Changelog: How hackers hit BA, the Beeb and Boots

This week: Big names reel from cyberattack, AI regulation (again) and the danger of "neurotech".

Jun 09, 2023

(Supply) chain reaction

Last week Changelog told you about the MOVEit Transfer vulnerability, a flaw in the popular file transfer software which allowed hackers to illicitly access systems.

British Airways data is in the hands of Cl0p (photo by Ceri Breeze/Shutterstock)

Often when we report these kind of glitches they feel largely academic: problems spotted by clever security researchers, addressed by vendors and patched by end users before they cause any trouble. But this week we have seen a very real demonstration of the impact such vulnerabilities can have.

One company that uses MOVEit Transfer is cloud software developer Zellis, supplier of payroll services to half the FTSE 100. Its network was breached as a result of the flaw, with data from at least eight of its clients exposed. The stolen information includes databases from British Airways, the BBC and Boots, and hundreds of thousands of Brits could now see their details dumped on the dark web if the criminals, Russian ransomware gang Cl0p, decide to publish their haul.

The incident demonstrates the fragility of software supply chains and the way businesses which have, themselves, done nothing wrong can get drawn into damaging cyber incidents. Managing the risks associated with using software from an large array of vendors is likely to be something that occupies an increasing amount of time for tech leaders in the coming months and years.

Rishi pitches new approach to AI regulation

It’s little over a month since the UK government was espousing a “light touch” approach to AI regulation in a white paper, which suggested that decisions about how automated systems are implemented should be left up to regulators in individual sectors, with only “high risk” use cases requiring intervention.

Rishi Sunak has been in the US this week to talk AI (photo courtesy Number 10 Press Office)

Now it appears Downing Street may be having a change of heart as other jurisdictions around the world are set to take a more hard-line approach to controlling potentially damaging AI systems.

Prime Minister Rishi Sunak has been in the US this week, and fresh from pitching a baseball at a Washington Nationals game, announced the UK will host a global AI summit in the autumn. Quite who will attend this automation extravaganza is at present unclear, but AI safety will be the central theme, a government spokesperson said. On Thursday, Sunak met with US President Joe Biden, in part of press the need for international co-operation on AI rules.

Sunak’s government believes the UK, with its strong AI sector, can play a leading role in regulating the industry. But at this point it appears more likely that post-Brexit Britain will be marginalised, with the much larger US and EU setting the agenda.

Tech vendor news

ICO fears brain drain

Technologies that monitor the brain are in danger of being misused during the recruitment process and in the workplace, data watchdog the Information Commissioner’s Office (ICO) has warned.

The growing popularity of “neurotech” in the UK private sector has prompted the ICO to release a stark warning of the potential for misuse and data bias within the gathering of neurological data.

The regulator says that the use of technology to obtain neurodata will become widespread within the next decade.