Category Archives: national security

SNP MP private email hack

UPDATE 13.02.23: it’s been drawn to my attention that Mr McDonald says that his private account is “not used for constituency or parliamentary business” END UPDATE

It was reported last week that the email account of Stewart McDonald, an SNP MP, had been compromised in what he described as a “sophisticated and targeted spear phishing hack”. The BBC appeared to agree with him, describing it as a “highly targeted and sophisticated attack”.

Maybe it was, although surely MPs are told to be wary of unexpected email attachments, and not to enter system passwords when asked to in palpably suspicious circumstances (McDonald had attempted to open a document apparently sent by a member of his staff, with a military update on Ukraine, and clicking on it brought up a login page for the email account he was using).

But what I haven’t seen raised much in the media is the fact that the account which was compromised appears to have been McDonald’s private email account, and that the offending attachment was sent (or was spoofed to make it look like it was sent) from his staffer’s private email account. The reporting has referred to a “personal” email account, from which it is reasonable to infer that these are not official accounts (such as McDonald’s one given on his parliamentary page).

Only last year the Information Commissioner presented a report to Parliament on the use of private communications channels in government. Although the report was prompted by concerns about the use of such private channels within the Department for Health and Social Care, it made clear that it had general application in relation to the “adopting [of] new ways of working without sufficient consideration of the risks and issues they may present for information management”. The report stresses throughout the importance of “maintaining the security of personal and official information” and the risks that private channels present to such security.

Did Mr McDonald and his staff read it? If not, this tweet he made only a couple of years ago is ironic, to say the least.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Schrems II – what now?

A piece I have written with my Mishcon colleague Adam Rose, looking at the issues for businesses involved in international transfers (esp. to the US).

Make no mistake – the effect of Schrems II is to make bulk/regular transfers of personal data to the US problematic (putting it at its lowest). It arguably has the same effect in respect of transfers to most, if not all, third countries.


Schrems II – this time it’s serious

As soon as judgment came out, my Mishcon de Reya colleague Adam Rose and I recorded our initial reactions to the CJEU’s decision in Schrems II. Here’s the link to the recording. Excuse my lockdown locks.

Some takeaways

  • The EU-US Privacy Shield arrangement for transferring personal data to the US is declared invalid.
  • Parties using Standard Contractual Clauses to transfer personal data from the EEA to countries outside must not do so if, in their assessment, the recipient country doesn’t provide an adequate level of protection. There must now be serious questions as to whether any transfers to the US can be valid.
  • The Binding Corporate Rules regime used by some of the world’s biggest international groups must now also be open to challenge.
  • Data Protection Authorities (such as the ICO) must intervene to stop transfers under SCCs which are made to countries without an adequate level of protection.
  • Post-Brexit UK may be seen as an attractive place for US companies to base operations, but there may well be further legal challenges to such arrangements.


When data security = national security

One of the options open to the Information Commissioner’s Office (ICO), when considering whether to take enforcement action under the Data Protection Act 1998 (DPA) is – as an alternative to such action – to invite an offending data controller to sign an “undertaking”, which will in effect informally commit it to taking, or desisting from, specified actions. An undertaking is a relatively common event (there have been fifty over the last year) – so much so that the ICO has largely stopped publicising them (other than uploading them to its website) – very rarely is there a press release or even a tweet.

There is a separate story to be explored about both the ICO’s approach to enforcement in general and its approach to publicity, but I thought it was worth highlighting a rather remarkable undertaking uploaded to the ICO’s site yesterday. It appears that the airline Flybe reported itself to the ICO last November, after a temporary employee managed to scan another individual’s passport, and email it to his (the employee’s) personal email account. The employee in question was in possession of an “air side pass”. Such a pass allows an individual to work unescorted in restricted areas of airports and clearly implies a level of security clearance. The ICO noted, however, that

“Flybe did not provide data protection training for all staff members who process personal data. This included the temporary member of staff involved in this particular incident…”

This is standard stuff for DPA enforcement: lack of training for staff handling personal data will almost always land the data controller in hot water if something goes wrong. But it’s what follows that strikes me as remarkable:

“the employee accessed various forms of personal data as part of the process to issue air side passes to Flybe’s permanent staff. This data included copies of passports, banking details and some information needed for criminal record background checks. The Commissioner was concerned that such access had been granted without due consideration to carrying out similar background checks to those afforded to permanent employees. Given the nature of the data to which the temporary employee had access, the Commissioner would have expected the data controller to have had some basic checking controls in place.”

Surely this raises concerns beyond the data protection arena? Data protection does not exist in isolation from a broader security context. If it was really the case that basic checking controls were not in place regarding Flybe’s temporary employees and data protection, might it raise concerns about how that impacts on national security?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
