
Cyber_Bytes - Issue 59

Published on 08 December 2023

Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.

NCSC Annual Review: UK's critical infrastructure faces enduring cyber threats

The National Cyber Security Centre (NCSC) has issued its seventh Annual Review, underscoring key developments, achievements and trends from the past year.

The first chapter of the report discusses threats and risks. This chapter describes an increase in state-aligned groups and aggressive cyber activities, emphasising the need for enhanced cyber resilience in state infrastructure. The NCSC's Incident Management team, which deals with incidents of national significance to the UK, saw reports of cyber incidents in the UK rise by over 64% last year.

The second chapter of the report discusses resilience and how the NCSC supports the public and private sector to raise awareness about cyber threats and improve resilience generally. This chapter includes an interesting case study about work that has been carried out to bolster the security of the UK's Critical National Infrastructure. There is another case study on the threat of cyber interference that could influence democratic processes such as the next general election. This case study notes that the government has established the Joint Election Security Preparedness Unit to be responsible for coordinating electoral security.

The third chapter of the report discusses the growth of the cyber security market and the NCSC's initiatives to accommodate this.

The fourth chapter of the report discusses the development of technology and the risks associated with such developments. While AI is discussed, the NCSC highlights other advancements that have not been in the headlines as often such as semiconductors, quantum computing, cryptography and radio frequency transmissions.

The NCSC's CEO, Lindy Cameron, notes in her foreword that the five main areas of specific interest to the NCSC over the past year have been:

  1. AI cyber security
  2. Securing the UK's critical national infrastructure
  3. Defending the UK's democratic processes
  4. The future of UK cyber security services (including the NCSC's role in their provision)
  5. Lessons learned from the invasion of Ukraine

The NCSC's focus over the coming year will be:

  1. Improving the UK's cyber resilience by improving understanding of threats for both businesses and national infrastructure
  2. Ensuring that future technology shifts are deployed securely to counteract threats that take advantage of such developments
  3. Growing the NCSC's expertise

Click here to read the full 2023 Annual Review published by the NCSC.

Booking.com scam emails threaten hotel reservations

Travellers using Booking.com faced a new threat this month as scam emails were circulated, falsely claiming to be from the popular hotel booking platform. Users report receiving convincing emails, allegedly from noreply@booking.com, urging them to confirm hotel payments or risk reservation cancellations. The emails contain personal details, which add to their apparent authenticity.

There have been instances of compromised reservations and unauthorised charges raising concerns. Some customers who followed instructions contained in scam emails might also have unknowingly exposed their bank card details in the process.

Booking.com denies that the issue originates from their systems and emphasises its commitment to safety. The company attributes the issue to sophisticated phishing tactics affecting partner hotels. Users are urged to verify emails, contact Booking.com directly, and scrutinise payment policies of the accommodation that they have booked.

Click here to read the Guardian's full news article.

Ransomware group reports victim to SEC for non-compliance

In a surprising move, the prolific ransomware group AlphV has escalated pressure on one of its victims in the US, publicly traded digital lending company MeridianLink, by reporting the breach to the US Securities and Exchange Commission (SEC). AlphV claims MeridianLink failed to comply with upcoming SEC rules mandating disclosure of cybersecurity incidents within four days of discovery. After filing the complaint with the SEC, AlphV posted it on the dark web. Although the rules are not yet in effect, the ransomware group accuses MeridianLink of a "material misstatement" for not disclosing a significant breach compromising customer data and operational information.

The tactic is an attempt to exploit industry-wide anxiety following the SEC's recent enforcement action against SolarWinds' Chief Information Security Officer. While MeridianLink confirms a "cybersecurity incident," it asserts that there has been no evidence of unauthorised access to production platforms and minimal business interruption. This incident highlights the evolving strategies of ransomware groups.

Click here to read Ars Technica's news article.

Information Commissioner seeks appeal in Clearview AI case

The UK Information Commissioner is seeking permission to appeal the 2022 judgment by the First-tier Tribunal relating to Clearview AI Inc. That tribunal decision overturned the ICO's decision to issue a fine of £7.5 million and an enforcement notice to the company.

The principal point of contention concerned the ICO's jurisdiction to issue the enforcement and penalty notices to Clearview. Clearview succeeded in appealing against the ICO's fines and enforcement action because it was used by law enforcement outside the UK. The three-member tribunal hearing the appeal concluded that although Clearview did carry out data processing related to monitoring behaviour of people in the UK, this fell outside of the ICO's jurisdiction.

The ICO is appealing the decision on the basis that the law was misinterpreted. The ICO's view is that Clearview was not processing for foreign law enforcement purposes and should not be considered as outside the scope of UK law.

John Edwards, UK Information Commissioner, emphasised the need to protect the data rights of UK citizens amid the alleged widespread impact of Clearview's mass scraping of personal information. The appeal aims to address whether commercial enterprises, profiting from processing digital images of UK individuals, can rightfully claim engagement in "law enforcement."

Click here for the full judgment, and here for more on the appeal.

ICO and EDPS strengthen collaboration with Memorandum of Understanding

The UK ICO and the European Data Protection Supervisor (EDPS) have formalised their collaboration through a Memorandum of Understanding (MoU). This agreement solidifies their joint commitment to protecting individuals' data rights and privacy, emphasising international cooperation. The MoU outlines how the authorities will share experiences, best practices, and information, promoting dialogue among data protection authorities and digital regulators. The collaboration builds on their active participation in global forums. John Edwards, UK Information Commissioner, sees the MoU as enhancing existing collaboration, offering pragmatic solutions to support organisations while upholding individuals' information rights. Wojciech Wiewiórowski, European Data Protection Supervisor, emphasises the concrete plans to prioritise fundamental rights across the EU and the UK. The MoU aligns with legal responsibilities and underscores the commitment to safeguarding personal data amidst digital innovation.

Click here to read the ICO's news story.

Former NHS secretary fined for illegally accessing patient records

Loretta Alborghetti, a former NHS medical secretary, has been found guilty and fined for unlawfully accessing the medical records of over 150 people. The breach occurred during her tenure in the Ophthalmology department at Worcestershire Acute Hospitals NHS Trust.

An investigation revealed Alborghetti's unauthorised access to patient records, with 156 records viewed over 1800 times within three months. Despite her role requiring access to specific patient information, the accessed records pertained to individuals unrelated to ophthalmology. Alborghetti pleaded guilty to unlawfully obtaining personal data, resulting in a fine of £648 following the ICO's investigation.

Click here to read the ICO's news story.