NEWS
In brief
SEC observations

The US Securities and Exchange Commission (SEC) has issued a report detailing how organisations in the finance sector are currently tackling cyber security threats. These are not being presented as ‘best practice’ per se, but it’s hoped that by showing the range of strategies that organisations have adopted, firms in this sector will be able to benefit from the experience of others. ‘Cyber security and Resiliency Observations’, produced by the SEC’s Office of Compliance Inspections (OCIE), is the result of studying broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants. The most effective risk management and governance measures it found were: senior level engagement; risk assessment; policies and procedures; testing and monitoring; continuous evaluation and adaptation to change; and communication. And in terms of solutions, the report studies: access rights and controls; data loss prevention; mobile security; incident response and resiliency; vendor management; and training and awareness. The report is here: http://bit.ly/2OvfvAf.

WeLeakInfo takedown

A website that was selling access to billions of stolen personal records has been taken down by law enforcement in the US. The WeLeakInfo site purported to be a legitimate data breach notification service, much like HaveIBeenPwnd, where people can check to see if their data is included in breached records. Users could sign up for a subscription service, billed weekly, monthly or quarterly, which gave them access to around 12 billion records. These typically included names, email addresses, usernames, phone numbers and passwords for online accounts. Of course, the site was actually used by criminals looking for accounts to exploit. The FBI and US Department of Justice – working with the Netherlands police, the UK’s National Crime Agency and Germany’s Bundeskriminalamt – seized the site’s domain name and took it offline. At the same time, Dutch police arrested a man in Arnhem and another man was taken into custody in Northern Ireland. There’s more information here: http://bit.ly/31sCOjo.

WEF worried about cyber

The annual ‘Global Risks Report’ from the World Economic Forum (WEF) once again puts cyberthreats in the top 10 worries for politicians, economists and business leaders. While climate change is naturally seen as the most pressing concern, the fact that cyber attacks make it into the top 10 threats both in terms of likelihood and impact indicates how these issues are now firmly in the consciousness of those at the top of organisations. Data theft and fraud also made the top 10 for likelihood, though not impact – possibly because they don’t relate directly to areas such as critical national infrastructure. The report is here: http://bit.ly/31u0cwV.

Fraud tops £1bn

KPMG’s Fraud Barometer, which records fraud cases of more than £100,000 reaching UK Courts, reported a total of £1.1bn of alleged fraud in 2019, the sixth-largest value recorded in the report’s 33-year history. This is the result of a mix of sophisticated cybercrime combined with what the firm calls “traditional old school frauds”. Insider fraud against businesses doubled when compared to 2018, reaching £46m. Tech-enabled frauds, which featured heavily in the first six months and continued to drive fraud levels in court for the rest of the year, included a number of large cross-border scams involving criminal gangs in multiple countries. Over £192m of alleged fraud against businesses involving traditional embezzlement against employers, manipulating accounts or abuse of position appeared in UK Courts in 2019 compared to £109m in 2018. Alleged fraud cases against the public were also up, from £40m in 2018 to £63.8m, although the number of cases decreased (79 in 2018 to 67 in 2019). The report is here: http://bit.ly/2txCAe8.

Facebook crime rises

Crimes that have some kind of link to Facebook have risen by 19% in the past year, according to figures published by The Daily Telegraph. The newspaper used Freedom of Information (FOI) requests to obtain data from 20 UK police forces. The information included 32,451 crimes reported to the police that related to Facebook activity. However, as fewer than half of the UK’s police forces provided responses, the real figure is certain to be much higher. Among the crimes involved were malicious communication, offensive messages, harassment and sexual offences, including ‘engaging in sexual activity with a child’. According to The Daily Telegraph, the UK Government is planning to respond to this issue by introducing a new code of conduct for social media platforms under which they will be required to protect children from viewing any content deemed to be “detrimental to their physical or mental health or wellbeing”. This will supersede the current code of conduct that was introduced in 2017 and updated in April 2019. The new rules, says the newspaper, will have more teeth because they come with the threat of extremely heavy fines. There’s more information here: http://bit.ly/3bfpGma.

Malware contests

For some time now, underground forums frequented by malware authors and cyber criminals have been running competitions where contestants can win prizes for novel forms of malware or attack methods. However, now it seems these contests are becoming more serious and are offering ever-bigger rewards. According to a report by Digital Shadows, the XSS forum (formerly Damagelabs but relaunched in 2018) is currently offering a prize pot of $15,000 to entrants who submit articles with proof-of-concept videos or original code for new attacks. “Since its relaunch as XSS, the former Damagelabs has organised three article competitions, all with four- or five-figure prize funds,” the report says. The report is here: http://bit.ly/3bg7Orj.

GDPR fines

Since the General Data Protection Regulation (GDPR) was introduced in May 2018, EU regulators have levied around €114m in fines, although much bigger levels of penalties are expected in the future. More than 160,000 infringements have been reported across the EU, as well as European Economic Area members Norway, Iceland and Liechtenstein. France, Germany and Austria have led the field in terms of handing out the biggest fines, with the French regulator hitting Google with a €50m penalty for failing to meet transparency standards and not obtaining proper consent from users for exploitation of their data. The Netherlands had the most offenders, numbering 40,647 reported breaches, with Germany coming second at 37,636 notifications and the UK third with 22,181. The total value of fines does not include the £183m that the UK’s Information Commissioner’s Office has said it will impose on British Airways after the company suffered a breach that compromised 500,000 customer records. Nor does it include the £99m fine of hotel chain Marriott.

NHS ransomware attacks

National Health Service (NHS) organisations in the UK have suffered 209 successful ransomware attacks since 2014, according to data obtained by research firm Comparitech under a Freedom of Information request. The good news is that only six of those attacks have occurred since the NHS was heavily impacted by the WannaCry outbreak in 2017. This suggests that NHS organisations have taken effective steps to prevent or limit such attacks, although of the 254 NHS Trusts contacted, only 184 (80%) responded, which could indicate that there are as-yet unrevealed incidents. Where attacks did occur, they caused an average downtime of 206 days, which represents a heavy impact. None of the organisations reported paying ransoms. Following the WannaCry campaign, NHS trusts were encouraged to achieve Cyber Essentials Plus accreditation, IBM developed a Cyber Security Operations Centre to monitor and respond to threats, and a new agreement with Microsoft resulted in many organisations running more up-to-date versions of Windows. The report is here: http://bit.ly/2GZYFFy.
5
February 2020 Computer Fraud & Security