HMRC Reports 11 Serious Data Incidents

Her Majesty’s Revenue and Customs (HMRC) has, in the last financial year, reported 11 ‘serious’ personal data incidents to the UK’s data watchdog, the Information Commissioner’s Office (ICO).

Estimated to have affected almost 20,000 individuals, the disclosure comes as part of an annual report, in which all government departments are required to publish information regarding any serious data-related incidents.

One of the most serious of the incidents, affecting 18,864 individuals, occurred in May of last year, when National Insurance Number (NINO) letters containing “incorrect details” were sent to 16-year-old children.

As part of the report, HMRC stated: “We deal with millions of customers every year and tens of millions of paper and electronic interactions.”

Adding, “We take the issue of data security extremely seriously and continually look to improve the security of customer information. We investigate and analyse all security incidents to understand and reduce security and information risk. We actively learn and act on our incidents.”

Foxconn Hit with $32 Million Ransom

Electronics giant Foxconn has reportedly suffered a ransomware attack at a Mexican facility in which cyber-criminals have stolen a plethora of unencrypted files.

The attack occurred around November 29th but was only recently confirmed; the DoppelPaymer ransomware syndicate has since publicly shared information stolen in the attack as part of its attempt to extort the company out of approximately $33,983,000 worth of bitcoin (BTC).

As the world’s largest electronics manufacturer, the Taiwanese company boasts annual revenues of £172 billion (2019) and over 800,000 employees worldwide, producing electronics for the likes of Apple, Sony, Huawei and Lenovo.

Though connectivity at Foxconn’s Juárez facility has reportedly gradually returned to normal, the company is believed to have had around 1,200 servers encrypted, 100GB of files stolen, and 20-30TB of backups deleted in the attack.

The company is yet to make a formal statement on the matter.

Cybersecurity Firm Hacked

Prominent US cybersecurity firm FireEye has revealed that it has fallen victim to a ‘highly sophisticated’ attack in which cybercriminals stole a cache of proprietary hacking software.

Believed to be the work of a state-sponsored group, attackers reportedly used a combination of methods and techniques never before seen by the cybersecurity company, allowing them to make off with software used for testing customers’ security.

The publicly listed company, valued at around £3.5bn, has assisted in the response to many high-profile security breaches, including the Sony and Equifax hacks; following the announcement, however, its share price plunged 13%.

In a blog post announcing the breach, FireEye CEO Kevin Mandia repeatedly emphasised the skill and cunning of the threat actors, stating: “The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus.”

Adding, “They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”

Google Fined €100M

French data privacy watchdog CNIL has issued its largest ever fine against Google following an investigation into its use of advertising trackers.

According to the CNIL, the company had, in contradiction to the French Data Protection Act, failed to provide clear information to users about how cookies were being used or how visitors to the French websites could refuse the online tracking.

Google was not alone in being penalised: the authority also issued retail giant Amazon a fine of €35 million for the same failure to obtain user consent. Both companies have publicly disputed the fines.

In a statement Google responded, “We stand by our record of providing upfront information and clear controls, strong internal data governance, secure infrastructure, and above all, helpful products.”

Adding, “Today’s decision under French ePrivacy laws overlooks these efforts and doesn’t account for the fact that French rules and regulatory guidance are uncertain and constantly evolving.”

Thank you for reading this edition of InfoSec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.