Privacy in the Public Sector
"Delaware DOJ launches Data Privacy Act outreach effort" — Delaware Business Times
- New Website Launch: Delaware Department of Justice launches website to help businesses and consumers understand the upcoming Delaware Personal Data Privacy Act (DPDPA).
- Consumer Rights: The DPDPA grants consumers the right to know, correct, and delete their personal data collected by businesses.
- Business Obligations: Businesses must obtain consent to use and share sensitive data, and provide data in an easy-to-use format unless it reveals trade secrets.
- Scope of Law: Applies to businesses that process and control the data of at least 35,000 consumers or derive over 20% of gross revenue from selling data.
- Exemptions: Financial institutions and national securities associations are exempt from the law.
- Effective Date: The DPDPA takes effect on January 1, 2025.
- Statewide Education Initiative: The Department of Justice is conducting a statewide initiative to educate businesses about their obligations under the DPDPA.
"Hackney Council criticised by regulator over cyber attack" — BBC News
- ICO Reprimand: Hackney Council criticized by the Information Commissioner's Office (ICO) for failing to protect its systems from a 2020 cyber attack.
- Cyber Attack Impact: The attack affected at least 288,000 individuals, with hackers gaining access to and encrypting 440,000 files.
- Sensitive Data Exposed: Files contained information about religious beliefs, health, criminal records, economic data, and sexual orientation.
- Data Theft: Over 9,600 records were stolen, posing a "meaningful risk of harm" to 230 people.
- Service Disruption: The attack caused significant disruption to council operations, with some services not fully restored.
- Security Failures: The ICO found that the council failed to apply security measures to all devices and left an insecure password on a dormant account, which was exploited by hackers.
- "Avoidable Error": ICO Deputy Commissioner Stephen Bonner described the breach as an "avoidable error" with severe consequences.
- Council Response: Hackney Council disagrees with the ICO's findings and maintains it did not breach its security obligations.
- No Fine Issued: The ICO opted for a reprimand instead of a fine due to positive actions taken by the council after the attack.
"SEGIB and RIPD Sign Agreement to Advance Data Protection in Latin America" — Secretaría General Iberoamericana
- Collaboration: The Secretaría General Iberoamericana (SEGIB) and the Red Iberoamericana de Protección de Datos (RIPD) signed an agreement to advance data protection in the Ibero-American region.
- Key Focus Areas: The agreement prioritizes addressing challenges posed by neuroscience, artificial intelligence, and the Internet of Things (IoT), ensuring the protection of minors in digital environments, and strengthening data protection authorities in the region.
- Policy Development: The collaboration aims to develop public policies that promote the protection of personal data and privacy, ensuring the ethical and responsible use of technologies.
- Child Protection: A key focus is on protecting minors in digital environments through non-intrusive tools and measures.
- Institutional Strengthening: The agreement seeks to strengthen data protection institutions through guidelines, regulations, and enhanced cooperation.
- Comparative Analysis: A comparative analysis of existing public policies, legislation, and data protection standards will be conducted to identify best practices and areas for improvement.
- Implementation of CIPDED: The agreement reaffirms the commitment to implementing the Carta Iberoamericana de Principios y Derechos en los Entornos Digitales (CIPDED), a framework for digital rights in the region.
"Concerns over facial recognition at river festival" — BBC News
- Police Initiative: Bedfordshire Police introduces live facial recognition technology (LFR) for the first time at the Bedford River Festival, aiming to locate wanted offenders and enhance public safety.
- Criticism and Concerns: Liberty, a campaign group, expresses grave concerns about the use of LFR, citing it as an unregulated mass surveillance tool with potential privacy implications.
- Public Debate: The deployment of LFR sparks a debate on social media, with both supportive and critical comments on the police force's Facebook page.
- LFR Technology: The technology uses cameras to scan faces and match biometrics against a watch list of individuals.
- Police Justification: Bedfordshire Police emphasizes adherence to strict guidelines for privacy protection and highlights the technology's potential to fight crime and protect people.
- Transparency Measures: LFR locations at the festival will be clearly marked, and specially trained officers will review any matching images.
- Data Handling: Images triggering alerts will be deleted immediately or within 24 hours.
- Bias Acknowledgment: The police acknowledge historical issues with LFR and potential bias, but claim that these have been significantly reduced with technological advancements.
- Council Support: Bedford Borough Council supports the police's decision to use LFR at the festival, citing its potential to enhance security and reassure the public.
"Correos (Spanish Post Office) Becomes the First Postal Company to Obtain ISO 27701 Certification to Guarantee Information Privacy" — Diario de Transporte
- Pioneering Certification: Correos is the first postal and logistics company in Spain to obtain the ISO 27701 certification for Information Privacy Management Systems.
- Commitment to Cybersecurity: This achievement demonstrates Correos' dedication to adapting to evolving cybersecurity challenges and protecting customer information.
- ISO 27701 Focus: The standard focuses on privacy protection, facilitating risk identification, management, and minimization, safeguarding the organization from threats and vulnerabilities.
- ISO 27001 Renewal: Correos also renewed its ISO 27001 certification for Information Security Management Systems, updating it to the latest 2022 version.
- Expanded Scope: Both ISO 27001 and the National Security Scheme (ENS) have been extended to cover digital mailbox and mass communication services.
- ENS Framework: The ENS, based on Royal Decree 311/2022 and backed by the National Cryptologic Center (CCN), provides a common framework for the public sector to protect information, electronic media, and services.
- Competitive Advantage: These certifications enhance Correos' reputation as a trustworthy organization and provide a competitive edge in the market.
Privacy & Cyber Security
"APT41 Infiltrates Networks in Italy, Spain, Taiwan, Turkey, and the U.K." — The Hacker News
- Sustained Campaign: China-based APT41 hacking group targeted organizations across Italy, Spain, Taiwan, Thailand, Turkey, and the U.K.
- Prolonged Unauthorized Access: APT41 successfully infiltrated victim networks, maintaining access for extended periods to exfiltrate sensitive data.
- Unique Tactics: APT41 is distinguished by its use of non-public malware, normally reserved for espionage, in activity that goes beyond state-sponsored missions.
- Complex Attack Chains: Employed diverse tools like web shells (ANTSWORD, BLUEBEAM), custom droppers (DUSTPAN, DUSTTRAP), and public tools (SQLULDR2, PINEGROVE) for persistence, payload delivery, and data exfiltration.
- Google Workspace Compromise: APT41 leveraged compromised Google Workspace accounts to mask malicious activities.
- Data Exfiltration: Utilized SQLULDR2 to export data from Oracle Databases and PINEGROVE to transmit large volumes via Microsoft OneDrive.
- DUSTTRAP Malware: Multi-stage plugin framework with diverse components for command execution, file system operations, keylogging, and Active Directory manipulation.
- Stolen Code Signing Certificates: DUSTTRAP components signed with stolen certificates, including one linked to a South Korean gaming company.
- GhostEmperor Resurfaces: A separate campaign by the China-nexus group GhostEmperor delivered a variant of the Demodex rootkit; the initial access vector is not yet known.
- Stealth and Persistence: GhostEmperor employed multi-stage malware and evasion techniques, including Cheat Engine to bypass Windows security.
"RecFaces argues biometric data privacy rule carries Olympics security risk" — Biometric Update
- Critical Infrastructure Protection: RecFaces urges the use of facial recognition technology (FRT) to enhance security at the Paris Olympics, emphasizing its role in safeguarding critical infrastructure.
- Enhanced Security Capabilities: FRT integrated into video management systems (VMS) enables rapid identification of individuals against offender databases, deterring malicious activities and enabling real-time monitoring of crowd behavior.
- 360-Degree Protection: RecFaces claims FRT offers comprehensive security by reducing incident response times and providing valuable insights to security personnel.
- Cybersecurity Benefits: FRT minimizes unauthorized access to critical infrastructure and enhances real-time data analytics, contributing to cybersecurity efforts.
- Additional Capabilities: FRT features like biometric liveness and gait detection further enhance security by reducing unauthorized access risks.
- Widely Adopted Technology: RecFaces cites data showing FRT as the most widely adopted AI surveillance technology globally, used by 64 percent of countries in 2020.
- Key Sectors Vulnerable: Transportation, energy, and telecommunications sectors identified as particularly vulnerable due to reliance on aging infrastructure and inadequate protective measures.
- Real-World Application: RecFaces' facial recognition cameras were successfully used to secure Brazil Carnival 2024.
"17-Year-Old Linked to Scattered Spider Cybercrime Syndicate Arrested in U.K." — The Hacker News
- Arrest: 17-year-old boy from Walsall, U.K., arrested for suspected involvement in the Scattered Spider cybercrime syndicate.
- Global Cybercrime: The arrest is part of a global investigation into a large-scale cyber hacking community targeting major companies, including MGM Resorts.
- International Collaboration: The arrest was coordinated with the U.K. National Crime Agency (NCA) and the U.S. Federal Bureau of Investigation (FBI).
- Scattered Spider's Evolution: The syndicate, an offshoot of The Com group, has become an initial access broker and affiliate, delivering various ransomware families.
- Encryptionless Extortion: A recent report reveals Scattered Spider's shift to encryptionless extortion attacks targeting data theft from software-as-a-service (SaaS) applications.
- DDoS Attack Sentence: Scott Raul Esparza of Texas sentenced to nine months in prison for operating Astrostress, a distributed denial-of-service (DDoS) attack service.
- Astrostress Operation: Esparza provided the attack servers and collaborated with Shamar Shattock of Florida in maintaining the service.
- Sanctions on CyberArmyofRussia_Reborn: U.S. Treasury Department imposed sanctions on two members of CyberArmyofRussia_Reborn (CARR), a hacktivist persona linked to Sandworm (APT44), for cyber attacks on critical infrastructure.
- CARR's Activities: CARR used unsophisticated techniques to manipulate industrial control systems at water supply, hydroelectric, wastewater, and energy facilities in the U.S. and Europe.
* The information in this newsletter is for informational purposes only and does not constitute legal or professional advice.
While we strive for accuracy, we do not guarantee the completeness or accuracy of the content. The views and opinions expressed in linked articles and resources are those of the authors and do not necessarily reflect the views of The Privacy HawkEye and / or its authors.
#AIethics #AIBias #Cybercrime #dataprivacylaw #surveillance #databreach #spyware #privacyinpolitics #digitalprivacynews #techpolicy #privacyadvocacy #cyberlaw #privacynewsletter #cybersecurity #hack