Cyber_Bytes - Issue 42
Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.
Another go at Misuse of Private Information - Smith and Others v TalkTalk EWHC 1311 (QB)
The Claimants issued proceedings against TalkTalk following data breaches in 2014 and 2015, alleging that their personal data was obtained from TalkTalk's IT systems by unknown criminal third parties and then used for fraudulent purposes. They claimed compensation for breach of statutory duty under the Data Protection Act 1998 and damages for the tort of misuse of private information.
The judgment followed the ruling in Warren v DSG Retail Limited, which held that claims were not viable in negligence or misuse of private information where the defendant had not committed any voluntary action leading to the loss of confidentiality in the data.
The Claimants attempted to distinguish Smith from Warren by framing TalkTalk's conduct as positive acts rather than a series of failures. But, as Saini J put it, this argument constituted "a negligence action masquerading as a claim for misuse of private information." Ultimately, it was held that the misuse of private information occurred as a result of the actions of a criminal third party and not TalkTalk.
Nevertheless, in a more concerning development, Saini J dismissed the "unconfirmed breaches" strike out application. Certain Claimants could not determine if they were affected by the 2014 or 2015 breaches or some other breach. However, it was held to be a permissible deduction that, if the personal information used by the scammers was not obtained in the 2014 or 2015 breaches, the trigger may have been some other unlawful accessing of TalkTalk's systems. Even though disclosure could be complex and cumbersome, Saini J refused to strike out the claim.
This decision is a welcome reiteration of Warren as it relates to misuse of private information. However, it also shows a willingness by the Court to show leniency in data protection pleadings where the Claimants can only infer the occurrence of a breach.
Click here to read the High Court judgment from Bailii.
ICO funding update: Fine income retention agreement
The ICO has announced that it will now be able to retain up to £7.5 million per financial year of funds raised through civil monetary penalty notices. When issuing a civil monetary penalty notice, the ICO will be able to use funds to cover pre-agreed, specific and externally audited litigation costs.
The justification given for the agreement is the increasing quantity and complexity of claims in the digital age. The additional funding will allow the ICO to maintain the technical and legal capacity needed to deal with ongoing and future matters. This change has been agreed with the Department for Culture, Media and Sport and HM Treasury.
The ICO will be subject to auditing by the National Audit Office each year to ensure that these funds are only recovered where appropriate, and the ICO will report fines and associated costs in its Annual Report and to HM Treasury.
The ICO has called this measure an "appropriate and proportionate regulatory action", and the new funding could help the ICO turn its attention to bigger fish rather than the five-figure PECR fines which have characterised much of its enforcement activity in recent times.
Click here to read the full article as published by the ICO.
Right of access extends to identification of specific recipients to whom personal data are disclosed (AG's opinion)
In RW v Österreichische Post AG, it was determined that a data subject's right of access to information extends to the identification of any recipients of their personal data.
RW made a subject access request to the Österreichische Post (OP), Austria's main postal service, to identify which third parties had received data pertaining to RW from OP. OP provided descriptions of categories of recipients, as well as general information about data sharing, but did not identify specific parties.
Advocate General Pitruzzella (AG) noted that the wording of Article 15(1)(c) GDPR afforded a right to "recipients or categories" and that it was not for the data controller to decide which details to provide to the data subject. Further, Recital 63 of the GDPR provides that data subjects "have the right to know and obtain communication […] with regard to […] the recipients of the personal data".
OP was not in a position to limit RW's right of access to information with respect to their personal data and therefore should have provided specific identification upon request. RW had the right to verify the lawful use and receipt of their data and to be aware of the ways in which it was being processed.
This ruling clarifies the type of information that data subjects will be entitled to receive from data controllers upon the lodging of a data subject access request. This is an important decision which clarifies data controllers' obligations towards data subjects when similar requests are made.
Click here to read the full opinion of Advocate Pitruzzella from InfoCuria.
People's Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices
The National Security Agency (NSA), Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have co-authored a Cybersecurity Advisory detailing how state-sponsored actors of the People's Republic of China (PRC) have engaged in the worldwide targeting of telecommunications companies and network service providers.
PRC cyber actors are known to exploit publicly identified vulnerabilities, using publicly available exploit code to gain access to victims' accounts. These actors have also been observed adapting their tactics, monitoring network defenders so that their exploitation of systems can continue undetected.
Known vulnerabilities are exploited by employing open-source tools, such as specific software frameworks, to gain access to small office/home office (SOHO) routers. The actors then leverage these footholds to identify critical infrastructure, harvesting user passwords and gaining access to administrative accounts.
Organisations are encouraged to take mitigating actions such as updating and patching systems and products, using multi-factor authentication, enforcing strict password requirements, and maintaining robust logging and review of network access.
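The last of those mitigations, logging and review of network access, is the one most easily shown in code. The following Python script is an added example, not code from the advisory, CISA or this newsletter: it parses a handful of constructed sshd-style authentication log lines and flags administrative-account logins from addresses outside an assumed management subnet, runs of failed logins from one source, and a success that follows such a run. The log format, account names, addresses, subnet and threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an sshd-like format (assumption: not real logs).
SAMPLE_LOG = """\
Jun 08 09:12:01 edge-rtr sshd[2231]: Accepted password for admin from 10.0.5.20 port 51122 ssh2
Jun 08 09:15:44 edge-rtr sshd[2240]: Failed password for admin from 198.51.100.7 port 40011 ssh2
Jun 08 09:15:46 edge-rtr sshd[2240]: Failed password for admin from 198.51.100.7 port 40012 ssh2
Jun 08 09:15:49 edge-rtr sshd[2240]: Failed password for admin from 198.51.100.7 port 40013 ssh2
Jun 08 09:15:52 edge-rtr sshd[2241]: Accepted password for admin from 198.51.100.7 port 40014 ssh2
Jun 08 09:20:10 edge-rtr sshd[2250]: Accepted publickey for ops from 10.0.5.21 port 51200 ssh2
Jun 08 09:22:33 edge-rtr sshd[2255]: Failed password for root from 203.0.113.9 port 33001 ssh2
"""

# Assumed policy: which accounts count as administrative, which subnet
# management logins are expected from, and how many failures are suspicious.
ADMIN_ACCOUNTS = {"admin", "root", "ops"}
MANAGEMENT_PREFIX = "10.0.5."
FAIL_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_line(line):
    """Return the fields of one auth log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def review_access(log_text):
    """Review authentication events in order and return a list of (rule, detail) findings."""
    findings = []
    failures = defaultdict(int)  # (user, source address) -> failed attempts so far
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated line, e.g. a session close message
        key = (ev["user"], ev["src"])
        if ev["outcome"] == "Failed":
            failures[key] += 1
            if failures[key] == FAIL_THRESHOLD:  # report once, when the threshold is reached
                findings.append(("repeated_failures", f"{ev['user']} from {ev['src']}"))
            continue
        # Successful login of an administrative account from outside the management subnet
        if ev["user"] in ADMIN_ACCOUNTS and not ev["src"].startswith(MANAGEMENT_PREFIX):
            findings.append(("admin_login_off_management_net", f"{ev['user']} from {ev['src']}"))
        # Successful login from a source that had already been failing against this account
        if failures[key] >= FAIL_THRESHOLD:
            findings.append(("success_after_failures", f"{ev['user']} from {ev['src']}"))
    return findings


if __name__ == "__main__":
    for rule, detail in review_access(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```

Run as a script it prints one line per finding; on the constructed input the only events flagged are the three concerning the `admin` account and 198.51.100.7, while the single failure against `root` stays below the threshold and the `ops` login from the management subnet is not reported. A real deployment would read the device's syslog export and take the allowlist from inventory rather than a constant, but the review logic is the same.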
Click here to read the full article published by the Cybersecurity & Infrastructure Security Agency.
Qatar bolsters cyber security in preparation for World Cup
As Qatar prepares to host the 2022 FIFA World Cup, experts are anticipating cyber security issues to arise as a result of wider infrastructure and digital demands. From ticketing to hotels and restaurants, there will be an influx of foreign personal and financial data. Hackers will be hoping to gain the benefit of this data through fake bookings and phishing attempts.
As this is the first event of its kind to take place in Qatar, many have doubts regarding the state's capacity for cyber security defence. Qatar faces a highly concentrated challenge in handling an estimated total of 1.5 million visitors. Interpol hosted cyber security experts on 25 March to analyse the potential threats the event would create, as part of the wider 'Project Stadia', the Qatar-funded security programme.
Qatar will also partner with Morocco, which will send a team of cyber security experts to assist Qatar's existing defences, such as the National Cyber Security Agency (established in 2021). To date, the agency has trained 25,000 employees in aspects of information security and has expressed interest in partnering with global organisations.
Click here to read the full article published by ComputerWeekly.com.
How Cyber Criminals Target Cryptocurrency
The nature of cryptocurrency lends itself to targeting by cyber criminals. Its inherent anonymity and lack of centralised regulation make cryptocurrency both a practical target and a convenient medium of exchange.
Researchers have observed a variety of threats, including traditional fraud against the individuals and organisations that store and transfer cryptocurrency. The total value of cryptocurrency reported lost to cybercrime in 2021 was around $14 billion.
Phishing campaigns that target or utilise cryptocurrency can be broken down into three main categories:
- Credential Harvesting – Typically a URL sent to the potential victim leading to a false landing page designed to imitate a popular website. This prompts the user to input log-in information or recovery phrases, ultimately giving the cyber actor access to their account.
- Cryptocurrency Transfer Solicitation – A popular and more traditional form of cybercrime in which the threat actor attempts to extort funds from the victim through social engineering. For example, the actor may claim to hold sensitive data, pretend to be a business or claim to be collecting for charity. Cryptocurrency is commonly used as the means of transferring these funds because of its anonymity.
- Specific Targeting of Cryptocurrency Data – Malware that targets user data (such as passwords or financial information) has been adapted to target and monitor cryptocurrency activity. Such malware typically falls under the 'infostealer' family, which logs user inputs, takes screenshots and searches for sensitive files.
As an industry of growing interest, it is important to be well-informed of the threats arising from social engineering, exploitation and malware.
Click here to read the full article published by Proofpoint.