Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
There’s breach response … and there’s M&S breach response
Breach response is in the spotlight, with two recent cases showing the best and worst examples of the genre. After reporting a “cyber incident” on 25 April, the UK retailer Marks & Spencer announced it was suspending online orders and contactless payments. It also sent 200 employees home from a major logistics hub as it dealt with the aftermath of the attack. Disruption to M&S’ online systems looks set to continue until mid-July, the BBC reported. The company also disclosed that customer data was stolen during the breach. But the company emerged with credit for its transparency and communication as the incident unfolded. “Marks & Spencer have to be commended in their proactive way of keeping their customers and the public aware of the impact of this attack,” wrote Brian Honan in the SANS newsletter. He said many organisations should use M&S’ public response to the breach as a template for how they should communicate if they experienced a cyberattack.
Contrast that with Oracle’s response to a recent breach, which drew widespread criticism within industry circles. As reports emerged that more than 6 million records had been removed from Oracle Cloud customer environments, the company initially denied it had happened. True to form, The Register offered a very snarky “translation” of the company’s letter to customers. Security Magazine put Oracle’s actions into context: “Oracle’s initial denial delayed the ability of impacted organisations to rotate keys, isolate affected systems or notify internal stakeholders. In many cases, those actions rely on one thing: confirmation that there is a threat to act on. This isn’t about blaming vendors for being targeted. It’s about how we show up when we are. Cyber resilience is no longer measured solely by how well you prevent incidents but by how transparently and responsibly you respond when they occur.”
Brian Honan honoured with tech industry lifetime achievement award
BH Consulting founder and CEO Brian Honan received the Lifetime Achievement Award at the Tech Excellence Awards, held at the Royal Marine Hotel in Dún Laoghaire on 22 May. The award honours an individual’s contributions throughout their entire career, and Brian’s impact on the industry has been nothing short of exceptional.
EU launches new security bug database with CVE future cloudy
ENISA’s European Vulnerability Database (EUVD) is a centralised platform intended to enhance digital security across the EU. Developed under the NIS2 Directive, the EUVD aggregates “reliable and actionable” information on cybersecurity vulnerabilities affecting ICT products and services. It provides details such as mitigation measures and exploitation status, facilitating better risk management for public and private sector stakeholders. It’s free to access from the EU cybersecurity agency’s website. The database collects and references vulnerability information from open-source databases, advisories and alerts issued by national Computer Security Incident Response Teams (CSIRTs), along with mitigation and patching guidelines published by vendors. It offers three dashboard views: critical vulnerabilities, exploited ones, and EU-coordinated vulnerabilities, aiding in the analysis and correlation of threats.
Security Week’s coverage polled security professionals who broadly welcomed the project but questioned whether it was duplicating the work of others. Computer Weekly’s report of the launch noted the timing, given recent uncertainty around the MITRE CVE programme, which almost had its US Government funding cut in April. A last-minute reprieve prevented the loss of a widely used resource within the cybersecurity industry, one that logs thousands of security bugs discovered every year. Others, like The Register, speculated that the “uncertainty around the CVE programme is set to push the European effort into the spotlight as a replacement, fallback, or alternative”.
Data protection and privacy roundup: regulations old and new, plus guidelines galore
The European Data Protection Supervisor’s (EDPS) annual report highlights its new AI Strategy and preparations for responsibilities under the AI Act, including setting up an AI Unit and Correspondents Network. Separately, the European Data Protection Board (EDPB) and EDPS jointly supported proposed GDPR amendments to ease record-keeping duties for small mid-cap companies and non-profits, provided their data processing poses minimal risk.
The EDPS has also issued new guidance to EU legislators, stressing the need for clear and legally sound provisions in laws involving personal data, in line with fundamental rights and GDPR standards.
In a landmark ruling, a Brussels court declared the Transparency and Consent Framework (TCF), used in online advertising by major tech companies, is incompatible with the GDPR. The court emphasised that TCF’s consent mechanisms lack transparency and that the TC String constitutes personal data when linked with other identifiers. Campaigners have called this a major win for privacy rights.
Lastly, the Irish Government published guidelines for public sector bodies on responsible use of AI, mandating Data Protection Impact Assessments and human oversight in AI decision-making.
On-Demand Data Protection Expertise
Many organisations need to appoint a full-time independent data protection officer (DPO) to meet their GDPR obligations. But it’s the classic Catch-22: that individual needs to have broad experience and expertise, and those qualities are difficult and expensive to recruit and retain. Many groups struggle to fill the post from in-house resources. An outsourced DPO from BH Consulting offers subject matter expertise, provided on demand so it’s cost-effective and tailored to your needs. Talk to us today.
