Despite the veneer of technology, cyber crime is a very human story full of human emotion.
In this month's cyber security newsletter, we'll witness how aggression, curiosity and old-fashioned avarice all motivated cyber attacks and security breaches.
The response, too – however augmented by technology – should be human. Caution. Suspicion. And a fierce defence of what's rightfully yours.
Here are this month's top stories.
UK government warns of growing Chinese cyber threats
Deputy Prime Minister Oliver Dowden has pointed the finger at Chinese "state-affiliated actors" for cyber attacks against the Electoral Commission and British MPs who have been critical of the Chinese state.
Mr Dowden revealed in the Commons that a hack at the Electoral Commission (which oversees elections and political finance), discovered in 2022, was most likely caused by hostile China-backed state actors. The hack exposed the names and addresses of tens of millions of voters. Another incident in 2021 of "online reconnaissance activity", which targeted the accounts of China-sceptic MPs, is believed to have been carried out by the Chinese state-backed group, APT31.
There is a growing fear amongst US and UK governments that China is on a cyber-espionage spree. They worry that the Chinese state is actively looking to destabilise Western rivals' economies and supply chains, steal their intellectual property and silence any critics of the authoritarian regime.
A recent Guardian article said that US cyber security experts have seen Chinese hackers specifically target international organisations in sectors such as biotechnology, aerospace, renewable energy and microchips.
The NCSC (National Cyber Security Centre) has also published updated guidance on improving cyber security for political organisations and think tanks.
Kate Middleton data breach: the plot thickens…
The Information Commissioner's Office is investigating The London Clinic over an attempted data breach of the Princess of Wales's private medical information.
It's been reported that three staff are being questioned about trying to illegally access the Princess' private medical records, following her treatment there for 13 days in January.
Now it's believed that the ICO is also looking into whether The London Clinic delayed reporting the breach. As per ICO guidelines, personal data breaches must be reported within 72 hours from the time of discovery if a risk is posed to an individual's rights and freedoms.
However, the London Clinic did not deliver an incident report until more than a week after the Princess was discharged on 29 January. There has been speculation in the media that news of the data breach could have pushed the Princess into publicly disclosing her cancer diagnosis this month.
The ICO makes it clear that accessing someone's medical records without cause or consent can be a criminal offence and that last year a medical secretary was fined by the courts for illegally accessing over 150 people's records.
It's a sobering lesson for any business that handles sensitive client data. Investing in best-practice IT systems and processes that restrict access to specific types of data through the principle of least privilege (POLP) is crucial.
Should ransomware payments be banned? Discuss
A global movement to resist making ransomware payments is gathering pace. Both US and UK governments make it clear that paying a ransom is no guarantee that your data will be decrypted, not leaked, or that your systems won't be open to further hacks in the future.
Now a cyber security expert has called for a complete ban on ransomware payments. Brett Callow, threat analyst at cyber security firm Emsisoft, recently told the Register, "I think more people are coming to accept that a ban, while problematic, may ultimately be the only solution to the ransomware problem."
Late last year, 50 member countries of the International Counter Ransomware Initiative signed up to an agreement to not pay ransom demands to cyber criminals. Closer to home, The British Library was lauded by the National Cyber Security Centre for refusing to pay cyber criminals a £600,000 ransom.
"Tighten up your act, digital vendors" says government
Both the UK government and the EU are pushing for tighter regulation around cyber security for digital vendors.
The EU is close to going live with The Cyber Resilience Act (CRA) this year. The new rules promise safer hardware and software across a range of products and services, including everything from baby monitors to smart watches. The CRA plans to protect "consumers and businesses buying or using products or software with a digital component". The CRA will introduce new "…mandatory cybersecurity requirements for manufacturers and retailers of such products, with this protection extending throughout the product lifecycle".
The Act also applies to open-source components and includes a requirement for manufacturers to draw up a software bill of materials that identifies and documents components contained in products with digital elements.
The UK government, meanwhile, has published a policy paper highlighting proposed measures for greater accountability from software vendors. This includes "setting clear expectations for software vendors, strengthening accountability in the software supply chain and protecting high-risk users and addressing systemic risks".
Fujitsu cyber security fails – again
Japanese IT services provider Fujitsu has confirmed that a recent hack resulted in criminals stealing sensitive customer data. The business announced that it had found malware on several of its business computers and that files containing customers' personal information had been stolen.
This isn't the first time that Fujitsu has been hacked. Back in 2021, their ProjectWEB information-sharing tool was compromised, which led to the offices of several Japanese government agencies being breached. Fujitsu's services include everything from servers and storage systems to telecommunications equipment and IT consulting.
Other vulnerabilities
Fortinet FortiClient EMS SQL Injection Vulnerability
Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
Nice Linear eMerge E3-Series OS Command Injection Vulnerability