Edinburgh Napier launches spin-out to tackle growing ransomware threat
Tech entrepreneur Pete Jaco has been appointed Chief Executive Officer of a University spin-out geared to tackling the multi-billion pound ransomware market.
MemCrypt was spun out of research at Edinburgh Napier’s School of Computing with substantial backing from Scottish Enterprise, who supported the launch and early-stage funding requirements.
Jaco now takes the reins as the business steps up plans to launch innovative products to help customers and technology partners combat the threat posed by cyber criminals.
The co-founder of the Scottish Tech Army, who was awarded the British Empire Medal for his services to charity during the Covid-19 response, Jaco joins Chief Technology Officer Dr Peter McLaren (above) on the MemCrypt management team.
Edinburgh Napier’s Professor Bill Buchanan will continue to support MemCrypt as the company’s Chief Scientist while Dr Owen Lo will take the role of Technology Lead.
Ransomware – malware that encrypts files, giving the attacker scope to demand a ransom to restore access – is increasingly becoming the attack of choice for cyber criminals as it has a high chance of financial return coupled with a low chance of detection, and the threat is increasing daily.
MemCrypt, which follows earlier Edinburgh Napier cybersecurity ventures ZoneFox, Symphonic Software and Cyan Forensics in making the leap from research lab to the market, built early traction through its pre-launch involvement with Innovate UK’s CyberASAP programme accelerator.
MemCrypt also benefited from intensive, hands-on support, guidance and advice through Scottish Enterprise’s High-Growth Spinout Programme as it developed its value proposition, business plan and investment strategy. It also secured via the programme early-stage grant funding and, more recently, a substantial six-figure investment in the form of a Convertible Loan Note.
Jaco has worked in the UK SME start-up industry for over 20 years as CEO, non-executive director, advisor, and chair, supporting companies including Becrypt, Digital Shadows, Immense and CyberOwl.
He is also a member of the Industry Advisory Board for the Department of Culture, Media and Sports funded London based cyber security accelerator, The London Office for Rapid Cybersecurity Advancement (LORCA) and serves as a board advisor to the Scottish Government’s Digital Directorate’s CivTech GovTech innovation programme. He is also a member of the Scottish Cyber Innovation Hub advisory group managed by ScotlandIS Cyber, Scotland’s Cyber cluster.
Jaco said of his appointment: “I am delighted to join the MemCrypt team to help bring some truly innovative technology to market to help organisations across all sectors address the growing threat of ransomware.
“It is a privilege to work with Bill Buchanan and the Edinburgh Napier team to launch their fourth cyber security spin-out. We welcome the financial support of Scottish Enterprise which will help us to establish the company, build our first product demonstrators and accelerate our market engagement.”
Victoria Carmichael, director of Strategic Investments at Scottish Enterprise, said: “Edinburgh Napier has a track record of producing successful cybersecurity spinouts. We’ve backed MemCrypt and its predecessors with advice and investment and believe the company is poised to repeat that success under Pete’s leadership.
“Scotland’s spin-outs and start-ups will make a huge contribution to the country’s economic recovery. Having created a package of early-stage support to prevent their development being derailed by the pandemic, Scottish Enterprise continues to play a leading role in helping them fulfil their potential.”
Fiona Mason, Head of Business Engagement and IP Commercialisation at the University, said: “I’m delighted to see this level of support being given by Scottish Enterprise to one of our newest spin-outs. We value the recognition that SE has given and look forward to supporting the team as the company develops further.”
SEPA issues further update on cyber-attack, data theft, service delivery and recovery.
Ransomware attack remains ongoing as SEPA reiterates it will not engage with criminals intent on disrupting public services and extorting public funds.
Data likely to be stolen by international serious and organised cyber-crime groups has been illegally published online.
SEPA working to recover and analyse data then contact and support affected organisations and individuals over coming days and weeks as quickly as identifications confirmed.
Dedicated data loss support website, Police Scotland guidance, enquiry form and support line available for regulated business and supply chain partners.
Priority regulatory, monitoring, flood forecasting and warning services continuing to adapt and operate.
Broader update on service delivery and recovery to be confirmed early next week.
SEPA continuing to work with Scottish Government, Police Scotland, the National Cyber Security Centre and cyber-security specialists to respond to what remains complex and sophisticated criminality. Subject of a live criminal investigation.
The latest information on the cyber-attack, limited data loss and how to contact the agency is available at sepa.org.uk/cyberattack
The Scottish Environment Protection Agency (SEPA) has provided a further update on the ongoing ransomware cyber-attack which has significantly impacted the organisation since Christmas Eve.
The organisation reiterated that it will not engage with criminals intent on disrupting public services and extorting public funds.
As part of a broad update on data theft, service delivery and recovery, the environmental regulator confirmed that data stolen by what was likely to be international serious and organised cyber-crime groups has now been illegally published online.
In a previous update on 14 January (one of a series since the attack on Christmas Eve), SEPA confirmed the theft of circa 1.2 GB of data across four broad categories. To provide some context, by comparison the theft was the equivalent to a fraction of the contents of an average laptop hard drive. Nevertheless, it still means that at least 4,000 files may have been stolen by criminals.
“Supported by Scottish Government, Police Scotland and the National Cyber Security Centre, we continue to respond to what remains a significant and sophisticated cyber-attack and a serious crime against SEPA” said SEPA Chief Executive, Terry A’Hearn.
“We’ve been clear that we won’t use public finance to pay serious and organised criminals intent on disrupting public services and extorting public funds”, he added.
“We have made our legal obligations and duty of care on the sensitive handling of data a high priority and, following Police Scotland advice, are confirming that data stolen has been illegally published online. We’re working quickly with multi-agency partners to recover and analyse data then, as identifications are confirmed, contact and support affected organisations and individuals.”
The agency reiterated that whilst stolen data had now been illegally published and work was underway to analyse the data set, it does not yet know, and may never know the full detail of the 1.2 GB of information stolen.
Some of the information stolen will have been publicly available, whilst some will not have been. It confirmed that staff had been contacted based on the information available, were being supported and that a dedicated data loss support website, Police Scotland guidance, enquiry form and support line was available for regulated business and supply chain partners.
The agency also confirmed that priority regulatory, monitoring, flood forecasting and warning services were continuing to adapt and operate and that a broader update on service delivery and recovery would be confirmed next week.
Mr. A’Hearn added: “Sadly we’re not the first and won’t be the last national organisation targeted by likely international crime groups. We’ve said that whilst for the time being we’ve lost access to most of our systems, including things as basic as our email system, what we haven’t lost is our 1,200 expert staff.
“Through their knowledge, skills and experience we’ve adapted and since day one continued to provide priority regulatory, monitoring, flood forecasting and warning services. Whilst some systems and services may be badly affected for some time, step-by-step we’re working to assess and consider how we recover.
“We’ll issue a broader update on service delivery and recovery early next week, with weekly updates to be clear on what those we work with can expect and how we’ll prioritise progress.”
The agency stressed firm Police Scotland advice that organisations and individuals should not seek to search for the stolen information, as accessing the host site may place organisations, individuals and their computer infrastructure at risk.
Detective Inspector Michael McCullagh of Police Scotland’s Cybercrime Investigations Unit said: “This remains an ongoing investigation. Police Scotland are working closely with SEPA and our partners at Scottish Government and the wider UK law enforcement community to investigate and provide support in response to this incident.
“Enquiries remain at an early stage and continue to progress including deployment of specialist cybercrime resources to support this response.
“It would be inappropriate to provide more specific detail of investigations at this time.”
Jude McCorry, Chief Executive of the Scottish Business Resilience Centre, added: “There are many ways including ransomware a business can experience a cyber security incident, with varying levels of complexity and disruption. Cyber incidents can occur through deliberate targeting like we have seen with SEPA, or even human error, the end result is the same, a disruptive effect on business operations.
“At SBRC we are working in partnership with Police Scotland and Scottish government running the UK’s first collaborative cyber incident response helpline for organisations in Scotland.
“If you feel that you are a victim of a cyber attack your first call should be to Police Scotland on 101 to report the crime (whilst respecting your IT systems as a crime scene) and our incident response helpline on 01786 437472, we will assist you with immediate support and expert guidance, and ensure you are speaking to the correct agencies and organisations to help you feel supported and get you back in operation securely.”
SEPA will provide further updates as quickly as possible at www.sepa.org.uk/cyberattack as more information becomes available.
Whilst the agency continues to work hard to understand and resolve the issues, members of the public, regulated businesses and suppliers can find additional information and contact options via:
SEPA confirms ongoing ransomware attack likely to be by international serious and organised cyber-crime groups intent on disrupting public services and extorting public funds.
Cyber security specialists have identified the theft of circa 1.2 GB of data (equivalent to a small fraction of the contents of an average laptop hard drive).
Dedicated data loss support website, enquiry form and support line available for regulated business and supply chain partners.
SEPA working with Scottish Government, Police Scotland and the National Cyber Security Centre to respond to what is complex and sophisticated criminality. Subject of a live criminal investigation.
What is now clear is that with infected systems isolated, recovery may take a significant period.
A number of SEPA systems (including email) will remain badly affected for some time, with new systems required.
Priority regulatory, monitoring, flood forecasting and warning services are adapting and continuing to operate.
The latest information on the cyber-attack, limited data loss and how to contact the agency is available at sepa.org.uk/cyberattack
The Scottish Environment Protection Agency (SEPA) has confirmed it is continuing to respond to an ongoing ransomware attack likely to be by international serious and organised cyber-crime groups.
The agency also confirmed the theft of 1.2 GB of data and the support available to staff and affected partners, whilst reassuring the public that priority regulatory, monitoring, flood forecasting and warning services are adapting and continuing to operate.
The matter is subject to a live criminal investigation and the duty of confidence is embedded in law. The agency confirmed last week that following the attack at 00:01 Hrs on Christmas Eve, business continuity arrangements were immediately enacted and the agency’s Emergency Management Team was working with Scottish Government, Police Scotland and the National Cyber Security Centre to respond to what is complex and sophisticated criminality.
SEPA’s approach continues to be to take the best professional advice from the multi-agency partners, including Police Scotland and cyber security experts, to support its response.
The agency advised that, for the time being, it needed to protect the criminal investigation and its systems . Consequently some internal systems and external data products will remain offline in the short term.
Priority regulatory, monitoring, flood forecasting and warning services are adapting and continuing to operate.
Terry A’Hearn, Chief Executive of the Scottish Environment Protection Agency, said: “Whilst having moved quickly to isolate our systems, cyber security specialists, working with SEPA, Scottish Government, Police Scotland and the National Cyber Security Centre have now confirmed the significance of the ongoing incident.
“Partners have confirmed that SEPA remains subject to an ongoing ransomware attack likely to be by international serious and organised cyber-crime groups intent on disrupting public services and extorting public funds.”
What is now clear is that with infected systems isolated, recovery may take a significant period. A number of SEPA systems will remain badly affected for some time, with new systems required.
Email systems remain impacted and offline.
Information submitted to SEPA by email since Christmas Eve is not currently accessible and whilst online pollution and enquiry reporting has now been restored, information submitted in the early stages of the attack is currently not accessible.
Limited data loss
Despite systems being certified to UK Government security standards, cyber security specialists have also identified the loss of circa 1.2 GB of data.
Whilst, by comparison, this is the equivalent to a small fraction of the contents of an average laptop hard drive, indications suggest that at least four thousand files may have been accessed and stolen by criminals.
“We have prioritised our legal obligations and duty of care on the sensitive handling of data very seriously” said Chief Executive, Terry A’Hearn “which is why we have worked closely with Police Scotland, Scottish Government, the National Cyber Security Centre and specialist cyber security professionals day and night since Christmas Eve.”
“Work continues by cyber security specialists to seek to identify what the stolen data was. Whilst we don’t know and may never know the full detail of the 1.2 GB of information stolen, what we know is that early indications suggest that the theft of information related to a number of business areas. Some of the information stolen will have been publicly available, whilst some will not have been” said Mr. A’Hearn.
Information included:
Business information: Information such as, but perhaps not restricted to, publicly available regulated site permits, authorisations and enforcement notices. Some information related to SEPA corporate plans, priorities and change programmes.
Procurement information: Information such as, but perhaps not restricted to, publicly available procurement awards.
Project information: Information related to our commercial work with international partners.
Staff information: Personal information relating to SEPA staff.
“Staff members affected to date have been notified, are being supported and are being given access to specialist advice and services. Support, including specialist advice from Police Scotland and mitigation services, is also being offered to staff across the organisation.”
Working with cyber security experts, a dedicated team has been established to identify the detail of business or partner information loss and, where identified, direct contact will be made as quickly as possible with affected organisations.
This will happen across the coming days and weeks as and when more direct evidence of data loss specific to individual businesses and partners becomes apparent. Cyber security advice and guidance for businesses is available from the National Cyber Security Centre.
Links to this advice, along with the latest information on the cyber attack and limited data loss is available at sepa.org.uk/cyberattack
The site contains information on the scope of data thought to have been accessed, guidance from Police Scotland, a contact form and details of a dedicated data loss support line now available for regulated business and supply chain partners. The support line will not have additional information on affected organisations at this time.
Ongoing response
In addition to working to identify as much of the detail as possible in relation to the 1.2 GB of stolen data, the multi-agency response is focused on eradication, remediation and recovery.
Priority regulatory, monitoring, flood forecasting and warning services are adapting and continuing to operate.
Delivery of nationally important flood forecasting and warning products has continued, with flood alerts and warnings being issued with 24 hours of the attack on 24 December.
Contact centre and web self-help services are being slowly restored, including SEPA’s Floodline, 24 Hour Pollution Hotline and environmental event online reporting.
Regulatory teams continue to prioritise the most significant environmental events, high hazard sites and sites of community concern.
Teams are quickly working on interim ways to authorise regulated site activity, prioritising nationally important sectors such as food and drink, energy and waste.
That said, the agency confirmed that email, staff schedules, a number of specialist reporting tools, systems and databases remain unavailable with the potential for access to a series of systems and tools to be unavailable for a protracted period. The multi-agency response is working to five clear priorities:
Incident response;
Supporting staff;
Protecting priority services;
Protecting Scotland’s environment;
Protecting communities.
Regulatory Approach
In addition to ensuring the continued delivery of priority flood forecasting and warning services, SEPA’s regulatory approach will continue to prioritise supporting Scottish businesses, Scotland’s recovery, environmental events, high hazard sites and sites of community concern.
The agency will help businesses meet their environmental obligations and prioritise authorising economic activity and will continue its risk based approach to regulation, focusing the most effort on sites or sectors which require oversight or where there is a risk of criminality or organisations seeking to take advantage of the ongoing cyber-attack.
Mr. A’Hearn said: “Whilst the actions of serious and organised criminals means that for the moment we’ve lost access to our systems and had information stolen, what we’ve not lost is the expertise of over 1,200 staff who day in, day out work tirelessly to protect Scotland’s environment.
“Sadly we’re not the first and won’t be the last national organisation targeted by likely international criminals. Cyber-crime is a growing trend. Our focus is on supporting our people, our partners, protecting Scotland’s environment and, in time, following a review, sharing any learnings with wider public, private and voluntary sector partners.”
Further information
SEPA will provide further updates as quickly as possible at www.sepa.org.uk/cyberattack as more information becomes available.
Whilst the agency continues to work hard to understand and resolve the issues member of the public, regulated businesses and suppliers can find additional information and contact options via:
Detective Inspector Michael McCullagh of Police Scotland’s Cybercrime Investigations Unit said: “This remains an ongoing investigation. Police Scotland are working closely with SEPA and our partners at Scottish Government and the wider UK law enforcement community to investigate and provide support in response to this incident.
“Enquiries remain at an early stage and continue to progress including deployment of specialist cybercrime resources to support this response.
“It would be inappropriate to provide more specific detail of investigations at this time.”
More than 250 offences of communicating indecently with a child in Scotland in four months after lockdown began
UK Prime Minister told bring forward tough Online Harms legislation that combats crime and brings in meaningful sanctions for rogue tech firms
Online grooming crimes in Scotland were more than 30% higher while children were not at school during the Coronavirus pandemic compared with the same months last year, the NSPCC can reveal.
The new data shows Police Scotland recorded 268 offences of communicating indecently with a child from April 1 to July 31 this year compared to 203 crimes in the same period last year, with the true scale of the problem likely to be much higher.
Yesterday, Police Scotland revealed that it had seen an 18% rise in all online child sexual abuse crimes between April and September this year compared to the same period last year.*
The findings have led to renewed calls for Boris Johnson to get tough on tech firms that fail to do enough to prevent offenders exploiting their sites and abusing children.
Offences have also increased annually in the three years prior to lockdown. In total, there were 1,661 offences recorded by Police Scotland from April 2017 to March 2020, with experts saying poorly designed social media sites are putting children at risk.
The NSPCC warned the pandemic had created a perfect storm for online offenders and believes these figures could mark the start of a surge in online grooming crimes.
With ongoing Coronavirus restrictions across the UK and children spending more time at home and online, the charity believes that the risk of online abuse will continue to spike, and many more offences may come to light when children report them at school.
One girl who contacted Childline during the pandemic said: “I am 12 and I don’t have social media but I wanted to get online and chat to people since my friends had done it and told me it would be fun. It started off fine with the occasional ‘hi’ and then men started sending d*** pics and saying really personal things.”
The new data comes as the UK Prime Minister makes vital decisions about online harms legislation that will create a Duty of Care on tech firms, with an announcement expected within weeks.
It’s understood the Online Harms White Paper consultation response has been signed off by the UK Government’s Department for Digital, Culture, Media & Sport and the Home Office and is sitting with Boris Johnson.
The Prime Minister is being urged to ensure companies and named managers can be held criminally responsible for failing to protect children from avoidable harm and abuse.
The need for a bold and ambitious response from Government has been heightened by the knock-on effects of the pandemic.
Criminals are exploiting the fact that children are spending more time online and high-risk video chatting and livestreaming services have become more popular.
After years of failed self-regulation, many platforms were easily exploitable for groomers during lockdown, with many seeing the crisis as an opportunity to commit abuse.
The NSPCC wants the upcoming Online Harms Bill to compel firms to consider child protections when they design their sites to prevent harm rather than react once the damage is done.
But it is warning tough deterrents will be needed to make some of the world’s biggest companies stand up and listen, and is concerned the UK Government may not go far enough.
NSPCC Chief Executive Peter Wanless said:“Families have long paid the price for big tech’s failure to protect children from abuse, but the Prime Minister has the chance to turn the tide and put responsibility on firms to clean up the mess they created.
“As the pandemic intensifies the threat children face online, bold and ambitious action is needed in the form of a world-leading Online Harms Bill.
“This means legislation that is tough on online crimes against children and regulation that holds tech companies and bosses financially and criminally responsible if they continue to turn a blind eye to entirely avoidable harm.”
Detective Chief Superintendent Samantha McCluskey, head of Police Scotland’s Public Protection Unit, said: “The digital world opens up massive opportunities for us all.
“As a society it has become integral to our daily lives, particularly for children and young people, whose key means of communication during this pandemic has been online. It is important that we take every opportunity to ensure young people stay safe and are protected.
“Online predators will infiltrate those platforms and apps most used by children. Tech companies and service providers have a key role, and a responsibility, in ensuring young people can access their services safely and that predators are identified and dealt with before they can groom or abuse children in the virtual or real world. Working together we can make the online world safe for all children.”
Last month the NSPCC laid out six tests the UK Government’s regulation of social media will be judged on if it is to achieve bold and lasting protections for children online.
The charity said in order to make the UK a world-leader in child protection online, regulation must:
Create an expansive, principles-based duty of care
Comprehensively tackle online sexual abuse
Put legal but harmful content on an equal footing with illegal material
Have robust transparency and investigatory powers
Hold industry to account with criminal and financial sanctions
Give civil society a legal voice for children with user advocacy arrangements.
Instagram was the most used platform in child grooming crimes during lockdown, research by the NSPCC suggests.
New data shows there were more than 1,200 online grooming crimes recorded against children in the three months from April to June, with the true scale of the problem likely to be much higher.
The figures reveal how Instagram is increasingly being exploited by offenders. It was used in 37% of cases where the platform was recorded, compared with 29% over the previous three years.
The findings have led to renewed calls for Boris Johnson to get tough on tech firms that fail to do enough to prevent offenders exploiting their sites and abusing children.
Freedom of Information responses from 38 police forces in England and Wales show that 1,220 offences of Sexual Communication with a Child were recorded in the first three months of lockdown.
Facebook-owned apps (Instagram, Facebook, WhatsApp) were used in 51% of instances where the means of communication was recorded. Snapchat was used in 20% of instances for which data was available.
Russia’s military intelligence service, the GRU, conducted cyber reconnaissance against officials and organisations at the 2020 Olympic and Paralympic Games due to take place in Tokyo this summer before they were postponed, the UK has revealed.
The targets included the Games’ organisers, logistics services and sponsors.
The attacks on the 2020 Summer Games are the latest in a campaign of Russian malicious cyber activity against the Olympic and Paralympic Games.
The UK is confirming for the first time today the extent of GRU targeting of the 2018 Winter Olympic and Paralympic Games in Pyeongchang, Republic of Korea.
The GRU’s cyber unit attempted to disguise itself as North Korean and Chinese hackers when it targeted the opening ceremony of the 2018 Winter Games.
It went on to target broadcasters, a ski resort, Olympic officials and sponsors of the games in 2018.
The GRU deployed data-deletion malware against the Winter Games IT systems and targeted devices across the Republic of Korea using VPNFilter.
The National Cyber Security Centre (NCSC) assesses that the incident was intended to sabotage the running of the Winter Olympic and Paralympic Games, as the malware was designed to wipe data from and disable computers and networks.
Administrators worked to isolate the malware and replace the affected computers, preventing potential disruption.
Foreign Secretary Dominic Raab said: “The GRU’s actions against the Olympic and Paralympic Games are cynical and reckless. We condemn them in the strongest possible terms.
The UK will continue to work with our allies to call out and counter future malicious cyber attacks.
The UK has already acted against the GRU’s destructive cyber unit by working with international partners to impose asset freezes and travel bans against its members through the EU cyber sanctions regime.
Today (Monday 19 October), the US Department of Justice has announced criminal charges against Russian military intelligence officers working for the GRU’s destructive cyber unit – also known by the codenames Sandworm and VoodooBear – for conducting cyber attacks against the 2018 Winter Games and other cyber attacks, including the 2018 spear phishing attacks against the UK’s Defence Science and Technology Laboratory (DSTL).
The UK attributed the attacks against DSTL, which followed the Salisbury poisonings, to Russia in 2018.
Memcrypt follows earlier University cybersecurity ventures ZoneFox, Symphonic Software and Cyan Forensics in making the leap from research lab to the market.
Ransomware – malware that encrypts files, giving the attacker scope to demand a ransom to restore access – is increasingly becoming the attack of choice for cyber criminals as it has a high chance of financial return coupled with a low chance of detection, and the threat is increasing daily.
However, the University’s cryptography experts are developing new methods of detecting ransomware as it runs. This will provide new ways of stopping the ransomware from infecting systems before it has a chance to spread.
The team’s work is part of Innovate UK’s CyberASAP programme accelerator, and is also supported more recently by Scottish Enterprise’s High Growth Spin-out Programme – the early stage growth challenge fund.
Memcrypt has evolved around a technical team of Professor Bill Buchanan, Dr Peter McLaren, Dr Owen Lo and Dr Gordon Russell, and a core business team of Dia Banerji (Imagine Ventures Ltd) and Matt Burdge (the Business Development and Relationship Manager supporting the School of Computing), as the University seeks to repeat earlier successes in converting ground-breaking research into high impact spin-outs.
Threat analytics spin-out ZoneFox has since been acquired by US giant Fortinet, and Symphonic Software and Cyan Forensics have also scaled up to become players in the international marketplace.
At the heart of Memcrypt lies Dr Peter McLaren’s PhD work, the first to discover the presence of the key schedule of a popular encryption method – ChaCha20 – within running memory on the computer. Another team member, Dr Owen Lo, earlier showed that encryption keys could be discovered just by listening to the electrical noise created by a device.
Dr McLaren said: “The core of our approach is to search for things that look completely random with memory, and mark these as suspicious.”
Dia Banerji said: “Ransomware attacks can have a debilitating effect on businesses, often leading to loss in revenue, falling share prices and reputational losses. We aim to better protect those at risk, and work with law enforcement agencies on improving their responses to these attacks.”
Professor Bill Buchanan (above), who played a key role in the research which paved the way for Edinburgh Napier’s earlier cybersecurity spin-out successes, added: “Ransomware affects virtually every market sector, and can affect every size of company. While building our company in Edinburgh, we aim to scale on an international basis.”
Fiona Mason, Head of Business Engagement and IP Commercialisation at the University, said: “We are delighted that our emerging spin-outs are recognised by CyberASAP and by Scottish Enterprise.
“Our success here is testament to the entrepreneurship, commitment and creativity of the University’s academic staff and students, supported by our talented Business Engagement and IP team in the Research Innovation and Enterprise Office who worked tirelessly to bring these opportunities to life.
“Over the last 10 years, our School of Computing has achieved three successful cyber spin-outs; ZoneFox in 2010, Symphonic in 2013 and Cyan Forensics in 2017.
“All of these spin-outs are currently in operation and growing, with ZoneFox having been acquired by the NASDAQ-listed US company Fortinet. This success is further highlighted in a UK government-backed report from The London Office for Rapid Cybersecurity Advancement (LORCA), which listed Edinburgh Napier in the top six universities that have contributed to the cybersecurity spin-out ecosystem.
“We believe Memcrypt will be our next game-changer.”
Which? is calling for enforcement of tough penalties for firms that fail to prevent data breaches, as new research from the consumer champion reveals the shocking scale of data theft following cyberattacks.
When data breaches occur, opportunistic fraudsters can then go on to buy stolen information such as passwords or credit card and bank details, as well as using other personal details to pose more convincingly as victims’ banks and other trusted organisations.
Now worryingly a new Which? survey suggests that these problems are rampant – revealing that almost half (46%) of people whose data was stolen by hackers then went on to experience fraud.
This was out of around a quarter (23%) of 1,369 Which? members who said they’d had their data compromised following a breach involving a company or organisation.
Which? also heard from people who said that they’d not only lost money but seen their mental health impacted in the aftermath of being involved in a data breach. These victims have also struggled to get any form of redress from the companies that failed to protect their personal data.
Jamie, a British Airways customer, had his trip of a lifetime ruined when he became one of the 500,000 customers whose names, email addresses and card details were stolen by cybercriminals. When he arrived for his holiday in Thailand he found that RBS had frozen his account, saying there had been a lot of suspicious activity including someone attempting to take £15,000 from his account, and Nationwide had also blocked his debit card.
Jamie said he suffered immense stress at the time and two years on he is still fighting to get compensation back from BA for his ruined holiday, he has even joined a group action claim against the airline, but is yet to receive any redress.
BA told Which?: “At the time, we notified all potentially affected customers as quickly as possible, advising them to contact their bank or card provider as a precaution.
“We confirmed that any customers who suffered direct financial losses as a result of the attack would be reimbursed, and offered credit rating monitoring, provided by specialists in the field, to any affected customer who was concerned about an impact to their credit rating.
“This was a unique case which we investigated at the time and could find no evidence that the fraud was attributable to the cyber-attack. A response to the relevant customer’s concerns was provided at the time.
“To date, we have identified no verified cases of fraud as a result of the attack.”
Which? has also heard from an easyJet customer who was disappointed that even though the company became aware of a huge data breach in January 2020, the airline said that it was only able to start informing customers in April.
Brendan, an easyJet customer, told Which? that he received a suspicious looking email from the company in June. “It looked like a standard easyJet email, but the links wouldn’t work, which I found strange. It also said, ‘you’ve cancelled your holiday to Spain’, which wasn’t true.” EasyJet had in fact cancelled Brendan’s holiday prior to this email.
Unsure whether the email was fraudulent, particularly given the many scammers looking to take advantage of the Covid-19 pandemic, Brendan tweeted easyJet but didn’t receive a response.
EasyJet later confirmed to Which? the email was genuine. However, it did not make an effort to resolve this with Brendan at the time, who felt let down by the response given the huge data breach the airline had experienced. Even though easyJet became aware of the breach in January 2020, it didn’t start to inform customers until April.
Brendan said. “It’s taken no responsibility. I’m worried that my data is out there, possibly being passed around on the dark web.”
He would rather have asked for a refund, instead of rebooking, if he had known there was a data breach. He added: “I’ve become overly cautious and it’s caused a lot of disruption. Here’s a business we’ve freely given our information to and the security issues are really concerning.”
He feels the airline has taken no responsibility and is worried his data is out there, possibly being traded by criminals on the dark web.
This year has seen some huge data breaches take place. EasyJet told around 9 million customers that their data had been compromised in a breach. Marriott also hit the headlines for losing around 5.2 million people’s contact and personal information – announcing its second data breach in three years.
And more recently the cyberattack on software company Blackbaud has left students and charity donors concerned their records have fallen into the hands of criminals.
EasyJetresponded: “We are sorry that the customer’s tweet about an email regarding their holiday was not responded to. This was as a result of human error and is not the level of service we expect for our customers.
“The email the customer tweeted about was an automatically generated email from easyJet holidays in response to the customer’s request to cancel their holiday. Our team has now been in touch with this customer to reassure them that the email he received was genuine and not fraudulent.
“At easyJet we take the safety and security of our customers’ information very seriously. As soon as we were able to do so, we notified and provided support to the small number of customers whose payment card data was compromised, offering them complimentary 12-month membership to an identity monitoring service.
“Out of an abundance of caution, we also sent phishing alert emails to approximately 9 million customers and have provided support to them via a dedicated customer service team. Our customer experience continues to be a key priority and our wider IT transformation strategy focuses on optimising that experience.
“The nature of the attack meant that it took time for easyJet to identify whether, and if so to what extent, personal data had been affected. We could only inform relevant customers once the investigation had progressed enough that we were able to identify whether any individuals potentially been affected, then who had been affected or potentially affected, and what information had been accessed or potentially accessed.
“It is, of course, regrettable that this cyber-attack took place, but it does not mean that easyJet was at fault or that customers are entitled to compensation under the compensation provisions set out in the General Data Protection Regulation.”
As part of its investigation, Which? also asked its members to submit their email addresses to haveibeenpwned.com, a website that tells you if your email address has been involved in a data breach.
Which? had 515 members take part, submitting a total of 610 email addresses. It was revealed that 79 per cent had experienced at least one breach. Of those, the average number of breaches per email address was 3.7. One address had been in 19 breaches.
Despite all of this, the ramifications for firms that fail to protect their customers’ data are limited. The ICO announced its intention to fine BA £183 million for its 2018 breach and Marriott just under £100 million for losing around 339 million guest records. However, the deadlines to issue the fines were extended and both companies are expected to appeal. The IAG Group, which owns BA, released a report in June, estimating the fine would be €22 million.
Currently victims have limited options to seek redress when data breaches occur. Although under GDPR consumers have a right to claim compensation if they have suffered damage as a result of an organisation breaking data protection law, doing so isn’t always easy. The ICO advises victims to take independent legal advice and to try to settle with the organisation first. If this fails, victims may be able to make a court claim – either independently or through a group action claim, where claimants join together to seek redress.
Which? is calling for the ICO to actually issue intended fines when organisations breach data protection law, otherwise firms may continue to treat customers, and their sensitive personal data, with disregard.
Which? also wants the government to implement provisions in the GDPR to allow not-for-profit organisations to bring collective redress action on behalf of consumers for breaches of data protection rules – without them having to opt-in to a group case or bring the case themselves.
This would help to support and enforce the rights of consumers, making it easier for victims of data breaches to secure adequate redress, and create further incentives for businesses to improve their data processing mechanisms.
Jenny Ross, Which? Money Editor, said:“Whether we’re shopping online, booking a holiday or signing up to a new mobile phone contract, we have to trust the companies we deal with to protect our details – and if things go wrong we need to know that businesses are held to account.
“We need the ICO to be a regulator with teeth that is prepared to step in and issue fines in the event of companies breaking data protection laws, to ensure more businesses better protect consumers from data breaches.
“Consumers should also have a much clearer route to redress when they suffer the financial and emotional toll of data breaches – and that’s why the government must allow for an opt-out collective redress regime that deals with mass data breaches.”
Further details on opt-out collective redress action
The government has the power to facilitate better redress by implementing Article 80(2) GDPR in its upcoming review of the Data Protection Act 2018. This would then allow not-for-profit organisations such as Which? to bring collective redress actions on behalf of people on an ‘opt- out’ basis, without those consumers each having to bring – or to appoint a representative body to bring – an individual case against the company involved.
A properly implemented redress system would ensure that people could trust that harm suffered as a result of data breaches would be remedied and would simultaneously act as an incentive for companies to improve their data handling processes – resulting in fewer breaches.
DCMS is consulting on the operation of the ‘representative’ action provisions of the Data Protection Act 2018.
Which? advice to consumers on protecting their data
Password manager – Many services now alert you if your passwords have been compromised. As services such as Lastpass and Dashlane can be used for free, there’s no reason not to use a password manager.
Two factor/multi-factor authentication (2FA/MFA) – Wherever possible turn on 2FA/MFA to increase security, particularly if your account holds your financial information. Don’t use SMS but use an authenticator app or even a hardware token if possible.
Credit card details – Don’t save your credit card details if you aren’t going to use the service regularly. Although it’s a faff to resubmit them, that’s better than having your financial information unnecessarily stored in a database that could be compromised.
Guest checkout – Similarly to the above, just checkout as a guest if you aren’t going to use the service that often. Only create an account if you really need to.
One hundred offenders have been arrested in the past six months and 180 children have been protected as a result of Police Scotland investigations into online child abuse.
Officers from Police Scotland’s Internet Investigations Unit have prepared over 350 National Online Child Abuse Prevention (NOCAP) packages since January.
NOCAP packages provide intelligence and evidence which underpins investigations carried out by both Police Scotland’s National Child Abuse Investigations Unit and local policing divisions to identify and apprehend online child abusers.
Assistant Chief Constable Duncan Sloan, Major Crime and Public Protection lead for Police Scotland, said: “Online child sexual abuse is a national threat with advancements in technology, online functions and platforms giving predators ever evolving opportunity to target children. “Behind every downloaded image, every attempt to groom or to extort, is a child being victimised by a faceless predator.
“As today’s figures show, predators are not anonymous. Every action leaves a trace, and we will work with our partners, nationally and internationally, to track you down.“You will be caught and you risk losing everything.
“Tackling online child abuse is a priority. We draw on specialist resources from across our organisation to gather intelligence, to carry out digital forensic examinations and to support our investigations.
“And we will continue to improve our response: investing resources, using the latest technologies and taking action to identify and apprehend those who pose a threat to our children.”
Police Scotland works with a wide range of partners, nationally and internationally, and from all sectors including law enforcement agencies, internet service providers and third sector organisations, to identify perpetrators, to tackle the threat and to build safer online communities.
Thousands of people could be conned if they don’t pay attention, says leading tax and advisory firm Blick Rothenberg.
Fiona Fernie, a partner at the firm said: “Within hours of the Government’s Coronavirus Job Retention Scheme (CJRS) there was significant activity by cybercriminals trying to cash in on the scheme.
“These were in the form of emails that purported to come from the Government and suggested that HMRC needed bank account details into which the grant should be paid.
“The wording most commonly used to-date is:
‘Dear customer, we wrote to you last week to help you prepare to make a claim through the Coronavirus Job Retention Scheme. We are now writing to tell you how to access the COVID-19 relief. You will need to tell us which UK bank account you want the grant to be paid into, in order to ensure funds are paid as quickly as possible to you’.
Fiona added: “Most scams focus on obtaining the banking details of the recipient either by suggesting they can claim some kind of financial benefit from following the instructions in the correspondence, (for example a tax refund to help protect themselves from the Coronavirus outbreak, a goodwill payment from HMRC or a large sum of money in return for a set-up payment), or that they have a ‘fine’ to pay as a result of some misdemeanour: such as leaving the house more than once a day during lock down.
“The most frequent forms of communication are emails and text messages purporting to come from Government or HMRC officials and are designed to lure the recipient into precipitate action before thinking carefully about the substance of the message.
“People should be aware that neither HMRC specifically nor Government more widely communicates with individuals either by email or by text, unless you have signed up to the relevant protocol with them. Certainly, payments that can be claimed by taxpayers or fines that can be imposed are not dealt with in this way.”
Fiona warned: “The communications are designed to look entirely legitimate and as well as using official logos, fraudsters change the ‘display name’ on their email address to only show the name of the body they purport to represent. They are very clever.
“It is imperative to treat any email or text apparently received from an official body with extreme caution – if you are taken in it could be a very costly mistake.
“WhatsApp or social media messages are also used by cybercriminals and should be treated with similar caution.”
So, what should you do if you receive one of these messages?
Fiona lists below some of the things that you can do to protect yourself:
Do not reply to these emails, texts, WhatsApp or social media messages
Do not call the phone number listed in an email or text
Do not click on any links or open any attachments in emails
Do not provide any personal or financial details
If in doubt about whether an email or text is genuine, click on/hover over the ‘display name’ email address from which you have received the email. This will show you the full details of the sender and will make it clear whether the email is from a genuine Government or HMRC source
If you are in doubt about the source of one of these messages which appears to be from HMRC, forward it to them. You can do this via email at phishing@hmrc.gov.uk or via text at 60599 (network charges apply) and then delete it.
Fiona said: “In addition, the National Cyber Security Centre (NCSC) has recently launched a reporting service urging the public to forward any questionable emails to report@phishing.gov.uk. The NCSC’s automated scanning system then checks them, and immediately shuts down and removes criminal sites.
“However, there are other scams which are even less easy to spot, and which are designed to play on the other major anxiety caused by the Coronavirus pandemic – protecting our health.
“Of the over 2,000 online coronavirus scams which have been removed over the last month by the NCSC, almost 500 were fake online shops selling personal protective equipment items such as gloves and face masks which either never arrive or do not meet the required standards. Some of the sites also distribute malware which damages the computer systems of those who visit the sites.
“Even charities are at risk: some have been contacted by fraudsters claiming to be from an organisation able to provide helpful information such as a list of ‘at risk’ elderly people in the community who may require support from the charity. The recipient is then directed to click on a link leading to a fake website or a request to make a cryptocurrency (such as Bitcoin) payment, to enable the release of the information.”
Fiona said: “The messages are not confined to scams allegedly coming from this Government; one received yesterday by a colleague purported to come from the National Crime Investigation Center, USA which is part of the FBI – it was another scam.”
Dear Scam victim,
This is National Crime Investigation Center USA.
In our investigations from banks on International and National Funds Transfer (INFT) protocols in the past 10 years from all banks worldwide. We have come across your contact details and records with one of these Banks. In view of the carried investigations, we have contacted you confidentially for vital information toward your transaction with this bank. It was clear that the bank have delayed your payment thereby looking for a means to divert your fund to different individual account not belonging to you.
However, all bank officials who mishandled your transaction has been duly sacked and management dissolved and dismissed from bank work as a result of this attempt. Upon our investigation conclusion, we found out that your transaction was legitimate and for this reason, a compensation amount of $3,150,567.00 (Three million one hundred and fifty thousand, five hundred and sixty seven dollars) has been allocated to you for immediate payment through our accredited bank, Federal Reserve Escrow.
Kindly contact the compensation paying officer with the below details.
Fiona said: “Sadly, there are always those who are happy to exploit the problems of others to their own advantage. Despite the many pressures we are all under in these difficult and unprecedented times: we must be vigilant so that we do not become their victims.”
Businesses and projects in Edinburgh are being advised to put in place stricter rules around passwords to protect staff and systems, as the country switches to home-working amid the coronavirus pandemic.
Following UK Government advice for businesses to work from home where possible, due to the rise in cases of COVID-19, the Scottish Business Resilience Centre (SBRC) is warning employers how this can increase an organisation’s vulnerability to cyber-attacks.
This was demonstrated just weeks into the COVID-19 outbreak, with scammers already capitalising on fear and system frailties, and scams relating to the virus costing UK businesses nearly £970,000.
SBRC is advising businesses to quickly and easily increase their security by using password manager software and implementing a two-factor authentication.
Declan Doyle, Ethical Hacking Consultant at SBRC, said: “We’ve seen a huge increase in the number of phishing scams since the outbreak of the virus – including fraudulent emails targeting businesses about fake Government tax rebates and Coronavirus funding.
“Criminals are very smart, and as much as we can find, identify and shut down scams, the best course of action is to tell people what to look out for and give them advice to follow to minimise the risk of falling victim to these traps. Increasing your online security is one way to do this.”
Eamonn Keane, Chief Operating Officer for Cyber and Innovation at SBRC, said: “The last thing any business battling the impact of coronavirus needs right now is a crippling cyber-attack.
“The prospect of thousands of temporary home workers, potentially accessing a range of vital business servers and applications from vulnerable home internet connections, or using old or inadequate laptops or PCs, is a scary one.
“One of the easiest ways for businesses to avoid cyber-attacks is to set up a password manager to secure, store and generate passwords for your team which can be accessed across various devices.
“Attackers use different techniques beyond hacking to discover passwords, including phishing, automated guessing using the most commonly-used passwords, manual guessing and intercepting networks. Password managers and two-factor authentication can easily put a stop to a lot of these tactics.”
Andy Maclaren, Head of IT Services at SBRC partner, Consider IT, said: “Password managers typically generate a long, secure and unique password for each website a user logs into, avoiding reusing passwords across different websites.
“This way, if a particular website’s database is hacked or leaked, attackers won’t be able to use the same log in details to access all of the other services your email address has signed up to.”
Two-factor authentication asks users for their password as normal, but also asks users to provide a second piece of information such as a code sent to an email address, or a fingerprint scan on a phone.
Eamonn added: “Two-factor authentication is just another way of ‘double-checking’ you are who you’re claiming to be when you’re logging into business accounts – meaning even if someone hacks or gains access to your password, they won’t necessarily be able to access your accounts.
“At SBRC, we endeavour to maintain Scotland’s reputation as a safe place to do business, so we will do everything we can to keep our partners, members and the public as up to date as possible in these uncertain and ever-changing times.”
The Scottish Business Resilience Centre is a non-profit organisation which exists to support and help protect Scottish Businesses.
To ensure Scotland remains a safe place to live, work and do business, SBRC will be regularly sharing COVID-19 developments and advice from Scottish Government, their partners and members as they happen.
Over the coming weeks SBRC will be holding a series of 60-minute webinars aimed at helping Scottish businesses prepare and survive the human and commercial impacts of COVID-19.
SBRC maintains a unique connection to Police Scotland, Scottish Fire and Rescue Service and Scottish Government, which gives the organisation exclusive access to the latest information to advise citizens and businesses how to interact safely.