United Kingdom Office for National Statistics Releases Latest Data on Cybercrime

On Halloween, it seems especially timely to focus on a risk topic that has been described as “frightening,” even “terrifying”: cybercrime statistics. On October 18, the United Kingdom Office for National Statistics (ONS) released the latest estimates from the Crime Survey for England and Wales (CSEW) on fraud and computer misuse, as well as referrals of potential offenses to the City of London Police’s National Fraud Intelligence Bureau (NFIB) by Action Fraud, the United Kingdom’s public-facing national fraud and cybercrime reporting center.

The ONS’s summary bulletin summarized the cybercrime data as follows:

  • “In the year ending June 2018, the CSEW estimated that offences involving computer misuse showed a 30% decrease from the previous year (down to 1.1 million offences . . . ). This decrease was largely owing to a fall in “computer viruses” (down 43% to 606,000 offences).
  • “Incidents involving ‘unauthorised access to personal information (including hacking)’ (515,000 offences) did not show a significant change from the previous year.”
  • “All ‘computer misuse crime’ referred to the NFIB by Action Fraud increased by 4% in the latest year (up to 21,947 offences). This rise was less pronounced than that seen in year ending June 2017, due in part to a notable decrease of 24% for the latest year in computer viruses (down to 6,260 offences).
  • “This fall in computer viruses is consistent with the latest CSEW fall in this type of crime. It follows a previous substantial rise where a high number of such offences were reported to Action Fraud in the first part of 2017.
  • “The overall rise in computer misuse recorded by Action Fraud was driven by an increase in ‘hacking – social media and email’ over the last year (up 42% to 8,834 offences). This is thought to reflect an increasing awareness of social media scams among the public, leading to a greater likelihood of incidents being reported.”

Because the CSEW computer-misuse survey questions date only from October 2015, the ONS cautioned that it has only two data points from which to draw conclusions.  It stated, however, that the CSEW “provides the best indication of the volume of computer misuse offences,” as Action Fraud data on computer misuse “represent only a small fraction of all computer misuse crime” since many incidents are not reported.

Note: The most substantial problem with this ONS cybercrime reporting is the ONS’s characterizations of those data.  While survey data – assuming the survey methodology is sound – can have value in measuring the incidences (and changes in those incidences) of behavior over time, users of such data must take care to refrain from inferring that survey responses necessarily reflect the actual incidences of behavior in the whole population under consideration.

In this case, the ONS stated, without qualification, its “estimate” that computer-misuse offenses – to be clear, not reports of such offenses, but the actual offenses – “showed a 30% decrease” from the prior reporting period.  Nothing in the CSEW’s explanation of its methodology explains the basis for the ONS’s “estimate” regarding the actual number of computer-misuse offenses.  For the other cybercrime categories, the ONS did not even characterize its statements as estimates of the incidence of those cybercrimes, but stated categorically that “unauthorized-access” offenses (as opposed to the survey-measured incidence of such offenses) “did not show a significant decrease” and referred to the “fall in computer viruses” (as opposed to the fall in computer-virus reports).  These categorical statements by the ONS immediately prompted some critical comments in computer-related media.

A second concern is the limited options for response to the CSEW’s cybercrime questions.  The current survey asks about only two categories of computer misuse: “Computer virus” and “Unauthorised access to personal information (including hacking).”  The problem is that these categories are not mutually exclusive.  Viruses are just one type of exploit that hackers have long used to obtain unauthorized access to computers and networks and to acquire personally identifying information.  Moreover, as indicated in a recent Computer Business Review article, survey respondents who lack sophisticated understanding of hacking and current exploits may not understand the differences between various cybercrime-related terms such as “hacking,” “exploit kits,” and viruses, and may not even know that their computers have been subject to cyberattacks and compromises.

A third concern is the limited population to which the CSEW cybercrime survey questions are directed.  The ONS, to its credit, acknowledges in its bulletin that “[w]hile questions on computer misuse in the CSEW provide fuller coverage of computer misuse crimes against the household population, they do not generally include offences committed against businesses and other organisations.”  Nonetheless, that is a significant gap in the survey’s coverage. A recent report by Malwarebytes, for example, found, according to TechTarget, that total business threat detections were trending upward by 55 percent, while consumer detections increased by only 4 percent quarter over quarter, and that attacks in the third quarter of 2018 “were targeting businesses in full force through exploit kits, ransomware and banking Trojans alike.”

The ONS deserves support for seeking to compile and disseminate national statistics on cybercrime trends.  It needs, however, to refine its methodology to capture more meaningful data about cyberattacks directed at businesses, to revise its questions to compile more data about distinct categories of cybercrime that a lay survey respondent can understand, and – above all – to characterize its survey and referral data accurately and refrain from inferring actual incidences of cybercrime from survey responses.  In the meantime, compliance and information-security officers should treat these ONS data with circumspection – though hardly with terror.

McAfee Report Highlights Significant Weaknesses in Cloud Security

On October 29, McAfee released its Cloud Adoption and Risk Report 2019.  Beginning with the fact that 83 percent of organizations worldwide store sensitive data in the cloud, the Report first discussed the major sources of cloud data risk:

  • Growth of Sensitive Data in the Cloud: Not only has the absolute number of files stored in the cloud “increased rapidly,” but “the percentage of files that contain sensitive data has also grown”: now at 21 percent, but with a dramatic increase of 17 percent over the last two years.
  • Growth of Confidential Data: “Confidential data” now constitutes the largest share of all sensitive data in the cloud, at percent – an increase of 28 percent over the last two years.
  • Growth of Email: 20 percent of all sensitive data in the cloud runs through email services such as Exchange Online in Office 365 – an increase of 59 percent in the past two years.
  • Decline of PII: Personally Identifiable Information (PII) has declined by 20 percent year over year.

The Report next focused on the role of Amazon Web Services (AWS), stating that AWS

has been not-so-quietly driving the transformation of server and data center infrastructure to cloud-based services, classified as Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS – think serverless computing like AWS Lambda). Today, 65% of organizations around the world use some form of IaaS, 52% for PaaS.

With these important services, however, comes the risk of data theft.  The Report sets out several critical findings about the relationship between misconfiguration and data theft:

  • “[O]n average, enterprises using IaaS/PaaS have 14 misconfigured services running at any given time, resulting in an average of 2,269 misconfiguration incidents per month.”
  • The top AWS misconfigurations include: (1) Certain data encryption not being turned on; (2) Unrestricted outbound access; (3) Access to resources not being provisioned using Identity and Access Management roles; (4) Misconfiguration of the Amazon Elastic Compute Cloud (EC2) security group port; (5) Misconfiguration of EC2 security group inbound access; (6) Discovery of unencrypted Amazon Machine Images; (7) Discovery of unused security groups; (8) Disabling of Amazon Virtual Private Cloud flow logs; (9) Failure to enable multi-factor authentication for IAM users; and (10) Failure to turn on Amazon S3 object storage bucket encryption.
  • When organizations with which McAfee works “turn on Data Loss Prevention (DLP), they see an average of 1,527 DLP incidents in their IaaS/PaaS storage per month. That means they detected sensitive data that either shouldn’t be there, or that requires additional monitoring and security controls. All told, 27% of organizations using PaaS have experienced data theft from their cloud infrastructure.”
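The ten misconfigurations listed above map naturally onto an account audit. The following is an added example, not code from the report or from McAfee: it evaluates a constructed account snapshot (field names are an assumption of this example, loosely mirroring what the AWS describe-* APIs return) against each of the ten findings, so it runs offline; item (3) is interpreted as EC2 instances launched without an IAM instance profile.

```python
"""Audit a constructed AWS account snapshot against the ten misconfigurations
listed in the McAfee report. The snapshot format is an assumption of this
example; it mimics describe-* API fields so the check runs offline."""
from collections import defaultdict

ANY_IPV4 = "0.0.0.0/0"
ADMIN_PORTS = {22, 3389}  # assumption: SSH/RDP are the ports treated as risky


def _open_to_world(rule):
    return ANY_IPV4 in rule.get("cidrs", [])


def _covers_port(rule, port):
    return rule["from_port"] <= port <= rule["to_port"]


def audit_account(snap):
    """Return {finding_name: [resource ids]} for every misconfiguration found."""
    findings = defaultdict(list)
    for vol in snap["ebs_volumes"]:                              # (1) encryption off
        if not vol["encrypted"]:
            findings["unencrypted_ebs_volume"].append(vol["id"])
    for sg in snap["security_groups"]:
        # (2) egress rule allowing all protocols/ports to anywhere
        if any(_open_to_world(r) and r["from_port"] == -1 for r in sg["egress"]):
            findings["unrestricted_outbound"].append(sg["id"])
        for r in sg["ingress"]:
            if not _open_to_world(r):
                continue
            if r["from_port"] == -1:                             # (5) all inbound open
                findings["inbound_open_all_ports"].append(sg["id"])
            elif any(_covers_port(r, p) for p in ADMIN_PORTS):   # (4) admin port open
                findings["admin_port_open_to_world"].append(sg["id"])
        if not sg["attached"]:                                   # (7) unused group
            findings["unused_security_group"].append(sg["id"])
    for inst in snap["ec2_instances"]:                           # (3) no IAM role
        if inst.get("instance_profile") is None:
            findings["no_iam_role"].append(inst["id"])
    for ami in snap["amis"]:                                     # (6) unencrypted AMI
        if not ami["encrypted"]:
            findings["unencrypted_ami"].append(ami["id"])
    for vpc in snap["vpcs"]:                                     # (8) flow logs off
        if not vpc["flow_logs_enabled"]:
            findings["flow_logs_disabled"].append(vpc["id"])
    for user in snap["iam_users"]:                               # (9) no MFA
        if not user["mfa_enabled"]:
            findings["iam_user_without_mfa"].append(user["name"])
    for bucket in snap["s3_buckets"]:                            # (10) bucket encryption off
        if not bucket["default_encryption"]:
            findings["bucket_encryption_off"].append(bucket["name"])
    return dict(findings)


# Constructed sample account, not taken from any real environment.
SAMPLE_SNAPSHOT = {
    "ebs_volumes": [{"id": "vol-a", "encrypted": True},
                    {"id": "vol-b", "encrypted": False}],
    "security_groups": [
        {"id": "sg-web", "attached": True,
         "ingress": [{"from_port": 443, "to_port": 443, "cidrs": [ANY_IPV4]},
                     {"from_port": 22, "to_port": 22, "cidrs": [ANY_IPV4]}],
         "egress": [{"from_port": -1, "to_port": -1, "cidrs": [ANY_IPV4]}]},
        {"id": "sg-old", "attached": False,
         "ingress": [{"from_port": -1, "to_port": -1, "cidrs": [ANY_IPV4]}],
         "egress": []},
    ],
    "ec2_instances": [{"id": "i-1", "instance_profile": "app-role"},
                      {"id": "i-2", "instance_profile": None}],
    "amis": [{"id": "ami-1", "encrypted": False}],
    "vpcs": [{"id": "vpc-1", "flow_logs_enabled": False}],
    "iam_users": [{"name": "alice", "mfa_enabled": True},
                  {"name": "svc-deploy", "mfa_enabled": False}],
    "s3_buckets": [{"name": "logs", "default_encryption": True},
                   {"name": "exports", "default_encryption": False}],
}

if __name__ == "__main__":
    for name, ids in sorted(audit_account(SAMPLE_SNAPSHOT).items()):
        print(f"{name}: {', '.join(ids)}")
```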

The Report also identified leading internal and external threats relating to cloud-stored corporate data:

  • “The average enterprise organization experiences 31.3 cloud-related security threats each month, a 27.7% increase over [the] same period last year.” These include threats arising from potentially compromised accounts, insider threats, and privileged user threats:
    • Compromised Accounts: “On average, organizations experience 12.2 incidents each month in which an unauthorized third-party exploits stolen account credentials to gain access to corporate data stored in a cloud service. These incidents affect 80.3% of organizations at least once a month. Additionally, 92% of companies have cloud credentials for sale on the Dark Web.”
    • Insider Threats: “Organizations experience an average of 14.8 insider threat incidents each month, and 94.3% of organizations experience at least one per month on average.”
    • Privileged User Threats: “Privileged user threats occur monthly at 58.2% of organizations, with organizations experiencing an average of 4.3 each month.”

The Report also identified several concerns relating to security controls for cloud service providers:

  • “[G]iven the prevalence of data breaches caused by stolen credentials, it is alarming to find that only 19.2% of cloud services support multi-factor authentication.”
  • “Due to the general lack of critical security controls across cloud services, employees will inevitably (and inadvertently) select risky cloud services to use.” The Report calculated that 173 of the 1,935 cloud services in use at the average organization (8.9 percent) rank as high risk services.

Finally, the Report summarized the results of a survey it conducted to find out how much respondents trusted their cloud providers to keep their organization’s data secure.  Even though cloud security is a shared responsibility and no cloud provider “delivers 100% security,” 69 percent of the respondents said “that they trusted the cloud providers to keep their data secure,” and 12 percent of respondents claimed that the service provider is solely responsible for securing their data.

Note: Each of the key findings summarized above should be the focus of a sustained discussion between compliance officers concerned with cybersecurity and their information security counterparts.  A number of the points of vulnerability, such as misconfigurations, can be addressed with relative ease.  Failure to establish suitably robust internal controls for cloud security, and failure to understand that companies must play a significant role in maintaining cloud security, are issues that require more sustained attention, and not just at CCO or CISO levels.  Corporate dependency on cloud services can only continue to increase in the next several years, which makes continued vigilance about cloud security all the more important.

UK, U.S. Courts Hand Down Sentences in Prosecutions of Former Afren, Julius Baer Executives

On October 29, two significant sentencings took place in the United Kingdom and the United States for former corporate executives with Afren and Julius Baer, respectively.  In the United Kingdom, the Southwark Criminal Court (Judge Michael Gledhill QC) sentenced Osman Shahenshah, former co-founder and Chief Executive Officer of Afren, to 6 years’ imprisonment to be served (16 years’ total imprisonment), as follows according to the Serious Fraud Office:

  • “6 years jail for one count of fraud, contrary to section 1 of the Fraud Act 2006”;
  • “6 years concurrent for one count of money laundering, contrary to section 329 of the Proceeds of Crime Act 2002”; and
  • “4 years concurrent for one count of money laundering, contrary to section 328 of the Proceeds of Crime Act 2002.”

In sentencing Shahenshah, Judge Gledhill reportedly stated in part: “You believed that you were above the law, you believed that you were so clever that no one would ever discover your offending.”

Shahid Ullah, former Chief Operating Officer of Afren, was sentenced to a total of five years’ imprisonment to be served (ten years’ total imprisonment), as follows:

  • “5 years jail for one count of fraud, contrary to section 1 of the Fraud Act 2006”;
  • “5 years concurrent for one count of money laundering, contrary to section 329 of the Proceeds of Crime Act 2002”; and
  • “4 years concurrent for one count of money laundering, contrary to section 328 of the Proceeds of Crime Act 2002.”

Both men had been involved in making a secret side deal, undisclosed to their own board, with a Nigerian oil field partner of Afren that enabled them to divert $45 million from a $300 million payment to the partner.

In the United States, the United States District Court for the Southern District of Florida (Judge Cecilia M. Altonaga) sentenced Matthias Krull, a former managing director and vice chairman of the Swiss bank Julius Baer, to ten years’ imprisonment, a $50,000 fine, and a $600,000 forfeiture money judgment, on his guilty plea to conspiracy to commit money laundering.  Krull admitted his participation in a conspiracy to launder $1.2 billion worth of funds that were embezzled from the Venezuelan state-owned oil company Petróleos de Venezuela, S.A. (PDVSA).

Note:  If one ignores the SFO’s literally true but misleading headline that Shahenshah and Ullah were “sentenced to 30 years,” the two men’s sentences are respectable, if hardly draconian.  Under the revised Sentencing Council Guidelines for fraud, bribery, and money laundering that have been in effect since 2014, each Fraud Act section 1 offense has a maximum of 10 years’ custody and an offence range from discharge to eight years’ custody, while each section 328 or 329 Proceeds of Crime Act offense has a maximum of 14 years’ custody and an offence range from a Band B fine (the second lowest of the Sentencing Council’s fine categories) to 13 years’ custody.

Krull’s sentence, though substantially higher, bears watching, given his reported cooperation with U.S. investigators.  That cooperation could implicate a wider circle of participants in the conspiracy, including former PDVSA officials, professional third-party money launderers, and members of the Venezuelan elite that may include Venezuelan President Nicolas Maduro, his three stepsons, and Raul Gorrin, owner of the Venezuelan television network Globovision.

Under section 5K1.1 of the U.S. Sentencing Guidelines, a federal prosecutor may move, prior to sentencing, for a reduction of a convicted defendant’s sentence if the defendant “has provided substantial assistance in the investigation or prosecution of another person who has committed an offense.”  Because Krull was arrested on July 24 and pleaded guilty on August 22, he likely did not have enough time to earn a so-called “5K motion,” even if he has information on criminal involvement by high-ranking members of Venezuela’s economic and political elite.

Under Rule 35 of the Federal Rules of Criminal Procedure, however, a defendant who has been sentenced may still be eligible for a sentence reduction “if the defendant, after sentencing, provided substantial assistance in investigating or prosecuting another person.”  Although Rule 35 generally limits to one year the time within which the government would have to move for a sentence reduction, the Rule permits Rule 35 motions to be made more than one year after sentencing if, for example, the defendant’s substantial assistance involved “information provided by the defendant to the government within one year of sentencing, but which did not become useful to the government until more than one year after sentencing.”  Krull’s ten-year sentence would seem to provide ample motivation for him to cooperate fully with U.S. agents and prosecutors in the ongoing investigation.

London Jury Convicts Two Former Afren Oil Executives of Fraud and Money Laundering

On October 24, a jury in London’s Southwark Criminal Court, after a seven-week trial, convicted two former officials of the defunct oil and gas producer Afren Plc of fraud and money laundering charges stemming from their secret diversion of $45 million from a $300 million payment to Afren’s oil field partner in Nigeria.

Former Afren Chief Executive Officer (CEO) Osman Shahenshah and former Afren head of operations Shahid Ullah were each convicted on one count of fraud by abuse of position, contrary to sections 1 and 4 of the Fraud Act 2006, and two counts of money laundering, contrary to sections 328 and 329 of the Proceeds of Crime Act 2002.  Both men were acquitted on one count of fraud by abuse of position, contrary to sections 1 and 4 of the Fraud Act 2006, relating to a management buyout of another of Afren’s business partners.

At trial, which began September 3, the jury heard evidence that Shahenshah, who was being paid £6.6 million as CEO, and Ullah, who was being paid £3.8 million, were faced with possible reduction of their salaries in the wake of shareholder opposition.  The defendants then created a scheme to increase their compensation without disclosing that fact to the Afren Board.  According to the Serious Fraud Office (SFO), which prosecuted the case, both defendants

recommended that the Afren Board agree to a $300 [million] payment to Oriental Energy Resources Ltd, the company’s oil field partner in Nigeria. Unknown to the Afren board, Shahenshah and Ullah had struck a side deal with Oriental which led to 15% of the $300 [million] . . . then [being] paid out to a Caribbean shell company controlled by the defendants. The men then used the $45 [million] to purchase luxury properties in Mustique and the British Virgin Islands. A smaller portion of the $45 [million] laundered was split between Oriental employees and a close network of Afren staff dubbed ‘The A Team’.

After Afren fired Shahenshah and Ullah in 2014, an internal investigation by KPMG and the Willkie Farr & Gallagher law firm reportedly uncovered evidence of the secret deal.  In 2015, after “a combination of alleged corporate governance abuses and a slumping oil price” left it unable to service its substantial debts, Afren, which once had been valued at $2.6 billion and had ranked in the FTSE 250, collapsed.

The sentencing hearing in the case is scheduled for next Monday, October 29.

Note: The convictions are significant for two reasons.  First, the facts at trial demonstrate, for corporate boards and chief compliance officers, the importance of conducting enhanced due diligence in major corporate transactions, to guard against the kind of secret deals and diversion of corporate funds in which the defendants engaged.

Second, these convictions represent a significant trial victory for the SFO.  Although complex fraud and money laundering cases always pose challenges for even the most experienced prosecutors, the SFO has not always fared well in some of its more prominent cases at trial.  A victory of this type should bolster the SFO’s credibility in dealing with defense attorneys in future investigations.

Securities and Exchange Commission Brings First Enforcement Action Under Identity Theft Red Flags Rule

On September 26, the Securities and Exchange Commission (SEC) announced that it had brought its first enforcement action under Rule 201 of Regulation S-ID (the Identity Theft Red Flags Rule), against broker-dealer and investment adviser Voya Financial Advisors Inc. (VFA).  The SEC’s Identity Theft Red Flags Rule was adopted in 2010, pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.  The rule, as summarized by the SEC, requires certain SEC-regulated entities to adopt a written identity theft program that includes policies and procedures designed to accomplish four objectives: (1) “Identify relevant types of identity theft red flags”; (2) “Detect the occurrence of those red flags”; (3) “Respond appropriately to the detected red flags”; and (4) “Periodically update the identity theft program.”  Those entities “also must provide for the administration of the program, including staff training and oversight of service providers.”

In VFA’s case, the SEC brought an enforcement action under Rule 30(a) of Regulation S-P (the Safeguards Rule) and the Identity Theft Red Flags Rule.  The SEC Order stated that over six days in April 2016,

one or more persons impersonating VFA contractor representatives called VFA’s technical support line and requested a reset of three representatives’ passwords for the web portal used to access VFA customer information, in two instances using phone numbers Voya had previously identified as associated with prior fraudulent activity. The prior activity also involved attempts to impersonate VFA contractor representatives in calls to Voya’s technical and customer support lines. Voya’s technical support staff reset the passwords and provided temporary passwords over the phone, and on two of the three occasions, they also provided the representative’s username.

Thereafter, despite certain steps by VFA to respond to the intrusion, the intruders obtained passwords and gained access to VFA’s portal over the next several days.  They impersonated two additional representatives’ accounts “due to deficient cybersecurity controls and an erroneous understanding of the operation of the portal.”  The intruders used the VFA representatives’ usernames and passwords to log in to the portal and gain access to personal identifying information (PII) for at least 5,600 of VFA’s customers, and to obtain account documents containing PII of at least one Voya customer. The intruders “also used customer information to create new Voya.com customer profiles, which gave them access to PII and account information of two additional customers.”

The Order stated that VFA violated the Safeguards Rule

because its policies and procedures to protect customer information and to prevent and respond to cybersecurity incidents were not reasonably designed to meet these objectives. Among other things, VFA’s policies and procedures with respect to resetting VFA contractor representatives’ passwords, terminating web sessions in its proprietary gateway system for VFA contractor representatives, identifying higher-risk representatives and customer accounts for additional security measures, and creation and alteration of Voya.com customer profiles, were not reasonably designed. In addition, a number of VFA’s cybersecurity policies and procedures were not reasonably designed to be applied to its contractor representatives.

It also stated that VFA violated the Identity Theft Red Flags Rule because “it did not review and update the Identity Theft Prevention Program in response to changes in risks to its customers or provide adequate training to its employees,” and because its Program “did not include reasonable policies and procedures to respond to identity theft red flags, such as those that were detected by VFA during the April 2016 intrusion.”

The Order specifically took note of VFA’s prompt undertaking of certain remedial acts after the intrusion.  Those acts included “(a) blocking the malicious IP addresses; (b) revising its user authentication policy to prohibit provision of a temporary password by phone; (c) issuing breach notices to the affected customers, describing the intrusion and offering one year of free credit monitoring; and (d) implementing effective [multifactor authentication] for [VFA’s proprietary web portal].”  It also named a new Chief Information Security Officer responsible for creating and maintaining cybersecurity policies and procedures and an incident response plan that was tailored to VFA’s business.
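The Order’s facts describe red flags that a help-desk log review could have caught: reset requests from phone numbers already tied to fraud, temporary passwords read out over the phone, usernames disclosed to the caller, and several representatives’ passwords reset within a few days. The following is an added example, not VFA’s or the SEC’s code, that runs those four detections over constructed support-call records; the record fields, the phone numbers and the seven-day burst window are assumptions of this example.

```python
"""Identity-theft red-flag detection over constructed technical-support
call records, modelled on the facts in the SEC's VFA Order."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: numbers the help desk had previously linked to fraudulent calls.
KNOWN_FRAUD_NUMBERS = {"+15550100", "+15550101"}

# Constructed call records; field names are an assumption of this example.
SAMPLE_CALLS = [
    {"id": "c1", "time": "2016-04-04T09:12", "caller": "+15550100", "account": "rep-17",
     "reset_granted": True, "temp_password_by_phone": True, "username_disclosed": True},
    {"id": "c2", "time": "2016-04-05T14:03", "caller": "+15550199", "account": "rep-42",
     "reset_granted": True, "temp_password_by_phone": True, "username_disclosed": False},
    {"id": "c3", "time": "2016-04-06T10:45", "caller": "+15550101", "account": "rep-58",
     "reset_granted": True, "temp_password_by_phone": True, "username_disclosed": True},
    {"id": "c4", "time": "2016-04-20T11:00", "caller": "+15550300", "account": "rep-09",
     "reset_granted": True, "temp_password_by_phone": False, "username_disclosed": False},
]


def detect_red_flags(calls, fraud_numbers, burst_window=timedelta(days=7), burst_count=3):
    """Return {call_id: [flag, ...]} for every call matching at least one red flag.

    Calls with no flags are omitted, so a clean log yields an empty dict."""
    flags = defaultdict(list)
    ordered = sorted(calls, key=lambda c: c["time"])
    for c in ordered:
        # Red flag 1: caller number previously associated with fraud.
        if c["caller"] in fraud_numbers:
            flags[c["id"]].append("caller_previously_linked_to_fraud")
        # Red flag 2: a temporary password was given out over the phone.
        if c["reset_granted"] and c["temp_password_by_phone"]:
            flags[c["id"]].append("temporary_password_given_by_phone")
        # Red flag 3: the username was disclosed to the caller as well.
        if c["username_disclosed"]:
            flags[c["id"]].append("username_disclosed_to_caller")
    # Red flag 4: resets for several distinct accounts inside one window
    # (the Order describes three representatives' passwords reset over six days).
    timed = [(datetime.fromisoformat(c["time"]), c) for c in ordered if c["reset_granted"]]
    for start, _ in timed:
        window = [c for t, c in timed if start <= t < start + burst_window]
        if len({c["account"] for c in window}) >= burst_count:
            for c in window:
                if "reset_burst_across_accounts" not in flags[c["id"]]:
                    flags[c["id"]].append("reset_burst_across_accounts")
    return dict(flags)


if __name__ == "__main__":
    for call_id, hits in detect_red_flags(SAMPLE_CALLS, KNOWN_FRAUD_NUMBERS).items():
        print(call_id, "->", ", ".join(hits))
```

Under the Rule, a hit on any of these flags is the point at which the program’s documented response (declining the reset, escalating, or verifying through a separate channel) should trigger.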

As part of the resolution of the case, the Order stated that VFA had agreed to certain specific undertakings that included:

  • Retention, at its own expense, of an independent compliance consultant (“Consultant”) to conduct a comprehensive review of Respondent’s policies and procedures under the Safeguards Rule and the Identity Theft Red Flags Rule;
  • Full cooperation with the Consultant;
  • Within three months after September 26 (the date of the issuance of this Order), requiring the Consultant to submit to VFA and to the Commission staff a written Initial Report, which is to “describe the review performed [and], the conclusions reached,” and “include any recommendations deemed necessary to make the policies and procedures and their implementation comply with applicable requirements.”
  • Adoption of all recommendations contained in the Initial Report within 90 days of the date of its issuance, unless within 30 days of the issuance of the Initial Report, VFA advises, in writing, the Consultant and the Commission staff of any recommendations that VFA considers to be unduly burdensome, impractical, or inappropriate.
  • Within nine months after September 26, requiring the Consultant to complete its review and issue to VFA and the Commission staff a written Final Report that is to describe the review performed, the conclusions reached, the recommendations made by the Consultant, any recommendations not adopted by VFA pursuant to the preceding undertaking, any proposals made by Respondent, any alternative policies, procedures or systems adopted by VFA pursuant to the preceding undertaking, and how VFA is implementing the Consultant’s final recommendations.

In addition to those undertakings, VFA agreed to be censured and to pay a $1 million penalty.

Note: This case deserves wider attention from chief compliance officers and chief information security officers, and not only because it is the first SEC action under the Identity Theft Red Flags Rule.  Since Dodd-Frank’s enactment, the SEC has repeatedly made clear – in part through its guidance on disclosure obligations and its Cybersecurity 1 and 2 Initiatives – that firms under its authority need to pay attention to their cybersecurity preparedness.  In VFA’s case, even though the SEC order stated that there were no known unauthorized transfers of funds or securities from VFA customer accounts as a result of the attack, the number and variety of significant weaknesses that the SEC identified in its cybersecurity policies and procedures made VFA a prime candidate for the SEC’s first Identity Theft Red Flags Rule enforcement action.

Moreover, subsequent action by the SEC’s Enforcement Division sends an additional signal that the SEC will have little patience with companies that give their cybersecurity measures short shrift.  On October 16, the SEC issued a report of an investigation by the Enforcement Division, in consultation with the Division of Corporation Finance and the Office of the Chief Accountant into whether certain public issuers (from numerous industries) “that were victims of cyber-related frauds may have violated the federal securities laws by failing to have a sufficient system of internal accounting controls.”  Although the Commission determined not to pursue an enforcement action in these matters, it stated that it issued the Report of Investigation “to make issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws.”  This report sends a strong signal that in the future, the Commission expects to use internal-controls requirements, either alone or in conjunction with the Safeguards Rule and the Identity Theft Red Flags Rule, as a basis for sanctioning companies that fail to establish and maintain robust cybersecurity programs.