First ‘Heartbleed’ victims announced
It has been confirmed that the Canadian Revenue Agency (CRA) and UK parenting website Mumsnet have been hacked following the release of the ‘Heartbleed’ bug last week. The CRA has said cyber criminals have stolen the social insurance numbers of about 900 taxpayers, with Mumsnet also announcing that users’ data, including passwords and private messages, has been accessed. Whilst the CRA has so far been the only government organisation to shut down online services, American Funds, one of the world’s largest mutual fund providers, has become the first financial institution to warn that its customers may also be at risk. So far only one arrest has been made, of a 19-year-old Canadian on suspicion of hacking into the CRA website.
U.S. retailers share cyber threat data
In the wake of last year’s big attack on Target Corp, U.S. retailers are planning to form an industry group for collecting and sharing intelligence about cyber security. The National Retail Federation announced this week that it will establish an Information Sharing and Analysis Centre for the retail industry in June to foster sharing of security information between the public and private sector. These measures are further to the Department of Justice and Federal Trade Commission’s recent announcement that companies would not breach antitrust laws by sharing information to mitigate or prevent cyber-attacks.
Government launches Cyber Essentials scheme
Supported by the pledge to provide “clarity to organisations on what good cyber security practice is”, the Government has launched its Cyber Essentials scheme setting out the steps to manage cyber risks. Funded by the National Cyber Security Programme, the scheme allows organisations to self-assess their cyber security protections and apply to be assessed and gain a ‘Cyber Essentials’ badge to demonstrate to their clients that they are ‘cyber safe’.
Police forces under threat of cyber attack
A report conducted by Her Majesty’s Inspectorate of Constabulary has found that only three out of 43 police forces in England and Wales have a comprehensive plan to deal with a large-scale cyber-attack. It also found that only 2% of police staff across 37 forces had been trained to investigate cybercrime. The report is the first in a series of inspections looking at how individual forces have responded to cybercrime guidelines issued last year. Further reports and active measures can be expected, given that the police force’s ability to deal with cyber-threats remains “largely absent”, with some senior officers unsure of what even constitutes a large-scale cyber-incident.
German space and aviation centre under cyber-attack
Germany’s Cologne-based aviation and space research centre is the latest victim to suffer a targeted cyber-attack. Spy software and computer viruses were found in the computers operated by researchers and programmers. It is reported that all the centre’s computers were affected, suggesting that the attack was coordinated and systematic with some software designed to self-destruct upon discovery. The German government has taken the incident very seriously as the attack sought to access data relating to products of the defence and space industries. It is not yet known who the hackers are.
EU warns companies against working with U.S. spies
Following the Snowden disclosures, EU data-protection regulators from 28 EU countries have released a warning to companies that they may be in breach of European law by granting U.S. spy agencies access to data. Enforcement action should not be excluded where companies willingly and knowingly cooperate with intelligence services to hand over the data of European citizens. Companies have been warned that they may be acting in breach of European law by doing so. It was however noted that surveillance programmes run by member states will not be subject to EU law on national-security grounds.
New privacy rules target data breaches
Proposals have been made to update Canada’s federal privacy laws, granting enforcement powers to Canada’s privacy commissioner and introducing fines of up to USD 100,000 for businesses that do not report data breaches. The proposed bill would also require businesses to track data breaches, communicate more clearly when gaining consent to collect personal data and facilitate the use and sharing of information amongst organisations. The bill now awaits second reading.