InfoSec Round-Up April 9th
Facebook Leak, Booking.com Fined & University Attacks
This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.
530 Million Facebook Profiles Leaked
A leak including the names, phone numbers and locations of 530 million Facebook users is currently being investigated by Ireland’s Data Protection Commission (DPC).
The data appeared last weekend on a hacking forum. Facebook has responded to the incident by claiming that the information was ‘scraped’ and did not originate from an “old” 2019 breach, as the company had previously stated.
With the data freely available to online cyber criminals, Facebook users are being advised to check whether their information was amongst it via the website Have I Been Pwned.
The leak includes data linked to over 11 million UK users, and it is also reported that Mark Zuckerberg, Facebook’s own chief executive, had his phone number leaked as part of the breach.
In a statement, Product Management Director, Mike Clarke, noted “This is another example of the ongoing, adversarial relationship technology companies have with fraudsters who intentionally break platform policies to scrape internet services.”
He added, “As a result of the action we took, we are confident that the specific issue that allowed them to scrape this data in 2019 no longer exists.”
Booking.com Fined €475k
The Netherlands data watchdog has fined Dutch online travel agency Booking.com almost half a million Euros for failing to disclose a data leak in a timely manner.
The data of around 4,100 customers was accessed via a social engineering scam, and the cyber criminals were also able to access the credit card details of 283 people, including card security codes in 97 cases.
In the incident, which occurred back in 2018, scammers reportedly targeted 40 hotel employees, obtaining login credentials to Booking.com systems and thereby accessing the cache of customer data.
The incident was not reported to the Netherlands Data Protection Authority (AP) until 22 days after the attack; GDPR mandates that such an incident be reported within 72 hours.
Monique Verdier, VP of the data authority, noted on the incident, “A data breach can unfortunately happen anywhere, even if you have taken good precautions, but to prevent damage to your customers and repetition… you have to report this in time.”
Education Ransomware Attacks
Both the National College of Ireland (NCI) and the Technological University of Dublin have experienced outages as a result of ransomware attacks against their IT infrastructure.
With access to NCI systems suspended and campus buildings closed, staff are working to restore systems following the cyber-attack which occurred on the 3rd of April.
Both institutions have apologised for the disruption, and to students unable to submit work, but details regarding the specifics of the attacks against the educational institutes are sparse, though the TU has noted that there is no indication that personal data has been “exfiltrated, downloaded, copied or edited.”
These incidents are just the latest in a long string of attacks against the education sector, and come only weeks after the UK’s National Cyber Security Centre (NCSC) issued a warning urging senior leaders to take steps to help mitigate such attacks.
Responding to the occurrence, Technological University campus Principal Thomas Stone noted in an email to students, “With support from external cybersecurity, technical and legal experts, [Computer Services] are currently investigating the source and impact of this attack on our systems, as well as working to return access for all users as soon as possible.”
Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.