Welcome to HSF’s October wrap-up, which features our top picks for cyber-related news in the UK, EMEA and US.
In a world overflowing with individual incidents and long-form analysis, our short articles are aimed at cutting through the noise, pointing you to key developments, providing you with learning points at a glance and signposting you to longer form content. If you would like to find out more, do reach out to a member of our international team.
NIS 2: Transposition progress and a new EU Commission implementing regulation
European Commission – 17 October 2024
The NIS 2 Directive, aimed at ensuring a high level of cybersecurity across key sectors in the EU and in force since January 2023, obliged Member States to pass transposing legislation by 17 October 2024. Whilst the vast majority of Member States did not meet this deadline (and may not until H1 2025), the European Commission (in compliance with its own duties under NIS 2) also adopted an implementing regulation on 17 October, outlining more detailed technical and methodological requirements for entities that are DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines or social networking services platforms, or trust service providers.
A spokesperson for the EU Commission confirmed to CNBC that so far only "Belgium and Italy notified full transposition, and Croatia, Latvia and Lithuania partial transposition of the NIS2 Directive". Despite the slow progress, the EU Commission has urged Member States to comply quickly and has indicated its readiness to ensure compliance using the tools available to it. While it is unclear how many countries have met the implementation deadline, the lack of national transposition, despite the two years allocated for the task, may force regulators to refer to the measures in the Directive in the absence of local legislation.
EUR-Lex – 4 October 2024
Despite a previous Attorney General opinion that only data subjects, and not commercial competitors, are the addressees of the protection of personal data guaranteed by the GDPR, the CJEU held that allowing commercial competitors to effectively “police” each other may reinforce the practical effectiveness of the GDPR and thus improve the protection of data subjects. Therefore the CJEU found that the GDPR does not preclude national legislation which grants competitors the right to take civil action for infringement of the GDPR in order to prevent unfair commercial practices. This builds on the existing permission under Art 80(2) for third parties (understood to be a reference to, for example, consumer protection organisations) to bring actions on behalf of data subjects.
Additionally, in this case, which involved a defendant selling pharmacy-only medicines through Amazon and allegedly processing “health data” of the ordering customer in doing so, the CJEU ruled that, for the categorisation of information as data concerning health, it does not matter whether the information is entirely accurate (i.e. whether the ordering customer is the data subject taking the medicine), whether the medicine requires a prescription or whether the controller has any intent of obtaining special category data. This element of the decision goes against the AG’s opinion and it is difficult to see how this case law would play out in practice: in some instances Article 9’s extra protections are enhanced, and the same reasoning may extend to instances that relate to other protected categories of data (e.g. buying books about political figures or the purchase of kosher food).
Cyber resilience act: Council adopts new law on security requirements for digital products
Council of the EU – 10 October 2024
On 10 October 2024, the European Council officially adopted a Regulation on enhancing cybersecurity requirements for products with digital elements (the so-called “Cyber Resilience Act” or “CRA”). This law introduces EU-wide cybersecurity requirements for the design, development, production and market availability of hardware and software products. It is similar to, albeit wider ranging than, the UK’s own Product Security and Telecommunications Infrastructure Act 2022 and accompanying (UK) Regulations. The CRA covers all products connected directly or indirectly to another device or network, such as smart home devices and IoT products.
Key elements of the CRA include:
- Ensuring products with digital components are secure throughout their lifecycle.
- Requiring products to bear the CE marking, indicating compliance with the regulation’s cybersecurity standards.
- Exempting certain products already covered by existing EU regulations, like medical devices and aeronautical products.
The CRA aims to reduce vulnerabilities in digital products, enhance transparency about their security features, and empower consumers to make informed choices. The regulation will come into force 20 days after its publication in the EU’s official journal and will apply 36 months later.
Revolut urges Meta to share cost of reimbursing fraud victims
Financial Times – 3 October 2024
Revolut, a challenger bank, has urged Meta to reimburse victims of cyber fraud, asserting that Meta's data-sharing partnership with UK banks including NatWest and Metro Bank for fraud prevention is insufficient. According to Revolut’s security report, Meta platforms are the source of 62% of cyber fraud attacks reported to the company. Revolut emphasised that the initiative is focused only on the UK and does not adequately address global fraud issues, stressing that Meta needs to be more proactive in monitoring scams on its own platforms. Tech-enabled fraud remains a significant issue despite banks’ efforts to make it more difficult to pay previously unknown recipients. It remains to be seen how effective this type of call on tech giants to share the costs of such frauds will be. This also came on the same day as new mandatory rules, effective 7 October 2024, requiring banks to compensate victims of “Authorised Push Payment” fraud up to £85,000 within five days, incentivising enhanced fraud prevention measures.
White House official says insurance companies must stop funding ransomware payments
The Record – 4 October 2024
Another day, another proponent of a ban. Governments are reluctant to pull the trigger and legislate in this area because they understand the harm it would cause to organisations that are already in crisis.
Read our article about a rumoured (but, since the UK general election, apparently abandoned) ransomware payment ban.
At the same time, the UK and 38 other countries endorsed new guidance around ransomware payments.
A senior White House official suggested that insurance companies must stop issuing policies that incentivise ransomware payments, arguing that such policies fuel cyber crime ecosystems. However, there has been no indication of a formal proposal to ban this practice from the White House. As previously highlighted by the rumoured, but seemingly abandoned ransomware payment ban, governments are reluctant to legislate in the area knowing the impact it would have on organisations that are already in crisis following a cyber incident. A recent summit of the International Counter Ransomware Initiative saw some members and eight insurance industry bodies endorsing guidance for organisations to carefully consider their decisions before making payments. Unfortunately, these measures fall short of eliminating the practice.
Upper Tribunal DSG judgment could affect data breach enforcement
Lexology – 09 October 2024
The UK Information Commissioner's Office (ICO) has lost an appeal in the Upper Tribunal against an electronics retailer, DSG, that lost control of over half a million credit card numbers. The controller, DSG, was the victim of a cyberattack that exfiltrated credit card data, some of which was associated with cardholders' names. The ICO found that a credit card number is in itself personal data under data protection law because it is used to single out individual bank account holders. The First Tier Tribunal (FTT) largely agreed, but the Upper Tribunal sided with DSG, holding that credit card numbers in themselves are not personal data.
The ICO's decision was based on a "three-limb test" for identifying when information is personal data: (1) it is information about a directly identifiable individual; (2) it can identify an individual indirectly when combined with other information held by the controller; or (3) the same as limb 2, but the other information is held, or reasonably likely to be held, by a third party rather than the controller. The FTT ruled that EMV-protected cards were "limb 2" personal data, and that DSG had failed to properly protect personal data and violated the law.
The ICO has just sought permission to appeal to the Court of Appeal.
MoneyGram 'shocked' by UK Post Office move to end relationship
Finextra – 02 October 2024
Following a cyber attack on MoneyGram, the Post Office offered a shortened contract term in negotiations for a new contract that started in October 2024, which MoneyGram rejected. In response, MoneyGram accused the Post Office of misrepresenting the cyber attack and breaching the confidentiality of their current agreement. Despite the dispute, which benefits neither of the two companies involved, operations have resumed in all countries aside from the UK, and MoneyGram expressed hope for a continued relationship with the Post Office. This follows the Post Office's previous controversial dispute over its Horizon accounting system, which various commentators have characterised as the biggest miscarriage of justice in British corporate history. This is an unfortunate, but luckily rare, example of public mudslinging, one of the many potential consequences of cyber attacks.
Northern Ireland police fined for data breach exposing secret identities of officers
The Record – 3 October 2024
The Police Service of Northern Ireland (PSNI) has been fined £750,000 ($1 million) by the ICO in the UK for a significant data breach that exposed the identities of its entire workforce. This breach potentially left staff and officers vulnerable to criminal and terrorist groups, causing considerable fear and concern. Remedial measures were taken swiftly following the breach, with PSNI officials working under the assumption that the exposed file might be used for intimidation by dissident republicans. The breach's impact has been compounded by the fact that 9,483 officers and staff members, some of whom had gone to great lengths to conceal their identities due to historical and ongoing targeting of the police in Northern Ireland, were affected. This could be seen as an example of the ICO being tough on breaches. While the action was foreseeable in such circumstances where there is real danger posed to the data subjects involved, the detrimental consequence of taking away resources from a public body remains. The question remains of how aggressively the UK ICO will enforce against private businesses.
A Single Cloud Compromise Can Feed an Army of AI Sex Bots
KrebsonSecurity – 3 October 2024
Cybercriminals are using stolen cloud credentials to operate and resell sexualised AI-powered chat services, often veering into darker role-playing scenarios, including child sexual exploitation. Permiso Security researchers found that attacks against generative artificial intelligence infrastructure like Bedrock from Amazon Web Services (AWS) have increased markedly over the last six months, particularly when someone in the organisation accidentally exposes their cloud credentials or key online.
The researchers discovered that attackers captured AWS credentials to interact with the large language models (LLMs) available on Bedrock. However, they found that none of these AWS users had enabled full logging of LLM activity, so they lacked any visibility into what attackers were doing with that access. To investigate, Permiso researchers leaked their test AWS key on GitHub, while turning on logging so they could see exactly what an attacker might ask for and what the responses might be. Within minutes, their bait key was scooped up and used in a service that offers AI-powered sex chats online.
Threat researchers at Permiso said attackers in possession of a working cloud account have traditionally used that access for run-of-the-mill financial cybercrime, such as cryptocurrency mining or spam. Over the past six months, Bedrock has emerged as one of the top targeted cloud services. Many of the AI-powered chat conversations initiated by the users were not illegal, but a percentage were geared toward roleplaying alarming and illegal sexual behaviour.
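The Permiso finding above turns on two things: a leaked key invoking Bedrock models, and nobody looking at the invocation trail. As an added illustration (our own sketch, not Permiso's tooling or AWS sample code), the script below scans CloudTrail-style records for Bedrock model invocations by principals that are not expected to use the service; the records, principal names, model id and IP addresses are constructed, and the field layout is assumed to follow CloudTrail's schema.

```python
import json
from collections import Counter

# Constructed CloudTrail-style records (assumed field layout, made-up values):
# a deploy key calling chat models from an unfamiliar address, plus normal noise.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"modelId": "example-chat-model"}},
    {"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModelWithResponseStream",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"modelId": "example-chat-model"}},
    {"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel",
     "userIdentity": {"type": "IAMUser", "userName": "ml-team"},
     "sourceIPAddress": "198.51.100.5",
     "requestParameters": {"modelId": "example-chat-model"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {}},
]})

# Both event names are model invocations; only the response style differs.
INVOCATION_EVENTS = {"InvokeModel", "InvokeModelWithResponseStream"}

def bedrock_invocations(trail_json):
    """Yield (principal, model_id, source_ip) for every Bedrock model call."""
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventSource") != "bedrock.amazonaws.com":
            continue
        if rec.get("eventName") not in INVOCATION_EVENTS:
            continue
        principal = rec.get("userIdentity", {}).get("userName", "<unknown>")
        model = rec.get("requestParameters", {}).get("modelId", "<unknown>")
        yield principal, model, rec.get("sourceIPAddress", "<unknown>")

def unexpected_callers(trail_json, allowed_principals):
    """Count Bedrock calls by principals outside the allowlist, keyed by
    (principal, model, source IP). A service account that never needed an
    LLM suddenly driving chat models is the signal to chase."""
    counts = Counter()
    for principal, model, ip in bedrock_invocations(trail_json):
        if principal not in allowed_principals:
            counts[(principal, model, ip)] += 1
    return counts

if __name__ == "__main__":
    for (who, model, ip), n in unexpected_callers(SAMPLE_TRAIL, {"ml-team"}).items():
        print(f"{who} invoked {model} from {ip} {n} time(s): rotate and investigate this key")
```

CloudTrail only records that a model was called; seeing the prompts and responses themselves, as Permiso did for their bait key, requires Bedrock's own model invocation logging to be switched on.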
EU Finance Bodies Seek Clarity On Cybersecurity Compliance
Law360 – 3 October 2024
Four major European trade bodies have called for clarity on how the upcoming Digital Operational Resilience Act (DORA), which is set to come into effect in January, applies to them. The trade bodies, representing banks, securities exchanges and financial infrastructure, stress that their services are already regulated by financial authorities and should not be classified as 'information and communication technology services' under DORA. The trade bodies have urged the European supervisory authorities to provide further guidance and ensure that finance-specific services such as clearing and settlement activities are not considered to be technology services, thus preventing extra compliance burdens. DORA, like NIS 2, is triggering many questions around interpretation, and with deadlines looming, it is more important than ever for organisations to stay abreast of the latest guidance and market practice.
About a quarter million Comcast subscribers had their data stolen from debt collector
The Register – 4 October 2024
Comcast has revealed that data of 237,703 of its customers was stolen during a cyberattack on Financial Business and Consumer Solutions (FBCS), its debt collector. FBCS assured early on that no Comcast customer data was affected when FBCS was compromised in February 2024, but it later confirmed in July that the Comcast subscriber data it held had been stolen. The breached data included names, addresses, social security numbers, birthdates and Comcast account numbers from around 2021. Comcast halted the use of FBCS for debt collection services in 2020, and it emphasised that its own systems were not breached during the attack. Crisis communications during a cyber incident must be sensitive to, and quickly updated as, the underlying fact pattern changes. In this scenario, Comcast had made an announcement it had to publicly go back on five months later.
SEC Fines 4 Cos. Over SolarWinds Breach Disclosures
Law360 – 22 October 2024
The US Securities and Exchange Commission (SEC) has imposed $7 million in fines on four tech companies (Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd. and Mimecast Ltd.) for allegedly downplaying the impact of cybersecurity breaches associated with the infiltration of SolarWinds Corp.'s software. From 2020 to 2022, the companies purportedly "negligently minimised" the attacks on their networks in their statements to investors. The breaches were tied to the installation of SolarWinds' software, which was accessed by suspected Russian spies, potentially compromising thousands of government and corporate clients worldwide. Without admitting or denying the allegations, the companies agreed to pay the penalties. Listed companies should be wary of downplaying the impact of cyber incidents they suffer, at the risk of falling foul of investors and financial regulators and ultimately facing large fines.
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.