Cyber_Bytes - Issue 48

Published on 04 January 2023

Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.

ICO fines reach £15 million in 2022 - triple the value of 2021 penalties

A recent analysis by RPC revealed a three-fold increase in the value of ICO fines, from a figure of £4,848,000 in 2021 to a figure of £15,249,200 between 1st November 2021 and 31st October 2022. This increase is partly attributable to larger one-off fines, such as the ones levied against Clearview AI for £7.5m due to a violation of privacy laws and Interserve for £4.4m for failing to protect employee data in the wake of a data breach.

Clearview AI was fined in May for using images of people in the UK and other countries without permission to build a global online facial recognition database. As part of Clearview's sanctions, the ICO issued an enforcement notice requiring Clearview to stop collecting and to remove all readily accessible online personal information relating to UK citizens. Construction business Interserve was fined £4.4m for failing to take reasonable precautions to safeguard the data of its customers in the wake of a data breach in 2020.

RPC's analysis also revealed a four-fold increase in fines related to personal data stolen via a cyber-attack. This figure rose from £1,285,000 in 2021 to £4,998,000 in November this year. Richard Breavington, RPC's Head of Cyber & Tech Insurance Team, commented that the increase in fines could be reflective of a tougher stance by the ICO post-COVID on businesses in respect of taking appropriate measures to protect customer and employee data. As the value of ICO fines creep up, the regulator's "measured approach to sanctions seen in the pandemic, and the attitude of forbearance seems to be changing".

Click here to read the full article from Law360.

Key points from the UK Online Safety Bill

The UK Online Safety Bill is the UK Government's ambitious attempt to regulate the internet. If the Bill becomes law it will apply to any service or site that has users in the UK or targets the UK as a market, even if not based in the UK. Failures to comply with the new bill will lead to potential fines of up to 10% of global turnover or £18m whichever is higher.

Ofcom will be the appointed regulator with powers to enforce the Online Safety regime. The Bill particularly focuses on preventing children from accessing potentially harmful material and places enhanced requirements on how online platforms assess and delete illegal material deemed to be injurious. The Bill would be applicable to search engines, hosting platforms, social media platforms, some online gaming sites, and pornographic sites.

Currently, intermediary hosting platforms have a liability shield when users post illegal or harmful content online until they are made aware of the content. The Bill contains a proposed requirement on companies to actively look for illegal content, rather than waiting for someone to report it before acting. If Ofcom take regulatory action against a service provider, details of that disciplinary measure would be made public.

Critics remain sceptical about the proposed backdoors into private content such as encrypted messaging. These backdoors could also be exploited by threat actors, said Matthew Hodgson, co-founder of Element, a decentralized British messaging app. Hodgson argues that the UK Government should not facilitate the introduction of privacy-eroding infrastructure, but rather prevent it from becoming a reality which could potentially be adopted by authoritarian regimes around the world.

Click here to read the full article from Computerworld.

ICO sheds light on how it ensures enforcement certainty

The ICO's John Edwards comments that "members of the public, and those affected by a breach or infringement, are entitled to know that we have held the business or organisation to account, and that they have changed their practices as a result”. As of 6 December 2022, in addition to publishing enforcement notices, the ICO has committed to publishing all reprimands going forward including historic reprimands issued from January 2022, unless there is good reason not to (such as national security, or potentially jeopardising an ongoing investigation).

The ICO's Director of Investigations, Stephen Eckersley, praised reprimands as a way of showing action to raise data protection standards in addition to issuing fines. Example of when reprimands have been used include helping a local council improve its cyber security, warning a telecommunications company to improve its responses to the public when asked for personal information held about them, and ordering the police to improve how they handle victims’ personal information. Publishing reprimands is hoped to improve public transparency and provide more certainty to businesses as to how to improve and stay compliant.

Ultimately the ICO's goal for private and public bodies is to adopt privacy by design putting people at the heart of all their practices.

Click here to read the full ICO blog post.

Increase in cost of phishing attacks

A recent report by Acronis has revealed that phishing and malicious email threats have gone up by 60%. The use of phishing methods such as multi-factor authentication fatigue attacks is on the rise. Social engineering attacks have also increased, accounting for 3% of all attacks.

Candid Wüest, Acronis VP of Cyber Protection Research, commented that malicious actors continue to use the same proven playbook for big pay-outs, and "organisations must prioritise all-encompassing solutions when looking to mitigate phishing and other hacking attempts in the new year". Businesses need to re-evaluate their security strategies as the technologies used by threat actors keep evolving.

The report found that ransomware retained the top spot as the biggest threat to businesses including government, healthcare, and education. Phishing and malicious emails also remain successful. Between July 2022 and October 2022, phishing emails accounted for 76% of all email attacks, up from 58% in the first half of 2022. The most email-borne-attacked industries are construction, retail, real estate, professional services (computers & IT), and finance.

The Acronis Cyberthreat Report also highlighted that malicious actors continue to target unpatched systems. Zero-day vulnerabilities and old unpatched vulnerabilities still carry the highest system compromise risk.

Click here to read the full article from Acronis.

Global law enforcement operation shuts down around 50 DDoS attack platforms

Around 50 of the most popular platforms available for hire to launch distributed denial-of-service (DDoS) attacks have been shut down during an international law enforcement crackdown called Operation Power Off. The takedown saw international participation from Europol, UK, US, Netherlands, Poland, and Germany. Europol announced that just one of the services shut down by Operation Power Off was responsible for more than 30 million DDoS attacks. Seven website administrators have also been arrested. This is a welcome development as the Europol announcement flagged that DDoS booter services have effectively lowered the entry barrier into cybercrime. For a fee as low as Euro 10, any low-skilled individual can launch DDoS attacks with one click, knocking offline whole websites and networks by barraging them with traffic.

Click here to read the full article from Dark Reading.

Stay connected and subscribe to our latest insights and views 

Subscribe Here