
Preparing staff messaging around WannaCrypt/WCry

In the spirit of my ongoing InfoSec openness, here's the messaging I've prepared for our Group's education and call to action around WannaCrypt:



Many of you will have read about last week’s global cyber attack, which seriously impacted a number of organisations, including the National Health Service in the UK and Telefonica in Spain. Over 70 countries were affected in total.

The attack took the form of ‘ransomware’ that caused computer-held files to be made unreadable (encrypted) unless a payment was made to the attackers via the 'Bitcoin' online currency.

Currently we have no reports of any impact to Group services or systems from this attack.

The attack relied upon a combination of malicious software being run, poor IT configuration practices, and the exploitation of older, unpatched/out-of-support systems such as Windows XP and 2003.

The Group have a large and complex IT infrastructure that is continually being improved, strengthened and made more secure. The Group Security Team has been working across our brands to ensure this effort gains pace in an ever-increasing threat landscape.

I would ask that each of you please continue your already-brilliant support to the Group’s cyber defences by following these four simple best practices:

  • Be vigilant when opening unsolicited emails, and avoid opening or saving any related attachments unless certain of their trusted origin;
  • Avoid plugging personal or other USB storage devices into Group computer systems unless they have been recently scanned for malware and viruses by using an up-to-date security product;
  • Avoid downloading and running software from the Internet to your workstations unless part of your normal Group role;
  • Immediately report suspicious activity you witness on any computer system that you suspect may be under attack to [internal email address redacted]. Unusual activity can include windows appearing and then vanishing spontaneously, the keyboard appearing to type by itself onscreen, or unusual flickering of your computer display.
The Group Security Team [internal email address redacted] are here to support and answer any questions you may have about the attack or any other aspect of security. We are based on the 1st floor of the Southwark, UK office, and I can be reached via Slack (@anders).

Thank you for your time, interest and ongoing support.


Best regards,



Photobox Group CISO, Dinis Cruz, has also posted his own advisory to our Group Tech teams.

