InfoSec Round-Up: August 16th 2020

SANS Institute Hack, TikTok Data Drama, Facial Rec & Travelex in Admin

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

This week we are discussing the SANS Institute hack, the historic facial recognition ruling, Travelex going into administration and TikTok data violations.

SANS Institute Hacked

The SANS Institute, a company that specialises in cybersecurity and information security training, has fallen victim to a phishing attack, compromising 28,000 records of personally identifiable information (PII).

The American-based educational company announced this week that following a single successful phishing email, over 500 of the organisation’s emails were forwarded to an unknown external address.

Occurring on August 6^th, the culprit of the attack has not been identified, though the information lost included names, email addresses and physical addresses; reportedly information belonging to attendees of a virtual training event organised by the company.

Read More: Hut Six’s Essential Anti-Phishing Training Guide for SMEs

In a statement, the company have announced that, upon discovery they “quickly stopped any further release of information from the account.”

Having trained many thousands of security professionals, the institute further noted: “We are working to ensure that no other information was compromised and to identify opportunities to harden our systems and improve our response.”

TikTok Violated Android Data Policy

It has been revealed that the popular social media platform TikTok, collected android users’ MAC addresses for a period of 18 months, in violation of the Google Play Store rules.

In a report by the Wall Street Journal, researchers found that TikTok was one of around 350 apps on the Play Store which were taking advantage of a loophole to collect the unique identifiers, which can be used for invasive tracking and advertising.

The collection, which was reportedly facilitated via “an unusual added layer of encryption”, was banned in 2015 on both the iOS App Store and the Android equivalent, though the Chinese-made app only ceased this data collection practice in November of 2019.

This change of policy has been attributed by some to mounting political pressure from the American government; a situation which has in recently weeks come to a head, with a US ban on the platform currently looming.

Commenting on the matter, a representative from TikTok stated: “We constantly update our app to keep up with evolving security challenges, and the current version of TikTok does not collect MAC addresses”.

Facial Recognition Ruled Unlawful

The use of controversial facial recognition by South Wales Police has been found unlawful by the Court of Appeal, following a challenge to a 2019 High Court ruling.

Three senior judges have found that South Wales Police, in their use of facial recognition, had violated the right to privacy under the European Convention on Human Rights (ECHR), data protection laws and obligations to address concerns about racial or sex discrimination.

Mr Bridges, who decided to challenge the technology following its use at an arms protest he attended said of the ruling: "I'm delighted that the court has agreed that facial recognition clearly threatens our rights.

“For three years now, South Wales Police has been using it against hundreds of thousands of us, without our consent and often without our knowledge.”

Liberty lawyer Megan Goulding stated: “This judgment is a major victory in the fight against discriminatory and oppressive facial recognition,”

“It is time for the government to recognise the serious dangers of this intrusive technology. Facial recognition is a threat to our freedom – it has no place on our streets.”

Travelex goes into Administration Following Ransomware Attack

The victim of the new year’s ransomware attack, Travelex, has announced that they have been forced into administration, ceasing the majority of UK business.

Resulting in around 1,300 redundancies, the currency exchange business was hit with a Sodinokibi/REvil ransomware attack last year, taking out its online services and affecting many of its brick and mortar stores as well.

Reportedly the result of unpatched Pulse Secure VNP servers, attackers are thought to have exfiltrated around 5BG of sensitive customer data and demanded £4.6 million for a decryption key.

As well as this attack, the pandemic led to the company predicting a first quarter loss of £25m; Travelex being just one of the many businesses struggling during this time.

In a press release, PricewaterhouseCoopers stated: “The impact of a cyber-attack in December 2019 and the ongoing Covid-19 pandemic this year has acutely impacted the business.”

Toby Banfield, joint administrator at PwC, adding: “The completion of this transaction has safeguarded 1,802 jobs in the UK and a further 3,635 globally, and ensured the continuation of a globally recognised brand.

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.