
Cyber_Bytes - Issue 46

Published on 01 November 2022

Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.

ICO highlights complacency as major cyber risk for UK Companies

Information Commissioner John Edwards warns that organisational complacency poses a greater risk to UK businesses than the actions of cyber criminals. As an example, construction company Interserve was recently fined £4.4m over a 2020 ransomware incident in which the data of 113,000 employees was stolen.

During the pandemic, a phishing email slipped through Interserve's secure internet gateway system. This led to an attack that compromised two employee accounts, exposing 283 systems and 16 company accounts. The threat actors were then able to uninstall the company's antivirus software. It transpired that one of the initial phishing victims had not undertaken any IT training and that the company had been operating on outdated software systems. Further, Interserve's IT teams were notified of some suspicious activity on the servers but took no further action.

By issuing such a large fine, the ICO has sent a strong message to businesses that may be reluctant to monitor suspicious activity, fail to act on warnings, defer software updates, and/or shelve recommended IT training. Interserve's actions (or inactions) resulted in a breach of data protection law by “failing to put appropriate technical and organisational measures in place to prevent the unauthorised access of people’s information”. Even though Interserve was in administration shortly before the incident, the ICO will levy the fine against the successor parent company in an approach it describes as "robust and fair".

Click here to read the ICO's penalty notice and here to read the Computer Weekly article.

High Court offers helpful guidance on damages for claimants in data disputes

The latest judgement of Knowles J in Driver v Crown Prosecution Service [2022] EWHC 2500 (KB) has provided some clarification as to the awards which claimants can receive when seeking damages for distress.

The Claimant was a local politician in Lancaster. An email was sent to a member of the public in relation to an ongoing police investigation in which the Claimant was a known suspect. That member of the public was a political opponent who allegedly had a grievance against the Claimant and subsequently leaked the email to the press. The fact that the Claimant was a suspect in police investigations was already in the public domain at the time of the disclosure to the press.

The Court found that this was not a GDPR claim, but that it did fall within the law enforcement provisions of the Data Protection Act 2018 (Section 31). The leak was seen as a limited disclosure, as people would have been likely to have already known this information due to previous widespread media reporting. The Claimant sought damages of up to £2,000 but was awarded £250 for a “lowest end of spectrum” data breach that did not involve information with any privacy connotations. The judge concluded that the disclosure would not have changed the outcome of the police investigation and could not "reasonably or properly have caused the claimant anything like the level of anguish which he claimed".

Click here to read the full article published by 11 King's Bench Walk Panopticon blog.

New UK version of GDPR is on the horizon

The UK's Culture Secretary, Michelle Donelan, has announced that the UK will have its own version of the GDPR. The Government announced a Data Protection and Digital Information Bill to replace the GDPR last June, but that has been put on hold and reconsidered. Donelan has stated that the new UK version of the GDPR will give British businesses a say and will be built on “common sense, helping to prevent losses from cyberattacks and data breaches, while protecting data privacy”.

Tina McKenzie, Policy and Advocacy chair at the Federation of Small Businesses (FSB) notes that "small firms are looking for more support and flexibility in compliance, easy-to-use and accessible guidance, and fewer prescriptive requirements. Divergence from the EU GDPR must both work domestically, as well as protecting small businesses’ ability to trade". She added that: “The UK GDPR in its current form is notoriously bureaucratic and is disproportionately onerous on small businesses, where there is often excessive caution in handling data at the expense of growth and innovation".

The core principles of data protection law and current data security requirements are expected to remain in the new bill. However, more peripheral areas such as EU Cookie policy and data retention could be simplified.

Click here to read the full Small Business article.

Supply chain cyber-attacks are on the rise – NCSC offers fresh guidance

The National Cyber Security Centre (NCSC) has offered new guidance on ways organisations can work with suppliers to identify weaknesses and boost resilience in the wake of growing numbers of supply chain attacks. It aims to help cyber security professionals, risk managers and procurement specialists put into practice the NCSC’s 12 supply chain security principles.

Government research has found only one in ten businesses consider their immediate supply chain risks and vulnerabilities as part of their wider data risk review. The guidance is designed to help medium and larger organisations better assess the cyber risks of working with their suppliers. It describes typical supplier relationships, and ways that organisations are exposed to vulnerabilities and cyber-attacks via the supply chain.

Ian McCormack, NCSC Deputy Director for Government Cyber Resilience commented that supply chain attacks are a "major cyber threat facing organisations, with profound long-lasting impacts on businesses and customers". A collaborative effort between organisations and stakeholders is therefore needed to ensure appropriate security measures.

Click here to read the guidance published by the NCSC.

EvilProxy expands advanced phishing options for threat actors

EvilProxy is a new service promising to provide a reverse-proxy phishing-as-a-service (PaaS) platform that helps users steal authentication tokens in order to defeat the multi-factor authentication (MFA) processes of large organisations. The service gives low-skill cyber criminals a low-cost option for stealing otherwise well-protected internet-facing accounts.

Reverse-proxy phishing places an attacker-controlled server between the intended victim and a genuine authentication endpoint, such as a company’s login form, and intercepts the session cookie issued once the victim has authenticated. Threat actors can then use this intercepted authentication cookie to log in to the site as the user, circumventing any multi-factor authentication measures that have been enabled.

EvilProxy is promoted on dark web forums and appears to be intended as a service sold directly to hackers, even offering user-friendly instructional videos. Payments for the PaaS service are made individually using the Telegram app. The service promises to steal usernames, passwords and session cookies, at a cost of $150 for ten days, $250 for 20 days, or $400 for a month-long campaign.

As MFA adoption continues to increase, and is even mandated in some cyber insurance policies, the growth of a platform that automates advanced options for low-skilled threat actors is an unwelcome development and one to watch.
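Because a stolen session cookie is presented from the attacker's own client rather than the victim's, one defensive control is to bind each session to the client context recorded at login and treat a mismatch as suspected token replay. The following is an added illustration written for this issue, not code from EvilProxy or from any product mentioned above; the session store, the fingerprint inputs (source IP and user agent) and the sample values are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed example: bind a session cookie to the client context seen
# at login, so the same cookie replayed from a different network location
# or browser is rejected and surfaced as an alert rather than accepted.

def client_fingerprint(ip: str, user_agent: str) -> str:
    """Hash the client attributes recorded at login (assumed inputs)."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

@dataclass
class Session:
    user: str
    fingerprint: str

@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def login(self, cookie: str, user: str, ip: str, ua: str) -> None:
        # Called after MFA succeeds at the genuine endpoint: record the
        # client context the cookie was issued to.
        self.sessions[cookie] = Session(user, client_fingerprint(ip, ua))

    def check(self, cookie: str, ip: str, ua: str) -> str:
        """Return 'ok', 'reauth' (binding mismatch) or 'unknown'."""
        sess = self.sessions.get(cookie)
        if sess is None:
            return "unknown"
        if sess.fingerprint != client_fingerprint(ip, ua):
            # Same cookie, different client: invalidate the session,
            # force re-authentication and leave a record for the SOC.
            del self.sessions[cookie]
            self.alerts.append(f"suspected session replay for {sess.user} from {ip}")
            return "reauth"
        return "ok"

def demo() -> list:
    """Constructed sequence: genuine use, replay, then post-revocation use."""
    store = SessionStore()
    store.login("c0ffee", "alice", "203.0.113.10", "Firefox/105")
    return [
        store.check("c0ffee", "203.0.113.10", "Firefox/105"),  # genuine client
        store.check("c0ffee", "198.51.100.7", "Chrome/106"),   # replayed cookie
        store.check("c0ffee", "203.0.113.10", "Firefox/105"),  # already revoked
    ]
```

IP and user-agent binding produces false positives on mobile and corporate networks whose egress addresses change, so in practice the mismatch is better used as a signal for step-up authentication and alerting than as a hard block.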

Click here to read the full article by Bleeping Computer.

Internet of Things (IoT) and global smart cities hinge on security by design models

Lindy Cameron, NCSC CEO, calls for international standards to improve the cybersecurity of IoT, connected devices, and smart cities. At the Singapore International Cyber Week, Cameron encouraged swift action to ensure connected devices are designed, built, deployed, and managed securely to prevent attacks from cyber criminals.

Consumers have a growing dependency on connected devices and now is the time to make sure they are designed and built properly. Cameron stated that "connected places are an evolving ecosystem, comprising a range of systems that exchange, process, and store sensitive data, as well as controlling critical operational technology. Unfortunately, this makes these systems an attractive target for a range of threat actors”.

State sponsored cyber-attacks may succeed in stealing sensitive commercial and personal data from other nations, including the UK. Nations may also try to influence specific suppliers or compromise overseas services to disrupt nations by exfiltrating data.

The upcoming UK Product Security and Telecommunications Infrastructure Bill seeks to enshrine security by design principles in law. The bill places new cybersecurity standards on manufacturers, importers, and distributors of internet-connectable devices, along with ensuring the security of connected devices on the market.

The NCSC comments that the effectiveness and enforcement of the proposed Bill, coupled with new international IoT standards, will depend on global collaboration between governments and manufacturers. Delayed action may only prove more expensive down the line, given the growing dependence on insecure connected devices.

Click here to read the full article by CSO.