A US county is in the process of paying half-a-million dollars to ransomware extorters who locked its local government network, according to reports.
Pennsylvania’s Delaware County revealed the attack last week, claiming in a notice that it had disrupted “portions of its computer network.”
“We commenced an immediate investigation that included taking certain systems offline and working with computer forensic specialists to determine the nature and scope of the event. We are working diligently to restore the functionality of our systems,” it said.
“The investigation is ongoing and we are working with computer forensic specialists to understand the full nature and scope of the event and confirm accurate information before sharing the details. County employees have been notified and provided with information and instructions.”
The county said its Bureau of Elections and Emergency Services Department were not affected, as they are served by separate networks.
However, the news comes as the authority, like much of the US, battles a surge in COVID-19 cases. Over the past four weeks it has seen a 131% increase in positive tests for the virus and a 156% increase in hospitalizations.
That will give attackers an extra incentive to attack public sector and healthcare organizations in the country over the coming months. However, it appears that Delaware County’s decision to pay up was influenced by its insurance policy, which reportedly covers ransomware outages.
The largest cause of cyber insurance claims in North America in the first half of 2020 was ransomware, accounting for over two-fifths (41%), according to provider Coalition.
However, there are concerns that the growing take-up of such policies also emboldens cyber-criminals, as it makes it more likely that victims will pay up to regain access to networks quickly.
As long as victims keep paying, ransomware groups will keep launching attacks.
The director of a marketing company that made tens of thousands of nuisance calls has been banned from running a business for six years.
Elia Bols was director of AMS Marketing Limited, a firm founded in 2016 which was the subject of scores of complaints between October that year and October 2017.
UK regulator the Information Commissioner’s Office handed Bols a fine of £100,000 after judging that, under his direction, the firm had made over 75,000 nuisance calls. It should first have used the Telephone Preference Service (TPS) list of individuals who choose not to receive unsolicited contact, the ICO said.
AMS Marketing was wound up in 2019, with the fine still outstanding, and Bols now lives in Australia. However, in his absence, the government has ruled that AMS Marketing broke Regulation 21 of the Privacy and Electronic Communications Regulations (PECR).
As a result, he is now disqualified from acting as director or becoming directly or indirectly involved with running or promoting a company.
“Our work with the Insolvency Service has seen the successful disqualification of 17 directors who have shut their business down to try and avoid paying a fine for illegal marketing activity,” explained Andy Curry, head of investigations at the ICO.
“Nuisance calls, emails and texts can be a huge problem and often cause people real distress. By taking unscrupulous directors out of action, we can help protect the public and their privacy.”
However, despite these successes, the ICO has been found wanting in terms of its collection of outstanding fines from such offenders.
An FOI request last month revealed that £6.6m, or over 39% of total fines, are still outstanding. Just 13% of nuisance calls fines were collected, versus 54% of data breach penalties.
A multibillion-dollar TV production company has become the latest big corporate name caught out by ransomware, it emerged late last week.
French multinational firm Banijay SAS owns over 120 production firms around the world, delivering TV shows ranging from MasterChef and Big Brother to Black Mirror and The Island with Bear Grylls.
In a short update last Thursday, it claimed to be managing a “cyber-incident” affecting the networks of Endemol Shine Group and Endemol Shine International, Dutch firms it acquired in a $2.2bn deal in July.
Although ransomware isn’t named in the notice, previous reports suggest the firm is being extorted.
It admitted that data may have been taken, in what would be a classic “double extortion” attack.
“The business has reason to believe certain personal data of current and ex-employees may have been compromised, as well as commercially sensitive information,” it said.
“We are continuing to take the appropriate steps and remain committed to protecting our employees, past and present, so if we do identify any cases of data being taken or misused, we will contact the affected individuals directly.”
In the meantime, the firm said it is investigating the attack with “independent specialists” and has notified the relevant authorities in the Netherlands and the UK: the two countries affected by the incident.
Banijay would do well not to engage with the extortionists. A recent Coveware report warned that “paying a threat actor not to leak stolen data provides almost no benefit to the victim.”
The vendor claimed that several ransomware groups still publicly dox companies even after payment, while others may demand a second payment to remove any data they may have stolen.
Victim organizations should in any case assume that it has been or will be either sold to other threat actors or used in a future extortion attempt, Coveware claimed.
Steps can be taken to reduce the threat of fake news infiltrating online advertising.
Speaking during the Westminster Forum Conference about tackling fake news and online misinformation, Konrad Shek, deputy director, policy and regulation at the Advertising Association, said the advent of disinformation has had an “enormous impact on trust in the media and politics.”
He said within commercial advertising there have been cases of false claims and promoted stories, and manipulated content, which can appear on social media and news feeds, while some websites that do “propagate false information are supported by adverts and legitimate ads can find themselves on these dubious websites.”
He also explained that there are online fraudsters that use tactics to better promote adverts, including adding clicks for misattribution, which can divert advertisers’ money to the fraudulent actor. “I’d refrain from saying that restricting adverts is a solution, as you have to think about the consequences of an approach and the impact it would have on the free internet,” he said. This calls for four options, he continued:
- Try and choke the funds to fake news websites, as brands are already sensitive about the impact of being associated with these websites and this is a good incentive to work towards being placed on such websites. However, he pointed out that the speed of ads in the supply chain means it may not always be possible to know where the ad has been published
- The use of standards and technology to reduce ad fraud and reduce advertising money in the supply chain. “There are already a number of industry standards that have anti-fraud certification processes,” he said, with technology that can aid in the fight against ad fraud with an ever-increasing number of detection and prevention tools. “To that end, it is really important that the ASA is properly funded and it can continue to invest in technology to help it spot non-compliant ads online”
- Aiding the general public to build resistance and encourage critical thinking skills. “We need to invest more in digital literacy to help people inoculate themselves against scams and misinformation,” he said. “With society as a whole, we need to look at media more critically – look at ads with a more critical eye and ask what the motivation behind it is, and is it too good to be true?”
- Address political advertising, as this is not regulated by the ASA. “Politicians and political parties need to come together to figure out an appropriate solution soon, as in the meantime, unregulated political advertising erodes trust in all advertising”
“There is obviously a lot more to be done,” Shek said. “Economic gain is a significant factor in why disinformation exists as advertising plays a core part in it, but we need to realize there are other factors in play.”
He claimed a solution requires a holistic and proper multi-disciplinary approach, and work needs to be done to ensure like-minded countries are allied on this, as it is hard to discern what is real and what is not.
Better steps need to be taken by politicians and social media platforms to deal with fake news, especially as the COVID-19 vaccine is created.
Speaking during the Westminster Forum Conference on tackling fake news and online misinformation, event chair Khalid Mahmood MP, shadow defense minister for procurement, said, as we have seen throughout the pandemic, certain misinformation has been passed around and it is effective in getting to people. “That is just in terms of the pandemic that we are seeing at the moment,” he added, pointing out that fake news is published about politicians too.
He said an issue is how responsibility “is totally negated from platforms where someone can put whatever they want and move forward” and trying to trace that back and address that is becoming increasingly difficult as platforms take time to deal with it.
Admitting that this is a very difficult issue to deal with, he said we need to look at some sort of level footing on this, before it is out of control.
Commenting on the role of platform providers, Katie O’Donovan, head of public policy at Google UK, said there is a challenge around freedom of speech where the meaning around the words can vary, depending on how things are said.
She said: “So you cannot regulate words and sentences, you have to understand the context of how they were made, and ask what is the context and hyperbole and is it a threat made to an individual or a group of people?”
Asked by Infosecurity if social media platforms are doing enough to prevent fake news whilst enabling free speech, O’Donovan said there is a need for more legislation and regulation. She argued that government is doing a good job on addressing a broad range of harms, whilst offering the opportunity to engage and to “have a vibrant online debate.” However, platforms have a responsibility not to wait for that regulation, and over the years, that has grown very steadily.
Michael Wendling, editor of the Trending and Anti-Disinformation Unit at BBC News, said there is going to be a massive wave of vaccine disinformation, which is ramping up now, and as the vaccine becomes available for COVID-19 “that will make what happened over the 5G masts look like a minor skirmish.” He said if measures by platforms are effective, there will be a larger take up of the vaccine, and if not, there will be less of a take up and the pandemic may continue.
Also speaking was Oscar Tapp-Scotting, deputy director for security and international at DCMS, who confirmed it has been working with platforms to address disinformation and has seen platforms take steps to reduce “misleading narratives.”
He said: “Each of the platforms is different; each has a different user base and provides information in different ways, so how they tackle this will vary by platform.” He also said that in a recent meeting with social media platforms, they would agree to work with healthcare organizations to publish correct information, so users have the ability to make the right choice.
Mahmood said there is a need for politicians to look at social media and how it deals with fake news, “and this has to be the way for all of us in how we deal with fake news, as ultimately there has to be some sort of responsibility between both us and the platforms and how we get the motion across and how we get them to work together.”
The National Cyber Security Centre (NCSC) is assisting Manchester United in dealing with the cyber-attack which struck the English football club last week.
Last Friday, the Premier League side confirmed in a statement that an incident had taken place, following which affected systems were shut down to “contain the damage and protect data.”
One week later and the club’s internal IT system is not fully back up and running, with staff still unable to access emails alongside other operations. The NCSC is now helping Manchester United as it seeks to secure its network before restoring its IT system to full capacity.
An NCSC spokesperson is quoted as saying: “The NCSC is aware of an incident affecting Manchester United football club and we are working with the organization and partners to understand the impact.”
In its original statement, Manchester United said that its website and app were unaffected by the attack and it was not aware of any breach of personal data belonging to fans or customers, and this was reiterated on Thursday night. Quoted in The Guardian, the new statement read: “This attack was by nature disruptive, but we are not currently aware of any fan data being compromised.
“Critical systems required for matches to take place at Old Trafford remained secure and games have gone ahead as normal.”
Manchester United added that it would not be commenting on who was responsible for the attack or the motives that lay behind it.
Security experts have suggested the attack is likely to be ransomware. Commenting earlier this week, Jon Niccolls, EMEA & APAC incident response lead at Check Point, said: “It isn’t clear what type of attack hit the club, but as its statement mentioned that it ‘shut down affected systems to contain the damage and protect data,’ this suggests ransomware, and possibly a double extortion attack where the attackers both steal data with the threat of leaking it, as well as encrypting it to disrupt operations.”
Commenting on the incident, Adam Enterkin, SVP, EMEA, BlackBerry, told Infosecurity: “The exploitation of sporting giants by cyber-criminals is not a surprise. Amid a pandemic characterized by opportunistic cyber-attackers, and a huge deficit of security professionals in the UK, such an attack was all but inevitable. Manchester United isn’t the first to be hacked, and it won’t be the last.
“These attacks are, however, preventable. The truth is that the entire nation needs better cyber-hygiene. Even national institutions like sports teams can fall prey to simple phishing emails, which are responsible for a large proportion of cyber-attacks. Cyber-criminals are waiting for organizations and the public to drop their guard. We must not give them the opportunity.”
“Ultimately, security teams at football clubs need the same tech as major banks and hospitals, to protect livelihoods and customer data. AI technology can help manage the volume of potential threats, spotting anomalies in data and dealing with menial and repetitive tasks whilst flagging potentially serious situations to the cybersecurity team. Humans and tech must work hand-in-hand, so the professionals are equipped with the right knowledge and skill sets to keep our nation’s much-loved sporting institutions safe.”
Two in five remote workers in the UK are vulnerable to cyber-attacks as they have not received information about how to avoid COVID-19 scams or had any video call security training. This is according to a new report by Fasthosts, which looked at the additional cyber-risks businesses are facing as a result of the shift to home working this year.
The study also found that over half (54%) of remote workers are currently operating without a VPN, potentially increasing the risk of personal and company data getting compromised. Additionally, around a quarter allow others in their household to look at confidential documents.
The researchers revealed that those employed in the science and pharmaceutical industry were most likely to allow other members of their household access to their work computer/laptop, while law enforcement and security staff were the biggest culprits in allowing access to confidential data and documents.
Despite recent positive news regarding the development of a vaccine for the virus, it is expected that there will be far more remote working going forward compared to pre-COVID. Fasthosts cited data from the Institute of Directors showing that three quarters (74%) of 958 company directors intend to continue with increased home working after the pandemic. It is therefore vital that organizations provide the tools and training to ensure their staff are more secure whilst operating from home.
Michelle Stark, sales and marketing director at Fasthosts, commented: “It’s sad to see the risks of cybercrime so prevalent whilst many Britons are working from home. Keeping you and the business safe online is critical to keep confidential data secure. We urge all consumers to read our top tips, be more mindful and seek the correct training whilst working from home.”
The UK government has unveiled plans to develop a new statutory code for tech companies that is designed to give customers more choice and control over their data.
The Department for Digital, Culture, Media and Sport (DCMS) said that a dedicated Digital Markets Unit will work alongside regulators such as Ofcom and the Information Commissioner’s Office (ICO) to create and enforce the code, which will govern the behavior of digital platforms, including those funded by digital advertising currently dominating the market, such as Google and Facebook. Measures are likely to include forcing such firms to be more transparent about how they are using customer data and to offer consumers a choice on whether they’d like to receive personalized advertising.
Another important aim of the code is to harness more competition within the online publishing industry by helping ensure smaller businesses aren’t disadvantaged by tech giants. This could include ensuring small businesses have fair access to platform services that help them grow their online business, such as digital advertising.
The unit, which will be part of the Competition and Markets Authority (CMA), will begin operating from April 2021, and may have the power to suspend, block and reverse decisions made by tech firms as well as impose financial penalties for non-compliance.
Issues surrounding the use of data online have come into sharper focus this year, with the COVID-19 pandemic leading to a huge rise in digital users, including the sharing of creative content and advertising of small businesses’ products and services.
Digital secretary Oliver Dowden commented: “I’m unashamedly pro-tech and the services of digital platforms are positively transforming the economy, bringing huge benefits to businesses, consumers and society.
“However, there is growing consensus in the UK and abroad that the concentration of power among a small number of tech companies is curtailing growth of the sector, reducing innovation and having negative impacts on the people and businesses that rely on them. It is time to address that and unleash a new age of tech growth.”
Skills gaps and mass remote working are the biggest security challenges facing small- and medium-sized businesses (SMBs) today, according to new research from Infosecurity Europe.
The organizers behind the number one cybersecurity event in the region canvassed opinion from nearly 3700 industry experts via a Twitter poll.
A plurality (42%) cited a lack of security expertise as the number one challenge to cyber-resilience facing SMBs, while COVID-related lockdowns came second top with 34%.
According to the latest global figures, industry skills shortages have come down since last year, from 4.07 million to 3.12 million. However, while many are joining the industry, the narrowing gap can partly be explained by job losses during the pandemic.
SMBs often find it hardest to recruit and have fewer resources to spend on training. That’s a concern considering half (50%) of respondents claimed small firms are mainly responsible for in-house education and training.
SMBs are also often hardest hit by recession. A recent study from O2 and the Center for Economic Business Research (CEBR) claimed that small businesses would be hit six times harder than after the financial crash of 2008.
Unsurprisingly, a quarter (24%) of small businesses said they are spending less because of the pandemic, with only 18% spending more to improve cyber-resilience. Perhaps reassuringly, over two-fifths (43%) said “little has changed” financially.
“Typical challenges such as lack of budget, staff being stretched thin and a changing threat environment have all been amplified in 2020. For many small businesses, the focus was on making sure they could still operate, and concerns like cyber-resilience were not necessarily a priority,” says Heidi Shey, principal analyst at Forrester Research.
“If business is down, cuts have to come from somewhere. Harder-hit sectors like retail or travel had to make different choices than those in a more fortunate position. Most spending was reactive; to support remote work, many had to make investments in things like laptops, VPNs and collaboration applications.”
More than one in seven emails sent on Black Friday today could be a scam, security experts have warned.
Vade Secure claims to protect one billion inboxes around the world with AI-powered security for Microsoft 365. Its Current Events tracker has detected a predictable spike in malicious messages containing text about the shopping discount extravaganza today.
It said 9% of US emails and 15% in Europe were malicious — spoofing big-name retail brands such as Lidl, Sephora, Target and, most popular, Amazon.
“We are issuing an alert about the Black Friday event in order to warn ISPs and businesses using Microsoft 365 to help them protect customers and clients from malicious emails. Seasonal threats of this nature can be predicted and monitored more easily than surprise attacks, so sysadmins should be aware of the surge in Black Friday email exploits,” explained Vade Secure’s chief product and services officer, Adrien Gendre.
“The rise of online shopping and home working has created new vectors for attackers, so security professionals need to guard carefully against new threats as they emerge. The best way to defeat email threats is to use complementary layers of protection involving both tech and humans.”
The United States Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert today, warning that criminals may be looking to cash in both online and in person.
“Malicious people may be able to obtain personal information (such as credit card numbers, phone numbers, account numbers and addresses) by stealing your wallet, overhearing a phone conversation, rummaging through your trash (a practice known as dumpster diving) or picking up a receipt at a restaurant that has your account number on it,” it claimed.
“If a thief has enough information, he or she may be able to impersonate you to purchase items, open new accounts or apply for loans.”
The agency urged shoppers to check company privacy policies, monitor their bank statements, use passwords and other security features where available and to avoid sharing personal information online.
Hundreds of NHS patients and staff have had their personal data exposed to strangers after internal process failures, it has emerged this week.
Human error at NHS Highland earlier this month led to the personal information of 284 patients with diabetes being shared via email with 31 individuals, according to local reports.
Although details of medical history were not in the spreadsheet accidentally sent to the 31 people, it did apparently include names, dates of birth, contact information and hospital identification numbers.
That’s more than enough to craft convincing follow-on phishing emails.
The affected patients have been contacted and the Information Commissioner’s Office (ICO) notified, although it is not the first time the trust has been found wanting. In 2018 it apparently exposed the names of over 30 patients with HIV.
“Due to the fact that the information was stored on a spreadsheet and easily emailed out serves as a reminder that even if organizations have good security controls, they will not be effective unless there is a culture of security and staff understand the importance of securing data,” argued KnowBe4 security awareness advocate, Javvad Malik.
“It is an organization’s responsibility to inform staff of the importance of cybersecurity and provide the tools, training and processes needed to keep information secure.”
The second breach was reported at Basingstoke hospital, run by Hampshire Hospitals NHS Foundation Trust in southern England.
Although reported to the ICO in July, it has only just come to light in papers published by the trust, according to local media.
This time a spreadsheet containing personal information on 1000 members of staff at the hospital was shared with senior managers.
The same hospital suffered another breach the following month, after details of a woman who suffered a stillbirth were apparently published online.
The healthcare sector suffered 214 reported data incidents in Q1 2020-21, more than any other and accounting for about 15% of the total for the period, according to the ICO.
Human error accounted for a large number of these incidents. For example, incidents involving data emailed, posted or faxed to incorrect recipients and incorrect use of BCC comprised nearly a third (30%) of the total.
The ways in which CISOs should go about transforming the cybersecurity capabilities of an entire organization were discussed during the DTX Cyber Security Mini Summit by Michael Jenkins MBE, CISO at Brunel University.
Jenkins previously spent a long career in the military including positions in counter-intelligence, and also played a major role in planning security for the 2012 London Olympics. In 2017, he was tasked with turning Brunel University’s cybersecurity capabilities into one of the best in the entire sector, through a five-year strategy. “Ultimately, the goal is taking a business from a low level of maturity in cyber-resilience right the way through to the best in the sector,” he noted.
Around three years into the plan, Jenkins discussed the approach he has taken to try and fulfil this ambitious target. He said the first step was inspiring everyone in the organization, including researchers, staff and students, “to care about data, probably more than the criminal cares to steal it from us.”
This was achieved by engaging in regular conversations with people on campus, helping them to learn about how cyber-criminals operate and “to see that it’s a very credible goal that we needed to achieve together.” Jenkins added that it was also important for him to understand the work of academics and students at the institution to allow him to “help secure their data in a way that is acceptable to them but is also acceptable to us as a community.” This enables them to understand why particular security measures are in place, and to accept them.
The next element was developing the right strategic team and partners, including a small knit of vendors who are well versed with the individual needs of Brunel University and its cybersecurity strategy. This strategy included the development of compartmentalized “safe data havens” and the ability to monitor access control for threats in the network. Jenkins explained: “I had to mould that and balance it to the business that we were – we aren’t a bank, insurer or top end government department, we’re a university, so it’s all about proportionately and sensible risk-based intelligence driven activity.”
Such a capability has now been built, and is leading towards a zero-trust model at the end of the five years. He emphasized how important it has been to ensure everyone understands this end goal, and why it is needed in the face of the threats the university faces. He noted that major universities such as Brunel are a major target of sophisticated threat actors such as organized crime gangs and nation states.
To help get this buy-in from IT staff and the executive board, Jenkins utilizes regular simulated attack exercises to demonstrate just how damaging a successful attack could be. “It all goes back to everybody understanding the why – why do we want to do things this way,” he said. “One of the great things we’ve developed over the last couple of years is providing situational awareness to all our IT practitioners and major leaders and staff in how an attacker enters a network, their lateral movements, how they get the elevated privileges, how they conduct their actions on the objective – the entire end-to-end kill chain.”
There have been many advantages to such simulated exercises, according to Jenkins, in particular greater buy-in from the staff and board, as well as the identification of weaknesses within the business. He added: “It gives confidence to the board that their money is being well spent.”
The success of the GDPR has been praised, but it is in conflict with the amount of data we create and how we do not consider consent.
Speaking during the Westminster Events Conference on data protection, Dr Subhajit Basu, associate professor of information technology (cyber law) at the University of Leeds and chair of the British and Irish Law Education and Technology Association (BILETA), said while technology drives our lives, the amount of data we create “is growing exponentially.”
He claimed that the number of data protection and privacy laws that have been enacted around the world “is a testament to the importance of data protection globally, or a desire by many countries to qualify trade with the European Union to meet its adequacy requirements.” So after Brexit, the opportunity is there for the UK to become a leading role model for a society empowered by data decisions, but to fulfil this ambition “the UK will have to build a robust legal framework in terms of data protection and cybersecurity.”
The Telecommunications Security bill received its latest reading in the House of Commons this week, and Basu called this “a step in the right direction” as it will propose fines on telcos if they fail to tighten security, but post Brexit, the UK will need to improve its governance structure for handling data.
“In order to meet this potential, we must find a way to balance the flow of user data, whilst at the same ensuring privacy, security, safety and ethical standards,” he said.
Basu called this a “fundamental” step, as he advocated for a continuation of a strong, user centric data protection law. However, he said that “data governance is just plain complicated” as data protection is often seen as separate from the right to privacy, and the focus is on due process and there are moves to find the best solution.
He went on to say that he has “a lot of faith in the GDPR” as this is the right step towards user empowerment for transparency and control to users when it comes to data sharing. “Data subjects are given more choices on how their information is collected, processed and used,” he said. “But hounding users with more rights means you have a role in protecting their data, but most users continue to hand over their data impatiently, causing this paradox where our concerns are not reflected in our behavior.”
Basu also said he has concerns about “consent in data protection law” as he sees that consent gives an “illusion of control, rather than any meaningful control from a data subject’s point of view.” This is because the process of obtaining consent has become more complicated, and will become more complicated as we move towards using more IoT and AI.
This is also paired with data protection fatigue, as users are asked to read privacy documentation and policies before giving consent, which makes the process tedious. “The sheer number of documents that you need to navigate through is beyond any human capacity,” he said.
He concluded by calling a “lacklustre attitude” to GDPR alarming, and pointed at the ICO’s supervisory and adjunct role “without proper demarcation as difficult to accept.”
Harmonization of data protection regulation should still be the aim, despite Brexit, to enable companies to trade across Europe.
Speaking during the Westminster Events Conference on data protection, Chris Combemale, CEO of the Data and Marketing Association, said that since the implementation of GDPR in May 2018, the harmonization of data protection “has been put at risk by data protection authorities across Europe” as they applied the legislation “in radically different ways in each country.”
This can affect customer trust, economic growth and job creation in relation to processing and getting to know customers better.
Combemale said data protection authorities (DPAs) should “apply the role as it is written.”
Looking at the code of conduct for GDPR, which he said was intended for relevant sectors and to achieve harmonization across Europe, in the first instance of “co-regulation” by data protection legislation, Combemale explained: “The logic is that a GDPR code of conduct, operated consistently across 27 or 28 countries, via an industry monitoring body, can provide a consistent interpretation of key aspects of GDPR within an industry sector.”
This would be across industry verticals and different types of businesses, as determined by Article 40 of the GDPR. He said the data and marketing industry has been working hard to achieve clarification of GDPR across Europe, through a combination of an EU code of conduct and national codes of conduct.
This has seen a European code of conduct being produced, while the Austrian DPA has approved a code of conduct for the use of third party data, as approved by the Austrian data and marketing association. The Italian DPA has approved a specific code of conduct for business information services, which is in the process of being approved.
In the UK, he said the Data and Marketing Association is working with the ICO to create a data and marketing code of conduct “including recognition of the existing data and marketing commission as the industry monitoring body.
“All these codes of conduct must reflect GDPR text in the way it was written and applied through the lens of sector knowledge and expertise,” he said.
The next step is to understand the scope of business legitimate interests and what that is within the text of GDPR. “We will work hard, using our industry expertise, to ensure all approved data and marketing codes of conduct across Europe and for our industry reflect this,” he said, “in order to understand the harmonization and consistency that was intended by GDPR being a regulation rather than a directive.”
If, in a worst case scenario, the UK is denied data adequacy, he concluded that industry codes of conduct can offer a basis for data transfers.
The number of DDoS attacks targeting e-commerce in Europe has increased four-fold over the last eight months.
According to research by StormWall, between February and October 2020, the number of DDoS attacks targeted at online retail services quadrupled compared to the same period last year.
It claimed the growth in the number of attacks is primarily attributable to increased competition between online retailers during the global COVID-19 health crisis, and to attackers extorting money from businesses. “Cyber-criminals use website downtime as leverage, promising to stop the attack and restore the service operation, once the victim company pays the ransom,” the company said.
Zach Varnell, senior AppSec consultant at nVisium, said: “DDoS attacks often go hand-in-hand with ransom notes demanding money to stop the attack. If these ransom notes get paid even at a small fraction of their frequency, DDoS operators will be incentivized to continue such schemes. This sometimes includes making good on their promise to attack those who do not pay up.
“Financial services were originally hit hard by these DDoS ransom threats and for obvious reasons as rich targets for cybercrime. Since there are far more online retailers than financial institutions today, and multiplying in their online presence owing to COVID-19, it is highly likely that targeting this industry is now becoming a lucrative source of ransom threats through DDoS attacks.”
He also pointed out that there are more customers shopping online now and therefore plenty of sensitive customer data to breach and exfiltrate, threatening online retailers who have previously not been security savvy.
Asked if he believed attackers are going after online retailers for financial gain, Brandon Hoffman, CISO at Netenrich, said: “They are 100% following the money. There has been a huge surge of online spending due to COVID-19 and a huge surge in furniture and home remodelling purchases. Many speculate that due to COVID-19, people are not able to take vacations so instead they are spending that budget improving their homes where they are essentially stuck more than normal. Coupled with the closing of physical stores worldwide, this explains the attack focus.”
StormWall also found the number of attacks on online electronics stores had increased five-fold, the number of attacks on online furniture stores increased eight-fold, while attacks aimed at online renovation stores grew seven-fold.
“E-commerce has always been an attractive field to cyber-criminals, and during the pandemic, hackers’ interest in the sector developed even more,” said Ramil Khantimirov, CEO and co-founder of StormWall.
“Criminals are actively advancing the methods of DDoS attacks, and retailers are finding it increasingly difficult to defend against them. This is a serious threat. The new trend is that the attackers are attempting to find vulnerabilities that require a small number of requests per second to make a website unavailable. An effective defense system that can shield against this type of campaign needs to have intelligent DDoS protection, like proactive analysis and self-learning.”
Furthermore, the number of DDoS attacks over the HTTP protocol has risen by 296% between February and September 2020, compared to the same period last year.
Cyber-protection firm Acronis has announced that it is collaborating with the World Economic Forum (WEF) Center for Cybersecurity to address rising cybercrime around the globe.
The WEF Center for Cybersecurity is an independent and impartial global platform focused on fostering international dialogues and collaboration to tackle cybersecurity challenges, convening key stakeholders from public and private sectors.
Through the partnership, Acronis will engage in the Cyber-Risk and Corporate Governance project to help establish a baseline understanding of key cybersecurity issues, while providing guidance on strategies for security and cyber-resiliency.
“The Forum’s most recent Global Risk Report noted that the top five global threats were cybersecurity-related, with cyber-attacks and data theft among the most immediate dangers,” said Acronis founder and CEO Serguei “SB” Beloussov. “Having been at the forefront of the new IT discipline of cyber-protection, Acronis brings a unique, comprehensive perspective to the protection challenges facing today’s institutions. By collaborating with our peers, we can ensure business and government leaders have the tools and frameworks needed to meet their cybersecurity obligations of the modern world.”
René Bonvanie, chairman of the board of Acronis, added: “Cybersecurity is critically important in the digital world, yet every day we witness successful breaches. Acronis uniquely offers a cyber-protection platform that natively integrates the five layers of protection into a single offering: prevention, detection, response, recovery and forensics.”
Security experts are warning that a new ransomware group is rapidly escalating threat activity, with double extortion attacks on scores of victims so far in Q4.
The Egregor group first came to light with an attack on Barnes & Noble and video game developers Ubisoft and Crytek back in October, according to Digital Shadows.
In fact, the group has been active since September, when it compromised 15 victims. Then came a massive 240% spike in numbers, with 51 organizations hit the following month. As of November 17, it had added a further 21 victims.
According to the security vendor, a plurality of Egregor victims come from the industrial goods and services sector (38%), and the vast majority so far (83%) have been US-based.
The malware itself has been designed with multiple anti-analysis measures built in, such as code obfuscation and packed payloads, Digital Shadows claimed.
“More specifically, Windows application programming interfaces (APIs) are leveraged to encrypt the payload data. Unless security teams can present the correct command-line argument, then the data cannot be decrypted, and the malware cannot be analyzed,” it added.
“When the correct command-line argument is presented, the malware executes by injecting into iexplore.exe process, encrypting all text files and documents, and enclosing a ransom note within each folder that has an encrypted file. This process includes files on remote machines and servers through checks on LogMeIn event logs.”
Like many groups operating today, the actors behind Egregor maintain a dark web site on which they post data stolen from victims in a bid to force a ransom payment. In this respect it has followed the lead of the infamous Maze group, which ceased operations in October.
For example, it posted 200MB of data on in-game assets from Ubisoft and claimed to have source code from an unreleased title, Watch Dogs: Legion. In the case of Crytek, 400MB of data was confirmed stolen related to titles Warface and Arena of Fate, Digital Shadows noted.
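One way to hunt for the ransom-note behavior Digital Shadows describes above (a note dropped into every folder holding an encrypted file, including on remote servers) is to flag any process that creates an identically named file across many directories within a short window. This is an added example, not code from Digital Shadows or the original article; the event tuples, note file name, paths and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath  # parses Windows and UNC paths on any OS

# Constructed file-creation events (not real telemetry):
# (timestamp, writing process image, created file path).
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
EXPLORER = r"C:\Windows\explorer.exe"
NOTE = "NOTE-PLACEHOLDER.txt"  # hypothetical note name, not from the article
DIRS = [
    r"C:\Users\a\Documents",
    r"C:\Users\a\Desktop",
    r"C:\Users\a\Documents\tax",
    r"\\fileserver\share\hr",
    r"\\fileserver\share\finance",
]
SAMPLE_EVENTS = (
    # Same note name written to five folders within five seconds.
    [(f"2020-11-17T10:00:0{i}", IE, d + "\\" + NOTE) for i, d in enumerate(DIRS)]
    # Benign look-alike: same name in four folders, but spread over hours.
    + [(f"2020-11-17T{9 + i:02d}:00:00", EXPLORER, d + "\\thumbs.db")
       for i, d in enumerate(DIRS[:4])]
    + [("2020-11-17T10:00:03", r"C:\Program Files\Office\WINWORD.EXE",
        r"C:\Users\a\Documents\report.docx")]
)


def find_note_fanout(events, min_dirs=4, window=timedelta(seconds=60)):
    """Return sorted (process, file name, dir count) tuples where one process
    created the same file name in >= min_dirs distinct directories within
    a sliding time window."""
    writes_by_key = defaultdict(list)
    for ts, image, path in events:
        directory, name = ntpath.split(path)
        key = (image.lower(), name.lower())
        writes_by_key[key].append((datetime.fromisoformat(ts), directory.lower()))

    hits = []
    for (image, name), writes in writes_by_key.items():
        writes.sort()
        start, best = 0, 0
        for end in range(len(writes)):
            # Shrink the window until it spans at most `window` of time.
            while writes[end][0] - writes[start][0] > window:
                start += 1
            distinct = {d for _, d in writes[start:end + 1]}
            best = max(best, len(distinct))
        if best >= min_dirs:
            hits.append((image, name, best))
    return sorted(hits)


if __name__ == "__main__":
    for image, name, count in find_note_fanout(SAMPLE_EVENTS):
        print(f"{image} wrote {name} into {count} directories")
```

The time window is what separates the burst from the benign look-alike in the sample data; widening it to a day would also flag the `thumbs.db` writes.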
UK government security experts are urging organizations to rapidly patch a remote code execution flaw in MobileIron products being actively exploited in the wild by nation state groups.
The notice from GCHQ’s National Cyber Security Centre (NCSC) explained that CVE-2020-15505, which affects the mobile device management company’s MobileIron Core and Connector products, could allow a remote attacker to execute arbitrary code on a system.
It also noted that the US Cybersecurity and Infrastructure Security Agency (CISA) pointed out in October that the vulnerability was being chained with the Zerologon bug CVE-2020-1472 in attacks.
Although the identity of the nation state actors was not disclosed, the vulnerability was recently featured on the NSA’s Top 25 list of the most exploited bugs by Chinese attackers.
“A proof of concept exploit became available in September 2020 and since then both hostile state actors and cyber-criminals have attempted to exploit this vulnerability in the UK,” noted the NCSC alert.
“These actors typically scan victim networks to identify vulnerabilities, including CVE-2020-15505, to be used during targeting (T1505.002). In some cases, when the latest updates are not installed, they have successfully compromised systems. The healthcare, local government, logistics and legal sectors have all been targeted but others could also be affected.”
A patch has been available since June, and the NCSC urged any affected organizations to apply it immediately. Those running vulnerable systems should also undertake regular network scans and audits to identify suspicious activity in case they have already been breached, it added.
“Mobile device management servers are by definition reachable from the public internet making them opportune targets. Offering a gateway to potentially compromise every mobile device in the organization, the attraction to attackers is clear,” argued Tom Davison, international technical director of Lookout.
“This highlights not just the importance of patching open vulnerabilities, but also the criticality of having a dedicated mobile security capability that is distinct from device management infrastructure.”
French IT services giant Sopra Steria has admitted a ransomware attack on its systems last month is likely to cost the company tens of millions of dollars.
The Paris-headquartered firm, which is a supplier to the UK’s NHS, was hit by a new variant of the infamous Ryuk family, forcing systems offline.
In an update yesterday, the firm claimed that the attack would negatively impact its gross operating margin by between €40m ($48m) and €50m ($60m), although €30m will be covered by cyber insurance.
The serious financial impact is due to the extensive remediation and “differing levels of unavailability” of various systems since the attack, it said.
This is despite the company claiming it was able to “rapidly” block the attack on discovery.
“The measures implemented immediately made it possible to contain the virus to only a limited part of the group’s infrastructure and to protect its customers and partners,” it said.
The firm claimed it had not identified any leaked data or damage to customer systems. The slow pace of restoring systems would seem to indicate that it decided not to pay the ransom.
“The secure remediation plan launched on October 26 is nearly complete,” it continued. “Access has progressively been restored to workstations, R&D and production servers, and in-house tools and applications. Customer connections have also been gradually restored.”
The attack is expected to push Sopra Steria’s organic growth for 2020 into negative territory, by between -4.5% and -5%, it said.
This is yet another cautionary tale of the destructive power of human-operated ransomware. It ranks alongside aluminium giant Norsk Hydro ($41m) and IT services firm Cognizant (up to $70m) as one of the most serious from a financial perspective.
Phishing and social media/email hacks are the most frequently reported cybercrimes in the United States and the United Kingdom, respectively, according to new research by cybersecurity company Clario and British cross-party think-tank Demos.
The finding was included in "The Great Cyber Surrender" report, created from the results of a survey of 2,000 people in the UK and the US about cybercrime and its impact.
Other insights provided by the report are that while one in three Brits is worried about phishing scams, this particular cybercrime is only a concern for one in five Americans. Ransomware is a worry for a third of Brits and Americans, while a fifth of UK and US residents worry about their financial data being stolen.
One in five people surveyed had been a victim of a cybercrime, with this fate befalling one in five Americans and one in ten Brits.
Victims of cybercrime rate stress (reported by 75%) and anxiety (reported by 70%) as the most common psychological impacts. Other mental repercussions include fear (52%), shame (51%), anger (48%), and isolation (43%).
More than half (57%) of Brits don't find reporting cybercrime to their government helpful, and just 21% say the legal system does a good job of protecting them from online fraud.
More than half (55%) of Americans feel their legal system is doing a good job of protecting them from online fraud; however, 37% say reporting cybercrime to their government is not helpful.
"Despite cybercrime being a widely spread issue, most people do not know how to protect their digital identities which eventually has a massive impact on their real lives," said Scarlet Jeffers, VP of experience at Clario.
"Clearly, both the US and UK governments aren't doing enough to implement policies that protect consumers, and people have lost faith in these institutions to protect them."
Researchers noted certain differences in attitude toward security among age groups.
"A false sense of security was more apparent among Gen Z-ers, (18- to 25-year-olds), with 50% feeling they aren’t important enough or vulnerable enough to be targeted by hackers.
"In comparison, those aged 65+ were far less likely to have this attitude, with just 15% agreeing with the statement 'I'm not vulnerable enough' and 22% agreeing with 'I’m not important enough' to be targeted by hackers," noted researchers.