Cyber_Bytes - Issue 56

Published on 01 September 2023

Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.

 No Compelling Evidence That Cyber Insured Victims Pay More

The cyber insurance industry has sometimes received criticism over the perception that policies could encourage victims to make extortion payments following a ransomware incident. However, a recent research paper sponsored by the U.K.’s National Cyber Security Centre and the Research Institute for Sociotechnical Cyber Security has concluded that there is no "compelling evidence" that having policies increase the risks of extortion.

The report determined that there was some evidence that exfiltrated policies could be used as leverage in negotiations to request higher ransom demands. But it determined that the idea that ransomware operators were targeting insured organisations had been overstated. Instead, the report identified that there were three main drivers for the continued success of ransomware attacks:

  1. A profitable business model that continues to evolve with new methods of extorting victims.
  2. Challenges around securing organisations of different sizes.
  3. Low-cost barriers to obtain ransomware tools alongside limited risks due to the low prospect of punishment which fail to disincentivize potential cybercriminals.

The paper also reviewed the British government's current stance on ransomware payments, which outlines that extortion payments should not be paid in any instance. It determined that this approach has not assisted in responding to attacks. The report therefore outlined 9 recommendations to both the insurance industry and the UK government. These include increased oversight, appointing specialist panel firms to assist with breaches and introducing additional ransomware reporting to assist victims in enabling access to law enforcement support.

Further information can be located here and the full report can be found here.

Philipp (Respondent) v Barclays Bank UK PLC (Appellant)

On 12th July 2023, the Supreme Court ruled in favour of Barclays Bank following an ongoing dispute with their customers, Mr and Mrs Philipp, who fell victim to a fraud, after the Bank, on instructions of the customers, transferred two payments totalling £700,000. 

The Supreme Court held that the Bank did not owe a duty under its contract or under common law not to carry out the payment instructions if, as was alleged, the Bank had reasonable grounds for believing that the customers were being defrauded.

This case limits the scope of the Quincecare Duty, which established that banks have obligations to protect customers when the bank is on reasonable inquiry that there may be a risk of fraud. Therefore, the case may have a bearing when Insurers and/or Insured clients are considering a recovery against a bank, following successful payment diversion fraud.

Where a bank customer has been the victim of an authorised push payment fraud and had been deceived into instructing the bank to make a payment to fraudsters, provided the customer's payment instruction had been clear and is given by the customer personally or by an agent acting with apparent authority, the bank is under no duty to make inquiries to clarify or verify such instructions. The bank's duty is to execute the instruction and any refusal or failure to do so would prima facie be a breach of duty.

Click here to read the full judgment.

Windows Defender-Pretender Attack Dismantles Flagship Microsoft EDR

SafeBreach researchers have found a security feature bypass vulnerability in Windows Defender, which they disclosed to Microsoft to patch for the vulnerability in April 2023, that allowed threat actors to hijack the antivirus software, hijack the signature-update process and to obtain access, delete benign files and cause disruption.

The research goal was to verify 3 concerns:

  1. whether the update process could be used to import known malware into systems that the software is designed to protect; and
  2. whether Windows Defender could be made to delete signatures of known threats; and
  3. deleting benign files and triggering a denial-of-service condition on a compromised system

The researchers were able to achieve all three objectives. The research was inspired by Flame Cyberespionage Campaign that targeted organisations in the Middle East in 2012.

Based on the potential for signature update processes to be exploited as a new attack vector, SafeBreach says that more research is needed to ensure the security of this process. Safebreach also outlined that this vulnerability reflects the serious risks involved in data protection and how even the most reliable security tools can be used as loopholes.

Click here to read the full Dark Reading article.

Ransomware Attack Hits Japan’s Biggest Port, Disrupting Cargo Shipments  

A recent ransomware attack caused a container terminal at the Port of Nagoya in Aichi Prefecture to suffer an outage that lasted from the morning of Tuesday 4 July to the morning of Thursday 6 July.

Nagoya port authority claimed that ransomware group Lockbit 3.0 was responsible for the hack.  It is one of the several ports to be recently targeted globally, alongside Portugal's Port of Lisbon and Jawaharlal Nehru Port Trust in India in 2022. These attacks pose increased risks for the ports due to more ports moving towards automated data systems creating new potential vulnerabilities for hacking organisations to exploit.

Click here to read more from the insurance journal.

GDPR fine calculation: A look at the EDPB's new guidelines and the UK's approach

New guidelines seek to harmonise the methods of calculating administrative fines adopted across EU Member States.

Five key steps have been introduced for authorities to consider before imposing an administrative fine for breach of the GDPR: 

  1. identify the processing operations in the case and evaluate the application of Art 83(3) GDPR (intentional or negligent infringement of several provisions in the GDPR;)
  2. identify the starting point for further clarification of the fine by evaluating the classification of the infringement in the GDPR, considering the seriousness of the infringement, the circumstances of the case and evaluating the turnover of the undertaking; 
  3. evaluate the aggravating and mitigating circumstances related to past or present behaviour of the controller/processor;
  4. identify the relevant legal maximums for the different infringements – increases applied on the previous or next steps cannot exceed this maximum;
  5. analyse whether the calculated final amount meets the requirements of effectiveness, dissuasiveness, and proportionality.

To summarise the principles involved:

  • The calculation of the amount of the fine is at the discretion of the supervisory authority, subject to the GDPR
  • The GDPR requires that the amount of the fine shall in each individual case be effective, proportionate, and dissuasive (Article 83(1) GDPR).
  • When setting the amount of the fine, supervisory authorities shall consider a list of circumstances that refer to features of the infringement or of the character of the perpetrator in accordance with Article 83(2) GDPR.
  • The amount of the fine shall not exceed the maximum amounts provided for in Articles 83(4) (5) and (6) GDPR.
  • The quantification of the amount of the fine is therefore based on a specific evaluation carried out in each case, within the parameters provided for by the GDPR.

These steps are under continuous review and may be subject to change in the future. 

Click here to see the breakdown published by iapp and full guidelines here.


New Legal Framework for EU-US Data Privacy Rules

On 10 July 2023, the European Commission issued its adequacy decision for the EU-US Data Privacy Framework. The decision determines that the US now ensures an adequate level of data protection, comparable to that of the EU. This decision will enable companies participating in the framework to transfer data from the EU to the US without requiring additional safeguards or risking GDPR enforcement.

Previously the EU and US had a Privacy Shield agreement in place, which had allowed businesses to freely share data. However, this had changed following the Schrems II ruling which invalidated the Privacy Shield by determining that the level of access allowed by US surveillance programmes were not permitted under EU law. Following this ruling, on 7 October 2022 President Biden signed an executive order introducing enhanced safeguards for the US, limiting data access so that it is only when necessary and proportionate to resolve the issues previous raised in the Schrems II ruling and paving way for the adequacy decision.

There is some potential for this adequacy decision to be challenged, with criticisms arising over how US organisations may interpret the "proportionate" requirements. It is therefore possible that the CJEU may consider a further decision on the new framework. However, until a further ruling is made, EU and US organisations can continue to rely on the framework to transfer data.

As the UK does not fall under this framework, businesses transferring data to the US from the UK will need to continue to rely on other transfer mechanisms. However, the UK government is currently working on its own adequacy decision for the US announcing in June an intention to establish a 'data bridge'.

Further information from the Law Society Gazette can be located here.

Data Breach for Norfolk and Suffolk Police

The Norfolk and Suffolk police have issued apologies following the accidental publication of 1,230 victims of abuse. This accidental publication occurred when this information was included in a Freedom of Information response as a result of a technical issue.

The published data included personal data relating to the victims, witnesses and suspects along with descriptions of the offences investigated. The police have confirmed that immediate steps were taken to remove the data and they have subsequently contacted all impacted parties to inform them of the breach. The ICO has confirmed that the breach is under investigation and have stressed how significant it is for organisations to ensure that robust measures are in place to protect data, especially where an organisation holds sensitive data.

This is the second time in the past year the Suffolk police has been involved in a personal data breach. The previous breach occurred back in November 2022 when the personal details of sexual abuse victims briefly appeared on their website. Norfolk's chief constable has confirmed that they have updated their processes to prevent future similar breaches but acknowledges that the breach may impact people's trust in their organisation. 

Further information can be located here.

Stay connected and subscribe to our latest insights and views 

Subscribe Here