Cyber Monthly Wrap-up (UK, EMEA, and the US) - August 2024

Welcome to HSF’s August wrap up which features our top picks for cyber-related news in the UK, EMEA and US.

In a world overflowing with individual incidents and long-form analysis, our short articles are aimed at cutting through the noise, pointing you to key developments, providing you with learning points at a glance and signposting you to longer form content. If you would like to find out more, do reach out to one of our international team.

Sellafield apologises after guilty plea over string of cybersecurity failings

The Guardian – 8 August 2024

Sellafield, the UK’s largest and most hazardous nuclear site, pleaded guilty to breaches of cybersecurity obligations that left 75% of its computer servers vulnerable to cyber-attacks over a four-year period from 2019 to 2023. The breaches exposed sensitive national security information, classified as Sensitive Nuclear Information (SNI). Investigations revealed the use of outdated technology, unauthorised access by contractors, and critical failures by Sellafield to conduct IT health checks that it had claimed were completed. Sellafield’s CEO apologised in a written witness statement in the ongoing legal proceedings for the failures, admitting that the breaches could have threatened national security. Sellafield outlined corrective actions, including overhauling IT management and creating a secure data center.

 UN cybercrime treaty passes in unanimous vote

The Record – 9 August 2024

In a significant move resulting from an agreement first proposed by Russia, the UN has unanimously passed its first cybercrime treaty. The treaty, expected to sail through the General Assembly vote in the fall, establishes a global-level cybercrime and data access-enabling legal framework.  Both human rights organisations and big tech companies oppose the treaty due to concerns that the treaty states authorities investigating crimes in any nation are entitled to obtain electronic evidence from other nations as well as ask internet service providers to hand over data. Opponents are also concerned that the treaty is insufficient in its human rights commitments and does not have the safeguards to prevent misuse of digital investigation and digital evidence powers.

Information Commissioner’s Office makes rare provisional decision to impose £6m fine on software provider

Information Commissioner’s Office – 7 August 2024

Following the 2022 ransomware attack on Advanced Computer Software Group Ltd (“Advanced”) that disrupted the NHS and social care services, the Information Commissioner’s Office has provisionally decided to impose a fine of £6.09m. Advanced processed personal information on behalf of the NHS and other healthcare organisations as a data processor and the ICO’s finding is  based on an alleged failure to implement measures to protect the personal information of 82,946 people, including some sensitive personal information. Advanced will have an opportunity to make representations to the ICO and whilst this enforcement action is a rare example of data processors being pursued, it may yet result in a reduction of the fine (similar to the decision the ICO made in the case of British Airways).

National Cyber Security Centre invites UK organisations to contribute evidence of cyber deception

National Cyber Security Centre – 12 August 2024

The National Cyber Security Centre recently hosted a first of its kind conference for international government partners and wider UK government and industry to discuss cyber deception in cyber defence at its headquarters in London. Cyber deception involves utilising proactive security and defense tactic which hinges on deceiving bad actors and malicious attacks  and arms businesses with early warning signals into ransomware attacks .The Centre recognises the potential value of using cyber deception technologies and techniques to support cyber defence in certain situations and have announced an ambition to establish an evidence base for use cases of cyber deception and their efficacy, on a national scale, in support of Active Cyber Defence 2.0.

Sophos publish article on aggressive tactics ransomware gangs use to coerce targets

Sophos.com - 6 August 2024

In a follow-up to their 2021 article on the top ten ways ransomware operators ramp up pressure on their targets, Sophos have published another piece on the way these threat actors continue to adapt and change their tactics to increase leverage against their targets. They cite a number of tactics including ransomware operators increasingly weaponising legitimate entities to ramp up pressure on victims and claiming to assess stolen data for evidence of illegal activity regulatory noncompliance, and financial discrepancies – all of which can be used as further leverage and to inflict reputational damage. Also cited as a tactic is ransomware criminals openly criticising victims, sometimes attempting to deride them as unethical or negligent, causing reputational damage as well as contributing to some threat actor groups’ attempts to ‘flip the script’ and portray themselves as beneficent vigilantes

Ticketmaster data breach class action lawsuit seeks damages from live nation over cybersecurity failure

AboutLawsuits.com - 19 August 2024

In a response to the discovery that Ticketmaster’s data breach in May 2024, was a result of a cybersecurity failure, a class action lawsuit has been filed in California seeking damages , including reimbursement for out-of-pocket expenses, losses incurred seeking to remedy or mitigate effects of the attack, as well as compensation for emotional distress and the risk that impacted individuals may  face in the future of harm caused by the compromise of their private information.

FAA admits gaps in Aircraft cybersecurity; New cybersecurity rules proposed

Infosecurity Magazine – 22 August 2024

New cybersecurity rules have been proposed in the US to mitigate vulnerabilities caused by the interconnectedness of modern aircraft following the publication of the Federal Aviation Administration (FAA)’s proposal. The current trend in aircraft design of increased integration of airplane, engine and propeller systems with internal or external data networks and services and the regulator warned that these designs are leading to vulnerabilities from sources such as wireless sensors, satellite communications and portable electronic devices, potentially affecting the safe operation of aircraft. The FAA’s proposed rules will require aircraft manufacturers to demonstrate that their design both protects against unauthorised access from inside or outside of the airplane and prevents malicious changes to, and adverse impacts on, the airplane equipment, systems, and networks required for safe operation.