The Tech Monitor review of the year continues as we take a look back at March, when one of the most confusing hacking gangs of recent times – Lapsus$ – emerged onto the scene.
For a few brief weeks in March it felt like all the biggest names in tech were at the mercy of a previously little-known hacking gang by the name of Lapsus$.
A flurry of activity saw Lapsus$ claim a list of victims to make even the most hardened of cybercriminals jealous: Microsoft, Nvidia and Samsung were among the companies said to have been breached by the group, with Microsoft even detailing its attack and posting advice on how to combat the hackers and their seemingly crude tactics.
The gang's penchant for targeting high-profile companies and fondness for big proclamations (at one point they boasted of recruiting insiders at target businesses to aid their campaign) led security researchers to conclude their actions were more politically than financially motivated, bringing to mind hacktivist groups such as Anonymous, which first emerged in the mid-2010s. “They’ve targeted the big boys and are likely fully aware that while their footprint has dramatically increased, so has the target on their backs,” warned Chris Morgan, senior threat intelligence analyst at Digital Shadows.
So it proved as, later in the month, UK police arrested seven teenagers in connection with Lapsus$ activities, while the mastermind behind Lapsus$ was named in reports as a 16-year-old boy. Little has been heard from the group since; as Neil Young once sang, it’s better to burn out than to fade away.
EU sticks it to Big Tech with the Digital Markets Act
As Big Tech companies bolstered their cyber defences against Lapsus$, the European Union geared up for a regulatory assault on Google, Meta et al by agreeing the terms of its Digital Markets Act (DMA).
The law takes a new proactive approach to regulating the digital economy, and was billed as a bid to force tech giants to rethink the way they integrate their digital services and handle data from customers.
It puts new obligations on so-called ‘gatekeepers’ that operate ‘core platform services’ that are relied on by internet users, such as search engines, operating systems, cloud platforms and digital marketplaces. The rules prohibit certain behaviours, such as self-preferencing and using data collected by one service to optimise another, with heavy fines in prospect for those that don’t comply.
Of course the big question was, would Big Tech comply? Early signs suggest the gatekeepers will acquiesce to EU demands, with Amazon having reportedly agreed a settlement with the European Commission over antitrust charges it faced regarding its supposedly self-preferencing behaviour, in part to remain compliant with the DMA.
Data sharing is caring for Europe and the US
Elsewhere a new agreement which could allow data to flow safely between the European Union and the United States was drawn up.
The new EU-US data transfer framework was agreed following talks between the EU and the US government that culminated during a visit to Brussels by US President Joe Biden. President Biden said the new arrangement would “once again authorise transatlantic data flows that help facilitate $7.1trn in economic relationships,” and has since signed it into law via an executive order.
Whether the agreement, which was unsurprisingly welcomed by cloud providers such as Google Cloud and Microsoft Azure, will survive contact with the European Court remains to be seen. Two previous iterations of the data transfer agreement, known as Safe Harbour and Privacy Shield, have been invalidated by the court because they were deemed incompatible with Europe’s General Data Protection Regulation (GDPR). This is because US law allows its government to requisition data from companies on national security grounds, something which is a no-no under GDPR.
Privacy campaigner Max Schrems, who brought the court cases against the previous versions of the agreement, wasted no time voicing his opposition to the latest plan, and could return to court with a new challenge. “It would be surprising if Schrems didn’t have another go, he’s probably looking for his hat-trick,” Jagvinder Singh, international and UK head of IT at law firm Mills & Reeve, told Tech Monitor. “The courts highlighted several issues [in the previous cases] and there will be aspects that haven’t been addressed by this new framework and operations which still happen in a way that don’t provide the necessary assurances.”