million CyberInvest scheme to support cutting-edge cyber security research in the UK.

With National Offensive Cyber Planning allowing the UK to integrate cyber into all of its military operations, defence plays a key role in the country’s cyber security strategy, according to the Ministry of Defence (MoD).

Offensive cyber is being routinely used in the war against IS, not only in Iraq but also in the campaign to liberate Raqqa and other towns on the Euphrates, the MoD said.

In defence, the MoD said the £800m Innovation Initiative has already boosted investment in UK research and business, with multimillion-pound competitions to develop artificial intelligence and automated systems.

In January next year, the ministry will open a dedicated state-of-the-art Defence Cyber School at Shrivenham, bringing together all military joint cyber training into one place.

The MoD also has a key role to play in contributing to a culture of resilience, which is why the Defence Cyber Partnership Programme was set up to ensure its industrial partners protect themselves and meet robust cyber security standards, the ministry said.

 

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

 

UK firms still relying on perimeter defences for cyber security

Despite the increasing number of data breaches, many companies are still relying on perimeter defences and are underinvesting in technologies to keep data safe.

Despite the increasing number of data breaches, many companies are still relying on perimeter defences and are underinvesting in technologies to keep data safe.

Some 96% of UK businesses feel as though their network perimeter security is effective at keeping unauthorised users out of their network, according to the fourth-annual Gemalto Data Security Confidence Index.

The global ransomware attack in May 2017 affected more than 200,000 computers in over 150 countries, including in the UK where the NHS was forced to restrict operations and turn away patients.

Across the 10 global regions surveyed, 94% of the more than 1,000 IT professionals said perimeter security is effective, but only 35% said they were extremely confident their data would be secure if perimeter defences were breached.

However, the survey also revealed that 46% of UK businesses are only protecting their customers’ data with passwords, and when considering their latest data breaches, 75% of the data stolen from businesses on average was not encrypted, with 11% of businesses not encrypting any of their data.

“As a security professional, it feels like I’ve been saying forever that basic perimeter security measures are no longer enough,” said Joe Pindar, director of data protection product strategy at Gemalto.

“So it’s worrying to see the UK is continuing to place ultimate faith in these systems, without thinking about what attackers actually want – their data,” he said.

Without a switch in mentality, and starting to protect the data at its source with robust encryption and two-factor authentication, the UK is like one of the three little pigs.

“Unfortunately, the one sitting in the straw house – not realising that when the time comes, passwords and perimeter security alone will not stand up to attackers,” he said.

The Gemalto report notes that many businesses are continuing to prioritise perimeter security without realising it is largely ineffective against sophisticated cyber attacks.

According to the research findings, 76% of global respondents said their organisation had increased investment in perimeter security technologies such as firewalls, intrusion detection and prevention, antivirus, content filtering, and anomaly detection to protect against external attackers.

Despite this investment, 68% believe unauthorised users could access their network, rendering their perimeter security ineffective.

These findings suggest a lack of confidence in the solutions used, especially when over a quarter (28%) of organisations polled have suffered perimeter security breaches in the past 12 months. The reality of the situation worsens when considering that, on average, only 8% of data breached was encrypted.

Businesses’ confidence is further undermined by over half of respondents (55%) not knowing where their sensitive data is stored. In addition, over a third of businesses do not encrypt valuable information such as payment (32%) or customer (35%) data.

According to the Gemalto report, this means that, should the data be stolen, a hacker would have full access to this information, and could use it for crimes including identify theft, financial fraud or ransomware.

“It is clear there is a divide between organisations’ perceptions of the effectiveness of perimeter security and the reality,” said Jason Hart, vice-president and chief technology officer for data protection at Gemalto.

“By believing that their data is already secure, businesses are failing to prioritise the measures necessary to protect their data, which is a company’s most valuable asset,” he said, adding that it is important to focus on protecting this resource. “Otherwise, reality will inevitably bite those that fail to do so.”

 

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Major cyber incidents accelerating, says NCSC

The UK is seeing an acceleration in major cyber security incidents, according to the country’s cyber security protection agency.

The UK is seeing an acceleration in major cyber security incidents, according to the country’s cyber security protection agency

In the eight months since inception, the UK’s National Cyber Security Centre (NCSC) has recorded 480 major cyber incidents requiring its attention.

However, there has been big rise in these types of incidents in the past few months, in part due to an improved ability to spot them and a greater willingness to report them, according to John Noble, director of incident management at the NCSC.

“This increase in major attacks is mainly being driven by the fact that cyber attack tools are becoming more readily available, in combination with a growing willingness to use them,” he told The Cyber Security Summit in London.

Although the WannaCry ransomware attacks in May 2017 came very close, Noble said there had been no C1-level national cyber security incidents to date.

The majority of the major incidents the NCSC has dealt with were C3-level attacks, typically confined to single organisations. These account for 451 incidents to date.

The remaining 29 major incidents were C2-level attacks, significant attacks that typically require a cross-government response.

Across these nearly 500 incidents, Noble said there were five common themes or lessons to be learned.

1. There is still a need for organisations to get the basics right

“We are still seeing organisations that are not getting the basics right, like software security patching, antivirus updating and putting in basic protections and controls for system administrators, who are typically big targets for attackers to steal their credentials,” said Noble.

2. Failure to get the balance right between usability and security

“In the vast majority of incidents we see, victim organisations have got this balance wrong, leaning too far in the direction of convenience and usability leading to things like logging being turned off to optimise performance,” said Noble.

“The decision-making around where to strike that balance is typically confused because of the complexity of the enterprises being defended, and because of a lack of understanding about what they are trying to prevent and which data really matters,” he said.

3. Legacy systems and equipment

The existence of legacy systems and equipment in the enterprise presents opportunities to attackers, said Noble. “Often, when we investigate incidents, we find it is in the legacy systems that the compromise has begun,” he said.

4. Outsourcing

“In early 2017, we reported on a major compromise of managed service providers, which provide a tremendous opportunity for bad actors,” said Noble, alluding to Operation Cloud Hopper that was uncovered in April.

“MSPs enable attackers to obtain security credentials in one country, traverse across their network, and then compromise a company or series of companies in another country, and exfiltrate the data through a third country,” he said.

In response, Noble said the NCSC had published a list of questions organisations should ask their MSPs in terms of security.

“Similarly, organisations need to understand the security implications of their supply chains, who they are connecting up to, and what risks are involved,” he said.

5. Mergers and acquisitions

In mergers and acquisition, cyber security is often overlooked in the due diligence process, said Noble. “As a result, the cyber risk is not understood and not addressed effectively,” he said.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

The National Cyber Security Centre officially opens for business

The Queen officially opened the National Cyber Security Centre (NCSC) yesterday- the single, central body for cyber security at a national level.

The Queen officially opened the National Cyber Security Centre (NCSC) yesterdayThe NCSC is core to the government’s National Cyber Security Strategy, which was unveiled on 1 October 2016.

Staff in Victoria, central London, will be joined by experts from GCHQ and the private sector to help identify threats.

At the time, Chancellor of the Exchequer Philip Hammond said: “The new National Cyber Security Centre will provide a hub of world-class, user-friendly expertise for businesses and individuals, as well as rapid response to major incidents.”

Hammond said the government’s 2015 Strategic Defence and Security Review classified cyber as a Tier One threat to the UK, and outlined the actions the government needed to take to secure the country.

According to the National Cyber Security 2016-2021 report, NCSC’s role will be to manage national cyber incidents, provide an authoritative voice and centre of expertise on cyber security, and deliver tailored support and advice to government departments, the devolved administrations, regulators and businesses.

“The NCSC will analyse, detect and understand cyber threats, and will also provide its cyber security expertise to support the government’s efforts to foster innovation, support a thriving cyber security industry, and stimulate the development of cyber security skills,” the report said.

There were 188 cyber attacks classed by the NCSC as Category Two or Three during the last three months.

And even though the UK has not experienced a Category One attack – the highest level, an example of which would have been the theft of confidential details of millions of Americans from the Office of Personnel Management – there is no air of complacency at the NCSC’s new headquarters.

Ciaran Martin, the centre’s chief executive, said “We have had significant losses of personal data, significant intrusions by hostile state actors, significant reconnaissance against critical national infrastructure – and our job is to make sure we deal with it in the most effective way possible.”

As well as protecting against and responding to high-end attacks on government and business, the NCSC also aims to protect the economy and wider society.

The UK is one of the most digitally dependent economies, with the digital sector estimated to be worth over £118 billion per year – which means the country has much to lose.

It is not just a crippling cyber-attack on infrastructure that could turn out the lights which worries officials, but also a loss of confidence in the digital economy from consumers and businesses, as a result of criminals exploiting online vulnerabilities.

A sustained effort was required by government and private sector working together to make the UK the hardest possible target, officials say.

Russia has been the focus of recent concern, following claims it used cyber-attacks to interfere with the recent US presidential election.

“I think there has been a significant change in the Russian approach to cyber-attacks and the willingness to carry it out, and clearly that’s something we need to be prepared to deal with,” Mr Martin said.

Yahoo confirms one billion users have had data hacked

Bob Lord, chief information security officer at Yahoo, admits details of the breach in a blog post.

Bob Lord, chief information security officer at Yahoo, admits details of the breach in a blog post.“We believe an unauthorised third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft,” he said.

Speaking to Computer Weekly, Jonathan Care, a research director at market watcher Gartner, said Yahoo’s lack of clarity on this point was troubling.

“The implication is that Yahoo has overly focused on deploying protective technologies, and has not put in place effective analytics, detection and response systems and processes,” he said.

“From what we do know, the attackers made use of cookie masquerading, pass-the-hash and a state-sponsored actor. This gives strength to the importance of a strong detection plan.”

The incident came to light after US law enforcers shared files with the company that a third-party claimed contained Yahoo user data.

“We analysed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data,” said Lord.

Yahoo admits that staff knew about the data breach two years before it was confirmed publicly, and that the incident could affect the $4.83bn sale deal with Verizon.

“For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”

“We are notifying potentially affected users and have taken steps to secure their accounts, including requiring users to change their passwords,” he said. “We have also invalidated unencrypted security questions and answers so that they cannot be used to access an account.”

Which suggests that many personal questions have been hacked as well.

This latest breach comes several months after Yahoo revealed details of another historic attack on its systems, dating back to 2014, which led to the personal details of at least 500 million users becoming exposed.

At the time, the incident was reported to be the largest publicly reported breach of its kind, but the August 2013 one is understood to be considerably bigger.

After news of the 2014 hack broke, Yahoo confirmed some staff knew about it several years before details were publicly disclosed, and acknowledged that it could lead to Verizon withdrawing its $4.83bn bid to acquire the company.

In light of its latest disclosure, questions are now being raised about how the news may affect the deal, given Verizon went on record in October 2016 to say the previous breach could pave the way for it to drop its bid.

“It also emphasises the importance of purchasers understanding the security risks of target businesses and building in contractual mechanisms to adjust the price, or even allow them to walk away from the deal if breaches like these come to light before completion.”

“Clearly, the upshot of this is that we need to realise that it’s no longer a case of ‘if we’re targeted or unlucky’, but that we are all targets.”

Camelot’s National Lottery accounts are hacked

It could be you- as tens of thousands of online lottery Camelot players’ accounts are hacked.

It could be you- as tens of thousands of online lottery Camelot players' accounts are hacked.National Lottery operator Camelot says the login details of thousands of people who do the lottery online have been stolen.

There are 9.5 million national lottery players registered online, but Camelot said only around 26,500 accounts were accessed. It added that fewer than 50 accounts have had suspicious activity, such as personal details being changed, since the breach.

The company said it unearthed “suspicious activity on a very small proportion of our players’ online National Lottery Accounts” during its online security monitoring on 28 November 2016.

It added that there has been no unauthorised access to core systems. “In addition, no money has been deposited or withdrawn from affected player accounts,” said Camelot.

“However, we do believe that this attack may have resulted in some of the personal information that the affected players hold in their online account being accessed.”

The company said it is now trying to find out what happened, but it believes that “the email address and password used on the National Lottery website may have been stolen from another website where affected players use the same details”.

The affected accounts have been suspended and Camelot will contact the account holders to re-activate them. Camelot added that it is working with the National Cyber Security Centre on the incident.

Are you an online lottery player?

If so, just crossing your fingers is not enough. To mitigate risks in the short term, account holders should update passwords and avoid using the same password across multiple sites.