Welcome to Cyber_Bytes, our regular round-up of major developments in cyber, technology and ever-evolving risks.
Another blow to misuse of private information claims – Smith and Others v TalkTalk [2022] EWHC 1311 (QB)
The claimants brought proceedings against TalkTalk following its 2014 and 2015 data breaches, alleging that their personal data had been taken from TalkTalk’s IT systems by an unknown criminal third party and then used for fraudulent purposes. They claimed compensation for breach of statutory duty under the Data Protection Act 1998 and compensation for misuse of private information.
The judgment follows Warren v DSG Retail Limited, which held that claims in negligence and in misuse of private information could not be maintained where the defendant had not performed a positive act that resulted in the loss of confidentiality of the data.
The claimants tried to distinguish Smith from Warren by characterising TalkTalk’s conduct as positive acts rather than a series of failures. As Saini J put it, however, this argument was “a claim in negligence disguised as a claim for misuse of private information.” Ultimately, any misuse of private information was held to be the act of the criminal third party, not of TalkTalk.
In a more concerning development, however, Saini J refused to strike out the “unconfirmed breach” claims. A particular claimant could not say whether they had been affected by the 2014 breach, the 2015 breach, or some other breach. The pleading was nevertheless held to be permissible: if the personal data used by the scammers was not obtained in the 2014 or 2015 breaches, the cause must have been some other unauthorised access to TalkTalk’s systems. Although disclosure on that basis could be complicated and costly, Saini J was reluctant to strike the claim out.
The decision is a welcome reaffirmation of Warren insofar as misuse of private information is concerned. It also shows, however, a willingness by the Court to be lenient in data protection pleadings where claimants can only infer the facts from what has been made public.
Click here to read the High Court decision on BAILII.
ICO funding update: a new income retention arrangement
The ICO has announced that it will now be able to retain up to £7.5 million a year of the money it collects through civil monetary penalty notices. When it issues a civil monetary penalty notice, the ICO will be able to use the retained funds to cover agreed, specific and externally audited litigation costs.
The rationale given for the arrangement is the increasing number and complexity of claims in the digital age. The additional funding is intended to allow the ICO to maintain the technical and legal capacity needed to deal with current and future cases. The changes have been agreed with the Department for Digital, Culture, Media and Sport and HM Treasury.
The ICO will be audited by the National Audit Office each year to ensure that funds are retained only where appropriate, and it will report both the fines and the related costs in its Annual Report and to HM Treasury.
The ICO describes the measure as supporting “appropriate and proportional regulatory action”, and the new funding could help the ICO turn its attention to bigger fish than the five-figure PECR fines that have dominated its enforcement activity in recent times.
Click here to read the full article as published by the ICO.
Right of access extends to identification of the specific recipients to whom personal data is disclosed (AG opinion)
In RW v Österreichische Post AG, the Advocate General took the view that the data subject’s right of access extends to the identity of the specific recipients of their personal data.
RW made a subject access request to Österreichische Post (OP), Austria’s main postal service, asking it to identify the third parties to which it had disclosed data about RW. OP provided information about categories of recipients, together with general information about its data sharing, but did not identify the specific recipients.
Advocate General Pitruzzella (the AG) noted that the wording of Article 15(1)(c) GDPR confers the right to information on “the recipients or categories of recipient” on the data subject, and does not leave it to the controller to decide what level of detail is provided. Furthermore, Recital 63 GDPR provides that data subjects “have the right to know and obtain communication [...] with regard to [...] the recipients of the personal data”.
OP therefore cannot confine RW’s right of access to information about categories of recipient and must identify the specific recipients if asked to do so. That is what allows RW to verify that the disclosure and use of the data are lawful and to understand how it is being processed.
The opinion sets out the type of information a data subject should receive from a controller in response to a subject access request. If followed by the Court of Justice, it will usefully clarify a controller’s obligations whenever such a request is made.
Click here to read Advocate General Pitruzzella’s full opinion on InfoCuria.
People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices
The National Security Agency (NSA), the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have published a joint Cybersecurity Advisory detailing how state-sponsored actors of the People’s Republic of China (PRC) are targeting telecommunications companies and network service providers worldwide.
PRC cyber actors are known to exploit commonly identified, publicly known vulnerabilities, using publicly available exploit code to gain access to victim accounts. They have also been observed monitoring the activity of network defenders and changing their tactics in response, in order to continue exploiting systems without being detected.
The actors use open-source tools and custom software frameworks to find and exploit known vulnerabilities in small office/home office routers and other network devices. From that foothold they identify critical infrastructure and users, harvest credentials and gain access to administrative accounts.
Organizations are encouraged to take mitigating action such as keeping systems and products updated and patched, using multi-factor authentication, enforcing strong password requirements, and maintaining logging together with robust reviews of who is accessing the network and its devices.
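As an added illustration of the last of those mitigations, logging combined with a review of administrative access, the Python script below is example code written for this page; it is not tooling from the advisory or from any vendor. It reads constructed, key=value style login records from network devices and flags administrative logins from outside an assumed management subnet, logins without MFA, logins over cleartext management protocols, and a success that follows repeated failures from the same source, which is the pattern left behind by password guessing against an exposed device. The record format, the management subnet 10.20.0.0/24, the list of administrative usernames and the sample records are all assumptions made for the example.

```python
"""Added example (not from the advisory): review network-device admin logins
for the patterns the advisory's logging and access-review mitigations target."""
import ipaddress
from collections import Counter

# Assumptions for this example: admin sessions are only expected from this
# management subnet, and devices emit key=value login records.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
ADMIN_USERS = {"admin", "root", "enable"}
CLEARTEXT_PROTOS = {"telnet", "http"}
FAILED_THRESHOLD = 3

# Constructed sample records; real syslog or TACACS+ accounting formats differ.
SAMPLE_LOGS = [
    "Jun 01 02:14:05 edge-rtr-01 login: user=admin result=success src=10.20.0.5 proto=ssh mfa=yes",
    "Jun 01 02:20:11 edge-rtr-01 login: user=netops result=success src=10.20.0.9 proto=ssh mfa=yes",
    "Jun 01 02:31:40 edge-rtr-02 login: user=admin result=failure src=203.0.113.77 proto=ssh",
    "Jun 01 02:31:43 edge-rtr-02 login: user=admin result=failure src=203.0.113.77 proto=ssh",
    "Jun 01 02:31:45 edge-rtr-02 login: user=admin result=failure src=203.0.113.77 proto=ssh",
    "Jun 01 02:31:48 edge-rtr-02 login: user=admin result=success src=203.0.113.77 proto=ssh mfa=no",
    "Jun 01 03:02:00 core-sw-01 login: user=admin result=success src=10.20.0.5 proto=telnet mfa=no",
]


def parse_line(line):
    """Parse one constructed record into a dict, or return None if it is not a login record."""
    parts = line.split()
    if len(parts) < 6 or parts[4] != "login:":
        return None
    event = {"ts": " ".join(parts[:3]), "host": parts[3]}
    for token in parts[5:]:
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def in_mgmt_net(src):
    """True if the source address lies inside one of the assumed management subnets."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source address: treat as untrusted
    return any(addr in net for net in MGMT_NETS)


def review(lines):
    """Return (timestamp, host, finding, source) tuples for risky administrative logins."""
    findings = []
    failures = Counter()  # (host, user, src) -> consecutive failed attempts
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.get("user") not in ADMIN_USERS:
            continue
        src = ev.get("src", "?")
        key = (ev["host"], ev["user"], src)
        if ev.get("result") == "failure":
            failures[key] += 1
            continue
        if ev.get("result") != "success":
            continue
        if not in_mgmt_net(src):
            findings.append((ev["ts"], ev["host"], "admin-login-outside-mgmt", src))
        if ev.get("mfa") != "yes":
            findings.append((ev["ts"], ev["host"], "admin-login-without-mfa", src))
        if ev.get("proto") in CLEARTEXT_PROTOS:
            findings.append((ev["ts"], ev["host"], "cleartext-mgmt-protocol", src))
        if failures[key] >= FAILED_THRESHOLD:
            findings.append((ev["ts"], ev["host"], f"success-after-{failures[key]}-failures", src))
        failures[key] = 0  # a success resets the failure streak for that source
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOGS):
        print(*finding)
```

On the sample records the first router shows nothing, the second router produces three findings for the single login from 203.0.113.77 (outside the management subnet, no MFA, and a success after three failures), and the core switch is flagged for a telnet session without MFA. The streak counter is keyed per source so that normal typos from a legitimate operator on the management network do not mask a separate guessing campaign from outside it; in production the same logic would run over exported syslog or AAA accounting records rather than an in-memory list.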
Click here to read the full article published by the Cybersecurity & Infrastructure Security Agency.
Qatar steps up its cyber security in preparation for the World Cup
As Qatar prepares to host the 2022 FIFA World Cup, experts expect cyber security issues to emerge from the expanded digital infrastructure and the demand placed on it. From tickets to hotels and restaurants, large volumes of visitors’ personal and financial data will be processed, and hackers will hope to profit from that data through fraudulent bookings and phishing attempts.
Because this is the first event of its kind in Qatar, many are skeptical about the country’s cyber defense capacity. Qatar faces the highly concentrated challenge of handling an estimated 1.5 million visitors. On 25 March Interpol hosted cyber security experts to analyze the potential threats posed by the event, as part of ‘Project Stadia’, a Qatar-funded security program.
Qatar will also partner with Morocco, which will send a team of cyber security experts to support Qatar’s existing defenses, such as the National Cyber Security Agency (established in 2021). To date the agency has trained 25,000 employees in aspects of information security and has expressed interest in working with global organizations.
Click here to read the full article published by ComputerWeekly.com.
How Cyber Criminals Target Cryptocurrency
The nature of cryptocurrency makes it well suited to cyber criminals. Its perceived anonymity (in practice, pseudonymity on most public blockchains) and the lack of centralized regulation make it both a practical target and a convenient medium of exchange.
Researchers have observed a range of threats, from traditional fraud against individuals to attacks on the organizations that facilitate the storage and transfer of cryptocurrency. The total reported value of cryptocurrency lost to cyber crime in 2021 is put at around $14 billion.
Phishing campaigns that target or make use of cryptocurrency fall into three main categories:
- Credential harvesting – URLs sent to potential victims that lead to fake landing pages designed to mimic popular websites. The page prompts the user to enter login details or a wallet recovery phrase, which ultimately gives the attacker access to the account or wallet.
- Cryptocurrency transfer requests – a more traditional form of cybercrime in which threat actors use social engineering to extract funds from victims. For example, an actor may claim to hold sensitive data about the victim, impersonate a business, or claim to be collecting for charity. Cryptocurrency is the preferred means of payment because of the anonymity it offers the recipient.
- Targeting of cryptocurrency data – malware that steals user data (such as passwords or financial information) has been adapted to target and monitor cryptocurrency activity. This is usually ‘infostealer’ malware that records keystrokes, takes screenshots and searches the file system for sensitive files.
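As an added example for the credential-harvesting category, the Python snippet below is written for this page; it is not Proofpoint’s code and does not reproduce any real campaign. It classifies a URL by how closely its host imitates a protected wallet or exchange domain: an exact or subdomain match, a match only after Cyrillic homoglyphs are folded to their Latin look-alikes, a protected brand embedded in an unrelated hostname (the “brand.com.login-verify.example” trick), or a near-typo of the domain. The allowlist of protected domains, the confusable table and the sample URLs are constructed for the example.

```python
"""Added example (not from the Proofpoint report): classify URLs by whether
their host imitates a protected wallet or exchange domain."""
from urllib.parse import urlsplit

# Constructed allowlist for the example; replace with the organisation's own domains.
PROTECTED = ["examplewallet.com", "exchange-example.net"]

# Small subset of Unicode confusables: Cyrillic letters that render like Latin ones.
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "і": "i", "у": "y"}
LOOKALIKE_MAX_DISTANCE = 2  # edits tolerated before a domain counts as a typosquat


def fold(host):
    """Map confusable characters to their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def edit_distance(a, b):
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Naive registrable domain (last two labels). Real code should use the Public Suffix List."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url, protected=PROTECTED):
    """Return one of: invalid, legitimate, homoglyph, brand-in-hostname, lookalike, unrelated."""
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:
        host = ""
    if not host:
        return "invalid"
    if registrable(host) in protected:
        return "legitimate"             # the real domain or a subdomain of it
    folded = fold(host)
    if registrable(folded) in protected:
        return "homoglyph"              # matches only after confusable folding
    for domain in protected:
        brand = domain.split(".")[0]
        if brand in folded:
            return "brand-in-hostname"  # brand used as a subdomain or label elsewhere
    reg = registrable(folded)
    if any(edit_distance(reg, domain) <= LOOKALIKE_MAX_DISTANCE for domain in protected):
        return "lookalike"              # typosquat such as a dropped or swapped letter
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs; the second begins with U+0435, Cyrillic small letter ie.
    for u in [
        "https://app.examplewallet.com/login",
        "https://\u0435xamplewallet.com/recover",
        "http://examplewallet.com.secure-login.example/",
        "https://examplewalet.com/",
        "https://news.example.org/",
    ]:
        print(classify(u), u)
```

The checks are ordered from most to least specific so that a homoglyph of the exact domain is not mistaken for a mere typosquat. Two limitations matter in practice: the registrable-domain logic takes the last two labels and so mishandles suffixes such as co.uk (use the Public Suffix List), and the edit-distance threshold of two is too generous for very short brand names, where it will match unrelated domains.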
As an industry that I am increasingly interested in, it is important to be aware of the emerging threats from social engineering, exploitation and malware.
Click here to read the full article published by Proofpoint.