Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.

DPC to Facebook: drop data transfers to the US

Our first story has major implications for all companies transferring personal data about EU data subjects to the US. Ireland’s Data Protection Commissioner has ordered Facebook to stop sending European user data to the United States. The move follows the ‘Schrems II’ European Court of Justice ruling that found the Privacy Shield arrangement unlawful. Facebook plans to appeal the decision. Meanwhile the European Data Protection Board has set up two task forces to respond to issues raised by the ruling. Justice Commissioner Didier Reynders recently said he expects “no quick fix” to replace the previous data sharing agreement. 

Commenting for SANS, Brian Honan said: “The core of the issue is that the EU does not believe that US privacy laws and mechanisms are robust enough to protect the privacy rights of EU data subjects against US surveillance laws and abuse of that personal data by US corporates. Privacy comes at a price which for too long has been borne by the individual. This move sends a clear message to governments and companies that they too have a responsibility to protect the privacy of individuals.” This development could also affect data transfers to the UK in the event of a no-deal Brexit, he added. The Irish Independent’s Adrian Weckler has a good op-ed noting the increasingly polarised positions of both sides. Let’s also take a moment to acknowledge the tireless work of Irish Times journalist Karlin Lillington. Her excellent, in-depth coverage of data privacy dates back over 15 years, long before it was mainstream.

You try coming up with a clever headline that has IOCTA in it

Europol’s Internet Organised Crime Threat Analysis [IOCTA] 2020 report gives law enforcement’s perspective on cybercrime developments this year. It found that COVID-19 sparked an increase in cybercrime activity. Top trends this year were ransomware, online financial fraud, and a rise in child exploitation material. The same old social engineering techniques keep cropping up, proving if anything how well they work for criminals. The report said prevention and awareness can guard against cybercrime, but cryptocurrencies and the dark web hinder investigations. 

A new trend this year is SIM swapping, where criminals fraudulently swap a victim’s SIM card for one in the criminal’s possession in order to intercept one-time passwords and bypass two-factor authentication. It’s a comprehensive 64-page report for decision-makers in all organisations. You can download a free PDF of the report here, or watch the report’s launch and discussion of its findings on Europol’s YouTube channel.

Ransomware now a matter of life and death

It’s been coming. As if 2020 couldn’t get any grimmer, there’s news from Germany that a ransomware attack on a hospital caused an IT failure that led to a patient’s death. On September 10th, the University Hospital Düsseldorf (UKD) in Germany suffered a ransomware attack after threat actors compromised its network through a software vulnerability in “a commercial add-on software that is common in the market and used worldwide”. According to Bleeping Computer, it’s believed to be the first case of a death attributable to ransomware, albeit indirectly. The Guardian has since reported that prosecutors have opened a homicide investigation.

There was no concrete ransom demand other than a note addressed to the university. AP reported that Düsseldorf police contacted the perpetrators, explaining that the hospital, not the university, was affected and that patients were being endangered. The perpetrators withdrew their extortion demand and supplied a decryption key for the data but are reportedly no longer reachable. An interesting take from IOCTA 2020 (above), via ZDNet, is that ransomware is one of the most under-reported forms of cyberattack. Despite its high profile as a threat, some victims seem to hope no one finds out they were a target. We’ve just launched a white paper on tackling ransomware, which you can download free at this link.

Links we liked

The most influential security frameworks of all time MORE

Security hubris: why people think they’re safer than they really are [podcast] MORE

Does a red and a blue team together make a purple team? MORE

This useful privacy tool reveals the user-tracking technologies of popular websites. MORE

This investigative piece highlights privacy concerns involving patient DNA data. MORE

What happens to funds after they’ve been stolen in a security breach? MORE

A perspective on cloud risk management from the Cloud Security Alliance MORE

An excellent source of best practice: Cyber Planning for Response and Recovery Study MORE

Budgets at the ready: Gartner’s list of top security projects for 2020/21 MORE

Inside this summer’s Twitter hack, courtesy of Wired MORE

How *not* to run a phishing test, the Chicago way. MORE

Have you signed up to our monthly newsletter? Every month we send out the latest cybersecurity and data protection news, trends and advice from around the globe. Sign up here.