This week, we discuss security issues at the Electoral Commission, Meta’s appeal against daily GDPR fines, and a breach affecting 10 million users of the French unemployment agency Pôle emploi.
Also available on Spotify, Amazon Music, Apple Podcasts and SoundCloud.
Transcript:
Hello and welcome to the IT Governance podcast for Friday, 8 September 2023. Here’s the news:
As discussed in our 11 August podcast, the Electoral Commission issued a public notification of what it called a “complex cyber-attack” on 8 August, in which “hostile actors” gained access to the UK’s electoral registers, which contain somewhere in the region of 46 million people’s personal information.
According to the statement, attackers were able to access servers that held emails, control systems and reference copies of the electoral registers of those registered to vote in the UK between 2014 and 2022, as well as overseas voters.
However, it seems that the cyber attack might not have been as “complex” as the Commission initially suggested: a whistleblower has told the BBC that the Commission had failed a Cyber Essentials audit around the time the attackers gained access to its systems.
Although there’s no evidence to suggest that the attackers exploited any vulnerability associated with this audit failure, the failure itself is indicative that security at the Commission was, perhaps, not as robust as it could have been.
The security researcher Kevin Beaumont supports this assessment, explaining on doublepulsar.com that the Commission was known to have been running an unpatched version of Microsoft Exchange Server that was vulnerable to ProxyNotShell attacks at the time of the incident.
The Cyber Essentials scheme is a government-backed framework supported by the National Cyber security Centre. IT Governance has been a certification body for the scheme since 2014, when it was launched. The scheme sets out five basic cyber security controls that organisations can implement to protect themselves from around 80% of common cyber attacks, including patch management – in other words, ensuring software, apps and operating systems are kept up to date.
It’s very much a base level of cyber security that every organisation should comply with as a matter of course. For an organisation such as the Electoral Commission, which processes such huge volumes of personal data, a more resilient approach to cyber security would appear to be essential.
A cyber-defence-in-depth approach means implementing the right combination of physical, technical and administrative controls to safeguard your organisation, even if one of those defensive layers is breached.
The Commission has confirmed that it has still not passed its Cyber Essentials audit.
Last month, Meta Platforms asked a Norwegian court to overturn an order by the country’s data protection authority, Datatilsynet, fining it 1 million kroner (approximately £75,000) per day since 14 August for processing personal data in violation of the GDPR.
The fines are due to continue until 3 November.
On 17 July, Datatilsynet imposed a temporary ban on the owner of Facebook and Instagram “carrying out behavioural advertising based on the surveillance and profiling of users in Norway” – a practice Datatilsynet considered unlawful, based on a January decision by the Irish Data Protection Commission, Meta’s lead supervisory authority in the EU, and a subsequent ruling by the Court of Justice of the European Union.
On 29 August, Reuters reports, Christian Reusch, a lawyer representing Meta Platforms, told the Oslo district court that the company had “already committed to ask for consent” from its users when using their personal data to determine the advertising content they saw, and that Datatilsynet had used an “expedited process” that didn’t give the company time to respond to the decision.
However, the court ruled in favour of Datatilsynet on 6 September. Datatilsynet commented: “We are very pleased with the Court’s ruling and the result. This is a big victory for people’s data protection rights.”
Meta, unsurprisingly, was less pleased. “We are disappointed by today’s decision and will now consider our next steps,” a spokesperson said. “We have already announced our intention to transition all EU and EEA users to the GDPR legal basis of Consent, and will continue to work with the Irish Data Protection Commission to facilitate this.”
The commodification of personal data is central to big tech companies’ business models, with behavioural advertising – personalised advertising targeting individuals based on analysis of their online behaviour – a key source of revenue. This decision could therefore have serious implications for many companies operating in the EEA.
The French unemployment agency Pôle emploi has notified the Commission nationale de l’informatique et des libertés of a data breach thought to have affected 10 million people.
According to a press release published on its website, job seekers registered in February 2022 and all former users of Pôle emploi are potentially affected, with their first and last names, and social security numbers compromised. Email addresses, phone numbers, passwords and bank details were unaffected.
The security firm Emsisoft listed Pôle emploi among the many victims of May’s MOVEit Transfer breach, in which the Russian Cl0p gang exploited a zero-day SQL injection vulnerability in Progress Software’s popular file transfer app MOVEit Transfer, but it’s since removed it from its list of MOVEit victims.
Moreover, as BleepingComputer notes, Cl0p “has not yet published the French agency on its extortion site”, nor does Pôle emploi mention MOVEit in its press release. However, this omission could be due to Cl0p’s previous announcement that it “would not expose information obtained from government agencies”.
If the breach is indeed part of the attack on MOVEit Transfer, it makes Pôle emploi the second largest victim in terms of individuals affected, behind the US government contractor Maximus, which saw 11 million data records compromised as a result of the breach.
Whether or not Pôle emploi can be added to the list of victims, the MOVEit Transfer breach is the largest of the year so far: more than 1,000 organisations are now known to have been caught up in the breach, with over 60 million individuals affected.
That was the news. And that’s it for this time. We’ll be back in a fortnight, but until then you can get in touch with us either by leaving a comment on the blog, or via Twitter @itgovpod (that’s my account) or @itgovernance. Our archive is on SoundCloud, Amazon Music, Spotify and Apple Podcasts, and you can find everything you need to implement and maintain cyber security defence in depth on our website: itgovernance.co.uk.
