Cyber_Bytes Issue 65

Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.

ICO to investigate 23andMe data breach with Canadian counterpart

The Information Commissioner's Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) have launched a joint investigation into the data breach that occurred in October 2023 at the global direct-to-consumer genetic testing company 23andMe. 23andMe processed highly sensitive personal information, including genetic data that remains unchanged over time and reveals details about individuals and their families, such as health, ethnicity, and biological relationships. Last year the company experienced a data breach where this sensitive personal data was stolen by threat actors and made available online. The joint investigation will assess the scope of information exposed by the breach and the potential harm to affected individuals. It will also determine whether 23andMe had sufficient safeguards in place to protect personal data and whether the company provided proper notification about the breach to the regulators and affected individuals.

Click here to read more from the ICO.

Downturn in percentage of companies paying cyber ransoms 

A new report by insurance and risk management company Marsh has highlighted that 23% of clients affected by a cyber extortion event in 2023 paid the ransom, out of a (rising) total of 282 events, according to Marsh's report.

The report, which analysed over 1,800 cyber claims submitted to Marsh in the U.S. and Canada last year, revealed a significant increase in the median payment for ransomware. While fewer payors were recorded, the median payment rose to $6.5 million in 2023 from $335,000 in 2022, and the median demand increased to $20 million from $1.4 million.

In 2023, 21% of Marsh clients with a cyber policy reported an incident. The healthcare and communications sectors experienced the highest number of claims annually. Although ransomware accounted for less than 20% of reported claims, it remains a primary concern due to its frequency, sophistication, and potential severity.

The report recommends companies develop a "cyber resilience strategy" that considers the enterprise-wide economic and operational impact of cyber risks. Meredith Schnur, cyber practice leader at Marsh, U.S. and Canada, emphasised the importance of clients adopting a proactive approach to safeguard themselves.

Click here to read the Marsh report. Click here to read the accompanying press release.

Further developments in Snowflake data breach

Hundreds of customers of Snowflake Inc, a popular US-based cloud data platform, have recently reported suffering a data breach. Cyber criminals allegedly used stolen log-in credentials obtained via infostealer malware to illegally access companies' accounts, with hundreds of Snowflake customers' passwords reportedly found online.

As an unfolding incident, the full extent of the breach is still being investigated. However, it is estimated that hundreds of millions of records have been exfiltrated, including data from major companies like Ticketmaster, with details of over 550 million customers being exposed. The threat actor behind the attack claims to have accessed data from around 400 organisations. A report by Mandiant, a cybersecurity organisation, suggests that these credentials were "primarily obtained from multiple infostealer malware campaigns that infected non-Snowflake owned systems".

A statement released by Snowflake has clarified that it has “not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration or breach of Snowflake’s platform", and there is no "identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel".

“This appears to be a targeted campaign directed at users with single-factor authentication. As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware.”

Click here to read the Mandiant report.

Lloyd's of London issues bulletin to update cyber coverage risk requirements

Lloyd's of London has issued bulletin Y5433 to update cyber risk underwriting requirements in relation to state-backed cyber-attacks. This follows the controversial Y5381 bulletin from August 2022, which first mandated the use of cyber-specific war exclusion clauses in cyber policies written in the Lloyd's market.

The bulletin explains further steps being taken by Lloyd's to limit the use of cyber-specific war risk exclusion clauses which do not comply with the requirements in the original Y5381 bulletin. In particular, non-compliant exclusions for which there has been no dispensation issued by Lloyd's are forbidden from 1 July 2024. Where dispensations have been granted, these will not be renewed on expiry and no new dispensations will be granted.

The Y5433 bulletin also indicates that one of the narrower types of exclusion previously categorised previously as being compliant (or at least outside of the expressly non-compliant category) will now be phased out. This 'Type 4' variant of the exclusion contained a carve back for losses suffered as a result of cyber operations carried out as part of war where the affected systems were situated outside of the warring states. This is now stated to be outside of Lloyd's risk appetite and will be phased out by policies incepting on 1 January 2025.

Despite the variable reaction to the initial Y5381 bulletin, this more recent bulletin reinforces the approach of insisting on robust exclusions meeting original requirements. This might well be due in part to the deterioration in the global geopolitical landscape since the original bulletin.

Click here to read Market Bulletin Y5433.

FRA publishes report outlining issues, best practices, and suggested solutions on EU data protection enforcement 

The European Union Agency for Fundamental Rights (FRA) has announced the publication of its report "GDPR in practice - Experiences of data protection authorities," based on interviews with representatives from data protection authorities in 27 EU Member States.

The report highlights several issues undermining EU data protection enforcement:

• a lack of resources, funding and staff which prevent authorities from fully carrying out their mandates, made more difficult by increased workloads generated from new laws such as the EU Artificial Intelligence Act (the AI Act);
• a need for more tools to reinforce data protection authority's supervisory capacity, including the ability to conduct undercover investigations or the possibility of fining organisations that refuse to cooperate;
• a need for more guidance and exchange of best practices for data protection authorities that often need to prioritise complaint handling over other tasks;
• EU countries and their public institutions should systematically consult the data protection authorities and seek their advice in advance of new legislation - currently, data protection authorities are often not consulted on new legislation or are given tight deadlines;
• a lack of awareness among individuals regarding their personal data rights and organisations that struggle to identify and prevent data protection risks, especially when it comes to AI systems;
• difficulties for researchers in accessing data – specific guidance and clarifications are needed around processing of data for scientific purposes; and
• data protection authorities struggling to regulate new technologies - regulators need to identify specific technology related areas where more clarity is needed and work closely together when advising on new technologies.

Click here to read the press release. Click here to read the FRA's report.