This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

530 Million Facebook Profiles Leaked

A leak including the names, phone numbers and locations of 530 million Facebook users is currently being investigated by Ireland’s Data Protection Commission (DPC).

The data appeared last weekend on a hacking forum. Facebook have responded to the incident, claiming that the information was ‘scraped’ and did not originate from an “old” 2019 breach, as the company had previously stated.

With the data freely available to online cyber criminals, Facebook users are being advised to check whether their information is among the data via the website Have I Been Pwned.

The leak includes data linked to over 11 million UK users, and it is reported that Mark Zuckerberg, Facebook’s own chief executive, also had his phone number leaked as part of the breach.

In a statement, Product Management Director Mike Clarke noted, “This is another example of the ongoing, adversarial relationship technology companies have with fraudsters who intentionally break platform policies to scrape internet services.”

He added, “As a result of the action we took, we are confident that the specific issue that allowed them to scrape this data in 2019 no longer exists.”

Booking.com Fined €475k

The Netherlands data watchdog has fined Dutch online travel agency Booking.com almost half a million euros for failing to disclose a data leak in a timely manner.

The data of around 4,100 customers was accessed via a social engineering scam, and the cyber criminals were also able to access the credit card details of 283 people, including card security codes in 97 cases.

In the attack, which occurred back in 2018, scammers reportedly targeted 40 hotel employees, obtaining login credentials to Booking.com systems and thus accessing the cache of customer data.

The incident was not reported to the Netherlands Data Protection Authority (AP) until 22 days after the attack, whereas GDPR mandates that such an incident be reported within 72 hours.

Monique Verdier, VP of the data authority, noted on the incident, “A data breach can unfortunately happen anywhere, even if you have taken good precautions, but to prevent damage to your customers and repetition… you have to report this in time.”

Education Ransomware Attacks

Both the National College of Ireland (NCI) and the Technological University of Dublin have experienced outages as a result of ransomware attacks against their IT infrastructure.

With access to NCI systems suspended and campus buildings closed, staff are working to restore systems following the cyber-attack which occurred on the 3rd of April.

Apologies have been issued for the disruption and to students unable to submit work, but details regarding the specifics of the attacks against the educational institutes are sparse, though the TU has noted that there is no indication that personal data has been “exfiltrated, downloaded, copied or edited.”

Just the latest in a long string of attacks against the education sector, these incidents come only weeks after the UK’s National Cyber Security Centre (NCSC) issued a warning urging senior leaders to take steps to help mitigate such attacks.

Responding to the occurrence, Technological University campus Principal Thomas Stone noted in an email to students, “With support from external cybersecurity, technical and legal experts, [Computer Services] are currently investigating the source and impact of this attack on our systems, as well as working to return access for all users as soon as possible.”

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.