InfoSec Round-Up Dec 3rd

Play Video

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

Facial Recognition Company Faces Possible Fine

The Australian facial recognition company Clearview AI has been provisionally fined £17 million by the UK’s Information Commissioner’s Office for its handling of personal data.

Clearview AI, which promotes its product as a “Google search for faces” and claims to hold over 10 billion facial images, has been ordered to stop further processing and delete the personal data of people in the UK following “alleged serious breaches” of UK GDPR.

Announced by the data watchdog following a joint investigation by UK and Australian authorities, a preliminary review finds that the company failed to comply with a number of data protection regulations, including failing to stop data being retained indefinitely, failing to have a lawful reason for collecting information, and failing to inform individuals of what is happening to their data.

Despite Clearview AI’s chief executive claiming to have complied with “all standards of privacy and law”, Information Commissioner, Elizabeth Denham has stated “I have significant concerns that personal data was processed in a way that nobody in the UK will have expected. It is therefore only right that the ICO alerts people to the scale of this potential breach and the proposed action we’re taking.”

Insider Threat Charged

A former employee of electronic device maker Ubiquiti has this week been charged with data theft and attempting to extort his employer.

Nikolas Sharp, who if found guilty faces a maximum sentence of 37 years in prison, used his trusted position to steal gigabytes of confidential data from Ubiquiti, then attempted to extort the company for almost $2 million.

After these extortion attempts failed, Sharp then shared information with the media under the guise of being a whistle-blower. Actions which are believed to have resulted in Ubiquiti’s stock price falling by roughly 20%.

Taking care to hide his actions, including altering activity logs, the insider threat’s identity was eventually exposed after a temporary internet outage betrayed his home IP address.

U.S. Attorney Damian Williams has stated on the case: “As alleged, Nickolas Sharp exploited his access as a trusted insider to steal gigabytes of confidential data from his employer, then, posing as an anonymous hacker, sent the company a nearly $2 million ransom demand… Now the alleged theft and lies have been exposed, Sharp is facing serious federal charges.”

Cabinet Office Data Breach

The UK’s Cabinet Office has been fined £500,000 for the unauthorised disclosure of personal information of the 2020 New Year Honours recipients.

Found to have failed to put appropriate technical and organisational measures in place to prevent such a breach, the Cabinet Office published a file containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honours list, including musician Sir Elton John.

Available online for a period of only two hours and 21 minutes, the personal data was accessed almost 4 thousand times.

Steve Eckersley, ICO Director of Investigations, has stated: “When data breaches happen, they have real life consequences. In this case, more than 1,000 people were affected.”

Adding, “The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety.”

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.

Featured

Infosec Round-Up Nov 26th

Infosec Round-Up Nov 26th - Hut Six

1.2 million passwords breached in GoDaddy hack. 'Easy-to-guess' default passwords banned in UK. NSO Spyware company sued by Apple.

Infosec Round-Up Nov 19th - Hut Six

Infosec Round-Up Nov 19th - Hut Six

National Cyber Security Centre publishes annual review. US compensated fraud victims. State-sponsored hacker warning.

Infosec Round-Up Nov 12th

Infosec Round-Up Nov 12th - Hut Six

UK court throws out mass-action lawsuit against Google. US offers $10 million for the identity of REvil cyber criminals. Stor-a-File storage company suffers data breach.

Infosec Round-Up Nov 5th

Infosec Round-Up Nov 5th - Hut Six

UK Labour party data leaked by data handler. Facebook announces end to the use of facial recognition. US Commerce Department sanctions Israel's NSO Group.

Infosec Round-Up Oct 29th

Infosec Round-Up Oct 29th - Hut Six

GCHQ chief warns double in ransomware attacks. “Unprecedented” VOIP cyber-attack. Teen scammer has £2 million in crypto seized.

Infosec Round-Up Oct 22nd

Infosec Round-Up Oct 22nd - Hut Six

Computer maker Acer hacked twice in a single week. Ofcom reports almost 45 million people targeted by scammers. US restricts the sale of hacking tools.

Infosec Round-Up Oct 8th

Infosec Round-Up Oct 8th - Hut Six

125GB of Twitch data leaked. School IT tech charged in insider threat case. EU parliament votes against A.I surveillance.

Infosec Round-Up Oct 1st

Infosec Round-Up Oct 1st - Hut Six

iPhone contactless flaw could allow locked phone payments. China warns crypto “seriously endanger the safety of people’s assets”. Ethereum research facing 20 years in prison.

InfoSec Round-Up Sep 24th

InfoSec Round-Up Sep 24th - Hut Six

REvil steals loot from affiliate criminals. Lithuania warns of Chinese made phones. UK MoD exposes the data of Afghan interpreters.

Infosec Round-Up Sep 17th

Infosec Round-Up Sep 17th - Hut Six

Irish DPA investigates TikTok data collection. NSO Group flaw fixed. Microsoft announces passwordless future.