Last week’s security news focused on the EU Digital Operations Resilience Act (DORA). Despite organisations having had two years to prepare, they admit they are unprepared. Financial services firms appear to be banking on regulators’ inability to enforce DORA.

In related news, Azul reassured customers worried about DORA and their Java code. Java makes up 51% of the code running in core financial services IT environments. The company says its OpenJDK fully supports DORA requirements and can support older versions of Java, giving IT departments time to rewrite applications.

Green Raven also released more research from its Dark Side of Cybersecurity report. It says supply chain cybersecurity is a major headache for CISOs in financial services organisations as they prepare for DORA.

Dragos

Dragos and Yokogawa Electric Corporation have entered into a global partnership to strengthen cybersecurity in industrial systems. The Dragos Platform has been validated inside the Yokogawa CENTUM VP distributed control system (DCS). It means customers will benefit from both applications to protect their environments.

Robert M. Lee, CEO and Co-founder of Dragos, said, “This partnership with Yokogawa marks a significant milestone in our mission to secure industrial environments worldwide.

“By combining Dragos’s industry-leading OT cybersecurity Platform with Yokogawa’s extensive expertise in industrial automation, we’re providing organizations with unparalleled visibility and protection for their critical infrastructure.”

Europol

Europol invited 80 financial experts from around the world to participate in Project A.S.S.E.T. (Asset Search & Seize Enforcement Taskforce). The goal was to increase the volume of criminal assets seized globally. 28 countries sent representatives, and in just five days the taskforce seized €200,000 in cryptocurrencies and identified:

  • 53 properties, 8 of which were valued at EUR 38.5 million;
  • Over 220 bank accounts, including one with a US $5.6 million balance;
  • 15 companies, over 20 yachts and luxury vehicles, 4 of which were valued at more than EUR 600,000;
  • 83 cryptocurrency addresses and wallets.

FBI

The FBI led an international operation to delete Chinese malware (PlugX) from 4,258 infected computers and networks in the US. The operation was carried out with assistance from French cybersecurity company Sekoia.io. The operation sent commands to PlugX that instructed it to uninstall itself from infected computers.

Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division said, “This operation, like other recent technical operations against Chinese and Russian hacking groups like Volt Typhoon, Flax Typhoon, and APT28, has depended on strong partnerships to successfully counter malicious cyber activity.”

US Federal Trade Commission

The FTC has taken action against General Motors and OnStar for sharing detailed geolocation data and customers’ driving behaviour without consent. The data was shared with credit agencies, which passed it on to insurers to help them set driver insurance rates. GM and OnStar are now banned from disclosing geolocation and driving behaviour to consumer reporting agencies.

FTC Chair Lina M. Khan said, “GM monitored and sold people’s precise geolocation data and driver behaviour information, sometimes as often as every three seconds. With this action, the FTC is safeguarding Americans’ privacy and protecting people from unchecked surveillance.”

National Cyber Security Centre

The National Cyber Security Centre (NCSC), alongside agencies from the Five Eyes intelligence and security alliance and European partners, has issued new advice today (Monday), which sets out key security considerations for organisations when purchasing OT products.

Jonathon Ellison, NCSC Director of National Resilience and Future Technology, said, “As cyber attackers increasingly target operational technology around the world, it has never been more vital for critical infrastructure operators to ensure security is baked into the systems they use.

“This new guide gives organisations practical advice on how to prioritise OT products that are secure by design when making purchasing decisions, helping to mitigate the very real cyber threats they face.”

noyb

noyb has filed GDPR complaints against TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi for unlawful data transfers to China. While four of them openly admit to sending Europeans’ personal data to China, the other two say that they transfer data to undisclosed “third countries”. The complaints have been filed with the DPA in countries where the companies are based.

UK Department for Science, Innovation and Technology

The UK Department for Science, Innovation and Technology has said that UK taxpayers are missing out on £45 billion in productivity savings. The details are in a report that will be released on the 21st of January 2025. It will say that public sector workers are being held back by archaic technology and will blame the previous government for not embracing technology faster.

UK Home Office

The UK Home Office has issued a proposal to reduce the impact of ransomware on businesses. Rather than offer a practical solution to improve security, it wants to make payments by public sector bodies and organisations operating critical national infrastructure illegal. It also wants to bring in mandatory reporting of any ransomware intelligence to improve the intelligence available to law enforcement.

US Department of Justice

Inheritance Fraud

A Nigerian national, Okezie Bonaventure Ogbata, has pleaded guilty to an inheritance fraud scheme. He was a member of a group of fraudsters that sent personalized letters to elderly victims in the United States over several years. The letters told them they were entitled to a multimillion-dollar inheritance from a family member who had lived in Spain.

To get the inheritance, victims were told they had to pay for documents, taxes and other items upfront. Once the money was paid, there was always another roadblock that required more money. Over 400 victims paid a total of $6 million to the gang.

Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division, said, “The Justice Department’s Consumer Protection Branch will continue to pursue transnational criminals wherever they are located.

“This case is a testament to the critical role of international collaboration in tackling transnational crime. I want to thank the members of the U.S. Postal Inspection Service (USPIS) and Homeland Security Investigations (HSI), as well as the Portuguese Judicial Police and Public Prosecution Service of Portugal, for their outstanding contributions to this case.”

Antitrust Scrutiny Avoidance

The Justice Department filed a civil lawsuit against global investment firm KKR and over a dozen of its investment advisors and funds. It alleges that they repeatedly sought to evade antitrust scrutiny of deals they were undertaking. Many of those deals involved buying out competitors to existing KKR portfolio companies, thereby strengthening their control over the market.

The complaint lists 16 separate transactions, including the $6.9 billion acquisition of Applovin, the $3.75 billion acquisition of Barracuda Networks and the proposed acquisition of OutSystems for between $202 million and $779 million. In addition to failing to file documents, KKR and the other defendants are accused of deliberately deleting data and altering documents. All of this was done to ensure the acquisitions were not investigated.

This lawsuit covers the years 2021 and 2022. It is unknown whether the Justice Department plans to examine other periods and deals.
