Five.
Vertical Structure
Prepare, Protect, Persist? - Penetration Testing | ISO27001 | Cyber Essentials | Security & Threat Modeling Training
Decrypt is a regular publication by Vertical Structure. In this series, we decrypt and distil cyber security news, events, insights and updates from Vertical Structure into a short (but perfectly formed) educational digest.
Have YOU Been PWNED?
With special guest and cyber security legend, Troy Hunt.
In this episode we are joined by Troy Hunt, renowned cyber security expert and creator of the world's largest breach database, Have I Been Pwned. Troy shares with us his story - from his early work at Pfizer to the creation and subsequent success of Have I Been Pwned. We also hear about his work with law enforcement (including the FBI), the precarious process of verifying a data breach and the legal ramifications of getting it wrong.
A Case of Youthful Curiosity? Or Criminal Entrepreneurship?
In an incident described as 'hugely disruptive', Transport for London (TFL) reported a data breach exposing personal and financial data relating to some of its customers. In addition to names, email addresses, and home addresses, TFL suggested that financial data including sort codes, bank account details, and Oyster Card refund data may also have been compromised during the incident.
Although no physical public transportation services were affected, TFL did take proactive measures to mitigate the spread of the attack by shutting down numerous internal systems.
How these systems were compromised, and the motives behind the attack, have not been disclosed. However, TFL has begun the monumental task of resetting passwords and verifying the identity of its entire workforce. This is being done in person (via appointments) for each of its 30,000 workers, which strongly suggests that a compromised account could have been one of the attack vectors used by the persons responsible.
As the story progressed, we learned that the National Crime Agency (NCA) had arrested a 17-year-old boy from Walsall in connection with the incident. Interestingly, the NCA also arrested a 17-year-old boy from Walsall in July for a possible link to the hugely disruptive MGM Resorts ransomware attack. It is understood that the same individual was also accused of being a member of the notorious Scattered Spider gang - a group of highly capable teens and young adults attributed to attacks on tech companies Twilio, LastPass, and Mailchimp.
This latest attack feeds an unfortunate trend involving teenagers and young adults engaging in cyber crime. According to a recent National Crime Agency survey, 20% of children aged between 10 and 16 showed behaviours that violate the Computer Misuse Act - a hugely concerning statistic.
Other instances of teenagers engaged in high-profile attacks include a London-based 17-year-old arrested in 2022 for the data breach at tech giants Rockstar Games and Uber. Looking back to 2015, a 15-year-old was among several young hackers arrested in relation to the TalkTalk ransomware attack.
With many of these attacks demonstrating a degree of skill and expertise, it raises the question - are these simple cases of naive curiosity? Or a conscious effort to engage in criminality for profit and gain?
And, given the talent involved, what can we do better to channel these young minds into a career in cyber, rather than the road to criminality?
AI Pioneer Pytilia Among First to Certify to Cyber Essentials Plus under NCSC Funded Programme
As AI continues to evolve at an unprecedented rate, Belfast technology firm Pytilia sets the security standard with certification to Cyber Essentials Plus - among the first to do so in Northern Ireland under a National Cyber Security Centre (NCSC) funded scheme.
Engaging with Vertical Structure, Pytilia presented a requirement to enhance their overall operational resilience and baseline cyber security, and to signal to their customers and the AI market alike their ongoing commitment to cyber security. Pytilia subsequently chose Cyber Essentials Plus as their path to deliver on these goals, and the team at Vertical Structure began working with them on the certification journey.
As a ‘contributor to the development of core AI technologies’ in the UK, Pytilia’s certification was achieved under a scheme made available by the NCSC. The scheme, which provides funding for organisations operating in the most critical sectors and who develop leading-edge technology, helps develop resilience against the most common forms of cyber-attack.
As one of only a few Certification Bodies operating in Northern Ireland and a leading implementor of the hugely successful NCSC scheme, Vertical Structure was the clear choice for Pytilia:
Vertical Structure was the obvious choice for Pytilia with their Cyber experts providing a personal and highly professional service throughout from managing our application for NCSC-funding all the way through to successful certification
Neil Sinclair (Director, Strategy & Business Development, Pytilia)
Guiding Pytilia through the process was security consultant Paul McKeown. Paul is among the most seasoned Cyber Essentials practitioners in Northern Ireland and has worked with organisations in every sector.
Artificial Intelligence is all around us now, so it’s been a privilege to work with those who have been leveraging its endless possibilities with ethics and sustainability in mind. The opportunity to work with such a talented group of individuals has also been a great experience. When you work alongside those who understand the important role that cyber security plays in the growth of an organisation, the Cyber Essentials certification process becomes much simpler as a result.
Paul M. (Cyber Security Consultant, Vertical Structure)
Read the full case study: https://verticalstructure.com/case-studies/ai-pioneer-pytilia-achives-cyber-essentials-plus