Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
DPC to Facebook: drop data transfers to the US
Our first story has major implications for all companies transferring personal data about EU data subjects to the US. Ireland’s Data Protection Commissioner has ordered Facebook to stop sending European user data to the United States. The move follows the ‘Schrems II’ European Court of Justice ruling that found the Privacy Shield arrangement unlawful. Facebook plans to appeal the decision. Meanwhile the European Data Protection Board has set up two task forces to respond to issues raised by the ruling. Justice Commissioner Didier Reynders recently said he expects “no quick fix” to replace the previous data sharing agreement.
Commenting for SANS, Brian Honan said: “The core of the issue is that the EU does not believe that US privacy laws and mechanisms are robust enough to protect the privacy rights of EU data subjects against US surveillance laws and abuse of that personal data by US corporates. Privacy comes at a price which for too long has been borne by the individual. This move sends a clear message to governments and companies that they too have a responsibility to protect the privacy of individuals.” This development could also affect data transfers to the UK in the event of a no-deal Brexit, he added. The Irish Independent’s Adrian Weckler has a good op-ed noting the increasingly polarised positions of both sides. Let’s also take a moment to acknowledge the tireless work of Irish Times journalist Karlin Lillington. Her excellent, in-depth coverage of data privacy dates back over 15 years, long before it was mainstream.
You try coming up with a clever headline that has IOCTA in it
Europol’s Internet Organised Crime Threat Analysis [IOCTA] 2020 report gives law enforcement’s perspective on cybercrime developments this year. It found that COVID-19 sparked an increase in cybercrime activity. Top trends this year were ransomware, online financial fraud, and a rise in child exploitation material. The same old social engineering techniques keep cropping up, proving if anything how well they work for criminals. The report said prevention and awareness can guard against cybercrime, but cryptocurrencies and the dark web hinder investigations.
A new trend this year is SIM swapping, where criminals fraudulently have a victim’s phone number transferred to a SIM card in the criminal’s possession, allowing them to intercept one-time passwords sent by SMS and bypass two-factor authentication. It’s a comprehensive 64-page report for decision-makers in all organisations. You can download a free PDF of the report here, or watch the report’s launch and discussion of its findings at Europol’s YouTube channel.
Ransomware now a matter of life and death
It’s been coming. As if 2020 couldn’t get any grimmer, there’s news from Germany that a ransomware attack on a hospital caused an IT failure that led to a patient’s death. On September 10th, the University Hospital Düsseldorf (UKD) in Germany suffered a ransomware attack after threat actors compromised its network through a software vulnerability in “a commercial add-on software that is common in the market and used worldwide”. According to Bleeping Computer, it’s believed to be the first case of a death attributable to ransomware, albeit indirectly. The Guardian has since reported that prosecutors have opened a homicide investigation.
There was no concrete ransom demand other than a note addressed to the university. AP reported that Düsseldorf police contacted the perpetrators, explaining that the hospital, not the university, was affected, endangering patients. The perpetrators withdrew their extortion demand and supplied a decryption key for the data but are reportedly no longer reachable. An interesting take from IOCTA 2020 (above), via ZDNet, is that ransomware is one of the most under-reported forms of cyberattack. Despite its high profile as a threat, some victims seem to hope no-one finds out they were a target. We’ve just launched a white paper on tackling ransomware, which you can download free at this link.