First ‘Heartbleed’ victims announced

It has been confirmed that the Canadian Revenue Agency (CRA) and UK parenting website Mumsnet have been hacked following the disclosure of the ‘Heartbleed’ bug last week. The CRA has said cyber criminals have stolen the social insurance numbers of about 900 taxpayers, with Mumsnet also announcing that users’ data, including passwords and private messages, has been accessed. Whilst the CRA has so far been the only government organisation to shut down online services, American Funds, one of the world’s largest mutual fund providers, has become the first financial institution to warn that its customers may also be at risk. So far only one arrest has been made, of a 19-year-old Canadian on suspicion of hacking into the CRA website.

U.S. retailers share cyber threat data

In the wake of last year’s big attack on Target Corp, U.S. retailers are planning to form an industry group for collecting and sharing intelligence about cyber security. The National Retail Federation announced this week that it will establish an Information Sharing and Analysis Centre for the retail industry in June to foster sharing of security information between the public and private sector. These measures are further to the Department of Justice and Federal Trade Commission’s recent announcement that companies would not breach antitrust laws by sharing information to mitigate or prevent cyber-attacks.

Government launches Cyber Essentials scheme

Supported by the pledge to provide “clarity to organisations on what good cyber security practice is”, the Government has launched its Cyber Essentials scheme, setting out the steps to manage cyber risks. Funded by the National Cyber Security Programme, the scheme allows organisations to self-assess their cyber security protections and to apply to be assessed and gain a ‘Cyber Essentials’ badge to demonstrate to their clients that they are ‘cyber safe’.

Police forces under threat of cyber attack

A report conducted by Her Majesty’s Inspectorate of Constabulary has found that only three out of 43 police forces in England and Wales have a comprehensive plan to deal with a large-scale cyber-attack. It also found that only 2% of police staff across 37 forces had been trained to investigate cybercrime. The report is the first in a series of inspections looking at how individual forces have responded to cybercrime guidelines issued last year. Further reports and active measures can be expected, given that the police force’s ability to deal with cyber-threats remains “largely absent”, with some senior officers unsure of what even constitutes a large-scale cyber-incident.

German space and aviation centre under cyber-attack

Germany’s Cologne-based aviation and space research centre is the latest victim to suffer a targeted cyber-attack. Spy software and computer viruses were found in the computers operated by researchers and programmers. It is reported that all the centre’s computers were affected, suggesting that the attack was coordinated and systematic, with some software designed to self-destruct upon discovery. The German government has taken the incident very seriously as the attack sought to access data relating to products of the defence and space industries. It is not yet known who the hackers are.

EU warns companies against working with U.S. spies

Following the Snowden disclosures, EU data-protection regulators from 28 EU countries have released a warning to companies that they may be in breach of European law by granting U.S. spy agencies access to data. Enforcement action should not be excluded where companies willingly and knowingly cooperate with intelligence services to hand over the data of European citizens. Companies have been warned that they may be acting in breach of European law by doing so. It was, however, noted that surveillance programmes run by member states will not be subject to EU law on national-security grounds.

New privacy rules target data breaches

Proposals have been made to update Canada’s federal privacy laws, granting enforcement powers to Canada’s privacy commissioner and introducing fines of up to USD 100,000 for businesses that do not report data breaches. The proposed bill would also require businesses to track data breaches, communicate more clearly when gaining consent to collect personal data and facilitate the use and sharing of information amongst organisations. The bill now awaits second reading.