Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.

Target the human, swipe the cash: Verizon DBIR 2023 highlights crime trends

Manage the human risk and mind your money: those are two key takeaways from Verizon’s 2023 Data Breach Investigations Report. Almost three-quarters of breaches (74 per cent) involve the human element, whether through error, social engineering, stolen credentials or misuse of privileges. And 95 per cent of breaches are financially motivated, the report found. Half of all social engineering attacks involve ‘pretexting’, where criminals fabricate a story to trick the victim. Verizon said this could be why business email compromise attacks (which are essentially pretexting) have almost doubled compared with last year. Dark Reading led with this angle, drawing the connection between social engineering and the high incidence of human involvement.

Ransomware didn’t actually grow year on year; it held steady at 24 per cent of breaches. SecurityWeek’s report focused on the rising cost of recovering from a ransomware incident even as ransom amounts themselves are lower. Verizon believes this suggests that smaller companies now make up a higher proportion of ransomware victims than before. SC Magazine noted Verizon’s finding that DDoS attacks are getting worse.

The DBIR is now in its 16th year and is one of the most widely respected reports in the security community. Verizon points out that cybercrime risk crosses all sectors regardless of industry vertical, but it provides 10 sectoral snapshots to help readers understand the threats in more depth. The report draws on analysis of 16,312 security incidents, of which 5,199 were confirmed breaches. Verizon has a preview page with links to download the full report or the executive summary, all free of charge.

Finance fraud and phishing scams increase in Ireland, too

Financial fraud and scams in Ireland have risen by 560 per cent in three years. Phishing frauds involving email, text messages and video were up by 417 per cent in the same period. The figures come from An Garda Siochana, the Irish police force, and were supplied to the Irish Government via the Department of Justice. It said the criminals often take over victims’ accounts and empty them of funds. The Irish Independent’s story about the data connects the staggering increase in fraud with the growth in online banking since the start of the Covid-19 pandemic. The story also tracks a big increase in investment fraud, romance fraud and online auction scams since 2019.

In a related development, the Central Bank of Ireland has warned the public about companies offering loans and investments in Ireland despite not being authorised to do so. Meanwhile, WithSecure has produced a detailed analysis of the cybercrime underground, with good insights into how it has evolved and professionalised over recent years. And as this newsletter went into production, the cl0p ransomware gang confirmed it had exploited a flaw in the MOVEit file transfer software to access victims’ data. Many well-known names, including Aer Lingus and British Airways, have been caught up in this: not as direct victims but as customers of affected companies. Experts are warning of a possible wave of extortion attempts following the mass hack.

When is a cybersecurity incident a GDPR data breach?

An emerging legal case could help establish whether a ransomware attack counts as a data breach under the GDPR. The ransomware incident the HSE suffered in 2021 led to the personal data of close to 100,000 people being compromised. The Irish Times reports that up to 100 people are suing the Health Service Executive for damages. It said it is unclear whether the HSE is liable to pay compensation for alleged “non-material damage” arising from the event. A Dublin Circuit Court judge imposed a stay preventing one claim against the HSE from proceeding until the Court of Justice of the European Union (CJEU) decides nine cases referred to it by EU member states concerning liability and damages for such attacks. All 100 cases are likely to stay on hold pending the CJEU decision.

Writing in the SANS newsletter, BH Consulting CEO Brian Honan noted that “the EU GDPR now enables data subjects who have been negatively impacted by a data breach to sue for damages resulting from a data breach caused by the data controller not taking reasonable measures to prevent that data breach, without the burden being placed on the data subject to prove a direct cost to them. The EU GDPR is also one of the first regulations within the EU that supports class action type lawsuits. So while many of the headlines around GDPR focused on the fines companies could face for breaching GDPR, this is another part of the regulation that companies need to be aware of.”

In other privacy news, the Irish Council for Civil Liberties has criticised the failure to enforce GDPR against big technology firms. Calling it a “crisis point”, the group alleged that 63 per cent of enforcement measures amounted to reprimands. Dr Johnny Ryan, senior fellow at ICCL and author of the report, said the lack of action exposes people to “serious digital hazards: discrimination, manipulation, information distortion, and invasive AI”.

Links we liked

Behind the scenes of the investigation into a major supply chain attack. MORE

Have you ever experienced post-breach stress syndrome? MORE

As DDoS attacks rise, IEEE Spectrum covers the early years of the Mirai botnet. MORE

SANS Institute lists the top five most dangerous attacks in 2023. MORE

UK NCSC calls on the cyber insurance market to become more sophisticated. MORE

An extensive interview with the man who writes the EU’s cybersecurity laws. MORE

Google’s resource aims to educate boards of directors about cybersecurity risk. MORE

This free PDF guides you in choosing tools for cloud security and compliance. MORE

Security leader Mark Hillick has written a book about digital safety for parents. MORE
