Misconfigured Server costs firm £80,000

Question: How do you cost your company £80,000 with one relatively small computer error?

(Short) Answer: You misconfigure an FTP (file transfer protocol) server . . . and then forget about it and leave it running.

This was the lesson Life at Parliament View Limited recently learned when the Information Commissioner’s Office (https://ico.org.uk) fined it £80,000 for violating the 7th principle of the Data Protection Act 1998 (“DPA”). See https://ico.org.uk/media/action-weve-taken/mpns/2615396/mpn-life-at-parliament-view-limited-20190717.pdf. ICO could have fined it £500,000 (the maximum under that act) – but chose to only implement 16% of the maximum fine.

What happened? Life at Parliament needed to mass transfer personal data – though not particularly sensitive data (note 1) – to a data processor, and chose to use an FTP server. They intended to use a feature of this server to require a username and password, but the technicians misunderstood the server documentation from Microsoft and ended up putting the server in Anonymous Authentication mode. In addition, “The FTP server was further misconfigured in that whilst approved data transfers were encrypted, personal data transmitted to non-approved parties was not. As such, transfers of personal data over FTP to non-approved parties had the potential to be compromised or intercepted in transit.” (Though not explained in the opinion, this was likely a fallback setting that allowed the server to transmit over a non-encrypted channel if the receiving party did not have a secure channel available.) The server was left in this condition for just shy of 2 years. Computer logs showed over 500,000 anonymous data requests. Eventually a hacker (well, really a person with ordinary computer skill who located the open FTP server) who had obtained the data began extorting Life at Parliament.

While the failure of basic computer security is plain in this case, it is noteworthy that ICO also found the following violations:

  1. Post configuration of the server, LPVL failed to monitor access logs, conduct penetration testing or implement any system to alert LPVL of downloads from the FTP server, which would have facilitated early detection and containment of the breach;
  2. Failure to provide staff with adequate and timely training, policies or guidance either in relation to setting up the FTP server, or information handling and security generally.
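The kind of basic log monitoring ICO found missing (anonymous logins and downloads sitting unnoticed in the access logs) is easy to illustrate. The following is an added example, not code from the decision or from LPVL: it assumes the IIS FTP W3C log layout (a `#Fields:` header followed by space-separated rows), the sample rows and IPs are constructed, and the function names are the example's own.

```python
from collections import Counter

# Constructed sample, not real LPVL log data. Field names follow the IIS FTP
# W3C format; the IPs, paths and session ids are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2019-01-10 09:12:01 203.0.113.5 anonymous 10.0.0.4 21 USER anonymous 331 0 0 1a /
2019-01-10 09:12:01 203.0.113.5 anonymous 10.0.0.4 21 PASS *** 230 0 0 1a /
2019-01-10 09:12:07 203.0.113.5 anonymous 10.0.0.4 21 RETR /tenants/passport_1.jpg 226 0 0 1a /tenants/passport_1.jpg
2019-01-10 09:12:09 203.0.113.5 anonymous 10.0.0.4 21 RETR /tenants/bank_statement.pdf 226 0 0 1a /tenants/bank_statement.pdf
2019-01-10 09:15:40 198.51.100.7 approved_processor 10.0.0.4 21 RETR /export/batch.csv 226 0 0 2b /export/batch.csv
2019-01-10 09:16:02 203.0.113.9 anonymous 10.0.0.4 21 RETR /tenants/payslip.pdf 550 2 0 3c /tenants/payslip.pdf
"""

def parse_w3c(text):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def anonymous_downloads(text):
    """Return (time, client ip, path) for every successful anonymous RETR.

    sc-status 226 is the FTP 'transfer complete' reply, so a 550 (file
    unavailable) row is a failed attempt and is not counted as a download.
    """
    return [
        (r["time"], r["c-ip"], r["cs-uri-stem"])
        for r in parse_w3c(text)
        if r["cs-username"].lower() == "anonymous"
        and r["cs-method"] == "RETR"
        and r["sc-status"] == "226"
    ]

def alerts(text, threshold=1):
    """Count successful anonymous downloads per client IP and return the IPs
    at or above the threshold; on a server meant to require credentials,
    even one anonymous download is an alert condition."""
    counts = Counter(ip for _, ip, _ in anonymous_downloads(text))
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for hit in anonymous_downloads(SAMPLE_LOG):
        print("anonymous download:", *hit)
    print("alerting IPs:", alerts(SAMPLE_LOG))
```

Run over a real log directory on a schedule, the same filter would have surfaced the anonymous traffic long before the extortion attempt.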

ICO has been very active in the general data protection space and in issuing fines, and this decision – while an easy one in light of the poor computer security practices – is telling because ICO also found secondary violations in the post-implementation failures to detect and to train.

The same tendency is appearing in the US – the FTC and state Attorneys General are increasing their oversight of data protection, and several states (e.g. California, with the CCPA) are enacting new data protection and data oversight requirements. While the FTC has had some wins (see a recent order against a car dealer – no fine, but a consent order – where unencrypted data was exposed for 10 days: https://www.ftc.gov/news-events/press-releases/2019/06/auto-dealer-software-provider-settles-ftc-data-security) and at least one major setback in its efforts against LabMD (http://media.ca11.uscourts.gov/opinions/pub/files/201616270.pdf), it is likely that government regulators will start going after companies that have engaged in less egregious data security violations but nevertheless have lax training or monitoring in place, and will probably also pursue smaller businesses that may not have the resources for a robust security system and training.

For more information on our data security and privacy practice contact Mike Oliver.


(note 1): The opinion describes the data as follows: “The types of personal data potentially compromised included names, phone numbers, e-mail addresses, postal addresses (current and previous), dates of birth, income/salary, employer details (position, company, salary, payroll number start date, employer address & contact details), accountant’s details (name, email address & phone number). It also contained images of passports, bank statements, tax details, utility bills and driving licences of both tenants and landlords.”

More Countries Join the Madrid Protocol – Next Up: India

Effective July 8, 2013, India will join the Madrid Protocol – the international trademark registration system. This follows Colombia, Mexico, New Zealand and the Philippines, which have all joined the Madrid Protocol within the past 12 months.

The Madrid Protocol is one of the two treaties of the Madrid System (or the International Trademark System), which allows a trademark owner to seek international registration with one filing. Businesses are growing worldwide, and more and more of them are finding that they need international protection. Under the Madrid Protocol, international registration is a simpler and more cost-effective means for a trademark owner to obtain trademark protection in up to 90 designated countries with only one trademark application. Registration under the Madrid Protocol is also beneficial from a management standpoint: the international registration can be managed more easily, since a single step records any change to the registration, such as a change in ownership or even in the owner's address.

Thus, if your company wants to obtain trademark protection in 15 countries, rather than having to file, pay for and manage 15 trademark filings in various countries, it can obtain that protection with a single application. This is cost-effective not only in filing fees but also in the time spent preparing and filing the trademark application. Although filing under the Madrid Protocol is beneficial to all trademark owners, no matter how small or large the company, smaller businesses that once thought international trademark protection was simply not feasible from a cost perspective can now realistically move toward international trademark registration and protection on a global basis under the Madrid Protocol.

For more information, please contact Kim Grimsley at kim@olivergrimsley.com.