July 2024 – Newsletter Update

We recognise that staying on top of changes to legislation and advice can be difficult. Here are some articles and alerts we’ve seen lately that we think you should be aware of, or might be interested in.

Please note that we’ve included links below to external websites. PCML consultants are not responsible for the content of any external websites.

We’ve collated the below from alerts and bulletins that we receive from UK Government agencies and others. You can find links to those sources and others on our website. We’ve linked to that page on our website at the end of this email.

This update includes Updates to ISO Standards, Net Zero & Sustainability Services, Information Security, Environment and Health & Safetyclick to jump to the relevant section.

Updates to ISO Standards

In February, ISO published amendments to the current versions of its quality, environmental, health and safety and information security Management System Standards (ISO 9001:2015, ISO 14001:2015, ISO 45001:2018 and ISO 27001:2022) as part of an initiative following the London Declaration on Climate Action.

To increase awareness of climate change and drive actions, ISO have amended the text of two subsections of Clause 4 of the above Management Systems to require that organisations consider the relevance of climate change to the organisation and its activities as part of understanding the organisation’s context.

Specifically: –

  • Clause 4.1 (Understanding the organisation and its context) has been amended to include the following wording – ‘The organisation shall determine whether climate change is a relevant issue
  • Clause 4.2 (Understanding the needs and expectations of interested parties) has been amended to include this wording – ‘Relevant interested parties can have requirements related to climate change’

To help our customers with the above and demonstrate understanding of their obligations under climate change legislation, we have added three new records to the Infosec Legal register for UK customers: –

  • Climate Change Act 2008 (as amended) – this includes a note explaining how this contributes to the required commitment to acknowledge, understand and evaluate the requirements of identified interested parties in relation to Climate Change across the above Management System standards
  • Climate Change and Sustainable Energy Act 2006
  • Key climate change protocols and agreements 1987-date – this summarises the five major climate change agreements or amendments to agreements

Net Zero & Sustainability Services

PCML can assist our customers in complying with the above updates to the quality, environmental, health and safety and information security Standards. We can also support you to design a long-term Net Zero strategy, including setting your carbon emissions baseline, and reporting annually on your carbon footprint and progress against targets.

If you would like any more information about how we can help, or have any questions about how this affects you, please contact Amy Cousins directly on 07525 933142 or email [email protected]. We have attached an overview of what Net Zero means, and some of the common terms you may be seeing in RFQs or tenders.

Information Security

If you are an IT professional; these articles may be directly of use to you. If you are a manager with responsibility for information security and an in-house or outsourced IT function, you may wish to check that they are aware of this advice.

Legislative changes

Published legislation

No new principal legislation and no other relevant legislation relevant to our customers was identified in this quarter.

  • A commencement of the Online Safety Act 2024 was published, but it relates only to video sharing services.
  • An amendment to the Investigatory Powers Act 2024 was published. The latter has no material impact on our customers. It builds on existing legislation and gives powers to law enforcement and intelligence services to conduct investigations
  • The Product Security and Telecommunications Infrastructure Act 2022 came in to effect on 29th April. This affects businesses manufacturing, importing or selling IoT devices. While we do not believe this directly impacts any of our customers, most will benefit to some extent through the enhanced requirements for securing IoT devices that the act places on those parties who do have obligations under the act, including greater password security on IoT devices

Other published

  • See above note regarding climate change amendments to ISO Management Systems
  • The EU has published Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence. The regulation comes in to force on 1st August 2024. Whilst it does not directly apply to the UK, organisations selling AI products within the EU will need to be aware of this regulation. It sets definitions for types of AI and prohibitions of specific types of AI that are forbidden. Rules for ‘high risk’ AI and transparency of AI risks are defined.
    • As reported in the April newsletter, the UK Government has been developing its own AI regulations. The Artificial Intelligence (Regulation) Bill, would have applied to UK organisations, but was dropped in May, due to the dissolution of Parliament for the General Election. It applied a lighter-touch ‘pro-innovation’ approach to AI. Some reports have suggested that a revised bill, likely to be more akin to the EU regulation (i.e. with stronger regulation) will be brought forward instead.

Microsoft

SANS Internet Storm Centre published the following summaries of Q1’s patch Tuesday releases from :-

Other

  • Microsoft developing zero-trust DNS for future versions of Windows. More here
  • NT LAN Manager (LNTLM) depreciated More here
  • Recall AI screenshot feature will be ‘Opt-In’, after backlash over security concerns. More here
  • PHP vulnerability actively exploited. More here

Apple

Details of Key apple updates and security fixes can be found on Apple’s security updates page

Linux, Android, Google

  • Google
    • Delays phasing out third-party cookies in Chrome to early 2025. More here
  • Linux kernel vulnerability actively exploited. More here

Roundup of recent posts by the National Cyber Security Centre (NCSC) and partner agencies

Categories Posts (Click to view)
AI Machine learning security principles updated
Cyber Essentials Pathways: exploring a new way to achieve Cyber Essentials certification
Cyber Essentials Cyber Assessment Framework 3.2
Governance/Guidance/General Information Raising the cyber resilience of software ‘at scale’
Governance/Guidance/General Information Business email compromise: new guidance to protect your organisation
Governance/Guidance/General Information Introducing the NCSC’s ‘Share and Defend’ capability
Governance/Guidance/General Information What’s happened to my data?
Governance/Guidance/General Information Guidance for organisations considering payment in ransomware incidents
Governance/Guidance/General Information Advanced Mobile Solutions (AMS) guidance trailer
Governance/Guidance/General Information Smart devices: new law helps citizens to choose secure products
Governance/Guidance/General Information ‘NCSC Cyber Series’ podcast now available on Spotify
Technical/Configuration Advice Business email compromise: defending your organisation

Information from the Information Commissioner’s Office and partner agencies

  • Online privacy notice generator for sole traders and small organisations published here
  • The Data Protection Practitioner’s Conference will be held on 8th October. More here

Noteworthy cyber incident and breach news in the quarter

This information is provided to raise awareness of the causes of incidents and breaches, so preventative action can be taken to prevent similar breaches in your organisations. It may also be helpful to keep your awareness-raising materials up to date and build business cases for information security investment

  • April (Most of April was captured in last quarter’s update)
    • Quantas, the Australian national airline, announced it was investigation a privacy breach on its app that allowed customers to see other customer’s personal details. More here
  • May
    • 80 stores closed by Canadian pharmacy chain London Drugs due to a cybersecurity incident. More here
    • 2.7 Million people affected by data breach of Financial Business and Consumer Solutions (FBCS), a US debt collection agencyMore here
    • 49 Million customers potentially affected by Dell customer database compromise. More here
    • UK and US Protected Healthcare Information (PHI) among information affected by cybersecurity incident at DocGo, a mobile medical care and ambulance service operating in the US and the UK. More here
    • 225,000 current and former UK military personnels’ information may have been affected following system breach of UK Ministry of Defence Payroll Contractor. More here
    • Zscaler took its test environment offline following a reported breach. More here
    • Europol investigated alleged breach of its Law Enforcement Info Sharing Portal. More here
    • Christies auction house website taken offline following security issue. Later confirmed data stolen. More here
    • Former provider of prescription services to Australia’s health network MediSecure disclosed ransomware attack. MediSecure had retained customer data after transition to a different provider several months earlier. More here
    • >2.4 Million users’ personal information compromised in breach of WebTPA Employer Services, a Texas-based company. More here
    • DDoS attack affected the Internet Archive and Wayback Machine. More here
    • 25,000 current and former employees of the BBC informed of personal data compromise following breach of cloud-hosted pension database. More here
  • June
    • One of the largest data breaches seen so far was revealed in early June. More than 165 clients of the Snowflake cloud provider suffered breaches of their cloud databases, exposing their own customers’ data. More here & here Affected clients, who have been named included
      • ‘Nearly all’ AT&T customer’s records breached, including call records from 2022 and early 2023. AT&T became aware of the breach in April, but delayed disclosure at the request of US law enforcement.
      • TicketMaster (560 Million customers’ records breached)
      • Santander (30 Million customers and staff affected)
    • Seven NHS trusts’ hospitals were affected by a breach of blood transfusion provider Synnovis, leading to shortages of Type O blood in London. Non-emergency surgery cancelled and patients sent home. More here
    • The New York Times’ source code was stolen and leaked after GitHub credentials inadvertently exposed. More here
    • 15,000 US car dealerships were affected by two CDK Global cybersecurity incidents in quick succession. CDK Global were reported to be contemplating paying the ransom, apparently tens of millions of dollars. More here

Highlights of new and emerging malware, techniques and other vulnerabilities in the quarter

This is not intended to be a comprehensive summary. Readers are strongly recommended to sign up for some of the more regular vulnerability news feeds available from SANS and other providers to stay abreast of emerging vulnerabilities in general and particularly those that may affect systems they use

  • In June the Arkansas Attorney General filed a lawsuit against the China-based discount online retail app Temu, alleging that it is malware secretly monetising unauthorised user data including camera, location, contacts, text messages and other information on users’ devices. More here
  • Okta has announced it detected unprecedented increases in credential-stuffing attacks, starting in early March. More here
  • Verizon has published its Data Breach Investigations Report for 2024, highlighting vulnerability exploits were up 180% compared to 2022 and human error still plays a part in most breaches. More here
  • VPN Bypass technique identified, affecting most VPN clients. More here
  • Antivirus update mechanism used to spread malware. More here
  • Cisco
    • ArcaneDoor espionage-focused campaign found targeting perimeter network devices. More here
    • Webex Meetings security advisory published. More here
    • Fix for Command Injection Vulnerability in NX-OS Software CLI. More here
  • Citrix publishes updates to fix NetScaler ADC and Gateway flaws. More here
  • SSID configuration vulnerability identified which could trick users to connect to unsecured networks. More here
  • Atlassian published fix for high-severity flaw in Confluence. More here
  • WordPress plugin vulnerabilities actively exploited. More here
  • Zyxel published fixes for critical firmware flaws in NAS devices. More here
  • UK homemade cell phone tower used to send phishing messages. Two arrested. More here
  • LastPass offline for 12 hours due to malfunctioning update of its Chrome extension. More here
  • GitHub users targeted in phishing campaign since February. More here
  • Veeam Recovery Orchestrator vulnerability identified. Upgrade advised. More here
  • Social engineering campaigns tricking Chrome, Word and OneDrive users in to installing malware by applying malicious PowerShell scripts. More here
  • VMware vCentre Server vulnerabilities More here
  • Critical vulnerability in MOVEit Transfer utility actively exploited. Update now. More here
  • Critical vulnerability in OpenSSH Server. More here
  • End of life D-Link routers attacked. More here

Other infosec news

  • Ghana, Singapore and Malaysia have all passed legislation requiring that cybersecurity companies and practitioners be licenced. More here
  • CISA will start to give more information as part of its CVE records. More here
  • MITRE EMB3D threat-modelling framework for embedded devices in critical infrastructure released. More here
  • Botnet exploiting >19 Million infected devices dismantled More here
  • Thousands of LockBit Decryption keys now available to victims from the FBI. More here
  • Kaspersky Software to be banned in US from 20th July 2024. More here

Environment

Legislative changes

No new principal legislation relevant to our customers was identified in this quarter.

The Packaging Waste (Data Reporting) (England) (Amendment) Regulations 2024 amended the Packaging Waste Regulations to cover drinks packaging, household packaging and exempted packaging, and to clarify definitions of persons with responsibilities under the regulations.

Other published

  • See above note regarding climate change amendments to ISO Management Systems

Health & Safety

Legislative changes

  • No new principal legislation and no other relevant legislation relevant to our customers was identified in this quarter.

Other published

  • See above note regarding climate change amendments to ISO Management Systems

If you would like to discuss any of the topics we have covered in this newsletter, or would like to know more about how PCML Consultants can help you with your Security, Quality, Environment, H&S and Business Continuity objectives, then please don’t hesitate to get in touch

Here are some more helpful links which may be of use