Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
Virtual shock, real-world consequences
Long warned about, and now tragically come true: a fatality has been directly linked to a cybersecurity incident. The UK NHS determined that a ransomware infection at Synnovis, a pathology service provider, contributed to a patient’s death. The BBC reported that: “King’s College Hospital NHS Foundation Trust confirmed that one patient had ‘died unexpectedly’ during the cyber attack on 3 June 2024, which disrupted more than 10,000 appointments.” A long wait for a blood test was one of the factors that led to the patient’s death, an NHS spokesperson told The Register. Claims Journal said the breach “triggered a major crisis at health-care providers”, predominantly in southeast London. Ironically, weeks before that, The Lancet warned that cybersecurity in healthcare hasn’t advanced as quickly as other industries. It described the impact of cyber incidents as “overlooked and under-reported” in terms of safety and security concerns.
BBC journalist Joe Tidy contacted the Qilin group responsible for the Synnovis ransomware incident and was met with “no comment”, which, ironically, says a lot about what they think of their actions. BH Consulting CEO Brian Honan called it “a stark reminder that cyber criminals have no morals and only care about money”. Writing in the SANS newsletter, he said it was “well beyond time” to consider ransomware “a major societal threat”. He called for the necessary government agencies to be given the resources, laws, and support to deal with ransomware appropriately.
The Business Post [paywall] has an in-depth profile of Jacky Fox, who was tasked with coordinating the national response to the ransomware that hit the Health Service Executive in 2021. Staying with ransomware, nearly 30 per cent of Irish-based businesses were forced to pay a ransom to cybercriminals in 2024. The finding comes from a survey of 200 businesses in Ireland by the IT services company Expleo. Ransom payments among larger companies averaged €683,000. One-fifth said they hold €2.7 million in reserve in case of future incidents.
Dr Valerie Lyons appointed to CeADAR
BH Consulting Chief Operations Officer Dr Valerie Lyons has been appointed to the Industry Board of CeADAR, Ireland’s national centre for artificial intelligence. CeADAR plays a critical role in driving responsible, cutting-edge AI innovation in Ireland and beyond. Dr Lyons will lead the board’s focus on trustworthy AI, digital ethics, and human-centric innovation. Dr Lyons also features in the upcoming Women in Security documentary (trailer here), which had its official premiere on 17th of July in the USA.
Microsoft makes changes to Windows kernel to boost security
In response to the July 2024 CrowdStrike incident that disrupted 8.5 million Windows devices, Microsoft has launched the Windows Resiliency Initiative (WRI). In a blog announcing the move, Microsoft described it as “designed to make all digital environments touched by Microsoft products more secure and resilient”. It focuses on preventing, managing, and recovering from security incidents. A key component is the Quick Machine Recovery feature, enabling remote remediation of non-booting devices via the Windows Recovery Environment.
Microsoft is also collaborating with multiple cybersecurity vendors, including CrowdStrike, Bitdefender, ESET, and Trend Micro, to move antivirus and endpoint detection applications out of the Windows kernel. This shift aims to reduce the risks associated with kernel-level access, which contributed to the CrowdStrike issue. Wide industry input is intended to ensure compatibility and effectiveness for the initiative, and to make the Windows ecosystem more resilient. The change also applies to video game makers, and is intended as a long-term process rather than a short-term fix, Risky Business reported.
Data protection and privacy roundup: investigations, appeals, access and AI
The Data Protection Commission (DPC) has launched a second investigation into TikTok Technology Limited over the transfer of European user data to China. The probe follows TikTok’s admission in April that some data from users in the European Economic Area (EEA) had been stored on Chinese servers, contradicting earlier assurances. TikTok is appealing a record €530 million DPC fine over alleged unauthorised data transfers. The judicial review places enforcement of the fine on hold, and a full hearing is scheduled for October.
The DPC has also published guidance on potential risks in the development and use of AI and large language models. It outlines 12 key privacy considerations for organisations building or deploying AI systems using personal data. Meanwhile Meta said it won’t sign up to the voluntary code of practice for the EU AI Act, claiming Europe is “heading down the wrong path”. In a move likely to catch the attention of privacy campaigners, Google has quietly begun allowing its Gemini AI to access other apps on a person’s Android device. That includes encrypted messaging tools like WhatsApp. The good news is, it’s possible to disable this feature.
Elsewhere, privacy groups are increasingly invoking the EU’s Collective Redress Directive to launch class actions against companies like Meta, Microsoft, and TikTok. Politico reported that this could lead to a wave of such suits against tech giants. In a separate ruling, the EU’s General Court upheld the right of individuals to access documents used by the European Data Protection Board (EDPB) in binding decisions (Ballmann v EDPB), reinforcing transparency in GDPR complaint procedures.
