key: cord-241146-j0qperwz authors: Lallie, Harjinder Singh; Shepherd, Lynsay A.; Nurse, Jason R. C.; Erola, Arnau; Epiphaniou, Gregory; Maple, Carsten; Bellekens, Xavier title: Cyber Security in the Age of COVID-19: A Timeline and Analysis of Cyber-Crime and Cyber-Attacks during the Pandemic date: 2020-06-21 journal: nan DOI: nan sha: doc_id: 241146 cord_uid: j0qperwz The COVID-19 pandemic was a remarkable unprecedented event which altered the lives of billions of citizens globally resulting in what became commonly referred to as the new-normal in terms of societal norms and the way we live and work. Aside from the extraordinary impact on society and business as a whole, the pandemic generated a set of unique cyber-crime related circumstances which also affected society and business. The increased anxiety caused by the pandemic heightened the likelihood of cyber-attacks succeeding corresponding with an increase in the number and range of cyber-attacks. This paper analyses the COVID-19 pandemic from a cyber-crime perspective and highlights the range of cyber-attacks experienced globally during the pandemic. Cyber-attacks are analysed and considered within the context of key global events to reveal the modus-operandi of cyber-attack campaigns. The analysis shows how following what appeared to be large gaps between the initial outbreak of the pandemic in China and the first COVID-19 related cyber-attack, attacks steadily became much more prevalent to the point that on some days, 3 or 4 unique cyber-attacks were being reported. The analysis proceeds to utilise the UK as a case study to demonstrate how cyber-criminals leveraged key events and governmental announcements to carefully craft and design cyber-crime campaigns. The coronavirus pandemic which started in 2019 quickly became a global crisis event, resulting in the mass quarantine of 100s of millions of citizens across numerous countries around the world. At the time of writing, the World Health Organisation (WHO) Coronavirus Disease (COVID-19) Dashboard reported over 7.5 million confirmed cases and in excess of 430,241 deaths[1] globally. As COVID-19 spread across the globe, it also led to a secondary significant threat to a technology-driven society; i.e., a series of indiscriminate, and also a set of targeted, cyber-attacks and cyber-crime campaigns. Since the outbreak, there have been reports of scams impersonating public authorities (e.g., WHO) and organisations (e.g., supermarkets, airlines)[2, 3], targeting support platforms [4, 5] , conducting Personal Protection Equipment (PPE) fraud [6] and offering COVID-19 cures [7, 8] . These scams target members of the public generally, as well as the millions of individuals working from home. Working at home en-masse has realised a level of cyber security concerns and challenges never faced before by industry and citizenry. cybercriminals have used this opportunity to expand upon their attacks, using traditional trickery (e.g., [9] ) which also prays on the heightened stress, anxiety and worry facing individuals. In addition, the experiences of working at home revealed the general level of unpreparedness by software vendors, particularly as far as the security of their products was concerned. Cyber-attacks have also targeted critical infrastructure such as healthcare services [10] . In response to this, on April 8th 2020, the United Kingdom's National Cyber Security Centre (NCSC) and the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory on how cyber-criminal and advanced persistent threat (APT) groups were exploiting the current COVID-19 pandemic [11] . This advisory discussed issues such as phishing, malware and communications platform (e.g., Zoom, Microsoft Teams) compromise. What is arguably lacking here and in research, however, is a broader assessment of the wide range of attacks related to the pandemic. The current state of the art is extremely dispersed, with attacks being reported from governments, the media, security organisations and incident teams. It is therefore extremely challenging for organisations to develop appropriate protection and response measures given the dynamic environment. In this paper we aim to support ongoing research by proposing a novel timeline of attacks related to the COVID-19 pandemic. This timeline and the subsequent analysis can assist in understanding those attacks and how they are crafted, and as a result, to better prepare to confront them if ever seen again. Our timeline maps key cyber-attacks across the world against the spread of the virus, and also measures such as when lockdowns were put in place. The timeline reveals a pattern which highlights cyber-attacks and campaigns which typically follow events such as announcements of policy. This allows us to track how quickly cyber-attacks and crimes were witnessed as compared to when the first pandemic cases were reported in the area; or, indeed, if attacks preempted any of these events. We expand the timeline to focus on how specific attacks unfolded, how they were crafted and their impact on the UK. To complement these analyses, we reflect more broadly on the range of attacks reported, how they have impacted the workforce and how the workforce may still be at risk. In many ways this timeline analysis also forms a key contribution of our work both in terms of the chronological sequencing of attacks and the representation of campaigns using an accepted attack taxonomy. This therefore provides a platform which aligns with current literature and also provides the foundation which other research can easily build on. This paper is structured as follows. Section II reflects on relevant cyber-attack and cyber-crime literature, and considers how opportunistic attacks have emerged in the past due to real-life crises/incidents. We then present our COVID-19-related cyber-attack timeline in Section III as well as a dedicated focus on the United Kingdom as a case study of key-cyber-criminal activity. This is followed by a broader reflection on the attacks (those within and outside of the timeline). In Section IV we discuss the impact of attacks on those working from home and wider technology risk. Section V concludes the paper and outlines directions for future work. With the broad adoption of digital technologies many facets of society have moved online, from shopping and social interactions to business, industry, and unfortunately, also crime. The latest reports establish that cybercrime is growing in frequency and severity [12] , with a prediction to reach $6 trillion by 2021 (up from $3 trillion in 2015) [13] and even take on traditional crime in number and cost [14, 15] . Due to its lucrative nature [16] and low risk level (as cyber-criminals can launch attacks from anywhere across the globe), it is clear that cybercrime is here to stay. cyber-crime, as traditional crime, is often described by the crime triangle [17] , which specifies that for a cybercrime to occur, three factors have to exist: a victim, a motive and an opportunity. The victim is the target of the attack, the motive is the aspect driving the criminal to commit the attack, and the opportunity is a chance for the crime to be committed (e.g., it can be an innate vulnerability in the system or an unprotected device). Other models in criminology, such as Routine Activity Theory (RAT) [18] and the fraud triangle [19] use similar factors to describe crimes, with some replacing the victim by the means of the attacker, which it can be considered otherwise as part of the opportunity. While attacks today have become more sophisticated and targeted to specific victims depending on attacker's motivation, for example for financial gain, espionage, coercion or revenge; opportunistic untargeted attacks are also very prevalent. We define "opportunistic attacks" as attacks that select the victims based on their susceptibility to be attacked [20] . Opportunistic attackers pick-up victims that have specific vulnerabilities or use hooks, usually in the form of social engineering, to create those vulnerabilities. Thus, we define as hook any mechanism used to mislead a victim into falling prey of an attack. These hooks take advantage of distraction, time constraints, panic and other human factors to make them work [21, 9] . When victims are distracted by what grabs their interest/attention or when they are panicked, they are more susceptible to be deceived. Similarly, time constraints put victims under more pressure which can lead to mistakes and an increased likelihood to fall victim to scams and attacks. Other examples include work pressure, personal change of situation, medical issues, or events that cause deep and traumatic impact in the whole society in general such as fatalities and catastrophes. Opportunistic attackers always seek to maximise their gain, and therefore, will wait for the best time to launch an attack where conditions fit those mentioned above. A natural disaster, ongoing crisis or significant public event are perfect cases of these conditions [22] . In the past, several opportunistic attacks have been observed that took advantage of specific incidents; below, we provide few examples: • Natural disasters: In 2005 Hurricane Katrina caused massive destruction in the city of New Orleans and surrounding areas in the USA [23] . Not long after, thousands of fraudulent websites appeared appealing for humanitarian donations, and local citizens received scam emails soliciting personal information to receive possible payouts or government relief efforts. Similar scams and attacks have been witnessed in countless natural disasters since, such as the earthquakes in Japan and Ecuador in 2016 [24] , Hurricane Harvey in 2017 [25] , or the bush fires in Australia in 2020 [26] . • Notable incidents or events: On 25th June 2009, the tragic death of Michael Jackson dominated news around the world. Only 8 hours after his demise, spam emails claiming knowing the details of the incident were circulating online [27] . Waves of illegitimate emails echoing the fatality appeared soon after, containing links promising access to unpublished videos and pictures or Jackson's merchandise, that in reality were linked to malicious websites, or emails with malware infected attachments [28] . Noteworthy public events also attract a range of cyber-crime activities. During the FIFA World Cup in 2018 for instance, there were various attempts to lure individuals with free tickets and giveaways [29] . These were, in fact, scams leading to fraud. • Security incidents: In 2012, 164 million of email addresses and passwords were exposed in a LinkedIn data breach [30] . This data was not disclosed until 4 years later, 2016, when it appeared for sale in the dark market. Soon after that, opportunistic attackers began to launch a series of attacks. Many users experienced scams, such as blackmail and phishing, and some compromised accounts that had not changed their passwords since the breach, were used to send phishing links via private message and InMail [31] . Considering the variety of scams and cyber-attacks occurring around the events above, it is unsurprising that similar attacks have emerged during the ongoing COVID-19 pandemic. The outbreak has caused mass disruption worldwide, with people having to adapt their daily routines to a new reality: working from home, lack of social interactions and physical activity, and fear of not being prepared [32, 33] . These situations can overwhelm many, and cause stress and anxiety that can increase the chances to be victim of an attack. Also, the sudden change of working contexts, has meant that companies have had to improvise new working structures, potentially leaving corporate assets less protected than before for the sake of interoperability. Since the COVID-19 started, the numbers of scams and malware attacks have significantly risen [34] , with phishing being reported to have increased by 600% in March 2020 [35] . During April 2020, Google reportedly blocked 18 million malware and phishing emails related to the virus daily [36] . To increase likelihood of success, these attacks target sale of goods in high demand (e.g., Personal Protection Equipment (PPE) and coronavirus testing kits and drugs), potentially highly profitable in-vestments in stocks related to COVID-19, and impersonations of representatives of public authorities like WHO and aid scams [6, 37] . Brute force attacks on the Microsoft Remote Desktop Protocol (RDP) systems have increased as well [38] , signaling attacks also on technology, not only on human aspects. It is clear then that attackers are trying the make the most of the disruption caused by pandemic, particularly given it continues to persist. As a consequence, several guidelines and recommendations have also been published to protect against attacks [39, 40, 41] . These guidelines are imperative for mitigating the increasing threat, but to strengthen their basis, there first needs to be a core understanding of the cyber-attacks being launched. This paper seeks to address this gap in research and practice by defining a timeline of cyber-attacks and consideration of how they impact citizens and the workforce. The cyber-crime incidents erupting from the COVID-19 pandemic pose serious threats to the safety and global economy of the world-wide population, hence understanding their mechanisms, as well as the propagation and reach of these threats is essential. Numerous solutions have been proposed in the literature to analyse how such events unfold ranging from formal definitions to systemic approaches reviewing the nature of threats [42, 43, 44] . While these approaches enable the categorisation of the attack, they often lack the ability to map larger, distributed events such as the ones presented in this manuscript, where numerous events stem from the pandemic are, however, unrelated. To this end, we opted for temporal visualisation, enabling us to map events without compromising the narrative [45] . Furthermore, this type of visualisation is used across the cyber-security domain to represent consequent cyberattacks [46, 47, 48] . In this section, we outline the methodology used to create the timeline. We explain the search terms used to gather relevant COVID-19 cyber-attack data, the data sources (search engines) utilised, the sources of information we chose to focus on, and types of attack. We also acknowledge the potential limitations of the work. 1) Nomenclature: We explore a range of cyberattacks which have occurred during the COVID-19 pandemic. The novel coronavirus has been referred to by several different terms in the English-speaking world, including Coronavirus, Covid19, COVID-19, 2019-nCoV, and SARS-CoV-2. We use the term COVID-19 to refer to the virus, which falls in line with terminology used by the World Health Organization [49] . 2) Construction of the timeline: To aid in the construction of the timeline, we initially conducted a number of searches to identify cyber-attacks associated with the pandemic. These cyber-attacks were categorised by attack type, delivery method, and were ordered by date. The information gathered has been collated and is presented in Figure 2 which serves as a baseline for the construction of Table I . Information presented in the timeline includes the date China alerted the WHO about the virus, the date the pandemic was officially declared, and cyber-attacks which specifically relate to hospitals or medicine. Additionally, key countries involved in the pandemic were identified, and for those, we present the first identified case, the date lockdown was implemented, and the first cyber-attack they suffered. The table seeks to examine a sub-set of the information from the timeline. Furthermore, we have chosen to include a number of sources offering reports of attacks. The sources are a mixture of reputable news outlets (such as Reuters, and the BBC), blog articles, security company reports, and social media posts. Though blog articles and social media posts are not considered to be an academic source, in the context of this research where we are examining an emerging threat, they offer important insights into trends of cyber-attacks. It is also important to note that cyber-attacks may first be presented in these domains, before being highlighted by mainstream media outlets. With regards to the inclusion of news reports in the table of attacks and subsequent timeline, it should be acknowledged that these attacks are being presented through a journalistic lens, and as such may be written in an attempt to grab headlines. Nevertheless, these reported cyber-attacks still pose a tangible threat to the general public during the COVID-19 pandemic. The timeline seeks to provide an overview of attacks which have occurred. The state-of-the-art review of reports was performed from mid-March to mid-May 2020. The timeline limits cyber-attacks to those experienced by 31st March. This is because we reached what we believed to be a saturation point comprising a sufficient number of cyber-attacks to be representative. Following the conclusion of the search, the earliest reported attack was on 6th January 2020 [51] , whilst the most recently listed attack in the timeline was 31st March 2020 [52] . The most recently listed attack in the table was 13th May 2020 [53] . The table progresses the time period a bit further as it intends to provide more detail in regards to cyber-attacks experienced during this time. Sources were gathered from a number of locations. The criteria used to locate reports have been defined below and are presented in a similar way to existing reviews in cyber security literature [54, 55] . The structure of the timeline is described in further detail in Section III-B. Search engines: Several search engines were used in the creation of the table and timeline. These were-Google 1 (US-based and dominates the search engine market share), Baidu 2 (Chinese-based search provider), Qwant 3 (French-based search engine with a focus on privacy), and DuckDuckGo 4 (US-based search engine with a focus on privacy). Keywords used: A variety of keywords were used when collating reports of cyber-attacks. Non-English terms were translated using the Google Translate service [56] and additional independent sources were used as a means of validating the translation. When focussing on the virus itself, the following key words were used: sarscov-2, Covid, Covid19, Coronavirus, 冠状病毒(Chinese translation for Coronavirus, confirmed by the World Health Organization [57] ), コ ロ ナ ウ イ ル ス(Japanese translation for Coronavirus, confirmed by the Japanese Ministry of Health, Labour and Welfare [58] ). When searching for cyber-attacks, the following key phrases were used: 网络攻击(Chinese translation means Network Attack [59] or Cyber Attack [60] ), サ イ バ 攻 (Japanese translation for Cyber Attack or Hacking Attack [61] ), Attaque Informatique (French translation for Computer Attack [62] ), Attacco Informatico (Italian translation for Cyber Attack [63] ). Time range: We attempted to find the earliest reported cyber-attack which was associated with the COVID-19 pandemic. To allow for development of the timeline, and analysis of findings, mid-May 2020 was defined as a cutoff point, with the most recent news article being dated 13th May 2020 [5] . Exclusion criteria: Although we have created a comprehensive table and timeline, a number of results were excluded from the research. These included results which a) were behind a paywall, b) required account creation before full article was displayed, c) were duplicates of existing news reports, and d) could not be translated. 3) Types of cyber-attacks : To guide our analysis and the creation of a timeline of COVID-19-related cyberattacks, we decided to define attacks based on their types. This allowed us to examine the prominence in certain types of attacks. Although there exist numerous taxonomies relating to attacks and cyber-crimes (e.g., [64, 9, 65, 66] ), there exists no universally accepted model [67] . In this work therefore, we relied on the UK's Crown Prosecution Service (CPS) categorisation of Fig. 1 . Cyber-dependent and cyber-enabled crimes [50] cyber-crime. This definition includes cyber security by default and has inspired many international definitions of cyber-crime. The CPS guidelines categorise cyber-crime into two broad categories: cyber-dependent and cyber-enabled crimes [50] . A cyber-dependent crime is an offence, "that can only be committed using a computer, computer networks or other form of information communications technology (ICT)" [68] . Cyber-enabled crimes are, "traditional crimes, which can be increased in their scale or reach by use of computers, computer networks or other forms of information communications technology (ICT)" [69] . These categories as well as examples of their subcategories can be seen in Figure 1 . Some of the elements described by CPS are often interlinked in a cyber-attack. For instance, a phishing email or text message (e.g., SMS or WhatsApp) might be used to lure a victim to a fraudulent website. The website then may gather personal data which is used to commit financial fraud, or it may install malware (more specifically, ransomware) which is then used to commit extortion. This notion of cyber-attack sequences is explained in further detail in Section III-B. Similarly Denial of Service (DoS) attacks are increasingly used by cyber-criminals to distract (or, act as 'smokescreens' for) businesses during hacking attempts [70, 71] . In what follows, we consider the types of these attacks and reflect on how they have been launched, including any human factors or technical aspects (e.g., vulnerabilities) they attempt to exploit. Phishing, or Social Engineering more broadly, includes attempts by illegitimate parties to convince individuals to perform an action (e.g., share information or visit a website) under the pretence that they are engaging with a legitimate party. Quite often email messages are used, occasionally SMS or WhatsApp messages are used (referred to as smishing). Pharming is similar to phishing but instead of deceiving users into visiting malicious sites, attackers rely on compromising systems (e.g., the user's device or DNS servers) to redirect individuals to illegitimate sites. This type of attack is less common in general, as it requires more access or technical capabilities. Financial fraud generally involves deceiving individuals or organisations using technology for some financial gain to the attacker or criminal. Extortion refers to actions that force, threaten or coerce individuals to perform some actions, most commonly, releasing finances. Hacking, Malware and Denial of Service (DoS) attacks are forms of crime that are often favoured by more technical attackers. Hacking involves compromising the confidentiality or integrity of a system, and requires a reasonable about of skill; its techniques can involve exploiting system vulnerabilities to break into systems. Malware refers to malicious software and can be used for disrupting services, extracting data and a range of other attacks. Ransomware is one of the most common type of malware today [72, 73] , and combines malware with extortion attempts. DoS attacks target system availability and work by flooding key services with illegitimate requests. The goal here is to consume the bandwidth used for legitimate server requests, and eventually force the server offline. These types of attack provide the foundation for our analysis in the timeline and how we approach our discussion in later part of this research. 4) Limitations of the table: Within Table I , two columns referring to dates are provided. The first column "Article Date" refers to the date the reference was initially published. We acknowledge that in some cases, the web pages linked to the references continued to be updated with information following its inclusion with the paper. The table has been ordered by "Article Date" to provide a consistent chronological representation of events. We have also provided a second column,"Attack Date". When examining each reference, if a specific date was provided as to when the attack was executed, it was included. The rational behind including the attack date and report date is that an attack may not surface until several days after it has been carried out. 5) Limitations of the timeline: Two types of cyberattack reports are considered within this manuscript, those which describe cyber-attacks without providing the date of the attack and those which describe cyberattacks and include the date of the perpetration. When the date of the attack is not included, the date provided in the timeline refers to the date of the publication. The rationale behind the inclusion of both types of reports is based on providing a chronological representation of events. Furthermore, while the table provides an extensive overview of the threat landscape, it is by no means an exhaustive list of all the attacks carried out in relation to the pandemic, as gathering such information would not be possible in this context due to the lack and quality of reporting, the number of targeted incidents, the number of incidents targeted at the general public, the global coverage of the pandemic and the number of malicious actors carrying out these attacks. However, despite these limitations we have explored all resources available to depict the threat landscape as accurately as possible. In this section, we examine the cyber-attacks in further detail. Figure 2 provides a detailed temporal representation of the chain of key cyber-attacks induced by the COVID-19 pandemic. The timeline includes the first reported cases in China, Japan, Germany, Singapore, Spain, UK, France, Italy, and Portugal and then the subsequent lockdown announcements. The timeline presents 43 cyber-attacks categorised using the CPS taxonomy described in Section III-A3 and abbreviated as: P:phishing (or smishing), M:malware. Ph:pharming, E:extortion, H:hacking, D:denial of service and F:financial fraud. The events related to the crisis were validated against WHO timeline of events to ensure an accurate temporal reproduction. Table I describes a number of cyber-attacks in further detail. Within the table, cyber-attacks have been organised by attack date. If the attack date was not available within the reference, then the article date has been used. The target-country of each cyber-attack has been listed, alongside a brief description of the methods involved. Finally, the attack type has also been classified in accordance with the CPS taxonomy described earlier where it has been mentioned within the reference. Both the figure and the table present specific cyberattacks and incidents and exclude: general advisories (e.g. from governmental departments), general discussions and summaries of attacks, and detailed explanations of techniques and approaches utilised by the attackers. The extent of the cyber-security related problems faced in the UK was quite exceptional, and in this section we use the UK as a case study to analyse COVID-19 related cyber-crime. The discussion herein demonstrates that as expected and outlined above, there was a loose correlation between policy/news announcements and associated cyber-crime campaigns. The analysis presented herein focuses only on cyber-crime events specific to the UK. So for example, although many of the incidents identified in the previous section and particularly in [102] are global cyber-attacks, the discussion herein ignores these. Consequently, numerous announcements purportedly coming from reputed organisations such as WHO and a plethora of malware which reached UK citizens is ignored as these were not UK specific issues. Indications of the extent of the UK cyber-crime incident problem experienced during the pandemic are provided by the reported level of suspect emails and fraud reported. By early May (07-05-20), more than 160,000 'suspect' emails had been reported to the National Cyber Security Centre [103] and by the end of May (29-05-20), £4.6m had been lost to COVID-19 related scams with around 11,206 victims of phishing and / or smishing campaigns [104] . In response, the National Cyber Security Centre (NCSC) took down 471 fake online shops [105] and HMRC (Her Majesty's Revenue and Customs) took down 292 fake websites [106] . The timeline in Figure 3 shows a series of UK specific events and cyber-crime incidents. The timeline indicates a direct and inverse correlation between announcements and incidents. Direct correlations are instances where perpetrators appear to follow announcements or events, they may have drawn on these events and carefully configured cyber-attacks around policy context. These are shown in the figure with a solid coloured connecting arrow. Inverse correlations are instances where an incident has no clear correlation with an event or announcement. Although inverse correlations do not appear to have a direct correlation, these may exist because a number of events were being actively highlighted in the media. For example, the issue of personal protective equipment (PPE) was in active discussion well before the UK government gave this priority consideration. Similarly, the likelihood of a tax rebate scheme was in active consideration in early March before the budget announcement on 11-03-20. The first tax rebate phishing campaigns were in active circulation before the budget announcement. In both cases, we should emphasise that these are loose correlations and more work needs to be done in terms of whether a predictive model can be built using this data and data around the world as examples. On 11th March 2020, the UK government made a number of important budgetary announcements [107] which included: a £5bn emergency response fund to support the NHS and other public services in England; an entitlement to statutory sick pay for individuals advised to self-isolate; a contributory Employment Support Allowance for self-employed workers; a £500m hardship fund for councils to help the most vulnerable in their areas; a COVID-19 Business Interruption Loan Scheme for small firms; and the abolishment of business rates for certain companies. Soon after, the government continued to make an-nouncements to support the citizenry and economy. These announcements included: a scheme to support children entitled to receive free school meals (19-03-20) ; a hardship fund (24-03-20) ; help for supermarkets to target vulnerable people (25-03-20) ; the potential availability of home test kits (25-03-20); a job retention scheme (17-04-20) ; and the launch of the much awaited track and trace app (04-05-20). Events such as these increase the likelihood of a 20) , and a charitable donation to the recipient. None of these events have associated governmental announcements or even general public speculation. Examples supporting our notion of a correlation between events and cyber-security campaigns are provided in Table II and illustrated in Figure 3 . These examples indicate a loose correlation between events and cybercriminal campaigns. Many of the cases outlined in Table II and Figure 3 , were very simple. Potential victims were provided URLs through email, SMS, or Whatsapp. An example of this is provided in Figure 4 . In this case, the URL pointed to a fake institutional website which requests credit/debit card details. Although there are elements of this process which are obviously suspicious to a more experienced computer user, for example, spelling errors (relieve instead of relief in the COVID-19 relief scam), suspect reply email addresses and clearly incorrect URLs, these are not immediately obvious to many users. The timeline shown in Figure 2 and the UK case study above creates an ideal platform through which to analyse the cyber-attacks that have occurred in light of the pandemic. From the point that the first case was announced in China (08- [12] [13] [14] [15] [16] [17] [18] [19] , the first reported COVID-19 inspired cyber-attack took 30 days. The next reported cyber-attack was 14 days (19-01-20) . From this point onwards, it is clear that the timeframe between events and cyber-attacks reduces dramatically. The 43 cyber-attacks presented in the timeline can be further categorised as follows: • 37 (86%) involved phishing and / or smishing • 2 (5%) involved hacking • 2 (5%) involved denial of service • 28 (65%) involved malware Fig. 4 . The COVID-19-relieve scam [108] • 15 (34%) involved financial fraud • 6 (13%) involved pharming • 6 (15%) involved extortion Whilst this analysis is useful, the sequence of events in the complete attack can also provide key attack insights. The timeline reveals these sequences and shows the complete campaign comprising of, for instance, the distribution of malware (m) through phishing (p) which steals payment credentials which are used for financial fraud (f ). We can describe this cyber-attack sequence as p,m,f. Analysing cyber-attacks in this way is important because this indicates multiple points in a cyber-attack where protections could be applied. The timeline reveals the following cyber-attack sequences: This analysis does not include the sequence of events that took place in the two hacking and two denial of service incidents. It should be noted that although financial fraud is the most likely goal in most of the cyber-attacks described in the timeline, financial fraud was only recorded in the timeline where reports have clearly indicated that this was the outcome of a cyberattack. In reality, the p,m,f and p,ph,f cases are likely to be higher. Figure 5 provides a summary of the countries that were the target of early cyber-attacks during the pandemic, organised by attack date. As shown, China and the USA account for 39% of the attacks reported. It is also clear from Table I that both of these countries were primary target from the start of the pandemic. The attacks then spread to the United Kingdom and more other countries. By March 2020 however, a vast majority of the attacks are targeted at the whole world, with a reminder of attacks specifically focused at events in a single country, such as tax rebates due to COVID-19, or contact tracing phishing messages. It is useful to consider this in the context of UK specific cyber-attacks. This examination reveals that phishing was a component of all (n=17) the cyberattacks analysed. 1 involved extortion as the final goal, the remaining 16 involved financial fraud. 9 cyberattacks comprised the sequence: p,ph,f, 7 comprised the sequence p,f, the remaining 1 comprised of p,e. It is notable that although an NHS malware distribution website was discovered and removed on 23-04, none of the cyber-attacks we analysed appeared to involve malware in the same way that the global analysis reveals. There may be a number of reasons for this. Launching a malware connected campaign requires more sophistication and time. There may be less opportunity to directly connect it to a specific event or announcement. The time delay between some of the announcements and the associated campaigns was remarkably short. For instance, the time delay between the lockdown announcement (23-03-20) and the 'lockdown contravention fine' (25-03-20) was 2 days, and the time delay between the job retention scheme announcement (17-04-20) and the job retention scam (19-04-20) was also 2 days. To reflect more generally on the cyber-attacks discovered, we can see that phishing (including smishing) were, by far, the most common based on our analysis. In total, it was involved in 86% of the global attacks. This is however, unsurprising, as phishing attempts are low in cost and have reasonable success rates. In the case of COVID-19, these included attempts at impersonating government organisations, the WHO, the UK's National Health Service (NHS), airlines, supermarkets and communication technology providers. The specific context of the attacks can be slightly different however the underlying techniques, and the end goal is identical. For instance, in one email impersonating the WHO, attackers attach a zip file which they claim contains an ebook that provides, "the complete research/origin of the corona-virus and the recommended guide to follow to protect yourselves and others" [109] [2]. Moreover, they state: "You are now receiving this email because your life count as everyone lives count". Here, attackers are using the branding of WHO, posing as helpful (the Fig. 5 . Cyber-attack distribution across countries examined remainder of the email contains legitimate guidance), and appealing to people's emotions in crafting their attack email [110, 9] . Similar techniques can be seen in a fake NHS website created by criminals detected online, which possesses identical branding but is riddled with malware [111] , and a malicious website containing malware which also presents the legitimate Johns Hopkins University COVID-19 dashboard[4]. It is notable that the fake WHO email contains spelling/grammatical errors. The discussion in Section III-C provides further specific examples of this. To further increase the likely success of phishing attacks cyber-criminals have been identified registering large numbers of website domains containing the words 'covid' and 'coronavirus' [112] . Such domains are likely to be believable, and therefore accessed, especially if paired with reputable wording such as WHO or Centers for Disease Control and Prevention (CDC) or key words (e.g., Corona-virusapps.com, anticovid19-pharmacy.com, which have been highlighted as in use [113] ). Communications platforms, such as Zoom, Microsoft and Google, have also been impersonated, both through emails and domain names [112] . This is noteworthy given the fact that these are the primary technologies used by millions across the world to communicate, both for work and pleasure. These facts, in combination with convincing social engineering emails, text messages and links, provide several notable avenues for criminals to attack. Pharming attacks were much less common but did occur in 13% of cases. As can be seen Table I, these often occur alongside other attacks. COVID-19-inspired fraud has leveraged governmental/scientific announcements to exploit the anxieties of users and seek financial benefit. From our analysis, fraud was typically committed through phishing and email attacks-we also can see this in our sequencing above. In one case, criminals posed as the CDC in an email and politely requested donations to develop a vaccine, and also that any payments be made in Bitcoin [105] . Typical phishing techniques were used, but on this occasion these included requests for money: "Funding of the above project is quite a huge cost and we plead for your good will donation, nothing is too small". A notable point about this particular attack is that it also ask recipients to share the message with as many people as possible. This is concerning given that people are more likely to trust emails they believe have been vetted by close ones [9] . There were a range of other fraud attempts, largely based on threats or appeals. For instance, our analysis identified offers of investment in companies claiming to prevent, detect or cure COVID-19, and investment in schemes/trading options which enable users to take advantage of a possible COVID-19 driven economic downturn [114] . There were offers of cures, vaccines, and advice on effective treatments for the virus. The Food and Drugs Administration (FDA) issued 16 warning letters between 6 th March and 1 st April 2020 to companies "for selling fraudulent products with claims to prevent, treat, mitigate, diagnose or cure" COVID-19 [115, 116] . The European Anti-Fraud Office (OLAF) has responded to the flood of fake products online by opening an enquiry concerning imports of fake products due to COVID-19 pandemic [117] , and in the UK, the Medical and Healthcare products Regulatory Agency (MHRA) has began investigating bogus or unlicensed medical devices currently being traded through unauthorised and unregulated websites [118] . Extortion attacks were witnessed in our analysis but were less prevalent (appearing in only 13% of cases) compared to the others above. The most prominent case of this attack was an extortion email threatening to infect the recipient and their family members with COVID-19 unless a Bitcoin payment is made [119] . To increase the believability of the message, it included the name of the individual and one of their passwords (likely gathered from a previous password breach). After demanding money, the message goes on to state: "If I do not get the payment, I will infect every member of your family with coronavirus". This attempts to use fear to motivate individuals to pay, and uses passwords (i.e., items that are personal) to build confidence in the criminal's message. Malware related to COVID-19 increased in prominence during the pandemic and impacted individuals and organisations across the world. As shown above, it was the second largest cyber-attack type, appearing in 65% of cases. Vicious panda and MBR Loader were the only new malware discovered in this period. The remaining malware attacks were variants of existing malware and included Metaljack, REM-COS, Emotet, LOKIBOT, CXK-NMSL, Dharma-Crysis, Netwalker, Mespinoza/Pysa, SpyMax (disguised as the Corona live 1.1 app) GuLoader, Hawkeye, FORMBOOK, Trickbot and Ginp. Ransomware, in particular, was a notable threat and an example of such was COVIDLock, an Android app disguised as a heat map which acted as ransomware; essentially locking the user's screen unless a ransom was paid [120] . At the organisational level, ransomware has significantly impacted healthcare services-arguably the most fragile component of a country's critical national infrastructure at this time. Attacks have been reported in the United States, France, Spain and the Czech Republic [121, 10] , and using ransomware such as Netwalker. Such attacks fit a criminal modus operandi if we assume that malicious actors will target areas where they believe they stand to capitalise on their attacks; i.e., health organisations may be more likely to pay ransoms to avoid loss of patient lives. Interestingly there have since been promises from leading cyber-crime gangs that they will not (or stop) targeting healthcare services. In one report, operators behind CLOP Ransomware, Dop-pelPaymer Ransomware, Maze Ransomware and Nefilim Ransomware stressed that they did not (normally) target hospitals, or that they would pause all activity against healthcare services until the virus stabilises [122] . Other notable malware examples during the pandemic include: Trickbot, a trojan that is typically used as a platform to install other malware on victims' devicesaccording to Microsoft, Trickbot is the most prolific malware operation that makes use of COVID-19 themed lures for its attacks [123] ; a Master Boot Record (MBR) rewriter malware that wipes a device's disks and overwrites the MBR to make them no longer usable [124] ; and Corona Live 1.1, an app that leveraged a legitimate COVID-19 tracker released by John Hopkins University and accessed device photos, videos, location data and the camera [53] . As the pandemic continues, there are likely to be more strains of malware, targeting various types of harm, e.g., physical, financial, psychological, reputational (for businesses) and societal [125] . During the COVID-19 pandemic our analysis only identified a very small amount (5%) of DoS attacks, but there were several reports of hacking. These reports suggested that hacking was not indiscriminate but instead, targeted towards institutions involved in research on coronavirus. In one report, FBI Deputy Assistant Director stated, "We certainly have seen reconnaissance activity, and some intrusions, into some of those institutions, especially those that have publicly identified themselves as working on COVID-related research" [126] . This was further supported by a joint security advisory a month later from the UK's NCSC and USA's CISA [127] . In this advisory, Advanced Persistent Threat (APT) groupssome of which may align with nation states-were identified as targeting pharmaceutical companies, medical research organisations, and universities involved in COVID-19 response. The goal was not necessarily to disrupt their activities (as with the ransomware case), but instead to steal sensitive research data or intellectual property (e.g., on vaccines, treatments). While a detailed analysis of these attacks has not yet surfaced, password spraying (a brute-force attack which applying commonly-used passwords in attempting to login to accounts) and exploiting vulnerabilities in Virtual Private Network (VPN) have been flagged [127] . Attribution is another important consideration during such attacks. Determining the true origin of cyber-attacks has always been difficult, however, in response to these COVID-19-related threats, the US openly named the People's Republic of China (PRC) as a perpetrator in a joint FBI/CISA announcement [128] . The effects of the pandemic, the mass quarantine of staff and the measures put in place to facilitate remote working and resilience of existing cyber-infrastructures, against the attacks and timelines previously described, had a profound effect on the workforce -the people engaged in or available for work. The pandemic also had an effect on the resilience of technology, socio-economic structures and threatened, to a certain degree, the way people live and communicate. Figure 6 illustrates the COVID-19 impact on the workforce across eight different categories. All categories seemingly integrate with cyber-enabled assets and tools and different categories may be impacted differently. The pandemic created risk conflicts, for example, strict compliance with security standards which discourage data sharing, could be more harmful than sharing the data. So, whilst there may be strict requirements for patient data not to be accessed at home by GPs (general practitioners), this causes a greater harm during quarantine than enabling GPs to access patient data. Also, the way confidential patient information is processed requires a data protection impact assessment (DPIA) to enable further NHS support where needed. This can have an impact in terms of the timely delivery of medical interventions in response to COVID-19. In traditional risk classification, elements like asset registration and valuation, threat frequency and vulnerability probability are at greater risk of cyber threat. We, therefore, anticipate changes on the way the workforce accesses those information assets and how strategic, tactical and operational tasks are executed to generate socio-economical outputs. These changes can be captured by the development and testing of risk statements capturing 1) threat agents, 2) vulnerabilities, 3) Policy/process violation and 4) overall asset exposure on all emerging threat landscapes as illustrated in Figure 6 . These changes unavoidably cascade further changes to the threat landscapes associated with remote workforce activities and the increasing frequency of weaponised attack vectors related to the coronavirus spreading. Given the current climate, it is difficult to predict whether these changes will have a long-lasting effect on the workforce, but their significance is already recorded [129] . Therefore, it is increasingly important that the control of information (storage, processing, transmission) has an elevated importance given the increase of cyber-attacks on important infrastructures. Governments, private and public sectors throughout Europe currently consider measures to contain and mitigate COVID-19 impact on existing data structures and information governance frameworks (for example, Fig. 6 . COVID-19 Impact on Workforce [130] ). Particular emphasis is placed upon the implications of the pandemic in the processing of personal data. The General Data Protection Regulation (GDPR) legislation in the UK dictates that personal data must be processed only for the specific and explicit purposes for which it has been obtained [131] . In addition, data subjects should always receive explicit and transparent information with regard to the processing activities undertaken, including that of features and nature of the activity, retention period and purpose of processing. There are challenges related to the governance legal and regulatory compliance landscape in terms of conformance versus rapid access and processing of data by different entities. This is quite apparent in cases where public authorities seek to obtain PII to reduce the spread of COVID- 19 . Typical examples also include contact tracing applications and platforms in which the data is aggregated online for post-processing [132] . Specific legislative measures have to be re-deployed or introduced to safeguard public security while maintaining privacy at scale, while legal and regulatory principles continue to upheld [133] . With the rapid increase of COVID-19 symptoms, governments had to derive a plan that would enable them to understand epidemiological data further and identify positive interventions to contain and mitigate the impact of the pandemic. Research shows a high correlation between the use of big data that includes private identifiable information in the effectiveness of these epidemiological investigations [134] . That meant that in most cases, citizens had to provide this information voluntarily and that quickly resulted in discussions and debates on the tradeoffs between public safety versus personal privacy [135] . The information has also been obtained through internet communication technology. Medical testing equipment and coronavirus testing at a large-scale were used as instruments for data collection in the fight to reduce mortality rates. The legal and regulatory compliance frameworks differ between countries; thus, managing personal information was subject to different privacy protection measures. The de-identification of personal information was another component that governments had to exercise to satisfy personal privacy requirements and increase the trust of human participants during the epidemiological investigations. The process of collecting and process-ing personal information by applying de-identification technologies raised technical challenges with regards to accuracy and consent, safe and legally defensive data disposal and robustness of associated policies of data processing and management for epidemiological research. The urgency of the situation and the speed at which the data had to be acquired and processed, created a sense of distrust amongst citizens and challenged the efficacy of the existing processes in place [135] . The extensive lockdown periods introduced in many countries (described in Section III) have also tested their ability to deploy strategies for business recovery after these periods. These strategies had to ensure smooth and phased out recovery within an ongoing pandemic, which has proved to be a challenging task. However, there is an unprecedented speed and scale on the R&D activities in response to the COVID-19 outbreak forcing crossorganizational multilateral collaborations [136, 137] . There is currently a challenge across Europe to orchestrate information sharing in a timely and accurate manner as even mainstream media sources seem to have propagated false information [138] . The increase on both frequency and impact of these attacks will test further our existing monitoring and auditing capabilities, logical and physical access controls, authentication and verification schemes currently deployed. Also, as part of the current enterprise risk management approaches the way organisations sanitise incident reporting, media disposal and data destruction and sharing processes will also be tested alongside to traditional defence-in-depth principles currently established as de-facto. The finance sector is also affected as the predicted financial recession will leverage the sophistication and scale of targeted attacks as threat actors grow their capabilities [139] . The COVID-19 pandemic has generated remarkable and unique societal and economic circumstances leveraged by cyber-criminals. Our analysis of events such as announcements and media stories has shown what appears to be a loose correlation between the announcement and a corresponding cyber-attack campaign which utilises the event as a hook thereby increasing the likelihood of success. The COVID-19 pandemic, and the increased rate of cyber-attacks it has invoked have wider implications, which stretch beyond the targets of such attacks. Changes to working practises and socialization, mean people are now spending increased periods of time online. In addition to this, rates of unemployment have also increased, meaning more people are sitting at home online-it is likely that some of these people will turn to cyber-crime to support themselves. The combination of increased levels of cyber-attacks and cyber-crime means there may be implications for policing around the Worldlaw enforcement must ensure it has the capacity to deal with cyber-crime [140] . The analysis presented in this paper has highlighted a common modus-operandi of many cyber-attacks during this period. Many cyber-attacks begin with a phishing campaign which directs victims to download a file or access a URL. The file or the URL act as the carrier of malware which, when installed, acts as the vehicle for financial fraud. The analysis has also shown that to increase the likelihood of success, the phishing campaign leverages media and governmental announcements. Although this analysis is not necessarily novel, we believe this is the first time that this has been supported with a context of actual live events. This analysis gives rise to the recommendation that governments, the media and other institutions should be aware that announcements and the publication of stories are likely to give rise to the perpetration of associated cyber-attack campaigns which leverage these events. The events should be accompanied by a note / disclaimer outlining how information relating to the announcement will be relayed. Our research presents opportunity for further research. This research has shown what can best be described as a loose direct and inverse correlation between events and cyber-attacks. Further research should investigate this phenomenon and outline whether a predictive model can be used to confirm this relationship. There is an abundant supply of cyber-attack case studies relating to countries around the world and a wider analysis of the problem can help in affirming this phenomenon. Malware," 2020, https://krebsonsecurity.com/2020/03/live-coronavirusmap-used-to-spread-malware/ (Accessed 15 June 2020). [5] R. Smithers, "Fraudsters use bogus nhs contact-tracing app in phishing scam," 2020, https://www.theguardian.com/world/2020/may/13/ fraudsters-use-bogus-nhs-contact-tracing-app-inphishing-scam (Accessed 30 May 2020). deals could have been avoided," 2020, https://www.bloomberg.com/opinion/articles/2020-05-01/coronavirus-trillions-in-aid-draws-scams-anddodgy-deals (Accessed 9 May 2020). [38] D. Galov, "Remote spring: the rise of rdp bruteforce attacks," 2020, https://securelist.com/remote-spring-therise-of-rdp-bruteforce-attacks/96820 (Accessed 9 May 2020). [39] NCSC, "Home working: preparing your organisation and staff," 2020, https://www.ncsc.gov.uk/guidance/home-working (Accessed 9 May 2020). [40] NIST, "Security for enterprise telework, remote access, and bring your own device (byod) solutions," 2020, https://csrc.nist.gov/CSRC/media/Publications/Shared/ documents/itl-bulletin/itlbul2020-03.pdf (Accessed 9 May 2020). [41] FTC, "Online security tips for working from home," Pandemic Profiteering: How Criminals Exploit 2020 Coronavirus Phishing Emails: How to Protect Against COVID-19 Scams US Authorities Battle Surge in Coronavirus Scams, From Phishing to Fake Treatments Cybercrime and You: How Criminals Attack and the Human Factors That They Seek to Exploit Hackers Are Targeting Hospitals Crippled by Coronavirus UK's National Cyber Security Centre (NCSC) and the US' Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) The hiscox cyber readiness report 2019 2019 official annual cybercrime report Less traditional crime, more cybercrime Measuring the changing cost of cybercrime Understanding the Growth of Cybercrime Economy Scene of the cybercrime The novelty of 'cybercrime' an assessment in light of routine activity theory Other people's money; a study of the social psychology of embezzlement Hacking: The Next Generation: The Next Generation Understanding scam victims: seven principles for systems security How cybercriminals prey on victims of natural disasters Hurricane katrina fraud How to help the earthquake victims in Ecuador and Japan Watch Out For Hurricane Harvey Phishing Scams Hundreds of bushfire donation scams circulating Michael jackson's death sparks off spam Michael jackson's death spurs spam, malware campaigns You Have NOT Won! A Look at Fake FIFA World Cup-themed Lotteries and Giveaways Blackmailing and passwords leaks Compromised linkedin accounts used to send phishing links via private message and inmail 10 tips to help if you are worried about coronavirus Facing down the myriad threats tied to covid-19 Threat spotlight: Coronavirus-related phishing Protecting businesses against cyber threats during covid-19 and beyond Covid aid scams and dodgy 2020 A systematic approach toward description and classification of cybercrime incidents A cyber attack modeling and impact assessment framework A taxonomy and survey of intrusion detection system design techniques, network threats and datasets Extracting narrative timelines as temporal dependency structures Classification of cyber attacks in south africa Sony's nightmare before christmas: The 2014 north korean cyber attack on sony and lessons for us government actions in cyberspace Naming the coronavirus disease (COVID-19) and the virus that causes it Cybercrime -prosecution guidance Vietnamese threat actors apt32 targeting wuhan government and chinese ministry of emergency management in latest example of covid-19 related espionage Skype phishing attack targets remote workers' passwords Fake Coronavirus Tracking Apps Are Really Malware That Stalks You How to design browser security and privacy alerts Bayesian network models in cyber security: a systematic review Google Translate Coronavirus disease (COVID-19) pandemic Latest information on Coronavirus disease 2019 (COVID-19) Research on computer network attack modeling based on attack graph Who reports fivefold increase in cyber attacks, urges vigilance search (Accessed Municipal:"massive" computer attack at the town hall of marseille Cyber attack on easyjet, compromised the data of nine million customers An extended model of cybercrime investigations A taxonomy of operational cyber security risks A taxonomy of technical attribution techniques for cyber attacks A taxonomy of network threats and the effect of current datasets on intrusion detection systems Chapter 1: Cyberdependent crimes Cyber-enabled crimes -fraud and theft Research Reveals Hacker Tactics: Cybercriminals Use DDoS as Smokescreen for Other Attacks on Business From cybersecurity deception to manipulation and gratification through gamification Recent ransomware attacks define the malware's new age 2020 state of malware report Social engineering attacks and covid-19 Chinese hackers 'weaponize' coronavirus data for new cyber attack: Here's what they did Coronavirus email attacks evolving as outbreak spreads Coronavirus phishing Threat Intel:Cyber Attacks Leveraging the COVID-19/CoronaVirus Pandemic Hackers are using the "coronavirus" fear for phishing, please pay attention to prevention Take advantage of the fire! "the epidemic is a bait" cyber attack Global shipping industry attacked by coronavirus-themed malware Fighting the spread of coronaviruses who faces severe cybersecurity threats Indian Hackers Targeting Chinese Medical Institutes Amid Coronavirus Outbreak, Says Report Analysis and suggestions on several types of network security threats during the epidemic prevention and control period Coronavirus and ransomware infection -what's the connection? Fresh virus misery for illinois: Public health agency taken down by... web ransomware. great timing, scumbags Coronavirus test results delayed by cyber-attack on czech hospital Cyber-attack hits u.s. health agency amid covid-19 outbreak New threat discovery shows commercial surveillanceware operators latest to exploit covid-19 New android app offers coronavirus safety mask but delivers sms trojan Scams, lies, and coronavirus Cyber-attack threatens spanish hospital computer systems Covid sms phishing attempt Our @glospolice fcr have had calls asking if covid-19 texts like the below are genuine The school meals coronavirus text scam which could trick parents out of thousands Android malware takes payment for 'coronavirus finder' map Warning over coronavirus netflix scam Cyber criminals create a spoof copy of the nhs website in the midst of the coronavirus pandemic to trick users into downloading dangerous malware that can steal their passwords and credit card data Hackers exploit hmrc coronavirus job retention scheme with phishing email scam New coronavirus screenlocker malware is extremely annoying Docusign phishing campaign uses covid-19 as bait New Threat Intelligence Report:100 Days of Coronavirus NCSC Shines Light on Scams Being Foiled via Pioneering New Reporting Service Coronavirus: Fraud victims have lost more than £4.6m to virus-related scams Coronavirus: Israel enables emergency spy powers HMRC Shuts Down Almost 300 COVID19 Phishing Scam Sites Budget 2020: What You Need to Know Coronavirus Scams Pervasive ehealth services a security and privacy risk awareness survey Baiting the hook: factors impacting susceptibility to phishing attacks Cyber Criminals Create a Spoof Copy of the NHS Website in the Midst of the Coronavirus Pandemic to Trick Users Into Downloading Dangerous Malware That Can Steal Their Passwords and Credit Card Data Check Point There Are Now More Than 40,000 'High-Risk' COVID-19 Threats On The Web Covid-19 fraud A study on situational awareness security and privacy of wearable health monitoring devices Food and Drugs Administration (FDA) OLAF Launches Enquiry into Fake COVID-19 Related Products UK Medicines and Medical Devices Regulator Investigating 14 Cases of Fake or Unlicensed COVID-19 Medical Products Dirty little secret extortion email threatens to give your family coronavirus Covidlock update: Deeper analysis of coronavirus android ransomware Spanish Hospitals Targeted With Coronavirus-themed Phishing Lures in Netwalker Ransomware Attacks Ransomware Gangs to Stop Attacking Health Orgs During Pandemic Trickbot Named Most Prolific #COVID19 Malware Coronavirus Trojan Overwriting The MBR A Taxonomy of Cyber-harms: Defining the Impacts of Cyber-attacks and Understanding How They Propagate FBI official says foreign hackers have targeted COVID-19 research UK's National Cyber Security Centre (NCSC) and the US' Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) People's Republic of China (PRC) Targeting of COVID-19 Research Organizations Why cybersecurity matters more than ever during the coronavirus pandemic Data Protection and COVID-19 General data protection regulation (gdpr): Principle (b): Purpose limitation NHS contact-tracing app 'falls short of data protection law Covid-19 information governance advice for ig professionals Privacy in the age of medical big data Balancing personal privacy and public safety in covid-19: Case of korea and france AstraZeneca Advances Response to Global COVID-19 Challenge as it Receives First Commitments for Oxford's Potential New Vaccine COVID-19: Collaboration is the Engine of Global Science -Especially for Developing Countries The danger of mainstream media infections with viral and fake information Covid-19: Companies and verticals at risk for cyber attacks The implications of the COVID-19 pandemic for cybercrime policing in Scotland: a rapid review of the evidence and future considerations, ser. Research Evidence in Policing: Pandemics. Scottish Institute for Policing Research