
South Wales Fire and Rescue Service staff data breached - expert comment

February 2016 by Richard Cassidy, technical director EMEA at Alert Logic

A story broke on the BBC earlier this afternoon, stating that the security systems at a fire service have been breached, with staff data being accessed in the process. On Friday night, South Wales Fire and Rescue Service was told about an information security breach relating to employees’ personal data.

A 59-year-old woman from Bridgend has been arrested in connection with data protection offences. The fire service did not disclose how many people were affected, but said it was limited to its own employees.

The matter has been reported to the Information Commissioner’s Office and the fire service said it was working with employees and unions to "mitigate any potential risk to its staff and also to assist individuals taking their own actions to mitigate such risk".

Commenting on this, Richard Cassidy, technical director EMEA at Alert Logic, said:
"Public services and utility providers have long been a target for bad actor cells, given both the political nature and gains in media from either a socioeconomic and/or sociopolitical perspective. If, as a bad actor group, you’ve been able to gain access to and/or disrupt/exfiltrate the data housed in a public services network - especially an emergency service - it will draw a great deal of attention and provide a platform for further messaging.

Many consider the data of our emergency services to be highly secure and, for the most part, the networks are entirely segregated, with protected transport networks and airwave communications; however, data housed within these environments can be very lucrative in the cyber criminal underground and easily monetised given its sensitive nature. We know from research that key bad actor cells have made it very clear that they will continue to target national utility and infrastructure networks, with some lower profile breaches seen over the past 18 months; largely, however, these breaches have been limited to employee data. That said, however, this is always a first step to more serious breaches and should absolutely send a “shot-across-the-bow” to data and security practices, needing a thorough review.

This particular breach seems to be limited to employee data only. Attacks of this kind always follow a distinct pattern that can be identified through collection, correlation and review of data transactions to key assets (servers, databases and applications) that serve our national emergency services networks. This highlights a key need to ensure a more proactive level of monitoring and constant “stress-testing” against threat vectors; in short, it’s important for our emergency services to understand the key data bad actors will target, look at the methods of access to that data and ensure the correct tools are in place to protect it (right across the network framework). Hackers will always favour the path of least resistance, so social-engineering or “spear-phishing” attacks given that they can reap rewards in a far shorter time frame; that doesn’t, however, mitigate the threat of exposing poorly maintained network infrastructure, servers or vulnerable applications, which is why visibility of all data transactions, monitored for threat activity and anomalous activity, reviewed by experts who intrinsically understand how zero-day and complex threats proliferate, is key."

