Welcome to HSF's summary of top picks for cyber-related news in the UK, EMEA and US, this time covering both December 2024 and January 2025.
In a world overflowing with individual incidents and long-form analysis, our short articles are aimed at cutting through the noise, pointing you to key developments, providing you with learning points at a glance and signposting you to longer form content. If you would like to find out more, do reach out to one of our international team.
UK updates:
National Cyber Security Centre (NCSC) – 3 December 2024
The NCSC released its 2024 Annual Review which provides critical insights into the UK’s cyber threat landscape, the evolving risks, and measures taken to strengthen national resilience. The review highlights that severe cyber incidents have increased significantly, with the NCSC responding to 430 incidents over the past year, including 12 of the most severe cases (a threefold increase from previous years). Ransomware remains the most immediate and disruptive threat particularly to critical national infrastructure (CNI), with some state-linked cyber groups now targeting the industrial control systems that infrastructure relies on. Additionally, third-party risk remains a major concern, with the report emphasizing the need for stronger security scrutiny of suppliers amid rising supply chain compromises. The NCSC further underscores the urgency of board-level cyber resilience, calling for proactive incident response planning and regulatory alignment while reinforcing the need for secure-by-design principles in software and cloud services, in line with broader frameworks like the NIS2 Directive.
AI Cyber Security Code of Practice: a new baseline for AI risk management
Department of Science, Innovation & Technology (DSIT) – 31 January 2025
The DSIT published a new AI Cyber Security Code of Practice, a voluntary framework aimed at addressing the cyber risks associated with AI systems at every stage of the AI lifecycle, which will be submitted to the European Telecommunications Standards Institute (ETSI) with the intention that it will be used as the basis for a new global standard. The Code outlines cybersecurity requirements across 5 lifecycle phases: secure design, development, deployment, maintenance, and end-of-life; the scope of this voluntary Code is focused on AI systems, including systems that incorporate deep neural networks, e.g. generative AI. According to the government, a voluntary AI Cyber Security Code of Practice is needed due to the unique security risks AI poses compared to traditional software, including "data poisoning, model obfuscation, indirect prompt injection and operational differences associated with data management", and it stresses the importance of secure-by-design principles and clear baseline security requirements across AI supply chains. The publication also includes the response to a call for views, which showed 80% of respondents supporting DSIT's approach, as well as an accompanying implementation guide to support organisations in complying with the requirements of the voluntary Code and the future global standard.
UK's "world-leading" counter-ransomware proposals
Home Office – 14 January 2025
The UK government has recently unveiled a series of counter-ransomware proposals, which it has described as "world-leading", aiming to reduce the financial incentives for attackers and strengthen national cyber resilience. The proposals include a ban on ransomware payments by public bodies and critical national infrastructure (CNI), a broader ransomware payment prevention framework, and a mandatory incident reporting regime. Notably, the government is considering criminal sanctions for non-compliance and an "economy-wide" application of the proposed measures, potentially covering all UK individuals and organizations, regardless of size or sector. The final scope and proportionality of these proposals will be shaped by the ongoing public consultation, open until 8 April 2025, as the government seeks input on their implementation. See our previous article for more details: UK Government's Latest Counter-Ransomware Proposals: Implications for Public Bodies, Businesses and Individuals.
National Audit Office's report exposes weaknesses in UK Government's cyber resilience
National Audit Office – 29 January 2025
The UK's public spending watchdog, National Audit Office (NAO), has released a report indicating that the UK government's cyber resilience is inadequate amidst escalating threats. An assessment of 58 critical government IT systems in 2024 revealed significant vulnerabilities, with many lacking fundamental security controls. Additionally, the government is unaware of the cyber vulnerabilities in at least 228 legacy IT systems. The NAO criticizes the slow progress in enhancing cyber defenses, attributing delays to a persistent shortage of cybersecurity professionals and an overreliance on outdated technology, urging the government to expedite improvements in cyber resilience to safeguard public services and infrastructure.
UK Government blocks second attempt to reform Computer Misuse Act in two months
Computer Weekly – 29 January 2025
The UK government has once again rejected efforts to reform the Computer Misuse Act (CMA) 1990, after Science Minister Patrick Vallance dismissed proposed amendments aimed at protecting cybersecurity professionals. This marks the second failed attempt within 2 months (the previous attempt being in December 2024) to introduce a statutory defence for ethical hackers and security researchers who conduct legitimate cybersecurity activities, such as vulnerability testing and threat intelligence gathering. The amendment, put forward by Lords Chris Holmes and Tim Clement-Jones during debates on the Data (Use and Access) Bill, was blocked over concerns that it could create loopholes for cybercriminals and hinder law enforcement efforts. Vallance stated that the government remains committed to reviewing the CMA and consulting industry stakeholders, but emphasized the complexity of balancing cybersecurity protections with national security needs. The rejection is a major setback for the CyberUp Campaign (a coalition of cybersecurity experts, industry leaders, and legal professionals advocating for CMA reform), which has long argued that the 30-year-old law fails to reflect modern cybersecurity realities and criminalizes professionals working to identify and mitigate cyber threats. Despite this setback, campaigners continue to push for legislative updates, warning that failure to reform the CMA leaves the UK at greater risk of cyberattacks.
Prismall v Google: UK court blocks mass privacy lawsuit over NHS patient data
Courts and Tribunals Judiciary – 11 December 2024
The Court of Appeal upheld the dismissal of Prismall v Google [2024] EWCA Civ 1516, a representative action seeking to bring a mass data privacy claim against Google and DeepMind over their 2015 deal with the Royal Free London NHS Trust. The lawsuit, representing 1.6 million individuals whose medical records were used to develop the “Streams” app for detecting kidney injuries, was struck out on the basis that claimants did not share the “same interest” required under CPR 19.8, a key threshold for representative actions under English law. The Court found that not all claimants had a realistic prospect of establishing a reasonable expectation of privacy or meeting the de minimis threshold necessary to bring a claim. The ruling reinforces the legal hurdles for large-scale privacy claims in the UK, echoing Lloyd v Google [2021] UKSC 50, and highlights the difficulties in pursuing collective redress for data misuse where individual circumstances—such as consent, harm, and privacy expectations—vary widely. The decision is a significant setback for claimants seeking non-material damages for data breaches, suggesting that future litigation may require an opt-in approach or individual claims rather than broad representative actions.
EU updates:
ENISA's 2024 Report on the State of Cybersecurity in the Union
ENISA – 3 December 2024
ENISA has published its first biennial 'Report on the State of Cybersecurity in the Union' on 3 December 2024. The report provides an evidence-based overview of the cybersecurity landscape in the EU, highlighting substantial cyber threats and the varying cybersecurity capabilities among Member States. The report, prepared in accordance with Article 18 of the NIS 2 Directive, includes policy recommendations to address identified shortcomings and enhance cybersecurity levels across the EU. Key recommendations focus on strengthening policy implementation, improving cyber crisis management, addressing supply chain security, and enhancing cybersecurity skills. The report also emphasises the importance of emerging technologies like AI and Post-Quantum Cryptography, and the need for common situational awareness and operational cooperation to tackle future cybersecurity challenges.
European Commission presents EU action plan on the cybersecurity of hospitals and healthcare providers
European Commission – 15 January 2025
The European Commission has presented an EU action plan to strengthen the cybersecurity of hospitals and healthcare providers, in an attempt to address the growing cyber threats in the healthcare sector. This initiative, announced as a key priority within President von der Leyen's political guidelines, aims to enhance threat detection, preparedness, and response capabilities, creating a safer environment for patients and health professionals. Digitalisation in healthcare, through innovations like electronic health records and AI-driven diagnostics, has increased the sector's vulnerability to cyberattacks, which can disrupt vital services and impact lives. In 2023, 309 significant cybersecurity incidents were reported in the healthcare sector, more than any other critical sector. The action plan proposes establishing a pan-European Cybersecurity Support Centre by ENISA, providing tailored guidance, tools, services, and training. It focuses on four priorities: enhanced prevention and preparedness, better detection and identification of threats, response to cyberattacks, and deterrence of cyber threat actors. Specific measures include introducing Cybersecurity Vouchers, developing an EU-wide early warning service by 2026, and proposing a rapid response service under the EU Cybersecurity Reserve. The plan also features the use of the Cyber Diplomacy Toolbox to deter cyber threats. The action plan will be implemented in collaboration with healthcare providers, Member States, and the cybersecurity community, with a public consultation to refine the most impactful actions. Specific actions will be rolled out progressively in 2025 and 2026, with further recommendations expected by the end of 2025.
ENISA publishes after-action report on the Cyber Europe 2024 exercise
ENISA – 10 December 2024
The after-action report on the 2024 edition of the Cyber Europe exercise, conducted in June, identifies the gaps revealed by the exercise and the opportunities to enhance cybersecurity preparedness and resilience. The exercise scenario focused on cyber threats targeting EU energy infrastructure arising from geopolitical tensions, requiring stakeholders to coordinate actions and responses to prevent large-scale attacks and ensure business continuity. The exercise assessed the adequacy of processes, improved standard operating procedures, and strengthened the internal and external communication channels that are crucial during cybersecurity crises, raising corporate-level cybersecurity awareness. Cyber Europe 2024 involved around 5,000 participants from various sectors, including energy, digital infrastructure, and public administration, as well as EU-level cybersecurity networks and institutions. Approximately 28,000 injects were used to drive the scenario, improving its quality. The report draws meaningful insights from participants, identifies areas for improvement and provides actionable recommendations. Over 90% of participants reported enhanced readiness and preparedness for cybersecurity incidents, viewing the exercise as an opportunity to test their capabilities and procedures. The exercise also aimed to ensure the adequacy of EU-level operational cooperation and of the communication channels between the CSIRTs Network and EU-CyCLONe. However, the report noted the need for better cross-border sectoral coordination and resource allocation. Lessons learned were used to develop recommendations for future exercises, demonstrating the initiative's valuable practical impact.
New EU laws adopted to increase Europe's cybersecurity resilience
Council of the European Union – 2 December 2024
The Council has adopted two new laws to strengthen the EU's capacity to detect, prepare for, and respond to cybersecurity threats and incidents. The first law, the Cyber Solidarity Act, aims to enhance Europe's resilience against cyber threats by establishing a cybersecurity alert system and a pan-European infrastructure of national and cross-border cyber hubs. These hubs will use advanced technologies like AI and data analytics to detect and share timely warnings on cyber threats. The Act also introduces a cybersecurity emergency mechanism to support preparedness actions, create an EU cybersecurity reserve for incident response, and provide technical mutual assistance. Additionally, it establishes an incident review mechanism to assess the effectiveness of these measures. The second law is a targeted amendment to the 2019 Cybersecurity Act ("CSA"), which aims to enhance EU cyber resilience by enabling the adoption of European certification schemes for managed security services. This amendment highlights the importance of managed security services in preventing, detecting, responding to, and recovering from cybersecurity incidents. It aims to increase the quality and comparability of these services, foster trusted cybersecurity service providers, and avoid market fragmentation. The new laws will be published in the Official Journal of the EU and will enter into force 20 days after publication.
Romania's presidential election results annulled amid alleged Russian interference
The Constitutional Court of Romania – 6 December 2024
Romania's constitutional court has cancelled the results of the first round of the presidential election due to allegations of Russian interference, leading to the cancellation of the second round vote scheduled for 8 December 2024. The decision, based on Article 146(f) of the Constitution, aims to ensure the fairness and legality of the electoral process. The annulment follows the release of declassified documents by the Romanian government, which alleged a pro-Russian influence campaign using 25,000 TikTok accounts to promote Călin Georgescu, the first-round winner. The Romanian Intelligence Service (SRI) reported over 85,000 intrusion attempts targeting election websites and IT systems, suggesting a state-sponsored cyber campaign. The European Commission has urged TikTok to preserve data related to systemic risks and is investigating whether the platform breached the Digital Services Act by failing to mitigate election-related risks. TikTok has disrupted several small-scale operations and removed networks spreading misinformation. The election will be rescheduled, with a new date and calendar to be established by the government.
EU court rejects Irish DPC’s challenge to EDPB’s authority
The General Court of the European Union – 29 January 2025
The General Court of the European Union has dismissed a challenge by Ireland's Data Protection Commission (DPC) against the European Data Protection Board (EDPB), confirming the EDPB’s authority to direct national regulators in cross-border data protection cases. The case arose after the EDPB issued Binding Decision 3/2022, instructing the DPC to broaden its investigations and amend its draft decisions concerning Meta Platforms Ireland Ltd (formerly Facebook Ireland Ltd) and WhatsApp Ireland Ltd. The EDPB found that the DPC’s initial decisions were too narrow, particularly regarding Meta’s processing of sensitive personal data under Article 9 of the GDPR. The DPC argued that the EDPB had exceeded its powers, but the court ruled that it acted within its mandate under Article 65(1)(a) of the GDPR, which allows it to adopt binding decisions to resolve disputes between national regulators and ensure consistent enforcement across the EU. The ruling confirms that supervisory authorities must comply with EDPB binding decisions, reinforcing harmonized GDPR enforcement while limiting national regulators’ discretion in major investigations.
US updates:
Biden administration launches cybersecurity executive order
White House – 16 January 2025
In the final days of his presidency, Joe Biden signed a comprehensive cybersecurity executive order aimed at bolstering America's digital defenses. This directive mandates that software providers demonstrate the security of their development processes and requires cloud providers to publish secure operation information. It addresses a wide range of issues, including securing federal communications networks, imposing stricter sanctions on ransomware groups, and enhancing software security. The order also emphasizes the use of AI to strengthen cybersecurity measures and introduces the U.S. Cyber Trust Mark label for internet-connected devices, which will be mandatory for government purchases starting in 2027. This move follows a year of significant cyber threats from foreign actors and ransomware attacks that disrupted critical services, though the timing of the order raises questions about its long-term impact.
CISA issues new voluntary guidelines to strengthen IT cybersecurity
Bankinfosecurity – 7 January 2025
The Cybersecurity and Infrastructure Security Agency (CISA) has introduced new voluntary cybersecurity performance goals for the IT and product design sectors. These goals aim to enhance software development security and mitigate risks by urging developers to isolate software development environments, monitor trust relationships, and implement supply chain risk management programs. The guidance emphasizes adopting CISA's Secure by Design principles, including enforcing phishing-resistant multi-factor authentication, setting strict security requirements for software tools, and securely storing sensitive data. These measures are part of CISA's ongoing initiative to embed cybersecurity into product development and ensure transparent vulnerability reporting.
Trump administration fires members of cybersecurity review board
The Hacker News – 23 January 2025
The Trump administration has terminated all memberships of advisory committees reporting to the Department of Homeland Security (DHS), including the Cyber Safety Review Board (CSRB). This decision, aimed at eliminating resource misuse and prioritizing national security, disrupts ongoing cybersecurity reviews, such as investigations into Chinese-linked cyber attacks. The CSRB, established in 2022, had been assessing significant cybersecurity events and providing recommendations. The termination has raised concerns about the impact on cybersecurity oversight and the potential benefits to foreign adversaries.
Notable Enforcement (UK, EU & US):
PayPal reaches $2m cybersecurity settlement with New York regulators
PayPal has recently settled a dispute brought by the New York State Department of Financial Services (NYDFS) relating to the appropriate management of cybersecurity risk in connection with its efforts to grant customers easier access to reports of payments for customers' US tax forms. Allegedly, PayPal failed to use qualified personnel to manage key cybersecurity functions and failed to provide adequate training to address cyber risks. As a result, it is claimed that approximately 35,000 customers' data was accessible to criminals between 6 and 8 December 2022. The $2m settlement demonstrates the high cost to businesses of not focussing enough on holistically addressing the technical and organisational measures needed to ensure cybersecurity.
FTC brings enforcement action against GoDaddy for cybersecurity failures
The FTC has lodged a formal complaint against GoDaddy for allegedly failing to implement basic security measures since 2018, leading to several major breaches between 2019 and 2022. The company allegedly did not use multi-factor authentication, log security events, or monitor for threats. The FTC also alleged that these failings meant that "GoDaddy's representations about security [were] false or misleading"; allegations of this kind can raise the prospect of litigation from a number of different sources. Under the terms of a proposed FTC settlement, GoDaddy must establish a comprehensive information security program within 90 days; the settlement does not include any admission of fault or monetary penalties, but non-compliance could result in fines.
Washington sues T-Mobile over 2021 data breach that spilled 79 million customer records
The U.S. state of Washington has filed a lawsuit against T-Mobile, alleging that the company failed to secure the personal data of millions of residents prior to a data breach in August 2021. This breach reportedly affected over 79 million customers across the United States. The complaint alleges that T-Mobile misrepresented the adequacy of its cybersecurity defenses and the threat to customer data. T-Mobile has disagreed with the claims and indicated a willingness to resolve the issue through further dialogue, following its earlier $31.5 million negotiated settlement of its dispute with the FCC in respect of the same incident.
Barings Law signs up 15,000 claimants against Google and Microsoft
In an era where an increasing number of people are concerned about the compliant development and deployment of AI, Barings Law claims that the use of personal data for the training of Google's and Microsoft's AI models (allegedly including the collection of information regarding users' voices, demographics, time spent on apps, and personal information including email addresses and the contents of emails) is being done without proper authorisation or consent from users, who may understand that data is being collected but be unaware of the role this data plays in the training of AI large language models. Barings states that "The swift response from 15,000 claimants highlights the growing public demand for accountability in the face of persistent data privacy issues." We anticipate that this will present a challenge to a number of clients across multiple jurisdictions, and it will be interesting to see to what extent there is a divergence in approaches.
Robinhood to pay $45 million over multiple regulatory failures
Robinhood has agreed to pay $45 million to settle SEC charges related to multiple regulatory failures. The SEC’s order alleges that Robinhood Securities and Robinhood Financial failed to timely investigate suspicious transactions, protect customers from identity theft, and address known cybersecurity vulnerabilities. Additionally, the firms allegedly failed to maintain and preserve electronic communications and operational databases as required by federal securities laws. The SEC also claims that Robinhood provided inaccurate trading data and engaged in abusive short selling practices.