This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

This week we are discussing the Jack Daniel’s leak, the Experian and Ritz breaches, and a class action lawsuit against Marriott hotels.

Jack Daniel’s Maker Suffers Data Theft

Brown-Forman, one of America’s biggest spirit and wine companies, has suffered a reported attack by operators of the ransomware-as-a-service (RaaS) strain REvil.

Though few details of the attack have been confirmed by the victim, the Kentucky-based company, whose products include Jack Daniel’s, El Jimador, Woodford and Finlandia, has stated it was able to prevent its systems from being encrypted.

Having failed to effectively deploy the ransomware across company systems, the cyber-criminals claim to have stolen around 1TB of confidential information from Brown-Forman computer networks.

In a likely ploy to extort Brown-Forman, the criminals have posted multiple screenshots of the stolen data, including directory trees and internal communications, documents dating back as far as 2009, and from as recently as July 2020.

With no active negotiations occurring, a representative from the beverage company has stated: “Unfortunately, we believe some information, including employee data, was impacted. We are working closely with law enforcement, as well as world-class third-party data security experts, to mitigate and resolve this situation as soon as possible”.

The Ritz Hotel Hit with Data Breach

The five-star London hotel, The Ritz, has reported a ‘potential’ data breach, with guests being targeted with phone-based identity fraud attacks.

The hotel revealed on Twitter that it has been hit with an information security attack, in which its food and beverage reservation system was compromised, losing guests’ personal data.

With the stolen information and impersonating Ritz staff, attackers rapidly began contacting guests in attempts to obtain card details, with some victims reporting phone number spoofing.

In some instances, contacting victims multiple times, attackers attempted to spend thousands of pounds at the catalogue retailer Argos. How the cyber-criminals got their hands on the data is still unknown.

In the statement, the hotel noted that of the information lost, none included “any credit card details or payment information.”

Going on to state: “We immediately launched an investigation to identify the cause of the breach, which is ongoing, to find out what happened… We have contacted all of our clients whose data may have been compromised and alerted the ICO of the incident.”

Fraudsters Breach 24m Experian Customer Records

The consumer credit reporting company, Experian, has announced that data belonging to around 24 million South African customers, and nearly 800,000 businesses was wrongly handed over to a suspected fraudster.

The South African arm of the Experian company, the world’s largest credit data firm, stated that “an individual in South Africa, purported to represent a legitimate client” and had “fraudulently requested services”.

Though it is not clear how long it took the company to realise their mistaken sharing of customer data, the organisation stated that it does not believe it has been used for “fraudulent purposes”.

This is not the first time that the company has been involved in a data breach, with a 2015 hack against the company exposing around 15 million customer records, including drivers’ licenses and passport numbers.

Having reportedly identified the suspect and successfully contained the data breach, the company did not confirm what information the records contained, only that it was not consumer credit or consumer financial information.

In the notification, Experian stated that they are continuing their coordinated efforts with law enforcement, emphasising that “Experian South Africa bureau’s infrastructure, systems and database have not been compromised.”

Marriott Hack Could Cost Hotel Chain £1.75bn

Following one of the world’s biggest data breaches, which saw over 300 million customer records stolen from Marriott’s global reservation database, a class action lawsuit has been launched.

Occurring in September of 2018, the hack involved a massive cache of personal information, including credit card details and passport numbers; data which is thought to have been exposed for several years.

Representing the affected 7 million customers living in England and Wales, the lawsuit has been launched by technology consultant Martin Bryant, and according to some sources, could cost the company up to £1.75bn.

Already facing a possible fine from the UK’s data protection watchdog, the Information Commissioner’s Office, of £99.2m, the incident is a stark reminder of the cost of poor information security.

Michael Bywell, a partner at the law firm undertaking the lawsuit (Hausfeld) said of Marriott International, that they had failed “to take adequate technical or organisational measures to protect millions of their guests’ personal data which was entrusted to them”.

Adding, “I hope this case will raise awareness of the value of our personal data… and also serve notice to other data owners that they must hold our data responsibly.”
