Archive for Data Security

AI Mimics CEO’s Voice To Steal Over £200,000

A recent Wall Street Journal report has highlighted how, in March this year, a group of hackers were able to use AI software to mimic an energy company CEO’s voice in order to steal £201,000.

What Happened?

Reports indicate that the CEO of an unnamed UK-based energy company received a phone call from someone that he believed to be the German chief executive of the parent company.  The person on the end of the phone ordered the CEO of the UK-based energy company to immediately transfer €220,000 (£201,000) into the bank account of a Hungarian supplier.

The voice was reported to have been so accurate in its sound, that the CEO of the energy company even recognised what he thought was the subtleties of the German accent of his boss, and even “melody” of the accent.

The call was so convincing that the energy company made the transfer of funds as requested.

Fraudster Using AI Software

The caller, who was later discovered to have been a fraudster using AI-base voice-altering software to simulate the voice of the German boss, called 3 times.  In the first call, the fraudster requested the transfer, in the second call they (falsely) claimed that the transfer had been reimbursed, and in the third call the fraudster requested an additional payment. It was this third call that aroused suspicion, partly based on the fact that the telephone number appeared to indicate that the caller was in Austria and not Hungary.

Money To Hungary, Mexico and Beyond

Unfortunately, the money had already been transferred to a Hungarian account after the first call, and it has since been discovered that money was immediately transferred from the alleged supplier’s Hungarian bank account to an account in Mexico, and then further disbursed to accounts in other locations, thereby making it very difficult for authorities to follow the trail.

What Sort of Software?

The kind of software used in this attack may have been similar in its output to that demonstrated by researchers from Dessa, an AI company based in Toronto.  Dessa has produced a video of how this kind of software has been able to produce a relatively accurate simulation of the voice of popular podcaster and comedian Joe Rogan – see: https://www.youtube.com/watch?time_continue=1&v=DWK_iYBl8cA

What Does This Mean For Your Business?

It is known that cybercriminals, deterred by improved and more robust enterprise security practices have decided to look for human error and concentrate more on social engineering attacks, a category that this voice simulation attack (via phone calls) fits into. The fact that this attack has taken place and been successful shows that some cybercriminals are already equipped with the computing power and most up-to-date machine-learning AI technology that they are clearly capable of using.

This means that companies and organisations (particularly larger ones), may now be at risk of facing more sophisticated deception and phishing attacks. The AI company Dessa has suggested that organisations and even individuals could expect to face future threats such as  spam callers impersonating relatives or spouses to obtain personal information, impersonations intended to bully or harass, persons trying to gain entrance to high security clearance areas by impersonating a government officials, and even an ‘audio deepfake’ of a politician being used to manipulate election results or cause a social uprising.

Companies should try to guard against social engineering attacks by educating all staff to the risks and having clear verification procedures (and not just relying on phone calls), tests, and chain of command authorisation in place for any requests for funds.

Report Shows That 99% of Cyber Attacks Now Involve Social Engineering

The Human Factor report from Proofpoint shows that almost all cyber-attacks, at some stage, involve the exploitation of human error in the form of social engineering.

What Are Social Engineering Attacks?

Social engineering attacks involve the manipulation and deception of people into performing actions such as transferring money to criminal accounts or divulging confidential information.

What Kind of Attacks?

The Proofpoint Human Factor report makes the point that as many as 99% of cyber-attacks now involve social engineering through cloud applications, email or social media.  Social engineering attacks can also involve cybercriminals making phone calls to key persons in an organisation.

Easier and More Profitable

These attacks are designed to enable a macro, or trick people into opening a malicious file or follow a malicious link through human error, rather than the cyber attacker having to face the considerable and time-consuming challenge of trying to hack into the (often well-defended) systems and infrastructure of enterprises and other organisations. Social engineering attacks are, therefore, easier, less costly, more profitable, and more likely to be successful than having to create an exploit to try and gain access to company systems.

Targets – “Very Attacked People”

Cybercriminals are looking for money and valuable data and information. The Proofpoint report, which was based on 18 months of data analysis collated from across the company’s global customer base, highlights the fact that the gatekeepers of money and data in target organisations become the “very attacked people” (VAP) i.e. the most often approached targets. These VAPs are often identified by attackers using information from sources such as corporate websites, social media, trade publications, and search engines.

Patterns & Routines

The report also revealed how attacks involving email messages can be made to mimic standard business routines and legitimate email traffic patterns e.g. downtime at weekends and spikes on Mondays.  Also, malware tends to be evenly distributed over the first three days of the working week, and attacks in the Middle East and Europe appear to be more likely to succeed after lunch.

What Does This Mean For Your Business?

The fact that many businesses and organisations are taking cyber defence seriously and have improved their system defences means that cybercriminals are moving into social engineering attacks.

Businesses and organisations can protect themselves against such attacks through staff training (particularly for guardians of funds and data), keeping anti-virus and online filtering up to date, using encryption e.g. VPNs for certain employees, having clear policies and procedures in place with built-in verification and authorisation for money and data requests, and being careful about publicly-visible employee information that could be used to target key staff members.

Leaving Your Job? Don’t Take Personal Data With You Warns ICO

The Information Commissioner’s Office (ICO) has warned those retiring or taking a new job that under the Data Protection Act 2018, employees can face regulatory action if they are found to have retained information collected as part of their previous employment.

Old Investigation

The renewed warning was issued following the regulator concluding its dealings in an old investigation of two (former) police officers interviewed (by the media) about an historic case they’d worked on as serving officers involving an MP, and had been accused of disclosing details about the case to the media.

In this case, the investigation appears to have related to police handling of personal data such as notebooks and the fact that measures need to be put in place to ensure that these are not retained when officers leave the service.

The ICO investigation, brought about under the previous Data Protection Act 1998 legislation (because the alleged disclosure occurred before the DPA 2018 and GDPR’s introduction) may have resulted in no enforcement action being taken against the two officers, but prompted the ICO to issue a reminder that data protection laws have been toughened in this area.

“Knowingly or Recklessly Retaining Personal Data”

The warning in the ICO’s recent statement is that the Data Protection Act 1998 has since been strengthened through the Data Protection Act 2018, to include a new element of knowingly or recklessly retaining personal data without the consent of the data controller (see section 170 of the DPA 2018).

The only exceptions to this new part of the new Act are when it is necessary for the purposes of preventing or detecting crime, is required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or whether it is justified as being in the public interest.

Retiring or Taking a New Job

The ICO has warned that anyone who deals with the personal details of others in the course of their work, private or public sector, should take note of this update to the law, especially when employees are retiring or taking on a new job. Those leaving or retiring should also take note that they will be held responsible if the breach of personal data from their previous employer can be traced to their individual actions.

Examples

Examples of where the ICO has prosecuted for this type of breach of the law include a charity worker who, without the knowledge of the data controller, Rochdale Connections Trust, sent emails from his work email account (in February 2017) containing sensitive personal information of 183 people.  Also, a former Council schools admission department apprentice was found guilty of screen-shotting a spreadsheet that contained information about children and eligibility for free school meals and then sending it to a parent via Snapchat.

What Does This Mean For Your Business?

This latest statement from the ICO should remind all businesses and organisations, whether in the private or public sectors, that reasonable measures or procedures need to be put in place to ensure that anyone retiring or leaving for another job cannot take personal details with them that should be under the care of the data controller i.e. you and your company/organisation.

Failure to take this facet of current data law into account could result in fines from the regulator for those individuals responsible, potential legal action from the victims of any breach against your organisation, some bad and potentially damaging publicity, and costly and long-lasting damage to reputation.

Student Textbooks Malware Threat

Kaspersky’s blog is warning students who are about to go back after the summer holidays to beware of the risk of malware that’s masked as textbooks and essays online.

Students Targeted

According to Kaspersky, K-12 and college students who may want to save money on textbooks by seeking online essays and study materials may end up unwittingly downloading malware instead.

A study by the security company of school and student-related filenames over the past academic year has revealed that out of 356,000 attempted attacks on Kaspersky users, 233,000 cases involved malicious essays that were downloaded to computers owned by more than 74,000 people (which the company claims its software blocked).

Kaspersky’s figures indicate that 122,000 of those attacks were by malware disguised as textbooks which more than 30,000 users tried to open.

Targeted Popular and Less Popular Subjects

The study revealed that cybercriminals haven’t just been focusing on popular subjects for attacks. For example, even though English textbooks hiding malware had 2,080 attempted downloads and maths textbooks hiding malware had 1,213 downloads, malicious textbooks for natural sciences also manage to fool 18 users.

The Four Most Popular Types of Malware

Kaspersky lists the four most popular types of Malware attacks disguised as online study materials as:

1. School spamming using the Stalk worm

This has claimed the greatest number of victims and is the preferred method by which the Worm.Win32 Stalk.a worm is spread.  Once downloaded to a school computer Stalk penetrates all devices that are connected to it, will infect USB sticks used by students, will spread across the whole network, can spread to the email contacts of students, and can download other malicious applications to the infected device

2. Win32.Agent.ifdx malware downloader

This downloader program is disguised as textbooks or essays in DOC, DOCX or PDF formats. Once launched it opens a text file so that the victim does not realise that anything suspicious is going on, but it is designed to download many other bad things onto the victim’s computer which can be modified to become cryptominers, banking trojans (to steal; bank details) and ransomware.

3. The WinLNK.Agent.gen downloader

WinLNK.Agent.gen downloader is hidden in archives e.g. zip or rar files and uses a shortcut to a text file to open the document itself and launch the attached malware components. This can result in cryptominers, adware, and more damaging programs being loaded onto and slowing down the victim’s computer.

4. The MediaGet torrent application downloader

This is disguised by ‘Free Download’ buttons and will download a torrent client that the user does not need.

What Does This Mean For Your Business?

Colleges and schools are known to be popular targets for cybercriminals because they have large numbers of users spread across many different departments, and sometimes across different facilities, making admin and IT security very complicated.  Also, valuable intellectual property, student and staff personal data, and the chance to use the processing power of many computers within their systems can make schools and colleges tempting targets for cybercriminals.

Part of the prevention of the kinds of attacks identified by Kaspersky can be achieved by educating students (and staff) about threats, and how to spot them and deal with them, as well as making sure that antivirus protection and patches are all up to date across school and college systems.

Kaspersky’s advice to students for avoiding the malware threat includes searching for in books you need in physical or online libraries, paying attention to what type of site is hosting the textbook download, not using outdated versions of operating systems and other software, being wary of email attachments (even those sent from acquaintances), and paying attention to the download file extensions e.g. don’t open .exe files.

iPhone Attack Lasting More Than 2 Years Discovered

A Google security researcher has discovered a sustained and indiscriminate hacking attack on iPhones that is believed to have been going on for more than two years.

Google Project Zero

Details of the attack are outlined on Google’s ‘Project Zero’ blog (https://googleprojectzero.blogspot.com) by security researcher Ian Beer.

Using Hacked Websites For The Attack

On the blog, Mr Beer highlights how Google’s Threat Analysis Group (TAG) discovered a small collection of hacked websites that were being used in indiscriminate ‘watering hole’ attacks against their visitors, using iPhone 0-day.  Watering hole attacks are where the browsing patterns of particular groups are observed in order to lay a trap e.g. hack a website that the particular group visits and 0-day vulnerabilities in software are those that are either unknown or known and not patched.

Mr Beer’s TAG team noted that there has been no target discrimination for the attack but a simple visit to a hacked website appears to be enough for the exploit server to attack a person’s device, leading to the installation of a monitoring implant.

How Many iPhone Users Have Been Affected?

Mr Beer’s team estimate that the hacked websites receive thousands of visitors per week.  Also, given that the hack has been operating for more than two years, and that TAG was able to identify five separate, complete and unique iPhone exploit chains that cover almost every version from iOS 10 through to the latest version of iOS 12, large numbers of iPhone users could potentially be affected.

12 Security Flaws

Mr Beer’s team identified 12 separate security flaws (mostly bugs within the Safari default web browser on Apple products) that could be used to compromise the Apple devices.

Reported To Apple – Patch Released

The TAG researchers reported the issues to Apple with a 7-day deadline on 1 February 2019 and shared the complete details of the research with Apple.  This led to the release of the security update iOS 12.1.4 on 7 Feb 2019.

What Does This Mean For Your Business?

It is worrying to think that this kind of hack has been going on for years before it was discovered, and owners of Apple devices may be particularly surprised given the security features of their phones and Apple’s reputation for offering relative safety from concerns about viruses and hacking.

If you have an iPhone, the advice is to make sure that it is running the latest version of iOS. Go to ‘Settings’, tap ‘General’, and under ‘Software Update’ check that you are be running iOS 12.4.1. which has the fix.

Your Password Can Be Guessed By An App Listening To Your Keystrokes

Researchers from SMU’s (Southern Methodist University) Darwin Deason Institute for Cyber-security have found that the sound waves produced when we type on a computer keyboard can be picked up by a smartphone and a skilled hacker could decipher which keys were struck.

Why?

The research was carried out to test whether the ‘always-on’ sensors in devices such as smartphones could be used to eavesdrop on people who use laptops in public places (if the phones were on the same table as the laptop) e.g. coffee shops and libraries, and whether there was a way to successfully decipher what was being typed from just the acoustic signals.

Where?

The experiment took place in a simulated noisy Conference Room at SMU where the researchers arranged several people, talking to each other and taking notes on a laptop. As many as eight mobile phones were placed on the same table as the laptops or computers, anywhere from three inches to several feet away. The study participants were not given scripts of what to say when talking, could use shorthand or full sentences when typing and could either correct typewritten errors or leave them.

What Happened?

Eric C. Larson, one of the two lead authors and an assistant professor in SMU Lyle School’s Department of Computer Science reported that the researchers were able to pick up what people were typing at an amazing 41 per cent word accuracy rate and that that this could probably be extended above 41 per cent if what researchers figured out what the top 10 words might be.

Sensors In Smart Phones

The researchers highlighted the fact that there are several sensors in smartphones that are used for orientation and although some require permission to be switched on, some are always on.  It was the sensors that were always switched on that the researchers were able to develop a specialised app for which could process the sensor output and, therefore, predict the key that was pressed by a typist.

What Does This Mean For Your Business?

Most of us may be aware of the dangers of using public Wi-Fi and how to take precautions such as using a VPN.  It is much less well-known, however, that smartphones have sensors that are always on and could potentially be used (with a special app) to eavesdrop.

Mobile device manufacturers may want to take note of this research and how their products may need to be modified to prevent this kind of hack.

Also, users of laptops may wish to consider the benefits of using a password manager for auto-filling instead of typing in passwords and potentially giving those passwords away.

Over A Million Fingerprints Exposed In Data Breach

It has been reported that more than one million fingerprints have been exposed online by biometric security firm Suprema which appears to have installed its standard Biostar 2 product on an open network.

Suprema and Biostar 2

Suprema is a South Korea-based biometric technology company and is one of the world’s top 50 security manufacturers.  Suprema offers products including biometric access control systems, time and attendance solutions, fingerprint live scanners, mobile authentication solutions and embedded fingerprint modules.

Biostar 2 is a web-based, open, and integrated security platform for access control and time and attendance, manage user permissions, integrate with 3rd party security apps, and record activity logs.  Biostar 2 is used by many thousands of companies and organisations worldwide, including the UK’s Metropolitan Police as a tool to control access to parts of secure facilities. Biostar 2 uses fingerprint scanning and recognition as part of this access control system.

What Happened?

Researchers working with cyber-security firm VPNMentor have reported that they were able to access data from Biostar 2 from 5 August until it was made private again on 13 August (Suprema were contacted by VPNMentor about the problem on 7th August).  It is not clear how long before 5 August the data had been exposed online.  The exposure of personal data to public access is believed to have been caused by the Biostar 2 product being placed on an open network.

In addition to more than one million fingerprint records being exposed, the VPNMentor researchers also claim to have found photographs of people, facial recognition data, names, addresses, unencrypted usernames and passwords, employment history details, mobile device and OS information, and even records of when employees had accessed secure areas.

VPNMentor claims that its team was able to access over 27.8 million records, a total of 23 gigabytes of data,

Affected

VPNMentor claims that many businesses worldwide were affected.  In the UK, for example, VPNMentor claims that Associated Polymer Resources (a plastics recycling company), Tile Mountain (a home decor and DIY supplier), and Medical supply store Farla Medical were among those affected.

It has been reported that the UK’s data protection watchdog, the Information Commissioner’s Office (ICO) has said that it was aware of reports about Biostar 2 and would be making enquiries.

What Does This Mean For Your Business?

For companies and organisations using Biostar 2, this is very worrying and is a reminder of how data breaches can occur through third-party routes.

In this case, fingerprint records were exposed, and the worry is that this kind of data can never be secured again once it has been stolen. Also, the large amount of other personal employee data that was taken could not only affect individual businesses but could also mean that employees and clients could be targeted for fraud and other crimes e.g. phishing campaigns and even blackmail and extortion.

The breach may have been avoided had Suprema secured its servers with better protection measures, not saved actual fingerprints but a version that couldn’t be reverse engineered instead, implemented better rules on databases, and not left a system that didn’t require authentication open to the internet.  Those companies that are still using and have concerns about Biostar2 may now wish to contact Suprema for assurances about security.

Facial Recognition at King’s Cross Prompts ICO Investigation

The UK’s data protection watchdog (the Information Commissioner’s Office  i.e. the ICO) has said that it will be investigating the use of facial recognition cameras at King’s Cross by Property Development Company Argent.

What Happened?

Following reports in the Financial Times newspaper, the ICO says that it is launching an investigation into the use of live facial recognition in the King’s Cross area of central London.  It appears that the Property Development Company, Argent, had been using the technology for an as-yet-undisclosed period, and using an as-yet-undisclosed number of cameras. A reported statement by Argent (in the Financial Times) says that Argent had been using the system to “ensure public safety”, and that facial recognition is one of several methods that the company employs to this aim.

ICO

The ICO has said that, as part of its enquiry, as well requiring detailed information from the relevant organisations (Argent in this case) about how the technology is used, it will also inspect the system and its operation on-site to assess whether or not it complies with data protection law.

The data protection watchdog has made it clear in a statement on its website that if organisations want to use facial recognition technology they must comply with the law and they do so in a fair, transparent and accountable way. The ICO will also require those companies to document how and why they believe their use of the technology is legal, proportionate and justified.

Privacy

The main concern for the ICO and for privacy groups such as Big Brother Watch is that people’s faces are being scanned to identify them as they lawfully go about their daily lives, and all without their knowledge or understanding. This could be considered a threat to their privacy.  Also, with GDPR in force, it is important to remember that if a person’s face (if filmed e.g. with CCTV) is part of their personal data, and the handling, sharing, and security of that data also becomes an issue.

Private Companies

An important area of concern to the ICO, in this case, is the fact that a private company is using facial recognition becasuse the use of this technology by private companies is difficult to monitor and control.

Problems With Police Use

Following criticism of the Police use of facial recognition technology in terms of privacy, accuracy, bias, and management of the image database, the House of Commons Science and Technology Committee has recently called for a temporary halt in the use of the facial recognition systems.  This follows an announcement in December 2018 by the ICO’s head, Elizabeth Dunham, that a formal investigation was being launched into how police forces use facial recognition technology (FRT) after high failure rates, misidentifications and worries about legality, bias, and privacy.

What Does This Mean For Your Business?

The use of facial recognition technology is being investigated by the ICO and a government committee has even called for a halt in its use over several concerns. The fact that a private company (Argent) was found, in this case, to be using the technology has therefore caused even more concern and has highlighted the possible need for more regulation and control in this area.

Companies and organisations that want to use facial recognition technology should, therefore, take note that the ICO will require them to document how and why they believe their use of the technology is legal, proportionate and justified, and make sure that they comply with the law in a fair, transparent and accountable way.

Is Your Website Sending Scammers’ Emails

Research by Kaspersky Labs has discovered that cyber-criminals are now hijacking and using the confirmation emails from registration, subscription and feedback forms of legitimate company websites to distribute phishing links and spam content.

How?

Kaspersky has reported that scammers are exploiting the fact that many websites require users to register their details in order to receive content. Some cyber-criminals are now using stolen email addresses to register victims via the contact forms of legitimate websites.  This allows the cyber-criminals to add their own content to the form that will then be sent to the victim in the confirmation email from the legitimate website.

For example, according to Kaspersky, a cyber-criminal uses the victim’s e-mail address as the registration address, and then enters their own advertising message in the name field e.g. “we sell discount electrical goods. Go to http://discountelectricalgoods.uk.” This means that the victim receives a confirmation message that opens with “Hello, we sell discount electrical goods. Go to http:// discountelectricalgoods.uk Please confirm your registration request”.

Where a victim is asked by a website form to confirm their email address, cyber-criminals are also able to exploit this part of the process by ensuring that victims receive an email with a malicious link.

Advantages

The main advantages to cyber-criminals of using messages sent as a response to forms from legitimate websites are that the messages can pass through anti-spam filters and have the status of official messages from a reputable company, thereby making them more likely to be noticed, opened, and responded to.  Also, as well as the technical headers in the messages being legitimate, the amount of actual spam content carried in the message (which is what the filters react to) is relatively small. The spam rating assigned to messages by anti-spam filters is based on a variety of factors, but these kinds of messages command a prevailing overall authenticity which allows them to beat filters, thereby giving cyber-criminals a more credible-looking and effective way to reach their victims.

What Does This Mean For Your Business?

Most businesses and organisations are likely to have a variety of forms on their website which could mean that they are open to having their reputation damaged if cyber-criminals are able to target the forms as a way to initiate attacks or send spam.

The advice of Kaspersky is that companies and organisations should, therefore, consider testing their own forms to see if they could be compromised.  For example, registering on your own company form with your own personal e-mail address and entering a message in the name field such as “I am selling electrical equipment” as well as including a website address and a phone number, and then checking what appears in your e-mail inbox will show if there are any verification mechanisms for that type of information.  If the message you receive begins “Hello, I am selling electrical equipment”, you should contact the people who maintain your website and ask them to create simple input checks that will generate an error if a user tries to register under a name with invalid characters or invalid parts. Kaspersky also suggests that companies and organisations could consider having their websites audited for vulnerabilities.

Using GDPR To Get Partner’s Personal Data

A University of Oxford researcher, James Pavur, has explained how (with the consent of his partner) he was able to exploit rights granted under GDPR to obtain a large amount of his partner’s personal data from a variety of companies.

Right of Access

Mr Pavur reported that he was able to send out 75 Right of Access Requests/Subject Access Requests (SAR) in order to get the first pieces of information from companies, such as his partner’s full name, some email addresses and phone numbers. Mr Pavur reported using a fake email address to make the SARs.

SAR

A Subject Access Request (SAR), which is a legal right for everyone in the UK, is where an individual can ask a company or organisation, verbally or in writing, to confirm whether they are processing their personal data and, if so, can ask the company or organisation for a copy of that data e.g. paper copy or spreadsheet.  With a SAR, individuals have the legal right to know the specific purpose of any processing of their data, what type of data is being processed, who the recipients of that processed data are, how long that data stored, how the data was obtained from them in the first place, and for information about how that processed and stored data is being safeguarded. Under GDPR, individuals can make a SAR for free, although companies and organisations can charge “reasonable fees” if requests are unfounded, excessive (in scope), or where additional copies of data are requested to the original request.

Another 75 Requests

Mr Pavur reported that he was able to use the information that he received back from the first 75 requests to send out another 75 requests.  From the second batch of requests Mr Pavur was able to obtain a large amount of personal data about his partner including her social security number, date of birth, mother’s maiden name, previous home addresses, travel and hotel logs, her high school grades, passwords, partial credit card numbers, and some details about her online dating.

The Results

In fact, Mr Pavur reported that 24% of the targeted firms who responded (72%) accepted an email address (a false one) and a phone number as proof of identity and revealed his partner’s personal details on the strength of these.  One company even revealed the results of a historic criminal background check.

Who?

According to Mr Pavur, the prevailing pattern was that large (technology) companies responded well the requests, small companies ignored the requests, and mid-sized companies showed a lack of knowledge about how to handle and verify the requests.

What Does This Mean For Your Business?

The ICO recognises on its website that GDPR does not specify how to make a valid request and that individuals can make a SAR to a company verbally or in writing, or to any part of your organisation (including by social media) and it doesn’t have to be made to a specific person or contact point.  Such a request also doesn’t have to include the phrase ‘subject access request’ or Article 15 of the GDPR, but any request must be clear that the individual is asking for their own personal data.  This means that although there may be some confusion about whether a request has actually been made, companies should at least ensure that they have identity verification and checking procedures in place before they send out personal data anyone. Sadly, in the case of this experiment, the researcher was able to obtain a large amount of personal and sensitive data about his (very understanding) partner using a fake email address.

Businesses may benefit from looking at which members of staff regularly interact with individuals and from offering specific training to help those staff members identify requests.

Also, the ICO points out that it is good practice to have a policy for recording details of the requests that businesses receive, particularly those made by telephone or in person, so that businesses can check with the requester that their request has been understood.  Businesses should also keep a log of verbal requests.