IDA security flaws left sensitive data vulnerable
Newly released documents show that a Deloitte report criticised the FDI body's online security policies
Published 03/05/2015 | 02:30
Lax information technology systems at the IDA left sensitive information more vulnerable to hackers, the Sunday Independent can reveal.
An audit of the foreign direct investment body's information security controls carried out by Deloitte found that accounts belonging to people who had left were still active on a server.
"There is an increased risk of attempted unauthorised access to systems and data being undetected, with consequent disclosure of sensitive information," the report, released to this newspaper under Freedom of Information, says.
The report also criticised the password systems.
"Two key settings observed were not in line with good practice. The minimum password age is currently 30 days. The password history size (the frequency with which passwords can be re-used) is five.
"Weak logical security settings present a risk to the network that unauthorised access could occur."
An IDA Ireland spokeswoman said no confidential information had been disclosed. She said staff members lose access to the overall network immediately on leaving the agency, meaning they could not have accessed the server on which former employees' accounts were active.
"In relation to password protections, at no point was IDA compromised by existing settings, however the recommendation from Deloitte was implemented," she added.
The flaws emerged in the week that Ryanair had close to €4.5m lifted from one of its bank accounts by hackers.
"The airline has been working with its banks and the relevant authorities and understands that the funds (less than €4.5m) have now been frozen," it said.
It's the highest-profile data breach at an Irish company since Ennis-based Loyaltybuild had 90,000 Irish customers' credit/debit card details hacked from its systems in 2013.
Cyber security experts told the Sunday Independent that cyberattacks are rampant.
"It's no longer just a scary story, it's a matter of when, rather than if," Lan.ie managing director Tom O'Connor told the Sunday Independent.
A report recently released by Norton anti-virus maker Symantec said that 60pc of all targeted cyber attacks were aimed at SMEs. Sonrai security director Cillian Hogan said businesses needed to take steps to protect their systems, their bottom line, and their reputation.
"Education about the type of attacks that a determined adversary can bring to bear is of great importance. Companies and individuals should be aware of the amount and type of information they share online as this can be used to gain trust.
"If you are not sure about a link or attachment, query it. Do not automatically trust an individual is who they say they are. Explain politely that you need to verify their identity or make some other excuse you are comfortable with.
"Use a third party directory or other source to contact them, do not use phone numbers, links, or email addresses from suspicious emails, ID badges, etc."
Symantec Ireland principal security response manager Peter Coogan said companies should consider using "two-factor authentication" for access to sensitive data. That requires users to submit two passwords - one in the normal way and another that is sent to a device in the physical possession of the user.
Sunday Indo Business