December 22, 2022

Lapsus$ – and the European Union – target Big Tech – March 2022 in review

Major tech companies were targeted by hackers, as well as regulators keen to limit their dominance of digital markets.

By Matthew Gooding

The Tech Monitor review of the year continues as we take a look back at March, when one of the most confusing hacking gangs of recent times – Lapsus$ – emerged onto the scene.

For a few brief weeks in March it felt like all the biggest names in tech were at the mercy of a previously little-known hacking gang by the name of Lapsus$.

A flurry of activity saw Lapsus$ claim a list of victims to make even the most hardened of cybercriminals jealous: Microsoft, Nvidia and Samsung were among the companies said to have been breached by the group, with Microsoft even detailing its attack and posting advice on how to combat the hackers and their seemingly crude tactics.

Microsoft was among the big tech companies hacked by Lapsus$ in March (pic: Volodymyr Plysiuk/Shutterstock)

The gang's penchant for targeting high-profile companies and fondness for big proclamations (at one point they boasted of recruiting insiders at target businesses to aid their campaign) led security researchers to conclude their actions were more politically than financially motivated, bringing to mind hacktivist groups such as Anonymous, which first emerged in the mid-2010s. “They’ve targeted the big boys and are likely fully aware that while their footprint has dramatically increased, so has the target on their backs,” warned Chris Morgan, senior threat intelligence analyst at Digital Shadows.

So it proved as, later in the month, UK police arrested seven teenagers in connection with Lapsus$ activities, while the mastermind behind Lapsus$ was named in reports as a 16-year-old boy. Little has been heard from the group since; as Neil Young once sang, it’s better to burn out than to fade away.

EU sticks it to Big Tech with the Digital Markets Act

As Big Tech companies bolstered their cyber defences against Lapsus$, the European Union geared up for a regulatory assault on Google, Meta et al by agreeing the terms of its Digital Markets Act (DMA).

The law takes a new proactive approach to regulating the digital economy, and was billed as a bid to force tech giants to rethink the way they integrate their digital services and handle data from customers.


It puts new obligations on so-called ‘gatekeepers’ that operate ‘core platform services’ that are relied on by internet users, such as search engines, operating systems, cloud platforms and digital marketplaces. The rules prohibit certain behaviours, such as self-preferencing and using data collected by one service to optimise another, with heavy fines in prospect for those that don’t comply.

Of course the big question was, would Big Tech comply? Early signs suggest the gatekeepers will acquiesce to EU demands, with Amazon having reportedly agreed a settlement with the European Commission over antitrust charges it faced regarding its supposedly self-preferencing behaviour, in part to remain compliant with the DMA.

Data sharing is caring for Europe and the US

Elsewhere a new agreement which could allow data to flow safely between the European Union and the United States was drawn up.

The new EU-US data transfer framework was agreed following talks between the EU and the US government that culminated during a visit to Brussels by US President Joe Biden. President Biden said the new arrangement would “once again authorise transatlantic data flows that help facilitate $7.1trn in economic relationships,” and has since signed it into law via an executive order.

Whether the agreement, which was unsurprisingly welcomed by cloud providers such as Google Cloud and Microsoft Azure, will survive contact with the European Court remains to be seen. Two previous iterations of the data transfer agreement, known as Safe Harbour and Privacy Shield, have been invalidated by the court because they were deemed incompatible with Europe’s General Data Protection Regulation (GDPR). This is because US law allows its government to requisition data from companies on national security grounds, something which is a no-no under GDPR.

Privacy campaigner Max Schrems, who brought the court cases against the previous versions of the agreement, wasted no time voicing his opposition to the latest plan, and could return to court with a new challenge. “It would be surprising if Schrems didn’t have another go, he’s probably looking for his hat-trick,” Jagvinder Singh, international and UK head of IT at law firm Mills & Reeve, told Tech Monitor. “The courts highlighted several issues [in the previous cases] and there will be aspects that haven’t been addressed by this new framework and operations which still happen in a way that doesn’t provide the necessary assurances.”
