The EU’s Cyber Resilience Act, Security Incidents, and Windows TCO
-
Covington & Burling LLP ☛ The EU’s Cyber Resilience Act Has Now Been Agreed
Yesterday, the European Commission, Council and Parliament announced that they had reached an agreement on the text of the Cyber Resilience Act (“CRA”). As a result, the CRA now looks set to finish its journey through the EU legislative process early next year. As we explained in our prior post about the Commission proposal (here), the CRA will introduce new cybersecurity obligations for a range of digital products sold in Europe. We’ll provide a more detailed summary of the agreed text once it is finalized and published but in this post we set out a brief summary of key provisions. In terms of timing, the CRA will come into force over a phased transition period starting in late 2025.
[...]
The CRA will impose a range of obligations for manufacturers and importers of “products with digital elements” (“PDEs”) – a category which is defined broadly to include both hardware and software products. The final text has not yet been published, but based on the draft text circulated before the agreement and related reporting, the obligations are set to include: [...]
[...]
Although the CRA applies broadly to PDEs, it is focused particularly on certain “Important” or “Critical” PDEs. The final list of PDEs in these categories has not yet been published, but it is likely to include items covering both software (such as antivirus software and VPNs) and connected devices such as “smart home” devices, connected toys, and wearables. As with most recent European technology regulation, the CRA will come with the threat of high penalties for non-compliance – up to €15 million or 2.5% of global turnover.
-
The Record ☛ 60 credit unions facing outages due to ransomware attack on popular tech provider
About 60 credit unions are dealing with outages due to a ransomware attack on a widely-used technology provider.
National Credit Union Administration (NCUA) spokesperson Joseph Adamoli said the ransomware attack targeted the cloud services provider Ongoing Operations, a company owned by credit union technology firm Trellance.
-
Paris Criminal Court Dismissed Charges Against Platypus Hackers
A criminal court in Paris has dismissed charges against two hackers behind the $2 million Platypus exploit and acquitted them on December 1.
According to an article by local news outlet Le Monde, Platypus hackers Mohammed M and Benamar M have been released by the Court as “French criminal law doesn’t technically forbid hacks of protocol.”
-
Data Breaches ☛ Why we need legislation requiring more transparency in breach notices, Saturday edition (Bluefield University)
Following that post, the threat actor (TA) began telling DataBreaches more about the attack and incident response. Claims made by the TA were incorporated in the May 7 post. DataBreaches emailed the university to inquire about their incident response and the TA’s claims. They did not reply.
On May 12, with the university still not disclosing anything or answering questions, DataBreaches reported that the attack affected employees, students, and some students’ parents. As DataBreaches also reported, the TA still had access and was able to steal more data because Bluefield had not warned the community not to submit personal or sensitive information until the system was secured.
-
Data Breaches ☛ NYS Comptroller Audit: North Tonawanda City School District – Information Technology (2023M-102)
Determine whether North Tonawanda City School District (District) officials properly secured user account access to the network and managed user account permissions in financial and student information applications.
-
Data Breaches ☛ NYS Comptroller Audit: Brentwood Union Free School District – Information Technology (2023M-83)
Determine whether the Brentwood Union Free School District (District) Board of Education (Board) and officials ensured computerized data was safeguarded by monitoring network user accounts, providing network users with information technology (IT) security awareness training and implementing an IT contingency plan.