InfoSec Round-Up: December 13th
Foxconn Ransomware, FireEye Hacked & Google Fined €100M
This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.
HRMC Reports 11 Serious Data Incidents
Her Majesty’s Revenue and Customs (HMRC) has, in the last financial year, reported 11 ‘serious’ personal data incidents to the UK’s data watchdog, the Information Commissioner’s Office (ICO).
Estimated to have affected almost 20,000 individuals, the disclosure comes as part of an annual report, in which all government departments are required to publish information regarding any serious data-related incidents.
One of the most serious of the incidents, affecting 18,864 individuals, occurred in May of last year in which National Insurance Number (NINO) letters were sent to 16-year-old children with “incorrect details” contained within.
As part of the report, HMRC stated: “We deal with millions of customers every year and tens of millions of paper and electronic interactions.”
Adding, “We take the issue of data security extremely seriously and continually look to improve the security of customer information. We investigate and analyses all security incidents to understand and reduce security and information risk. We actively learn and act on our incidents.”
Foxconn Hit with $32 Million Ransom
Electronics giant Foxconn has reportedly suffered a ransomware attack at a Mexican facility in which cyber-criminals have stolen a plethora of unencrypted files.
Occurring around November 29th, but only recently confirmed, the DoppelPaymer ransomware syndicate has publicly shared stolen information from their attack as part of their attempts to extort the company out of approximately $33,983,000 worth of bitcoin (BTC).
As the world’s largest electronic manufacturer, the Taiwanese company boasts annual revenues of £172 billion (2019) and over 800,000 employees worldwide, producing electronics for the likes of Apple, Sony, Huawei and Lenovo.
Though connectivity in Foxconn’s Juárez facility has reportedly gradually returned to normal the company is believed to have had around 1,200 servers encrypted, 100GB of files stolen, and 20-30TB of backups deleted in the attack.
The company is yet to make a formal statement on the matter.
Cybersecurity Firm Hacked
Prominent US cybersecurity firm FireEye has revealed that it has fallen victim to a ‘highly sophisticated’ attack in which cybercriminals stole a cache of proprietary hacking software.
Believed to be the work of a state-sponsored group, attackers reportedly used a combination of methods and techniques never before seen by the cybersecurity company, allowing them to make off with software used for testing customers’ security.
The publicly listed company, valued at around £3.5bn, has assisted in many high-profile security breaches, including the Sony and Equifax hacks; though following the announcement saw its share price plunge 13%.
In the blog post, FireEye CEO Kevin Mandia repeatedly emphasised the skill and cunning of the threat actors, stating: "The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus.”
Adding, “They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”
Google Fined €100M
French data privacy watchdog CNIL has issued its largest ever fine against Google following an investigation into its use of advertising trackers.
According to the CNIL, the company had, in contradiction to the French Data Protection Act, failed to provide clear information to users about how cookies were being used or how visitors to the French websites could refuse the online tracking.
Not alone in being penalised, the authority also issued retail giant Amazon a fine of €35 million for the same failure to obtain user consent; fines which both companies have publicly disputed.
In a statement Google responded, "We stand by our record of providing upfront information and clear controls, strong internal data governance, secure infrastructure, and above all, helpful products.”
Adding, "Today's decision under French ePrivacy laws overlooks these efforts and doesn't account for the fact that French rules and regulatory guidance are uncertain and constantly evolving."
Thank you for reading this edition of InfoSec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
Preparing for SOC 2 Compliance. What are the 5 Trust Service Principles? Security · Availability · Processing Integrity · Confidentiality · Privacy
Top 10 Security Tips for Remote Work. Securing Work from Home blog image by Information Security Awareness Training provider Hut Six Security.
Building a Business Case for Information Security Awareness Training blog by Information Security Awareness Training provider Hut Six.
How Zero Trust Works - Zero Trust Security blog by Information Security Awareness Training provider Hut Six Security.
How to Write a Cyber Job Specification: Finding the Best Cybersecurity Talent. Cyber blog by Information Security Awareness solution provider Hut Six Security.
How to Build a Cyber Team - Top Points to Consider When Building Your Team. Blog by Information Security Awareness solution Hut Six Security.
What is GDPR Compliance UK? Understanding the General Data Protection Regulation and UK Compliance. Blog by Hut Six Security.
What is a DDoS attack and what should you do if you think you are experiencing one? Blog by Information Security Training provider Hut Six Security.
Does GDPR Apply to Individuals? How GDPR Relates to you Personally. Blog by Information Security Awareness Training provider Hut Six Security
Does GDPR Cover Paper Records? Paper Records and Data Protection Law blog by Information Security Awareness Training provider Hut Six Security.