Robin’s Newsletter #269

13 August 2023. Volume 6, Issue 33
UK Elections watchdog compromised two years ago. Details of Northern Ireland police staff accidentally published. Zoom backtracks on AI training in terms of service.

This week

UK Electoral Commission reveals cyber-attack

  • “Hostile actors” gained unauthorised access to the Electoral Commission’s servers two years ago. The Electoral Commission is an independent agency charged with registering political parties, regulating party and election finance, managing electoral registrations, and setting the standards that UK elections must follow.
  • The incident was detected a year ago, and public notification was made this week. During the attack, which the Commission describes as “complex”, the attackers accessed their email, control systems and copies of the electoral registers.
  • No election results were affected; however, it makes for dramatic news, as the electoral register contains details on over 47 million people. While the volume of people affected is attention-grabbing, and the data could be used to target disinformation, the harm to individuals is likely to be minimal, and I think it’s important to put this enormous number into context.
  • The electoral register data includes first and family names, addresses, and the date the person achieves voting age that year (if applicable).
  • As I tweeted, in 2017, there were 46.8 million registered electors in the UK and the Electoral Register contains first and family names, home address, and in some cases, the date on which that person achieves voting age.
  • Of those 46.8 million, 25 million (53%) had opted out of the ‘public register’. For the ~22 million people who hadn’t opted out, this information was already public. The ICO’s assessment is that Electoral Register information “does not in itself present a high risk to individuals”. And just because the attacker could access the data doesn’t mean that it has now all been published.
  • Also, remember that, despite GDPR and rights to privacy, your existence is not private. Births, marriages, and deaths are all recorded and available to search (for example, on family tree websites).
  • The EC’s email server will, like any organisation’s, contain a lot of ‘unstructured’ data: daily chatter, meeting invites, plus any messages sent to or from the organisation. So while the data affected on the email server also includes email addresses, telephone numbers, ‘personal images’ and so on, this is only for those who have emailed the Commission or contacted them using the form on their website.
  • Russia is “first on the list” of suspects, according to former GCHQ director Sir David Omand, and my hunch is that the SVR (Russia’s foreign intelligence service) would be very interested in getting the inside track on any investigations into party finances which campaigners say are open to malign influence.
  • Questions remain over the time it has taken to notify the public of the breach — commercial organisations would rightly face a backlash if they waited two years to come clean — but remember that GDPR’s notification requirement is to the regulator (the ICO), not the public. The Electoral Commission may have met its reporting requirements. Given the potential national security nature and minimal potential for public harm, the determination may have been to take time to complete the investigation thoroughly without potentially tipping off the hostile actor or creating a media frenzy. I’d welcome further transparency on what happened, when, and the decisions that led to the timing of this notification.

Thousands of Northern Ireland police officers and civilian staff identified in breach

  • The Police Service of Northern Ireland (PSNI) has apologised after the names of 10,000 current and former police officers and civilian staff were published online. The breach occurred when responding to a freedom of information request: in addition to providing salary band information and counts of each grade, a second tab in the spreadsheet listed the surname and initials of staff, along with their employment grade. The file was online for two hours before being taken down.
  • The breach may have severe ramifications for those working undercover, in specific counter-terrorism roles, and those who may not have told their friends and family about their police employment. During the Troubles, police officers in Northern Ireland were regularly targeted, and some have been attacked since the Good Friday Agreement.
  • Adding to the PSNI embarrassment, a spreadsheet containing names of 200 current staff, a laptop and a radio were stolen from a vehicle last week.
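The PSNI leak came from a second tab that travelled with the spreadsheet. The following is an added example, not code from the newsletter or from PSNI, of the pre-publication check a practitioner would want: it reads the workbook’s own part list (xl/workbook.xml and its relationships) to enumerate every worksheet, including hidden ones, and flags tabs that are unexpected, hidden, or headed by identifying columns. It uses only the Python standard library; the workbook it checks is constructed in memory, and the list of sensitive header names is an assumption to be tuned per organisation.

```python
"""Pre-publication check for an .xlsx: list every worksheet (hidden ones too) and
flag identifying column headers. Constructed example; stdlib only."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
# Header names that mark a column as identifying staff (assumed list; extend to taste).
SENSITIVE_HEADERS = {"surname", "initials", "forename", "first name", "last name",
                     "name", "email", "date of birth", "ni number", "staff number"}


def list_sheets(xlsx_bytes):
    """Return [(name, state, part_path)] for every sheet in workbook.xml.
    state is 'visible', 'hidden' or 'veryHidden'; all three ship inside the file."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
    targets = {r.get("Id"): r.get("Target") for r in rels.iter(f"{{{NS_PKG}}}Relationship")}
    sheets = []
    for s in wb.iter(f"{{{NS_MAIN}}}sheet"):
        target = targets[s.get(f"{{{NS_REL}}}id")]
        # Targets are either absolute ("/xl/worksheets/sheet1.xml") or relative to xl/.
        path = target.lstrip("/") if target.startswith("/") else "xl/" + target
        sheets.append((s.get("name"), s.get("state", "visible"), path))
    return sheets


def sheet_rows(xlsx_bytes, part_path):
    """Return the sheet as a list of rows of cell strings (shared and inline strings)."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        shared = []
        if "xl/sharedStrings.xml" in z.namelist():
            sst = ET.fromstring(z.read("xl/sharedStrings.xml"))
            shared = ["".join(t.text or "" for t in si.iter(f"{{{NS_MAIN}}}t"))
                      for si in sst.iter(f"{{{NS_MAIN}}}si")]
        ws = ET.fromstring(z.read(part_path))
    rows = []
    for row in ws.iter(f"{{{NS_MAIN}}}row"):
        vals = []
        for c in row.iter(f"{{{NS_MAIN}}}c"):
            v = c.find(f"{{{NS_MAIN}}}v")
            if c.get("t") == "s" and v is not None:
                vals.append(shared[int(v.text)])
            elif c.get("t") == "inlineStr":
                vals.append("".join(t.text or "" for t in c.iter(f"{{{NS_MAIN}}}t")))
            else:
                vals.append(v.text if v is not None else "")
        rows.append(vals)
    return rows


def release_check(xlsx_bytes, expected_sheets):
    """Return findings that should block publication; an empty list means the
    workbook contains only the expected, visible, non-identifying sheets."""
    findings = []
    for name, state, path in list_sheets(xlsx_bytes):
        if name not in expected_sheets:
            findings.append(f"unexpected sheet {name!r} (state={state})")
        if state != "visible":
            findings.append(f"sheet {name!r} is {state}; hidden sheets still ship in the file")
        rows = sheet_rows(xlsx_bytes, path)
        header = [h.strip().lower() for h in rows[0]] if rows else []
        pii = [h for h in header if h in SENSITIVE_HEADERS]
        if pii:
            findings.append(f"sheet {name!r}: {len(rows) - 1} rows under identifying columns {pii}")
    return findings


# --- constructed sample workbook (not a real file from any organisation) ---
def _inline_ws(rows):
    body = "".join(
        f'<row r="{r}">' + "".join(
            f'<c r="{chr(65 + i)}{r}" t="inlineStr"><is><t>{v}</t></is></c>'
            for i, v in enumerate(row)) + "</row>"
        for r, row in enumerate(rows, 1))
    return f'<worksheet xmlns="{NS_MAIN}"><sheetData>{body}</sheetData></worksheet>'


def build_sample_xlsx(include_staff_tab):
    """Two-tab workbook: a 'Summary' tab of grade counts (shared strings) and,
    optionally, a hidden 'Staff' tab of surname + initials (inline strings)."""
    sheets = [("Summary", "visible", "rId1", "worksheets/sheet1.xml",
               f'<worksheet xmlns="{NS_MAIN}"><sheetData>'
               '<row r="1"><c r="A1" t="s"><v>0</v></c><c r="B1" t="s"><v>1</v></c></row>'
               '<row r="2"><c r="A2" t="s"><v>2</v></c><c r="B2"><v>42</v></c></row>'
               '</sheetData></worksheet>')]
    if include_staff_tab:
        sheets.append(("Staff", "hidden", "rId2", "worksheets/sheet2.xml", _inline_ws(
            [["Surname", "Initials", "Grade"], ["Example", "A B", "Constable"], ["Sample", "C", "Sergeant"]])))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>' + "".join(
            f'<sheet name="{n}" sheetId="{i}" state="{st}" r:id="{rid}"/>'
            for i, (n, st, rid, _, _) in enumerate(sheets, 1)) + "</sheets></workbook>")
        z.writestr("xl/_rels/workbook.xml.rels", f'<Relationships xmlns="{NS_PKG}">' + "".join(
            f'<Relationship Id="{rid}" Target="{t}"/>' for _, _, rid, t, _ in sheets) + "</Relationships>")
        z.writestr("xl/sharedStrings.xml", f'<sst xmlns="{NS_MAIN}"><si><t>Grade</t></si>'
                   '<si><t>Headcount</t></si><si><t>Constable</t></si></sst>')
        for _, _, _, t, xml in sheets:
            z.writestr("xl/" + t, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in release_check(build_sample_xlsx(True), expected_sheets={"Summary"}):
        print("BLOCK:", finding)
```

The point of reading workbook.xml rather than trusting what a viewer shows is that a hidden or “veryHidden” sheet is invisible in Excel’s tab bar but is still a full part inside the zip, so anyone who downloads the file can read it. Wiring a check like this into the FOI release workflow (fail if any sheet is not on the approved list) is the cheap control; exporting only the approved tab to CSV is the cheaper one.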

Interesting stats

$549 million in fines for US banks amid “widespread and longstanding failures” to preserve electronic communications, as employees discussed business off the record via Signal, WhatsApp and iMessage.

75% of businesses are considering, or implementing, bans on ChatGPT, according to a BlackBerry survey of 2,000 IT decision-makers in Australia, Japan, France, Germany, Canada, the Netherlands, the US, and the UK.

130 approaches over the last nine years to the developer of a Chrome extension with 300,000 installs, from parties looking to monetise it. Most of these offer revenue in exchange for embedding tracking code in the extension.

64,000 people have been detained in China for ‘personal data infringements’ in the last three years.

Other newsy bits / in brief

  • Microsoft has responded to Tenable CEO Amit Yoran’s scathing comments about the time Microsoft has taken, and its lack of transparency, in addressing a vulnerability in Azure (vol. 6, iss. 32). The Redmond-headquartered company says the issue affected a “very small subset” of customers and that “[moving] too quickly could result in more customer disruption (in terms of availability) than the risk customers bear from an embargoed security vulnerability.” The latter is an interesting challenge for cloud/software-as-a-service providers, and we will, sooner or later, see a severe vulnerability that needs fixing promptly but whose fix would ultimately break customers’ use of the service.

  • Chris Krebs, former CISA director, thinks the SEC has overreached with its new cyber breach reporting rules and, in an opinion piece for the FT, says Congress should ‘reassert itself’ and reduce ‘overlapping, conflicting and counterproductive’ regulatory programmes.

“We will soon have a cyber reporting mess on our hands. Due to jurisdictional turf battles and the absence of a unified constituency… Over the past decade, legislators have issued a hodgepodge of laws and authorised a never-ending stream of organisations.” — Chris Krebs, partner at Krebs Stamos Group.

Investments, mergers & acquisitions

  • Horizon3 has announced a $40 million Series C that will be used for R&D and expanding channel sales of its continuous penetration testing platform.
  • Check Point is buying Perimeter 81, an Israeli startup, for $490 million to bolster remote and hybrid work services.

Two rounds of layoffs were announced this week:

And finally

  • A card shuffling device used by casinos that “cannot be compromised” was compromised. In a talk at Defcon, researchers from IOActive explained that the DeckMate 2, which usually sits under the gambling table, has an exposed USB port that can be used to reprogram the device, and that its camera, ostensibly there to confirm every card is present in the deck, can be used to read the exact order in which cards will be dispensed.
