How do you respond to a cyber attack when the whole world is watching?
Some sobering lessons from the Capita hack this month where the outsourcing giant has come under scrutiny for its slow response to revealing the damage done by a recent breach.
Of further concern to businesses is the government warning that you don't have to be a coding genius to commit serious cyber crime.
Organisations are at increased risk of corporate espionage thanks to off-the-shelf attack tools used by hackers-for-hire. These keyboard crims are using freely available commercial hacking tools to steal confidential information.
In addition, reports of AI chatbots being subverted through prompt injection weaknesses mean that these flaws could be exploited by non-technical attackers using nothing more than natural language.
This is likely to be an area of wider concern for OpenAI, as well as for Google's and Microsoft's chatbots, Bard and Sydney respectively.
In more positive news, the government is gaining ground on cyber criminals with the creation of a new National Cyber Force and lots more investment in cyber protection.
As always, the advice for staying safe remains the same: stay vigilant, follow security best practice and invest in cyber security training.
Here's a round-up of what caught our eye in April:
Capita hack goes from bad to worse
Capita, one of the country's largest outsourcing companies (holding £6.5 billion worth of government contracts), finds itself in a rapidly worsening hack scenario.
Late last month, it said it was hit by an “IT issue”, which it later confirmed to be a “cyber-incident”. The hack mainly affected Capita's Microsoft 365 estate. Capita's response has come under growing scrutiny because the company was slow to reveal the full extent of the damage.
However, a report by the Times soon claimed that sensitive personal data including over a hundred bank accounts, passport photos and addresses were now up for sale on the dark web.
Capita has now acknowledged that hackers stole potential staff, customer and supplier data.
The group behind it is believed to be the Russian ransomware criminal gang Black Basta. The hack is particularly worrying as Capita provides outsourcing services to the NHS, the British Army, the Royal Navy and many other public and private organisations considered to be part of our critical national infrastructure.
A big lesson here for businesses and organisations: transparency about cyber attacks is vital from the very start. It's an important part of your cyber breach response strategy under GDPR, and you don't want the news sites beating you to it. If you'd like help improving your own business continuity planning and data protection response strategy, please get in touch.
Government is fighting back against cyber crime with National Cyber Force
The National Cyber Force is the government's new bulwark against cyber crime. Investment in the UK's overall cyber security has been ramped up, as set out in the 2022 National Cyber Strategy.
The National Cyber Force is an important element of this commitment. The NCF's main aim is to support the armed forces and UK foreign policy in disrupting a wide range of cyber threats.
These can include everything from foiling terrorist attacks and hostile state actors to preventing serious crime.
TikTok fined £12.7m for unlawfully processing children's data
The Information Commissioner's Office has fined the Chinese-owned video sharing app £12.7m for illegally processing the personal data of over a million children.
The watchdog said that the data of 1.4 million children under 13 was illegally processed as the children were using the platform without parental consent. This is in breach of UK data protection laws.
According to the ICO, TikTok “was not doing enough to prevent under-13s accessing their platform”. The fine comes close on the heels of a government ban on the app from work devices and parliamentary networks.
TikTok's privacy settings are indeed worrying, as we explore in our most recent blog post.
Government warns of Hacking-as-a-Service
The UKโs cyber security agency has raised the alarm over increasingly popular commercially available hacking and espionage services.
The agency further warned that commercially available cyber crime tools can be easily bought off-the-shelf and have lowered the barrier for entry to state and non-state actors.
Of special importance to businesses is the warning that commercial “hackers-for-hire” pose a significant corporate espionage threat to an organisation's confidential information across a range of sectors.
The recent government crackdown on the Genesis cyber-crime marketplace is an example of how even low-level cyber criminals were able to buy victims' passwords online to commit fraud.
Google releases patch update for second zero-day attack
Google has issued an updated patch for a high-severity zero-day vulnerability in its Chrome web browser.
The bug is tracked as CVE-2023-2136. This is the second actively exploited Chrome zero-day this year.
Users have been advised to upgrade to version 112.0.5615.137/138 for Windows, 112.0.5615.137 for macOS, and 112.0.5615.165 for Linux.
Those using Chromium-based browsers such as Brave, Microsoft Edge, Vivaldi and Opera should also apply patches immediately.
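A practical way to act on the advice above is to check which machines in your estate are still below the patched build for their platform. The script below is an added example, not code from the original post or from Google: it takes the per-platform floor versions quoted above, parses a browser version string as numbers rather than text (a plain string comparison would wrongly treat build ".99" as newer than ".137"), and reports the hosts that still need the update. The inventory rows are constructed sample data, and the `unpatched_hosts` helper and its row layout are this example's own assumptions. It only applies to Chrome itself; Edge, Brave, Vivaldi and Opera carry their own version numbers and need their own floors.

```python
import re

# Minimum patched Chrome versions per platform, as stated in the advisory text.
# Windows shipped as two builds (.137 and .138); either is patched, so the lower
# one is the floor.
PATCHED_MIN = {
    "windows": "112.0.5615.137",
    "macos": "112.0.5615.137",
    "linux": "112.0.5615.165",
}

# Constructed sample inventory: (hostname, platform, output of "<chrome> --version").
INVENTORY = [
    ("ws-01", "windows", "Google Chrome 112.0.5615.121"),
    ("ws-02", "windows", "Google Chrome 112.0.5615.138"),
    ("ws-03", "windows", "Google Chrome 112.0.5615.99"),
    ("mac-01", "macos", "Google Chrome 112.0.5615.137"),
    ("lx-01", "linux", "Google Chrome 112.0.5615.137"),
    ("lx-02", "linux", "Google Chrome 113.0.5672.63"),
]

_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text):
    """Extract the first dotted version from e.g. 'Google Chrome 112.0.5615.121'
    and return it as a tuple of ints, so comparison is numeric rather than lexical."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(version_text, platform):
    """True when the installed build is at or above the patched floor for the platform."""
    floor = parse_version(PATCHED_MIN[platform.lower()])
    return parse_version(version_text) >= floor


def unpatched_hosts(inventory):
    """Return the hostnames whose installed Chrome is below the floor for their platform."""
    return [host for host, platform, version in inventory if not is_patched(version, platform)]


if __name__ == "__main__":
    for host in unpatched_hosts(INVENTORY):
        print(f"{host}: update required")
```

Tuples of ints compare element by element, so a build from a later major version (113.x) passes without any special casing, and a shorter string such as "112.0" correctly sorts below the full four-part floor.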