"and by making sure employee behavior is driven towards best practices."
Of which the primary best practice is not opening the blasted attachment from somebody you don't know.
A water company in the drought-hit UK was recently compromised by a ransomware gang, though initially it was unclear exactly which water company was the victim. Clop, a prolific Russian-speaking gang known for extorting industrial organizations, claimed on its website that it had broken into and stolen data from Thames Water …
a 100% watertight .. environment
The water companies think a little leakage is OK, this year they're crowing about how they've got it down to 1,078,210,000,000 litres of water a year. That's 3.2 trillion cans of coke, 431,284 olympic swimming pools, or the average discharge of the river Thames in London for 189 days*
* Someone might have to check my maths on that one. Thames average discharge at London is 66m³/s, so (2954 * 1000000 * 365) / (1000 * 66) / (60 * 60 * 24) = 189.08
?
And for as long as it's been reported in the news, as far back as I can remember, Thames Water have consistently been at the top of the list. When the customers can't choose the supplier, reputation matters little.
I think I read somewhere that Thames Water was not just top of the list, but by a large margin, losing over 40% more water through leaks than the company in 2nd place.
*ONLY* regulation can do anything, but that means a properly funded regulator with real powers. Maybe we could start by freezing the executive pay (up 21% in the last year for CEOs) and freezing shareholders' dividends for a couple of years, re-investing it back into the leaking pipes problem. My local water company came out top of the dividend league, paying out over £123m, money that could have gone into repairing the pipes.
What ever happened to Anti-Virus software scraping this stuff into quarantine ??
All I seem to get these days is a semi-literate and wildly inconsistent accumulation of useful stuff and obvious spam quietly pushed into Junk... and an Anti-Phish submission button on my corporate Outlook.
Come back, Dr Solomon’s AVTK for Exchange Server !!
It is all "Next-Generation" cloud-based stuff that automagically provides perfect protection, requires zero management and has no impact on the system.
That they are all useless is irrelevant. If something cannot detect eicar or a test script payload, how do I know it is working?
The answer is you don't, but as long as there is a little symbol somewhere on a task bar or service running all is well with the world and YOU ARE PROTECTED!!!!!
That is if you believe all the sales hype.
My experience is that they are all shite but have fantastic sales teams.
>If something cannot detect eicar or a test script payload, how do I know it is working?
That's only the beginning...
I'm p***ed off with a major provider of cloud security to businesses. Their product seems to be doing its job; however, it keeps sending me "you are under attack" alerts. Go to the dashboard to investigate and find there is no detailed information, not even the IP addresses of where "the attack" is originating from. So I'm unable to do anything to mitigate "the attack". For one "attack" I did do some legwork, only to find (and subsequently confirmed by reproducing the alert) the source was myself having finger problems logging on as admin, so taking a few attempts to get the password right in quick succession; I decided to ignore the advice to set up a VPN...
"we take the security of our networks and systems very seriously"
They may as well not bother putting any wording resembling that phrase in any announcement they make. Principally because:
A) They feel they have to include it because they like to think it's reassuring to their customers, shareholders and the relevant regulator, even if they don't really believe it
B) No-one else believes it anyway
Well, to be fair, Thames Water have been trying to invest in a new reservoir in Oxfordshire for the past 30 years but the local NIMBYS have repeatedly blocked it. Those same NIMBYS are the first to complain about hosepipe bans, of course.
They've been trying to force their customers to "invest" instead of fixing their notoriously leaky and under-maintained pipes, which they'd have to pay for themselves, or linking up with other suppliers. Wasn't it also Thames Water who sold a bunch of reservoirs to housing developers? I may be thinking of a different water company but it wouldn't surprise me if it was TW.
>but the local NIMBYS have repeatedly blocked it.
A quick google indicates the NIMBYs were a long way down the list of reasons to block the application:
"To date, it’s always fallen down with Ofwat [the regulator] on the grounds of value vs need and local opposition in planning."
"OXFORDSHIRE County Council has torn apart Thames Water's case for building a reservoir the size of Heathrow Airport south of Abingdon." i.e. Thames Water couldn't do maths.
Additionally, Londoners need to understand, the rest of the country isn't there just to serve their needs.
>What have Londoners got to do with it?
From the reports, it seems satisfying the London demand was the key reason for this reservoir. (*) Interestingly, one of the reasons why the local planning rejected the application was that it did not take into consideration local development and needs.
(*) London demand is a reason why there are so many London overspill housing developments. Also it wasn't that long ago that various (Conservative controlled) London boroughs hit on the wheeze to export their people in need of social housing to outside London and thereby alter the voting demographic of their borough.
Whilst not siding with the water companies here, fixing the leaks is rather more challenging than most people realise.
The leaks that hit the news are actually catastrophic failures of large water mains, often caused by subsidence in the surrounding soil or traffic. Yes these do spew a lot of water all over the place but by their very nature, once it has failed it has to be fixed.
Most of the leakage that is complained about is occurring in small, lower pressure pipes. In this situation the leak can be seepage from a joint or crack into the surrounding soil with no indication that it is happening. It is only when the water finally starts oozing to the surface of the road/pavement/lawn that it becomes apparent.
Once the leak has been found, they have to go through all the process of obtaining the work orders from the local authorities, possibly road closures etc. to schedule the work. Again, this is where it is different to the large bursts. Those have usually closed roads already and stopped people's water supply.
This is near where my parents live and the size of the holes was spectacular.
Many lorry loads of aggregate had to be brought in to fix the worst break as the water has blown so much of the ground away. Yes, the main is old and is only now being replaced completely but it is on a major feeder road to the M25 so chaos all round as it covers about 5 miles of road.
https://www.getsurrey.co.uk/news/surrey-news/7-times-burst-water-mains-11611187
Even if you could send something down the pipe with a camera it is unlikely to find the leaks. This in itself is a challenge compared to fixing your sewer because it is under pressure.
Note that the complaints here aren't about "water companies", they're specifically about Thames Water. Yes, leaks are difficult to find and fix. That does not explain why Thames Water finds it so much more difficult to find and fix them than any other water company in the country. And it doesn't explain why they're able to pay out millions in bonuses and dividends while being repeatedly fined for not fixing leaks and for continuously dumping raw sewage into the environment. There are water companies that haven't been fined for incompetence at all; with Thames Water, the only question is how big the annual fine will be compared to the CEO's bonus.
I don't see how it can be so hard to find a leak. You just measure the water going in one end of the pipe and compare with the amount coming out the other. Then keep moving the location of your measuring rig. I imagine some kind of expandable plug that travels down the pipe.
Why are a water company keeping copies of passport scans and driving licenses?
Yes, I can see that there might be some need to verify them at some point (there shouldn't be - it is none of their business who I am as long as the bills are being paid, but that is a separate battle). But they should keep a record of having done so, not the data itself! What possible excuse is there for a utility company or other business keeping such critical personal security data on their systems?
Whatever the tiny benefit, it is completely outweighed by the massive risk to society of large quantities of important security information being exposed.
That makes more sense, but it clearly shows that the policy is wrong. The tiny value to society from proof of doing right-to-work checks is less than the risks to society of having copies of passports and driving licenses lying all over the internet!
"probably staff rather than customers?"
Doesn't matter. They still only need to keep a record that the data has been verified, e.g. passport could relate to the Right To Work, driving licence for any employee required to drive a vehicle on behalf of the company, but neither need to be kept in their entirety, especially as scans. Even a driving licence should only really need a record of what classes of vehicle are covered against the named employee.
Being a remote worker, my employer requires an annual driving licence check. I send them a scan, they confirm the details, they delete the file. (I actually send them the same scan each year, since nothing changes and no one ever notices or complains :-))
Although now I come to think of it, it's entirely likely that those scans might still be in some email archive. I must ask about that on Monday. Most of our emails default to auto-delete in 2027/8 or thereabouts (5 years autodelete??) so just deleting it in Outlook obviously isn't enough.
I've worked with companies that need to comply with Anti Money Laundering and other regulatory checks*. Quite simply they are scared that some kind of compliance audit or investigation asks for the underlying proof of existence of data. They balance this risk against the cost of storage and cost of falling foul of GDPR regulations and say "uh oh, let's keep it."
What is needed (with caveats) is a government system-generated hash that proves the underlying document has been eyeballed, and this is all that needs to be recorded apart from the textual information contained therein. I know that something like that exists for UK Certificates (the System No. at bottom left), but is everyone that needs to know this aware of it, and can all regulatory bodies unlock that data to double-check it? (Many sources quote the top right hand alpha-numeric code, which is different). Against this, a ne'er-do-well artist can probably hack this data and bluff their way through with it. The GRO System No. is 9 digits long. It must have redundancy checks built into it to prevent hacks, surely?
These questions, until definitively addressed, mean that staff will cover their backsides by scanning everything they think may be relevant.
===
I have a suspicion that the reason that a lot of unencrypted image files are out there is due to the use of databases where, yes, the data is encrypted, but the designers have decided that the storage cost and speed of access of incorporating the image files into the actual database is too great, and instead coded in a url to the image file itself.
*In reality, that is all companies!
>This will be for staff...
So either the company's secure HR system, where such documents should be retained, has been breached; so the hackers also know salary, bank details and other information that would facilitate identity theft... Or GDPR information is being kept in emails or on company internally open storage.
Why are a water company keeping copies of passport scans and driving licenses?
Recently, via the miracle of Mailsort * I received some vouchers from JUUL vaping. I never respond to advertising if at all possible, but I decided that as it was a good cause, being smoking-related, I would give it a go.
Finally after much dreary website form-filling, I was confronted with a demand to upload my Passport, Government I.D, and a self photograph to verify my claimed age.
At which point I closed the website.
* In Britain, delivered mass advertising that comes with the normal post --- for Usaians and other non-British people, who may not get this glossy junk cluttering their mail-boxes
> Within a couple of days, Clop updated its website, saying it was South Staffordshire that it attacked, and not Thames.
I would have liked to be a fly on the wall in those ransom negotiations. :-)
"Pay us £100,000" ... "No" ... "I'm deleting C:\*.* - soon you will be crippled" ... "I'm waiting" ... NO CARRIER
Initially South Staffordshire Water and their subsidiary Cambridge Water claimed the leaked data was limited to staff.
However, at the end of November 2022, Cambridge Water finally admitted that all customers who paid their water bill by direct debit have had all the information stored by Cambridge Water taken ...
Customer details - account number, name, address, water bill amounts, monthly payment amount.
Customers' bank details - branch address, sort code and account number.
I.E. everything needed for ID theft.
Further, independent checks have shown the data taken is now being traded on the darkweb.
There have already been reports of Cambridge Water staff having suffered from identity theft.
What are South Staffordshire Water and Cambridge Water offering to their affected customers ?
Well there is a FAQ page on their web site.
A year's (just a year) free use of TransUnion's TrueIdentity online monitoring service.
The usual stock, standard, boilerplate apology.
However, they are NOT going to pay for customers to register with CIFAS, the UK's fraud prevention service, even though the administration fee is only £25 for 2 years.
Yes I am affected.