As we always say at the beginning of our quarterly Cybersecurity and Data Protection digest: no quarter ever was boring. Yet the fourth quarter of last year was a bit different than the previous ones.
On one hand, due to the transition of power in the EU Commission, there were some moments to catch breath on the legislative front. That did not, however, stop the EU from assessing the success of past laws and treaties. The most interesting development was without doubt the review of the EU-US Data Privacy Framework: an agreement between the USA and the EU that everybody hopes will survive the new and rather erratic US administration.
In terms of data breaches and cybersecurity, things moved maybe even faster than usual. The most spectacular event was the VW data leak – positional data of tens of thousands of electric vehicles were accessible more or less directly over the internet.
But more nefarious forms of cybersecurity threats are also on the rise. Generative AI enables more targeted attacks, and political tensions continue to drive state-sponsored activities in the field.
At the same time, legislators are trying to understand the privacy implications of large AI models while we, as a society, still struggle to regulate social media properly: a 20-year-old technology – ancient, in a way.
Let’s look into all of this.
Public Initiatives and Developments
EU commission report on functioning of the EU-US Data Privacy Framework
The EU-US Data Privacy Framework was one of the key projects of the last EU commission and outgoing US President Biden. It forms the basis for an EU adequacy decision that enables easy flows of personal data between the EU and the US without too many additional safeguards needed – synchronizing the highly connected economies of the territories.
There were, however, always doubts about the EU-US DPF as it looks suspiciously like previous transfer mechanisms (Safe Harbor and Privacy Shield) that were found wanting by the European Court of Justice (ECJ). Many critics think that the third iteration of such transfer tools may be built on quicksand as well.
For that reason, the EU commission’s report was eagerly awaited.
The report focuses heavily on the set-up process of the EU-US DPF: structures and processes had to be established, tools put in place, companies certified under the mechanism. At the same time, the US has, according to the report, made progress in developing legal and administrative processes to implement the safeguards meant to protect personal data of EU citizens in the US. This concerns data handling in US intelligence agencies in particular. Those processes, the commission remarks, are not fully completed yet.
A possible disruption for the further implementation of the EU-US Data Privacy Framework is the change in administration in both the US and the EU. While the Commission is optimistic that not much will change in practice, we at Engity suspect that a review, on the US side, of the duties resulting from an agreement with the EU is more likely than, say, an invasion of Greenland.
EDPB clarifies rules for data transfers to third country authorities
The European Data Protection Board (EDPB) clarified one of the more overlooked parts of the GDPR: Article 48. The provision deals with judgements or requests of courts or authorities of third countries for the transfer of personal data. Such requests may only be recognized if they are based on an international agreement. This way, the GDPR aims to protect Union citizens from extraterritorial overreach: third-country courts or authorities cannot circumvent the GDPR – an international agreement needs to justify the data transfer.
In its helpful “Guidelines 02/2024 on Article 48 GDPR”, the EDPB makes Article 48 GDPR more transparent, explains the rationale and its place in the full framework of the GDPR, and gives some practical advice.
European Data Protection Board selects topic for 2025: Right to be forgotten
The EDPB has a (still rather new) tradition to select a topic for a Coordinated Enforcement Action (CEF). Member Data Protection Authorities can contribute in an effort to find a joint approach to the topic and coordinate enforcement across the EU.
The topic for 2025 will be the “right to be forgotten” – in more technical GDPR-lingo: the right to erasure. The EDPB will look into issues and deficits in implementation and enforcement, but also give advice on best practices.
Cyber Solidarity Act adopted
In an effort to strengthen cybersecurity capacities in the EU, the EU Council has adopted the “Cyber Solidarity Act”, an amendment to the already existing Cybersecurity Act.
The new EU law enhances Europe’s resilience against cyber threats by establishing a robust cybersecurity framework and fostering improved cooperation mechanisms across member states. Central to the regulation is the creation of a "cyber security alert system", a network of national and cross-border cyber hubs tasked with sharing information and responding to cyber threats. These hubs will leverage technologies like artificial intelligence and advanced data analytics to detect threats and disseminate timely warnings, thereby fortifying the EU’s ability to respond efficiently to cybersecurity incidents. This initiative strengthens the existing European framework by improving information sharing and coordination across borders.
Additionally, the regulation introduces a cybersecurity emergency mechanism. This includes actions like vulnerability testing in critical sectors (e.g., healthcare, transport, and energy), the establishment of an EU cybersecurity reserve with private-sector incident response services, and the provision of technical mutual assistance.
An incident review mechanism is also established to evaluate the effectiveness of these measures, assess the use of the cybersecurity reserve, and ensure the regulation contributes to strengthening the competitiveness of EU industries and services.
EDPB on data protection aspects in the context of AI models
While we look at the work of the EDPB: it also dives into pressing considerations on the edge of current tech development. To that end, it published an “Opinion on certain data protection aspects related to the processing of personal data in the context of AI models.”
Questions examined include, for example, whether AI models process personal data, what legitimate interests for processing could be, and which consequences unlawful processing should have.
The answers to many of those questions seem to be “maybe” and “it depends”. But the world is complex, each case is different, the issues discussed in the paper are in no way settled, and Data Protection Authorities across Europe seem to disagree in many respects. The opinion, therefore, is a valuable contribution to a pressing discussion but not a definitive guide.
Cybersecurity and data breaches
Volkswagen knows where your car is – and so does everybody else
One of the companies that seems to be caught in a permanent vicious cycle of bad luck and bad news reinforcing each other is Volkswagen. After emission scandals and business restructurings, the car maker has been hit with a major privacy and data security snafu.
Cariad, VW’s software affiliate, exposed the location information of more than 800,000 electric Volkswagen vehicles. The data allow profiling of the cars’ movement patterns. Often the data can be linked to the names and even contact data of the owners. It is easy to see how this can lead to conclusions about where the owner lives and works, but also about friends or even affairs or meetings with business colleagues.
A data leak of such epic proportions should also find the attention of regulators and may have major implications on the compliance side of things. In future quarterly digests we will surely come back to this issue.
Atos is in double-trouble
To add irony to injury: Atos, a French provider of cloud and cybersecurity solutions, has allegedly been hacked by the ransomware gang “Space Bears”. The infamous collective claims to be in possession of a company database.
Atos is already in rather serious economic turmoil, restructuring its finances after its share price has fallen to close to zero.
As of the time of writing of this digest, it is neither clear what that database contained nor if the hack actually happened: Atos issued a statement that they cannot find any traces of being compromised.
Should, however, the incident turn out to be real, we mere mortals have to ask ourselves some serious questions. If even seasoned professionals cannot protect themselves from serious data breaches, who then can?
Phishing attacks become more plentiful – and more sophisticated
The latest Phishing Intelligence Report by SlashNext contains concerning news. The company found that e-mail-based attacks increased by more than 200% compared with last year – and still trending up as 2025 drew closer.
When such attacks try to make the targeted user click on links, those links often exploit zero-day vulnerabilities. This fact and the sheer number of attacks often simply overwhelm traditional security measures.
The study also finds that attackers increasingly use generative AI to draft phishing mails that are very targeted and very convincing. In numerous cases, attacks start with creating elaborate backstories that make the e-mail executing the attack even more inconspicuous.
Last but surely not least, the attacks now more than ever employ elaborate social-engineering tactics and may also use collaboration tools and platforms: Think of a comprehensive attack carried out over MS-Teams, LinkedIn, text message and e-mail.
Threats from abuse of Microsoft built-in tools are on the rise – a lot
The abuse of legitimate local software tools, especially Microsoft tools, is on a sharp rise, as the latest Sophos Active Adversary Report finds. The researchers found that 187 so-called LOLBins were used in almost 200 incidents analyzed.
Such LOLBins (“living-off-the-land binaries”) are legitimate local software binaries, often pre-installed in the system, that are abused for attacks. This is a dangerous threat vector, as such LOLBins are known to the system, signed by the software manufacturer, and may thus bypass intrusion detection systems. This way, attackers may be able to remain unnoticed for a long time.
Examples of software tools abused are the Remote Desktop Protocol (RDP), cmd.exe, PowerShell (71%) and net.exe – all very normal and useful programs.
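Because a signed, pre-installed binary cannot be blocked outright, defenders detect LOLBin abuse by looking at context: which process launched the tool, and with which command-line flags. The following is an added illustration written for this digest, not code from the Sophos report or from Microsoft. It assumes a constructed, simplified process-creation log format (one event per line, `key=value` pairs separated by ` | `, in the spirit of Windows event 4688 / Sysmon event 1 fields); the sample events and rule names are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample records (not real logs). Assumed format: one process-creation
# event per line, " | "-separated key=value pairs. The benign backup job and the
# RDP client launch are included so the rules can be seen NOT firing on them.
SAMPLE_EVENTS = [
    "ts=2024-11-03T08:12:01Z | host=WS-0142 | user=CORP\\jdoe | parent=explorer.exe | image=C:\\Windows\\System32\\cmd.exe | cmdline=cmd.exe /c dir",
    "ts=2024-11-03T08:13:44Z | host=WS-0142 | user=CORP\\jdoe | parent=WINWORD.EXE | image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | cmdline=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
    "ts=2024-11-03T08:14:10Z | host=WS-0142 | user=CORP\\jdoe | parent=powershell.exe | image=C:\\Windows\\System32\\net.exe | cmdline=net.exe group \"Domain Admins\" /domain",
    "ts=2024-11-03T09:01:00Z | host=SRV-DB01 | user=CORP\\svc_backup | parent=services.exe | image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | cmdline=powershell.exe -File C:\\Scripts\\backup.ps1",
    "ts=2024-11-03T09:05:22Z | host=WS-0142 | user=CORP\\jdoe | parent=svchost.exe | image=C:\\Windows\\System32\\mstsc.exe | cmdline=mstsc.exe /v:SRV-DB01",
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Base64-encoded command switch (any of its accepted abbreviations).
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)(?:\s|$)")
# Flags that suppress the profile or hide the window: rare in scheduled admin jobs.
STEALTH_RE = re.compile(r"(?i)(?:^|\s)-(?:nop|noprofile|w(?:indowstyle)?\s+hidden)(?:\s|$)")
# net.exe querying domain users or groups.
NET_ENUM_RE = re.compile(r"(?i)\b(?:user|group|localgroup)\b.*/domain\b")


def parse_event(line: str) -> dict:
    """Split one ' | '-separated key=value record into a dict (assumed format)."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    # Normalise to bare, lower-case binary names so rules are path-independent.
    fields["image_name"] = fields.get("image", "").rsplit("\\", 1)[-1].lower()
    fields["parent_name"] = fields.get("parent", "").rsplit("\\", 1)[-1].lower()
    return fields


def evaluate(ev: dict) -> list[str]:
    """Return the names of all detection rules one parsed event triggers."""
    hits = []
    cmd = ev.get("cmdline", "")
    img, parent = ev["image_name"], ev["parent_name"]
    # Parent/child relationship: an Office document spawning a shell.
    if img in SHELLS and parent in OFFICE_APPS:
        hits.append("office-spawned-shell")
    # Command-line shape of the PowerShell invocation.
    if img in {"powershell.exe", "pwsh.exe"}:
        if ENCODED_RE.search(cmd):
            hits.append("encoded-powershell")
        if STEALTH_RE.search(cmd):
            hits.append("stealth-powershell-flags")
    # net.exe driven from a shell, or used to enumerate domain accounts.
    if img == "net.exe":
        if parent in SHELLS:
            hits.append("shell-spawned-net")
        if NET_ENUM_RE.search(cmd):
            hits.append("domain-account-enumeration")
    return hits


def analyze(lines) -> list[dict]:
    """Parse every line and keep only events that trigger at least one rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        rules = evaluate(ev)
        if rules:
            findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "image": ev["image_name"], "rules": rules})
    return findings


def chain_by_host(findings) -> dict[str, list[str]]:
    """Group triggered rules per host: single weak signals become one visible chain."""
    chains = defaultdict(list)
    for f in findings:
        chains[f["host"]].extend(f["rules"])
    return dict(chains)


if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['ts']} {f['host']} {f['user']} {f['image']}: {', '.join(f['rules'])}")
    print(chain_by_host(results))
```

The point of the per-host grouping is that none of the individual rules is conclusive on its own (administrators do run PowerShell with `-NoProfile`, and `net group` is a perfectly normal command), but Word spawning a hidden, encoded PowerShell that then runs domain enumeration on the same workstation within a minute is the kind of sequence worth an analyst's attention.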
Weaponizing Cybersecurity – and hard liquor
USA sanctions Chinese cybersecurity company – and individuals
The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned Chinese cybersecurity company Sichuan Silence, a government contractor serving Chinese intelligence agencies.
In April 2020, Sichuan Silence allegedly exploited a zero-day vulnerability in a firewall product, compromising more than 80,000 firewalls globally, including over 23,000 in the United States – the latter leading to the action of the US authorities.
The attack aimed to steal sensitive data and infect systems with the infamous Ragnarok ransomware, which disables antivirus software and encrypts networks, posing significant risks to critical systems. Among the affected entities were sensitive companies, where, according to the authorities, the attack could have caused oil rig malfunctions and potential loss of human life. Swift detection prevented such outcomes.
Guan Tianfeng, a Chinese cybersecurity researcher employed by Sichuan Silence, executed the attack using a device owned by his employer. Sichuan Silence provides tools for network exploitation and surveillance.
Sichuan Silence has been designated under U.S. Executive Orders for engaging in cyber-enabled activities threatening U.S. national security and critical infrastructure. Furthermore, the US authorities offer a US$ 10 Million reward for information regarding the whereabouts of Guan Tianfeng.
Phishing Campaign targeting Ukrainian defense companies and citizens
The war in the East of Europe never fails to produce cybersecurity news as well. Little wonder, as wars these days are fought in many domains, not just kinetically on a defined geographical frontline.
Ukraine saw a number of phishing campaigns in the fourth quarter of 2024.
There were very targeted campaigns against Ukrainian defense companies trying to steal credentials in order to get access to the respective systems.
There were also reports of broader net-phishing campaigns trying to obtain personal data of Ukrainian citizens. Such data are routinely used by Russian (and, conversely, Ukrainian) intelligence services for all kinds of nefarious activities ranging from psy-ops to identity theft.
Russian ransomware targets Vodka distiller
Vodka maker “Stoli” had to file for bankruptcy with its US affiliates after it was hit by a major ransomware attack.
Stoli’s ERP system as well as its financial systems were successfully taken down by the attack, causing not only production hiccups but also making it impossible for Stoli to deliver financial reports to its lenders, which in turn made it impossible to roll over or extend debt.
While it is unclear where exactly the attack originated, circumstances suggest a political background. Stoli Group was in constant battles with the Russian government after trademark and ownership disputes concerning the famous “Stolichnaya” and “Moscovscaya” vodka brands. Those fights intensified after the Russian government labeled Stoli Group and their owner as “extremists” due to their support of Ukrainian refugees.
Private Initiatives
Meta will offer subscription-model with no ads in Europe
Meta has announced that, starting in March 2024, users in the European Union (EU) and European Economic Area (EEA) will have the option to subscribe to ad-free versions of Facebook and Instagram.
The move comes in response to European regulations and feedback from users. Meta says that the subscription fees are set to cover the costs associated with providing an ad-free experience.
Users who choose not to subscribe will continue to have access to Facebook and Instagram with personalized ads – basically the current state of affairs we all have come to know and love.
Meta’s data protection practices came under much scrutiny recently (see also below – “Court Decisions & Enforcement”). Observers have doubted the ethics of users having to pay for privacy, while on the other hand Meta is indeed a profit-oriented company offering a service many people like to use – often a bit too much.
DPAs, however, seem to welcome the choice (“pay or consent”) given to users. It seems, however, that other (non-ad) content on Meta’s platforms will still be delivered based on profiling and context.
It remains to be seen how the new initiative works in practice and our quarterly report will keep you updated.
Meta to use Facebook and Instagram posts to train AI – in the UK
In the last quarterly report, we commented on Meta’s decision to halt AI training using data from Facebook and Instagram in the EU. In the UK, however, Meta will resume its training program, saying that “(Meta’s) generative AI models will reflect British culture, history and idiom, and that UK companies and institutions will be able to utilize the latest technology.”
The UK used to be a part of the EU but for various reasons chose to exit the bloc in the so-called “Brexit” in 2020.
Court Decisions & Enforcement
ECJ curbs Meta’s data use for targeted advertising
Meta, owner of big social media platforms such as Facebook and Instagram, earns much of its revenues by targeting ads. The idea is that users are shown things they are interested in so as not to waste eyeballs and attention. To find out which user is – potentially – interested in which product or service, Meta profiles users of its network by looking through heaps of data, a practice often described as “surveillance capitalism”.
That need not be a bad thing in principle – the author of this digest has trained their personal Meta algorithm to show them mostly enjoyable ads for men’s shoes. Yet the depth and breadth of the profiling is not transparent to most users.
The European Court of Justice now ruled that Meta has to limit the use of data and must, in particular, implement sensible retention periods and cannot use all public data.
Meta had been, in fact, building up huge pools of data over decades. Furthermore, it harvested data from public discussions and used them for targeting – basically turning the exercise of free speech into a sales tool.
The lawsuit was brought by privacy activist Max Schrems, known for the landmark ECJ rulings named after him.
LinkedIn hit with 310 million Euro fine
The Irish Data Protection Commission (DPC) has imposed a 310 million Euro fine on LinkedIn. The social network, known for its often cringy semi-deep posts generated by overzealous executives, had failed to inform its users on how their personal data will be used, namely for targeted advertisement and behavioral analysis.
Meta fined 251 million Euro for 2018 data breach
In almost every quarterly digest we report an administrative fine vis-à-vis Meta, and this edition is no exception.
Meta, owner of platforms such as Facebook, Instagram, or WhatsApp, was fined 251 million Euro for a data breach in 2018 where hackers gained access to accounts by exploiting bugs in the platform.
The DPC, the privacy watchdog, did not issue the fine only because of the bug itself, but also because of Meta’s dismal job of dealing with its aftermath: the company did not notify the breach in time and failed to document the breach and the steps taken to remedy it.
More details will be published soon, and our digest will certainly report on them.