InfoSec Round-Up: August 2nd 2020
Ransomware Attacks, Google Privacy & Avon Leaks
This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.
This week we are discussing the ransomware attacks against Edinburgh Zoo and fitness tracker Garmin, Australia’s investigation into Google’s privacy practices and the 19 million records leaked by Avon.
Garmin In Recovery from Ransomware Attack
Garmin, the US-based fitness tracker and GPS company, has this week confirmed that it has suffered a debilitating ransomware attack that led to a three-day outage of services.
The attack, which took place last week, is likely the work of Russian cyber-gang ‘Evil Corp’ and is thought to have used a type of ransomware named WastedLocker to try and extort Garmin out of a reported $10 million.
With a $5 million bounty over his head, Maksim Yakubets (AKA ‘Aqua’) is accused of infecting tens of thousands of computers across North America and Europe and is thought to have close connections to the Russian government.
Garmin has publicly stated: "We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen."
Hoping to soon resume operations, the company added, “we expect some delays as the backlog of information is being processed.”
Google Accused of Down Under Privacy Breach
The Australian consumer watchdog has accused the search giant Google of misleading millions of Australian citizens over the extent of personal data being collected.
The Australian Competition and Consumer Commission (ACCC) has launched a suit on the grounds that Google allegedly collected “potentially sensitive and private” browsing history from its users, without obtaining the proper informed consent.
“Some new features for your Google Account
We’ve introduced some optional features for your account, giving you more control over the data Google collects and how it’s used, while allowing Google to show you more relevant ads.”
The statement shown above is the notification in question: an option which, if agreed to, would allow Google to collect third-party site activity and to combine this with user account data to serve up targeted advertisements.
The Australian authority alleges that the notification was misleading because consumers could not have properly understood the changes Google was making, nor how their data would be used, and so did not - and could not - give informed consent.
Chair of the ACCC, Rod Sims, stated on the matter, “Google significantly increased the scope of information it collected about consumers on a personally identifiable basis… then used this information to serve up highly targeted advertisements without consumers’ express informed consent.”
Edinburgh Zoo Impacted by Blackbaud Attack
The Royal Zoological Society of Scotland has announced it is among the latest organisations known to be affected by the Blackbaud hack covered in last week’s Infosec Round-Up.
The charity, which runs Edinburgh Zoo, has made public that it is one of the 125 organisations ‘so far’ known to be affected by the Blackbaud hack.
In a statement the Zoological Society announced, “this cyber-attack may have involved some personal data belonging to members and adopters. We have been assured that the risk to our supporters is very low.”
“Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.”
With dozens of universities, museums, schools, and charities affected, Blackbaud has faced criticism for its handling of the situation, in particular, because of its capitulation to the criminal’s demands, and the speed with which the attack was disclosed.
The company has stated that at "every point we were working closely with law enforcement and other specialists", adding, "we take our regulatory responsibilities seriously and comply with GDPR at all times, including in this instance."
Avon Exposes 19 Million Records
Around seven gigabytes of personal and technical records belonging to cosmetics brand Avon have been discovered publicly exposed on a misconfigured company server.
Uncovered by security researchers ‘Safety Detectives’ earlier this month, the vulnerability would have allowed anyone with the server’s IP address access to the database in question, and to sensitive information.
Amongst the 19 million records discovered, personally identifiable information included full names, addresses and phone numbers; none of which is reported to have been protected by either passwords or encryption.
Though it is unclear if the incidents are linked, Avon had also disclosed a cyber incident on the 9th of June that had “interrupted some systems and partially affected operations.”
Speaking on the potential impact, the researchers who discovered the records noted: “Given the type and amount of sensitive information made available, hackers would be able to establish full server control and conduct severely damaging actions… namely, ransomware attacks and paralysing the company’s payments infrastructure.”
Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.