Security News
Britain's Information Commissioner's Office has confirmed it is investigating grumbles about heavy-handed marketing emails and texts promoting the NHS COVID-19 contact-tracing app in England. Between 26 and 27 September, NHS Test and Trace messaged anyone resident in the country who was over the age of 16 and had previously provided their contact details to a GP. Those contacted had not specifically opted in to receive marketing communications regarding the NHS COVID-19 app.
When the ICO handed IT Protect Ltd a "monetary penalty notice" back in 2017 for making nuisance sales phone calls, it appears few were expecting the chain of events set off by the fine. Insolvency and Companies Court Judge Sally Barber ordered Warren Pye to repay a total of £114,508, revealing in a detailed judgment handed down on 25 September how Bognor Regis-based IT Protect Ltd simply ignored its 2017 fine and continued funnelling cash to its director, his partner, and his brother even after the ICO secured a winding-up order against the firm.
No matter the legal reasoning, an "adequacy" decision to let data flow between the UK and the EU will hinge on the ups and downs of the wider Brexit negotiations, which are entering a tense final phase. At the end of the Brexit transition period, when business-as-usual trading with the EU will come to an end and the UK begins dealing with the world's largest trading bloc on new terms, the EU will need to decide whether the new UK data rules are sufficiently aligned with GDPR and allow the uninterrupted transfer of personal data from the EU to the UK. Such a decision of "adequacy" in the relationship with EU data law is said to be important to the UK working as a successful digital economy.
UHS insists patient care continues to be delivered and that "No patient or employee data appears to have been accessed, copied or otherwise compromised." A UHS spokesperson declined to provide further details or to comment on unsubstantiated claims made via social media suggesting the involvement of the Ryuk ransomware family.
Texts were received by unsuspecting members of the public between 29 February and 30 April, said the UK Information Commissioner's Office. The texts promoted Zoono-branded hand cleaning products that purported to be "effective against coronavirus," said the ICO. Reg readers will remember that silly members of the public bulk-bought certain products, including toilet paper and hand sanitisers, as the spread of the potentially deadly virus made its way across Europe.
The British Airline Pilots' Association has told American aviation regulators that the Boeing 737 Max needs better fixes for its infamous MCAS software, warning that a plane crash which killed 149 people could happen again. Airlines, in contrast, are broadly happy with proposed changes to the Boeing 737 Max, even as trade unions bellow at the US Federal Aviation Administration that more needs to be done.
In the absence of a working contact tracing app, the UK government has been forced to rely on manual data collection and human-powered tracing to identify potential cases of exposure to the Covid-19 virus. As this information is recorded and stored digitally, any concerns regarding an app-based approach to contact tracing also apply to manual contact tracing.
Conservative backbencher David Davis has vowed to ask questions in Parliament over Uber's seemingly unregulated sharing of data with police and transport regulators as it battled to save its London private hire operator's licence. In November 2019, Uber was formally stripped of its licence after what Transport for London called a "pattern of failures", including allowing random third parties to upload their mugshots to legitimate Uber driver accounts, bypassing background checks.
The U.K.'s National Cyber Security Center has released a guide to help organizations get started with implementing a vulnerability disclosure process. A well-defined vulnerability disclosure program, NCSC argues, prevents reputational damage that public disclosure may cause, and allows companies not only to establish a way to take action on the identified vulnerabilities, but also to inform the reporting entity that the issue is being managed.
For the past year, Russia-linked threat actor Strontium has targeted hundreds of organizations in the United States and the United Kingdom to harvest account credentials, Microsoft reveals. On Thursday, Microsoft published information on a newly identified Strontium campaign that focused on harvesting Office 365 credentials for tens of thousands of accounts at organizations in the US and UK, many of them directly involved in political elections.