We can’t let August slip by without reflecting on the accusation that the former President of the United States misappropriated secure data for personal gain. If classified government documents are not safe from the most senior of employees, is it that much of a stretch to think that your own employees could be the perpetrators of a data breach, intended or otherwise? Trust, training and culture can go a long way, but additional safeguards such as user policies and tracking of high-priority activities can also help.
August saw 97 million data records breached, and was also a month where incidents involving disgruntled employees shot up, aside from potential Presidential breaches.
LastPass suffers a breach
Password security provider LastPass announced in August that it had suffered a breach, with hackers stealing proprietary software from the brand. Despite holding millions of passwords safe on behalf of users, LastPass is at this stage confident that its client data has not been affected.
Paperwork piles up in the NHS after supplier suffers breach
At the beginning of August it was confirmed that Advanced, one of the major suppliers of IT and digital services to the NHS, had suffered a breach, affecting the NHS 111 service. It was later reported that the incident was in fact a cyberattack and that it would take several weeks before systems were fully operational. At the end of August, a number of doctors highlighted the additional hidden costs of the breach, pointing to the reality that it could take months to clear the backlog of transcribing paper documents, after many had to turn back to pen and paper due to system outages.
Gloucester voters back on the register, 8 months later
In December 2021, Gloucester City Council suffered a significant breach that took many of its client-facing services offline. In August, nearly nine months after they originally suffered the breach, postal voters in the county were asked to re-enrol. It transpires that the electoral register was recovered, but the information pertaining to postal voting was lost.
Phone providers urge security updates
In August, first Google and then Apple recommended urgency in applying updates, to maximise protection against known security threats.
Google’s update flagged 37 vulnerabilities, including one critical security vulnerability. The major flaw could lead to remote code execution via Bluetooth with no additional execution privileges required, while some of the other flaws put sensitive personal information at risk.
Apple’s update to iOS 15.6.1 came as they identified major flaws in devices that could enable, and may already have enabled, hackers to breach information. Left unsecured, these flaws could potentially see hackers take complete control of users’ phones, tablets and computers.
Microsoft releases Cyber Signals report
The Microsoft Cyber Signals report draws together insights from Microsoft’s 43 trillion security signals and 8,500 security experts. Their latest report highlights the growing trend of RaaS (Ransomware-as-a-Service), whereby threat actors exploit known security flaws using pre-designed software. The key threat identified is that, with an ever-increasing number of credentials compromised through attacks, businesses are at risk of secondary attacks if they are not making use of basic security features such as multi-factor authentication. In figures, it means that 80% of ransomware attacks exploit known configuration errors, and in one year, Microsoft identified 531,000 unique phishing URLs being distributed via email.
UK Parliament closes TikTok account
Following concerns that data from TikTok may be passing to the Chinese government, MPs proposed that the UK government should remove its account from the platform. It was subsequently taken offline and will remain so until the government receives assurances that data is not passing from the Chinese parent company to the Chinese government.
Hackers dump data after breaching water company
On 15 August, South Staffordshire Water announced that it had been the victim of a cyberattack, leading to disruptions across its network. The attack impacted operations but did not affect the company’s ability to supply water. It was further exacerbated by the hackers dumping sensitive employee data such as passport numbers and passwords.
Lloyd’s of London withdraws cover for nation-state sponsored cyber attacks
Lloyd’s of London has instructed its members to exclude nation-state cyber attacks from insurance policies next year, highlighting that they pose an unacceptable level of risk. It comes as the National Cyber Security Centre also highlights the risk, issuing updated guidance to infrastructure operators on how to defend their systems. Lloyd’s believes that the risk and scale of the threat make it larger than the insurance market can feasibly absorb, resulting in the update to policies.