A network of data floats over a globe on which the EU flag is projected.

EU Cybersecurity & Data Protection Update Q3-2024

Which topics dominated the Cybersecurity and Data-Protection headlines in the third quarter of 2024?

The third quarter of 2024, in terms of data protection and cybersecurity, was interesting, to say the least.

On the political side in the EU, the constitution of the new EU commission left time to not think about the big picture and not only the fine print and more hidden details of legislation. Will future regulations of privacy, platforms, and AI be more centralized and enforced on EU level instead by national agencies? Most probably yes.

The big stories in Cybersecurity were of course

A new stage of cyberwarfare: cyber-physical attacks.

General Developments

EU rethinking central versus federal approach in legislation and enforcement

A new EU commission emerging after the European Elections will bring policy changes. Some of them, much needed dare we write, are meant to bolster competitiveness, innovation, dependencies and investment. To achieve this, the EU commissioned Mario Draghi to issue a report with recommendation. One such is to skew the EU's future laws more towards central enforcement rather than leaving this to the national authorities. This seems to show that the EU is more satisfied with laws like the Digital Services Act and the AI Act than the GDPR, with the latter's patchy enforcement in places like Ireland still giving the Union headaches.

We at Engity hold that while a centralized enforcement seems to be more efficient at first sight, it also lacks a certain element of competitiveness that a federalized and – on the surface – more chaotic regime offers.

Many organizations fail to inform victims of data breaches, Dutch DPA finds

Data leaks happen even to companies who do all the right things. Yet after any such incidents, certain actions need to be taken. Mainly to inform the respective data protection authorities but also any affected data subjects. The latter is very important to prevent fraud and identity theft. We, the data subjects, can only be cautious if we know that our data has been stolen or simply mismanaged.

The Dutch Data Protection Authority (DPO), Autoriteit Persoonsgegevens, has investigated whether and how organizations comply with these obligations – and found them wanting.

Not only are many organizations late in informing data subjects of breaches, but their messaging is also very opaque. Often it is not clear what happened and what the recipient can do to mitigate effects. Moreover, often messages do not seem very urgent or alarming, looking a lot like the typical chatter of the day that all of us tend to ignore.

In this digest, under "Court decisions & Enforcement" we discuss the repercussions such failure to properly inform can have for the organization itself, namely in the form of fines and loss of standing with regulatory authorities.

German companies lost whopping 267 billion Euro due to cybercrime 2023

The ever-active German industry association BitKom published a survey of more than 1.000 companies of all sectors and sizes – with frightening findings. 80% of the companies were victims of data or IP theft in the last year. Cybercrime and similar sabotage activities have cost the businesses 267 billion Euro in 2023.

A hefty sum for the largest European economy. 90% of the surveyed businesses expect even more cybercrime this and the coming years. No wonder, of course, in a world where political tensions rise and cybercrime becomes more and more nationalized (see also our report in this digest).

Public Initiatives and Developments

Dutch Authority publishes guidelines on Digital Services Act for providers

The Digital Services Act (DSA), often covered in our digest, is still kind of a mystery to many businesses. The idea often seems to be that it applies only to the big companies, and they will know what to do. The reality is: also medium and small businesses are affected – online store, forums, hosting providers and so on.

For that reason, it makes sense for the authorities to give such businesses practical guidance on what they are expected to do and how to do it. The Dutch Authority for Consumers & Markets did exactly that in publishing DSA guidelines and a very helpful and concise guide to due diligence obligations.

Well done!

A new tool in action: EU commission "assists" Apple to meet DMA obligations

When it comes to enforcement of laws, we often tend to think in terms of administrative fines and court orders. There are, however, finer tools fostering cooperation and dialogue.

One of such tools is used by the EU commission as a means to ensure Apple's systems interoperability under the Digital Markets Act (DMA). The background is that the commission finds Apples iOS to be too closed-off vis-à-vis consumers as well as developers.

Before taking any "hard" enforcement action, the commission will explain its findings and ideas to Apple and assist the company, basically in the form of a dialogue.

Data Spaces all over: The Public Procurement Data Space goes live

The European Union may have many flaws – as projects of this size and ambition tend to have. Yet it remains committed to creating a unified market (in a wider sense) across the continent. Not just physically but also online.

One tool to achieve this goal is a Data Space. In our last issue we have discussed extensively the proposed Health Data Space, yet in the third quarter of 2024 the current project went live: the Public Procurement Data Space (PPDS).

The basic idea is to connect European databases and national procurement portals. To that end, the PPDS will consist of four different layers, allowing to feed in the data from all connected sources, integrating them into a harmonized data set, analyzing them, and making them available to users via an interface.

Public procurement is big business: Authorities across the EU spend 2 Trillion Euro per year purchasing goods and services.

While not too much happened in other data spaces in the third quarter, developments on Financial Data Access and the Mobility Data Space are supposed to gain steam again soon.

EU's AI Act comes into effect

The AI act came into effect on 1. August 2024. The final data of application is still two years in the future, but member states must prepare already for implementation and, of course, AI developers should start establishing processes to ensure compliance.

Cybersecurity and data breaches

Hacking becomes ever more nationalized

Most people – including many of our customers – still think of hackers as some guys with oversized hoodies in basements surviving von pizza and fizzy drinks. That, however, is less and less the reality.

Hacking is becoming more and more nationalized. This injection of resources and state level protection makes it much more dangerous than it used to be. The result is an increasing number of state-sponsored attacks.

Just a few examples from the third quarter of 2024:

Telegram banned from public use in Ukraine

The kind of developments discussed above also leads to a fragmentation of tool use as more and more platforms are seen to be in the hands or controlled by governments.

The list of such tools included popular messaging app Telegram for a long time. Both, the app and its founder (see next story) seemed to have been connected to the Russian government. That was at least a popular and plausible assumption as Telegram was notoriously unwilling to cooperate in any way, shape or form with any police or government agency in the West while having had no trouble at home (Russia) where secretiveness or lack of cooperation in other cases lead to accidents close to open windows.

Ukraine, a country in war with Russia, seemed to have had similar thoughts and banned the use of Telegram for all officials according to a post by the National Coordination Centre for Cybersecurity (NCCC). Telegram, the post reads, is used actively by Russia to "launch cyber-attacks, spread phishing messages and malicious software, track users' whereabouts, and gather intelligence to help the Russian military target Ukraine's facilities with drones and missiles."

Pavel Durov, Telegram's CEO arrested in France

On the ground of stonewalling any data requests by authorities conducting investigations and turning a blind eye on criminal activity on his platform, the CEO of Telegram, Pavel Durov, was arrested and questioned in France.

While the arrest has been seen by many as a free speech issue, the reasons most probably run deeper (see previous stories). It is widely known that Telegram is used by gangs, extremists and criminals to communicate. In a statement, Durov called such activities a "violation of the Terms of Service" and promised more cooperation.

Maritime Infrastructure under threat – new SideWinder attacks

State sponsored hacking attacks are not confined to the conflict between Russia and the West. Groups linked to India have carried out a number of high-profile spear fishing attacks on maritime facilities in countries such as Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives.

The attacks themselves are technically not very sophisticated but effective due to their social engineering. Victims are enticed by threats such as termination or salary cuts to open booby-trapped MS-Office documents.

Sometimes, the olden ways are still the most reliable.

Microsoft Defender Flaws used to deliver malware

While speaking of classic attacks: one of the most effective threats is to use infrastructure present on all target systems to deliver a payload. Even better if the very infrastructure that is supposed to counter such actions can be used to facilitate them.

Such a coup was landed by hackers that were able to use a security flaw in Microsoft defender, of all apps, to deliver files containing malicious payloads to users.

Microsoft has fixed the issue in the meantime – a reminder that keeping software updated is not optional but mandatory.

OVH hit by awe inspiring DDoS attack using compromised routers

DDoS attacks have always been an issue, but with ever more devices "out there" with bad initial security, outdated firmware, and often terrible default settings such as the infamous "admin – admin" combination for username and password, the become an issue even for big players with tons of computing power and bandwidth. Such as OVH.

Their cloud was hit by an awe-inspiring attack using up to 840 million packets per second hitting the OVH cloud systems. The bulk of the attack seems to have originated from compromised MikroTik Cloud Core Routers, a popular yet highly flawed device.

As mankind will amass an increasing amount of junk connected to the internet – think of IoT devices such as lamps and fridges – the frequency and intensity of DDoS attacks is set to increase further.

Thousands of Hezbollah pagers exploded

When we talk about electronic warfare and cybersecurity, we typically think of payloads and data theft, not necessarily missing limbs. Yet in the biggest story of not only the last quarter but the last years, thousand of pagers and other electronics physically exploded, killing tens, injuring thousands of people.

Pagers are ancient electronic communication devices. They were chosen by Hezbollah, a political group in Lebanon with a terrorist fraction, for the very reason of being not very sophisticated: they can only receive, not send messages, making them hard to track. A more sophisticated player – almost certainly Israel's secret services – managed to plant explosives in the gadgets used. And then exploded them.

The incident shows how vulnerable our world and our supply chains have become. The integration of all kinds of technology, gadgetry, and software into our daily lifes opens the door for all kinds of rather unexpected – and potentially deadly – attacks. Cyber-physical attacks being a new facet in this game.

Private Initiatives

Instagram introduces Teen Accounts with better protection

Instagram, a tool of Meta, was often criticized for not protecting the personal rights of children good enough. As a result, the messenger introduced Teen Accounts for all users under 16. That type of account comes with several built-in protection measures.

Not everybody can contact such an account and not all content can be accessed from there. Parents or guardians can set permission parameters to ensure safe and controlled use of the platform.

Updates needed: Apple warns users not to use old iOS

Apple urged its users to upgrade to iOS 18 to protect their devices from potential exploitation, ensuring data privacy and device security.

Apple's iOS 18 release focuses heavily on security, patching 33 significant vulnerabilities that posed serious risks to iPhone users. These flaws, if left unaddressed, could have allowed hackers to access sensitive data, control device functions, or compromise privacy. Notable issues included accessibility and Bluetooth vulnerabilities, a kernel flaw affecting VPN traffic, and Webkit bugs that could expose users to cross-site scripting attacks.

The update is critical for maintaining user security, as these vulnerabilities ranged from minor to severe, including threats from Wi-Fi disconnection attacks and Siri-related data leaks.

Court Decisions & Enforcement

Polish DPO UODO fines 1 Mio Euro for failure to notification of data breach

In this digest, we already discussed systemic failure among organizations to inform the data subjects of data leaks accordingly. We looked at the matter mostly from the vantage point of the victims, and for good reason. Yet not acting according to the obligation can also lead so severe consequences and fines for the organization.

mBank, a Polish credit institute, failed to inform affected data subjects after a data leak. The leak itself – a failed transfer – may have not been the most severe leak that ever has happened. Still, the Polish UODO held, affected people should have been informed. The relatively severe amount of the fine is due to the fact that mBank was found to not only have mismanaged this particular case but hat installed a policy which would have called to a similar handling of comparable cases.

Swedish bank fined 1.3 million Euro for data transfer of data… to Meta

Sometimes small oversights and negligence can have rather grave consequences. Such as in the case of a Swedish bank that configured the infamous Facebook Pixel in a way that allowed for the transfer of personal data to Meta. Personal data of one million customers, that is.

Facebook pixel, now Meta Pixel, is a piece of code that can be put on websites to measure the effectiveness of advertising. In real world terms: tracking people and what they do. The bank accidentally activated a function of the pixel that transferred data, and not just any data but information on securities holdings and value, loan amount, account number and social security number.

Swedish SA, the DPA, took action and fined 1.3 Mio Euro.

Irelands DPC ends lawsuit against X regarding data collection for AI training

DPC, Irelands data protection commission, ended proceedings against X, formerly Twitter, regarding their use of data of EU citizens for the training of AI models. X agreed not to use such data until firmer legal ground has been found.

Finish retailer fined 856,000 Euro for undefined storage periods

Another classic case was fined by the Finish Data Protection Ombudsman with 856,000 Euro: an online retailer failed to specify data retention periods.

Only a few years ago, such an omission would have been seen as a minor offense. Recently, however, regulators have taken a harder stance. And for good reason, as data that are not stored (any longer) can also not be stolen or abused – a simple logic.

The online retailer did not only not delete data but also collected more than necessary by forcing customers to create an online account on their respective website. Such registration should not be mandatory, the Finish Data Protection Ombudsman found.

Clearview AI fined 30.5 million Euro for illegal database

We have reported repeatedly on cases in many EU countries against Clearview AI, a company offering facial recognitions solutions.

In a decision already taken in May but published in the third quarter of 2024, the Dutch DPA fined another 30,5 million Euro against the company. Clearview AI did not object, making the decision binding.

The authorities found that Clearview AI had no legal basis for the processing of highly sensitive data such as biometric data. Furthermore, the company failed to inform data subjects adequately and failed to respond to data subjects requesting access to their data.

Clearview AI defended themselves mainly with formal arguments such as having no place of business in the Netherlands. The Dutch DPA, however, found that the possession of biometric data of Dutch citizens suffices for action.

We, at Engity, share that interpretation of the law as otherwise any effective protection under the GDPR can be circumvented just by choosing a more lenient jurisdiction.