This week:

3 – UK Tax Authority loses £47 million in phishing scams

2 – Cyber attackers are targeting Salesforce users

1 – A day late and a dollar short: The DPC’s investigation into the Public Services Card

 


 

3 – UK Tax Authority loses £47 million in phishing scams

“A phishing scam has cost [the UK’s] HM Revenue and Customs (HMRC) £47 million”

Source: Reuters

 

What’s the story?

Fraudsters posing as ‘customers’ of the UK tax authority have managed to steal £47 million from HM Revenue and Customs (HMRC). This is according to the Chief Executive of HMRC at a recent House of Commons committee hearing into the workings of the tax office.

According to a separate statement from HMRC, this was not a cyber attack on HMRC’s own systems. It was criminals “using phishing tactics” to gain access to taxpayers’ HMRC online accounts, change the bank details held on those accounts, and then claim tax refunds, which were paid out to the attackers’ bank accounts.

Apparently, 100,000 taxpayers’ accounts were accessed.

 

So what?

It sounds like the criminals fooled enough taxpayers, with emails designed to look like they came from HMRC, to get the login details for around 100,000 accounts. Once inside, the pattern is simple: change the bank account on file, then claim a refund. Any service that pays money out should treat a change of payee bank details followed shortly by a refund or withdrawal request as a high-risk sequence, and confirm the change with the account holder through a channel the attacker doesn’t control.

 


 

2 – Cyber attackers are targeting Salesforce users

“the attacks target English-speaking employees with voice phishing attacks”

Source: Bleeping Computer (via Secure The Village)

 

What’s the story?

Google security researchers have noticed an increase in the number of cyber attackers targeting Salesforce accounts. The attackers, pretending to be IT Support, are phoning employees and trying to trick them into ‘accepting a connection’ (in Salesforce terms, authorising a connected app) against their own Salesforce account.

If the employee accepts the connection request, the attackers gain immediate access to any data that this employee can access in Salesforce. The employee has logged in and passed any MFA check themselves; the attacker’s app is simply issued an access token on the back of that session, so there is no password to steal and no MFA prompt to bypass.

The attackers can download copies of this data, change it, or delete it.

 

So what?

This type of ‘connection request’ attack (Microsoft calls it an ‘illicit consent grant’; others call it consent phishing) has been a significant problem for Microsoft 365 users for many years. It is now becoming a serious problem for Salesforce users.

Fortunately, there’s an easy solution to the problem: on both platforms, you can stop ordinary users from authorising these connections themselves and require an administrator to approve each app*, so even if an employee is fooled, the connection will fail.

Unfortunately, Microsoft and Salesforce live in a world where everyone on the internet can be trusted, so they are not blocked by default.

(* If you want the specific steps to do this, let me know and I’ll send you the instructions.)
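Whichever platform you run, the thing to hunt for in the logs is the same: a user (not an administrator) granting an app the right to read or export data, and in particular the same unfamiliar app being authorised by several users within a short period, which is what a vishing campaign looks like from the inside. The following is an added example, not code from the original post or from Salesforce, Microsoft or Google. It runs a small triage over a constructed, simplified consent log; the pipe-separated field layout is an assumption for illustration (real Entra ID ‘Consent to application’ audit entries and Salesforce connected-app OAuth logs carry the same information under other field names), and the app names and users are made up.

```python
"""Triage OAuth consent ('connection') events for signs of consent phishing.

Added example; not from the original post. The log format below is a
constructed, simplified one:  ts|user|app|granted_by|scope1 scope2 ...
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Apps an administrator has reviewed and approved (constructed allowlist).
APPROVED_APPS = {"corp-data-loader", "hr-sync"}

# Scopes that let an app read or export the user's data. These are real
# Salesforce ("api", "full", "refresh_token") and Microsoft Graph scope names;
# the set is an assumption about what this organisation considers risky.
RISKY_SCOPES = {"api", "full", "refresh_token",
                "Mail.Read", "Files.Read.All", "Sites.Read.All"}

# Several users authorising the same unapproved app inside this window is
# treated as one campaign rather than unrelated one-off grants.
CAMPAIGN_WINDOW = timedelta(hours=24)

# Constructed sample log: one approved admin grant, a made-up "support" app
# authorised by two users within 40 minutes, a mail-reading app, and a
# harmless app that only asked for identity scopes.
SAMPLE_LOG = """\
2025-06-02T09:12:00|alice@example.com|corp-data-loader|admin|api refresh_token
2025-06-02T10:03:00|bob@example.com|IT-Support-Connector|user|api refresh_token
2025-06-02T10:41:00|carol@example.com|IT-Support-Connector|user|api refresh_token
2025-06-02T11:15:00|dave@example.com|Outlook Helper|user|Mail.Read offline_access
2025-06-02T12:00:00|erin@example.com|my-calendar-widget|user|openid profile
"""


def parse_event(line):
    """Split one pipe-separated consent event into a dict."""
    ts, user, app, granted_by, scopes = line.strip().split("|", 4)
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "app": app,
        "granted_by": granted_by,
        "scopes": set(scopes.split()),
    }


def find_suspicious_consents(lines, approved=APPROVED_APPS, risky=RISKY_SCOPES):
    """Return (flags, campaigns).

    flags:     one entry per user-granted consent to an unapproved app that
               received at least one risky scope, in log order.
    campaigns: app -> sorted users, for any flagged app authorised by two or
               more distinct users within CAMPAIGN_WINDOW of its first grant.
    """
    flags = []
    by_app = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        risky_hit = ev["scopes"] & risky
        # Admin-approved grants and apps on the allowlist are expected;
        # an app that only got identity scopes cannot pull the user's data.
        if ev["granted_by"] != "user" or ev["app"] in approved or not risky_hit:
            continue
        flags.append({"ts": ev["ts"], "user": ev["user"], "app": ev["app"],
                      "risky_scopes": sorted(risky_hit)})
        by_app[ev["app"]].append(ev)

    campaigns = {}
    for app, evs in by_app.items():
        evs.sort(key=lambda e: e["ts"])
        first = evs[0]["ts"]
        users = {e["user"] for e in evs if e["ts"] - first <= CAMPAIGN_WINDOW}
        if len(users) >= 2:
            campaigns[app] = sorted(users)
    return flags, campaigns


if __name__ == "__main__":
    flags, campaigns = find_suspicious_consents(SAMPLE_LOG.splitlines())
    for f in flags:
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['user']} granted {f['risky_scopes']} to '{f['app']}'")
    for app, users in campaigns.items():
        print(f"possible campaign: '{app}' authorised by {', '.join(users)}")
```

On the sample, the two grants to the made-up ‘IT-Support-Connector’ surface as a campaign while the admin-approved loader and the calendar widget stay quiet. Once user consent is switched off as described above, any new entry with `granted_by` equal to `user` is itself the finding: it means the setting has been changed back.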

 


 

1 – A day late and a dollar short: The DPC’s investigation into the Public Services Card

“[Ireland’s] Data Protection Commission (DPC) has fined the Department of Social Protection (DSP) €550,000 for breaches of privacy rules relating to the use of facial recognition technology in the registration process for the Public Services Card.”

Source: RTE News

 

What’s the story?

Ireland’s data protection regulator has completed a four-year investigation into a government department’s use of facial templates and the facial-matching (facial recognition) technology built on them.

As a result of the investigation, the DPC has issued a reprimand and a €550k fine. And a press release.

In response, the government department has said it disagrees with the DPC finding and will consult with the Attorney General’s Office before deciding to either appeal the decision or rectify the issues “as perceived by the DPC“.

In other words, nothing has changed and this is not the end of the story.

 

So what? 

If you don’t live in Ireland, you may not know about the ongoing circus surrounding the ‘Public Services Card’ (PSC). For example, if you want to know the difference between ‘mandatory’ and ‘compulsory’, older news reports may not help you, but they are entertaining.

This particular finding from the DPC relates to the processing of ‘facial templates’ (i.e. biometric data that has ‘special category’ protection under GDPR). According to the DPC investigation, this government department has been processing this biometric data for at least 15 years without a lawful basis for doing so.

I’m not a legal eagle, but this sounds like a government department has been breaking the law for 15 years.

And the DPC has now told it to stop breaking the law… in nine months’ time… unless it can find a lawful basis in the meantime.

They are currently searching for this lawful basis down the back of the sofa.

And as for that €550k fine? That’ll be a transfer between cost centres on the SAP system.