Despite the veneer of technology, cyber crime is a very human story full of human emotion.
In this month’s cyber security newsletter, we’ll witness how aggression, curiosity and old-fashioned avarice all motivated cyber attacks and security breaches.
The response, too – however augmented by technology – should be human. Caution. Suspicion. And a fierce defence of what’s rightfully yours.
Here’s this month’s top stories.
UK government warns of growing Chinese cyber threats
Deputy Prime Minister Oliver Dowden has pointed the finger at Chinese ‘state-affiliated actors’ for cyber attacks against the Electoral Commission and British MPs who have been critical of the Chinese state.
Mr Dowden revealed in the Commons that a hack at the Electoral Commission (which oversees elections and political finance) discovered in 2022, was most likely caused by hostile China-backed state actors. The hack exposed the names and addresses of tens of millions of voters. Another incident in 2021 of ‘online reconnaissance activity’, which targeted the accounts of China-sceptic MPs, is believed to have been carried out by the Chinese state-backed group, APT31.
There is a growing fear amongst US and UK governments that China is on a cyber-espionage spree. They worry that the Chinese state is actively looking to destabilise Western rivals’ economies and supply chains, steal their intellectual property and silence any critics of the authoritarian regime.
A recent Guardian article said that US cyber security experts have seen Chinese hackers specifically target international organisations in sectors such as biotechnology, aerospace, renewable energy and microchips.
The NCSC (National Cyber Security Centre) has also published updated guidance on improving cyber security for political organisations and think tanks.
Kate Middleton data breach: the plot thickens…
The Information Commissioner’s Office is investigating The London Clinic over an attempted data breach of the Princess of Wales’s private medical information.
It’s been reported that three staff are being questioned about trying to illegally access the Princess’ private medical records, following her treatment there for 13 days in January.
Now it’s believed that the ICO is also looking into whether The London Clinic delayed reporting the breach. As per ICO guidelines, personal data breaches must be reported within 72 hours from the time of discovery if a risk is posed to an individual’s rights and freedoms.
However, the London Clinic did not deliver an incident report until more than a week after the Princess was discharged on 29 January. There has been speculation in the media that news of the data breach could have pushed the Princess into publicly disclosing her cancer diagnosis this month.
The ICO makes it clear that accessing someone’s medical records without cause or consent can be a criminal offence and that last year a medical secretary was fined by the courts for illegally accessing over 150 people’s records.
It’s a sobering lesson for any business that handles sensitive client data. Investing in best-practice IT systems and processes that restrict access to specific types of data through the principle of least privilege (POLP) is crucial.
Should ransomware payments be banned? Discuss
A global movement to resist making ransomware payments is gathering pace. Both US and UK governments make it clear that paying a ransom is no guarantee that your data will be decrypted, not leaked, or that your systems won’t be open to further hacks in the future.
Now a cyber security expert has called for a complete ban on ransomware payments. Brett Callow, threat analyst at cyber security firm Emsisoft, recently told the Register, ‘I think more people are coming to accept that a ban, while problematic, may ultimately be the only solution to the ransomware problem.’
Late last year, 50 member countries of the International Counter Ransomware Initiative signed up to an agreement to not pay ransom demands to cyber criminals. Closer to home, The British Library was lauded by the National Cyber Security Centre for refusing to pay cyber criminals a £600,000 ransom.
‘Tighten up your act, digital vendors’ says government
Both the UK government and the EU are pushing for tighter regulation around cyber security for digital vendors.
The EU is close to going live with The Cyber Resilience Act (CRA) this year. The new rules promise safer hardware and software across a range of products and services, including everything from baby monitors to smart watches. The CRA plans to protect ‘consumers and businesses buying or using products or software with a digital component’. The CRA will introduce new ‘…mandatory cybersecurity requirements for manufacturers and retailers of such products, with this protection extending throughout the product lifecycle’.
The Act also applies to open-source components and includes a requirement for manufacturers to draw up a software bill of materials that identifies and documents components contained in products with digital elements.
The UK government, meanwhile, has published a policy paper highlighting proposed measures for greater accountability from software vendors. This includes ‘setting clear expectations for software vendors, strengthening accountability in the software supply chain and protecting high-risk users and addressing systemic risks’.
Fujitsu cyber security fails – again
Japanese IT services provider Fujitsu has confirmed that a recent hack resulted in criminals stealing sensitive customer data. The business announced that it had found malware on several of its business computers and that files containing customers’ personal information had been stolen.
This isn’t the first time that Fujitsu has been hacked. Back in 2021, their ProjectWEB information-sharing tool was compromised, which led to the offices of several Japanese government agencies being breached. Fujitsu’s services include everything from servers and storage systems to telecommunications equipment and IT consulting.
Other vulnerabilities
Fortinet FortiClient EMS SQL Injection Vulnerability
Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
Nice Linear eMerge E3-Series OS Command Injection Vulnerability