30th Floor, North Tower, Beijing Kerry Centre, 1 Guanghua Road, Chaoyang District, Beijing, 100020
+86 10 8519 0011
50th Floor, Central Plaza, 18 Harbour Road, Wan Chai, Hong Kong
+852 2521 5621
Room 4605, Park Place, 1601 Nanjing West Road, Jing An District, Shanghai, 200040
+8621 6321 1166
Suite 2405, 24/F, SCIA Tower, Qianhai Shenzhen-Hong Kong Modern Service Industry Cooperation Zone of Shenzhen, Shenzhen, 518000
+86 755 6123 5666
Select your language
Please accept the geolocation request appearing in your browser
Find other officesOUT-LAW NEWS 2 min. read
01 Dec 2021, 11:27 am
An annual review of incidents worked on by the cyber team at Pinsent Masons (20-page / 4.89MB PDF) has identified a marked increase in the number of cyber incidents in which an intrusion into corporate systems had originated with a cybersecurity breach at a supplier, compared to the previous year.
Julia Varley, a member of the cyber team at Pinsent Masons, said that requiring suppliers to notify cybersecurity incidents they experience is important because of the incident and data breach reporting obligations businesses face, such as in heavily regulated industries like financial services and energy, but also under more general legislation such as the General Data Protection Regulation (GDPR) which sets out strict timeframes for reporting breaches to regulators.
“We have seen a number of ransomware incidents affecting clients’ data processors,” Varley said. “We advised several clients whose data was impacted in the ransomware attack on Blackbaud, a technology provider that operates and supports the online donation technology platforms and databases for a large number of organisations worldwide. As part of the attack a backup file containing data relating to Blackbaud's clients was exfiltrated by the attacker. We advised several clients on the impact on their obligations as data controllers and consequent reporting obligations under the GDPR as well as other regulatory regimes.”
“In supply chain based cyber incidents, data controllers are heavily reliant upon the data processor or managed service provider to provide information and support during the course of a cyber event. However, many controllers will also – at an early stage – want to consider the potential legal recourse against such a third party, particularly in circumstances where there is clear evidence of a vulnerability the third party should have protected against,” she said.
Varley said that Pinsent Masons had also been engaged in work in relation to the SolarWinds and Kaseya cyber attacks, which targeted software supplied to a large number of organisations.
Varley said: “In the SolarWinds incident, attackers inserted malware into software updates. When customers downloaded these updates, they inadvertently downloaded malware onto their systems, which created a backdoor for the attackers to access the customers’ systems and deploy further malware. Similarly, the Kaseya attack involved the leveraging of a vulnerability in Kaseya’s virtual system administrator software which was used by a number of managed service providers to administer their customers’ network. Through this vulnerability, attackers were able to access and encrypt the provider’s end customer systems,” she said.
According to Pinsent Masons, most cyber incidents are identified internally by the organisation. However, over the last year there has been a jump in the proportion of incidents reported to an organisation by suppliers or other third parties. This happened in 39% of the cases Pinsent Masons’ cyber team worked on in the last year, up from 22% in the previous 12 months.
Pinsent Masons’ cyber team’s annual report for 2021 also identified the heightened cyber risk for businesses that has arisen from the growth in home working.
Varley said: “The Covid-19 pandemic which resulted in enforced home working around the globe provided greater opportunity for attackers as an increasing number of functions were moved online at very short notice, resulting in overloaded IT teams, stretched security monitoring protocols / software and slower incident detection. We have seen a number of serious incidents arising because of a lack of security being applied by organisations when employees are working outside of the normal office environment. Vulnerabilities in VPNs or remote desktop protocols appear to have been more readily exploited when employees are working remotely.”
Growth in compensation claims raised by or on behalf of data subjects, and a rise in the use of malware attacks, and in particular ransomware, was also identified by Pinsent Masons’ cyber team over the past 12 months. The report also identified the use of increasingly sophisticated phishing emails by cyber criminals.
“Some phishing emails are very realistic and authentic,” Varley said. “We have seen attackers use more sophisticated methods of phishing campaigns, through the sending of phishing emails from genuine accounts of organisations in a client’s supply chain. These can be very difficult to identify the threat. However, we continue to see intrusions arising out of phishing emails, which should be much easier to spot, particularly by individuals who have received phishing awareness training.”
“The key to guarding against these types of attack remains largely down to educating employees through methods such as conducting simulated phishing campaigns to raise awareness. In addition, we recommend the use of multi-factor authentication across systems, maintaining robust back-ups, and adopting principles of least-privilege and network segregation to protect against an attacker moving laterally through the IT estate,” she said.
Contact an adviser
Stay ahead by signing up to our weekly email of news and expert analysis, tailored for you
Data, privacy & cyber
Valid email address
Thanks, we have sent an email to
Please check your inbox to confirm your subscription. The confirmation email may take up to 15 minutes to arrive.
• Check your spam or junk folder
• Ensure your email address was entered correctly.
• You can amend your details and resubmit if required
• If the email has still not arrived, please contact us for assistance
OUT-LAW NEWS
A recent decision by the Court of Appeal in England & Wales highlights that judicial remedies cannot be used to unwind or amend regulated mortgages, an expert has said.
OUT-LAW NEWS
Businesses in Germany face increased risks of mass claims being raised against them if personal data they are responsible for is made available for sale on the ‘dark web’, experts have said following a ruling by the country’s highest court.
OUT-LAW NEWS
The Society of Construction Law (Singapore) rolled out a protocol for using experts’ joint statements.
We use cookies that are essential for our site to work. To improve our site, we would like to use additional cookies to help us understand how visitors use it, measure traffic to our site from social media platforms and to personalise your experience. Some of the cookies that we use are provided by third parties. To accept all cookies click ‘accept all’. To reject all optional cookies click ‘reject all’. To choose which optional cookies to allow click ‘cookie settings’. This tool uses a cookie to remember your choices.
Please visit our cookie policy for more information.
