Cyber Bytes banner RPC law

Cyber_Bytes - Issue 6 2020

29 January 2020. Published by Richard Breavington, Partner and Christopher Ashton, Associate and Rachel Ford, Associate

Welcome to Cyber_Bytes, a round up of key developments in cyber, tech and evolving risks over the first month of 2020.

New year, same challenge

Regular readers will be familiar with the phishing quiz created by Google that we circulated last year. As 2020 develops, we have already seen several victims to phishing attacks, making it all the more important for companies to remain vigilant. We circulate the quiz in this issue as a reminder to be on guard against phishing attacks, and for our new readers to take on the challenge. 

To access the quiz, please click here

ICO issues guidance on subject access requests

The ICO has issued new guidance on dealing with subject access requests, which is open for consultation until 12 Feb 2020. Readers will be aware that a subject access request is a right provided to individuals under the GDPR which allows them to find out what personal data a data controller holds about them. The guidance provides further details on subject access requests and the rights they offer to individuals. 

15 City law firms including RPC will submit their comments before the consultation closes.

To read more, please click here

Ransomware developer plans on creating leaked data site

Ransomware developer Nemty has announced plans to create a website which will be used to publish stolen data if ransoms are not paid by its victims. The latest plans highlight the risk of personal data being downloaded by the attackers, before a victim's systems are encrypted with the ransomware. The developments could potentially increase the number of notifications to the ICO and to individuals being necessary as a result of a ransomware attack. 

To read more, please click here

Citrix vulnerability revealed

Key vulnerabilities in software provided by the technology supplier Citrix have been identified. The vulnerabilities enable unauthorised third parties to gain direct access into a company's local network without needing log in credentials.  Citrix has started to roll out security patches to permanently fix the vulnerabilities, but they will apparently not be fully patched until the end of January. 

To read more, please click here

ICO issues first fine under GDPR

The ICO has issued its first fine under the GDPR, fining a pharmacy £275,000 for failing to ensure the security of medical details. 

The incident was brought to the ICO's attention by a third party, who reported that the pharmacy had left approximately 500,000 documents in unlocked containers on site. 

The ICO has published its intention to issue far higher fines,  in particular to British Airways and Marriott International, but these have not been formally issued yet.  

To read more, please click here  

Travelex data breach

Readers may be aware of the ransomware attack suffered by Travelex on New Year's Eve. The foreign exchange company was forced to take down its websites across roughly 30 countries in order to contain the incident. It now comes under scrutiny in how it has dealt with the attack and how it was communicated to third parties. 

The latest press coverage highlights the key importance for companies to have an incident response plan in place for when a cyber incident does occur, including ways to correctly manage communications with the ICO, affected individuals, and in some cases the media.

To read more, please click here 

Possible new laws for internet connected devices 

In May last year, the government announced plans to launch a consultation to ensure that internet connected devices, such as smart watches and home voice speakers, are better protected from cyber attacks. In latest news, the results of the consultation will apparently be published in the next month or so. It is said that the results will contain proposals for mandatory industry requirements that could lead to potential new regulation.

To read more, please click here.